IPv6 and What is Coming in the Future – CF030

Listen Mobile:

Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future Through an Academic Perspective!   Christian Johnson, a student at the University of Maryland will bring fresh and relevant topics to the show based on the current work he does.

Please leave a REVIEW (iPhone or iPad) – https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=857124890&type=Podcast&ls=1&mt=1

Support the Average Guy Tech Scholarship Fund: https://www.patreon.com/theaverageguy

WANT TO SUBSCRIBE? We now have Video Large / Small and Video iTunes options at http://theAverageGuy.tv/subscribe

You can contact us via email at jim@theaverageguy.tv

Full show notes and video at http://theAverageGuy.tv/cf030

IPV6 Adoption in 2016




  • What is IPV6

    • New internet protocol

    • Ability to many more devices due to 128 vs 32 bit of ipv4

  • IPV6 Benefits

    • End to end connectivity

      • No private address collisions

      • Efficient routing

      • Simpler header, less extraneous data

      • Easier administration

      • Less information to be processed by router

        • Fewer information in header

      • New Extension Headers The IPv6 specification currently defines 6 Extension Headers:

        • Routing Header – Similar to the source routing options in IPv4. Used to mandate a specific routing.

        • Authentication Header (AH) – A security header which provides authentication and integrity.

        • Encapsulating Security Payload (ESP) Header – A security header which provides authentication and encryption.

        • Fragmentation Header – The Fragmentation Header is similar to the fragmentation options in IPv4.

        • Destination Options Header – This header contains a set of options to be processed only by the final destination node. Mobile IPv6 is an example of a Destination Options Header.

        • Hop-by-Hop Options Header – A set of options needed by routers to perform certain management or debugging functions

  • Drawbacks

    • No NATS

      • No drawbacks in security

      • The firewall provides security not NAT itself

    • Not backwards compatible

  • Security differences

    • IPV6

      • IPSEC – built in

        • Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer (i.e. Layer 3 of the Open Systems Interconnection 7-layer networking model).

          • Encryption – symmetric

          • Certificate authorities

          • Encryption that can be deployed in standalone environments between clients, routers, and firewalls

        • With IPsec, data can be sent across a public network without observation, modification, or spoofing. IPsec functionality is similar in both IPv6 and IPv4; however, site-to-site tunnel mode only is supported in IPv6.

        • In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header. The authentication header provides integrity and authentication of the source. It also provides optional protection against replayed packets. The authentication header protects the integrity of most of the IP header fields and authenticates the source through a signature-based algorithm. The ESP header provides confidentiality, authentication of the source, connectionless integrity of the inner packet, antireplay, and limited traffic flow confidentiality.

      • Offers end to end encryption

      • SEND Protocol – secure neighbor discovery

        • Cryptographic confirmation of host at connection time

      • Privacy

        • The design of IPv6 intended to re-emphasize the end-to-end principle of network design that was originally conceived during the establishment of the early Internet. In this approach each device on the network has a unique address globally reachable directly from any other location on the Internet.

      • Drawbacks

        • Deployment and configuration is an issue

          • Proper deployment and configuration is a serious issue. Trying to deploy IPv6 the same way IPv4 was done guarantees problems. IT administrators must learn a whole new approach to networking, from simple network troubleshooting to configuring firewalls and monitoring security logs. There are many opportunities for confusion and mistakes.

        • Lack of support

          • The No.1 risk today is the lack of IPv6 security knowledge. Enterprises must invest time and money in IPv6 security training upfront, before deploying. That or risk compromise and spending more time and more money on security later to plug the holes. Network security is more effective as part of the planning stage rather than after deployment. This is not an area to skimp on. According to Scott Hogg, IPv6 Security author and CTO of GTRI, “All security practitioners should learn about IPv6 now because all organizations have IPv6-capable and enabled operating systems in their environments. Failure to secure the IPv6 systems is like allowing a huge back-door to exist.”

        • Security device bypass via unfiltered IPv6 and tunneled traffic. Only a lack of knowledge is considered a bigger risk than the security products themselves. Conceptually it’s simple, security products need to do two things – recognize suspicious IPv6 packets and apply controls when they do. However in practice this is hardly possible in v4 let alone an environment that may have rogue or unknown tunnel traffic.

Reputation based protection – Many security software vendors use the reputation of IP addresses to filter out malicious websites that are known sources of malware. While reputation systems for IPv4 addresses already exist, it’s a bit of a chicken-and-egg situation when it comes to IPv6. No one has established an IPv6 reputation database, so no one is using reputation-based security with IPv6 addresses — and therefore no one is building a reputation database. It’s something the security industry will surely eventually adopt, but for now it’s a missing piece in the security puzzle.

Jim’s Twitter: http://twitter.com/#!/jcollison

Contact Christian: christian@theaverageguy.tv

Contact the show at jim@theaverageguy.tv

Find this and other great Podcasts from the Average Guy Network at http://theaverageguy.tv

Music courtesy of Ryan King. Check out the Die Hard Cafe band and other original works at: