IPv6: Click, Clack, Front and Back

Do seat belts make a car more secure? Yes, if you wear them.

So although IPSec is a mandatory part of IPv6, it's not mandatory to use it. It's nice to have seat belts, and having seat belts built in does make it more likely people will use them.

We've been using IPSec for years in IPv4, mostly in VPNs. IPSec was invented for IPv6 and then retrofitted to IPv4, so it is no wonder the mechanics are so similar. IPv6 uses two extension headers (rather than header options) to support IPSec.

The Authentication Header (AH) provides authentication and integrity. An integrity check value (ICV) is calculated over the packet and the result is inserted into the packet as an extension header. The recipient recalculates the ICV, and if the received ICV matches the calculated one, the recipient knows that the message comes from the address that appears to have sent it and that it was not altered in transit. However, nothing is hidden — the packet is not encrypted.

Because the source and destination addresses are included in the ICV calculation, AH cannot pass through network address translation (NAT). The Encapsulating Security Payload (ESP) header encrypts payloads, hiding them from prying eyes while in transit. The payloads are not transmitted as they are; they are replaced by ESP headers carrying the encrypted data.

The ESP header does ensure the integrity of the payload, but it doesn't guarantee the integrity of anything else, such as the source and destination addresses, or any other headers that may accompany the packet.

The solution? Use both types of header: ESP to encrypt the payload and AH to ensure the integrity of the entire packet.
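To make the scope difference concrete, here is a small added example (not code from the original article) that models the two integrity checks over a toy IPv6 packet. It is deliberately simplified: HMAC-SHA256 stands in for whatever integrity algorithm the security association negotiated, real AH zeroes mutable header fields (such as the hop limit) before hashing rather than hashing only the addresses, and ESP's encryption is left out so that only its integrity scope is visible. The addresses and keys are constructed values.

```python
"""Simplified model of what the AH and ESP integrity checks cover.

Constructed example, not from the original article: a toy IPv6 packet
(source, destination, payload) and HMAC-SHA256 integrity check values
(ICVs) computed over different scopes, to show why AH breaks under NAT
and why ESP on its own does not protect the addresses.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Shared keys both ends of the security association would already hold
# (constructed values for this example only).
AH_KEY = b"ah-integrity-key-example"
ESP_KEY = b"esp-integrity-key-example"


def ah_icv(pkt: Packet) -> bytes:
    """AH scope (simplified): source and destination addresses plus payload.

    Real AH covers the whole packet with mutable fields zeroed; the point
    here is only that the addresses are inside the hash.
    """
    data = (ipaddress.IPv6Address(pkt.src).packed
            + ipaddress.IPv6Address(pkt.dst).packed
            + pkt.payload)
    return hmac.new(AH_KEY, data, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP scope: the encapsulated payload only; the outer header is not covered."""
    return hmac.new(ESP_KEY, pkt.payload, hashlib.sha256).digest()


def verify(pkt: Packet, icv: bytes, scope) -> bool:
    """Recompute the ICV with the given scope and compare in constant time."""
    return hmac.compare_digest(scope(pkt), icv)


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """Model a NAT (or any middlebox) rewriting the source address."""
    return Packet(new_src, pkt.dst, pkt.payload)


def demo() -> dict:
    original = Packet("2001:db8:1::10", "2001:db8:2::80", b"GET / HTTP/1.1\r\n")
    ah = ah_icv(original)
    esp = esp_icv(original)
    translated = nat_rewrite(original, "2001:db8:ffff::1")
    tampered = Packet(original.src, original.dst, b"GET /admin HTTP/1.1\r\n")
    return {
        "ah_ok_untouched": verify(original, ah, ah_icv),
        "esp_ok_untouched": verify(original, esp, esp_icv),
        # AH fails after NAT because the addresses are part of the hash.
        "ah_after_nat": verify(translated, ah, ah_icv),
        # ESP still passes: it never looked at the addresses, so a changed
        # address is also invisible to it.
        "esp_after_nat": verify(translated, esp, esp_icv),
        # Both detect a modified payload.
        "ah_payload_tamper": verify(tampered, ah, ah_icv),
        "esp_payload_tamper": verify(tampered, esp, esp_icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `esp_after_nat` result is the one to notice: ESP verification succeeds even though the source address has changed, which is exactly the gap the article closes by adding AH.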

Internet Control Message Protocol (ICMP)

Many IPv4 network managers block all ICMP. It is a simple and effective way to protect against various attacks. While most well-managed networks are not quite so heavy-handed, it is still quite a common approach. But it's an approach that does not work very well with IPv6.

IPv6 uses ICMPv6 to do critical things like neighbour discovery. Blocking ICMPv6 on an internal interface will interfere with these things. Blocking it on an outside interface, at the border of a network, will have a more subtle effect — it will break path MTU discovery (PMTUD).

IPv6 fragments packets only at the source, and reassembles them only at the destination. Fragmentation is done at the edges of the network, making the core faster and more efficient. When a router discovers that it cannot forward a packet because it is too large for the outgoing interface, the router sends an ICMPv6 “packet too big” response back to the source, giving the maximum transmission unit (MTU) that it can support. The source node tries again with that MTU. This is repeated until a packet size is found that is small enough to make it through all intervening routers to the destination.

If anyone along the way is blocking ICMPv6, packets will be dropped, and the sender will have no reason to try smaller packets. By all means block those ICMPv6 types that you don't need — router advertisements on an outside interface, for example. And by all means rate limit those that might otherwise pose a risk — echo requests, perhaps. But block with care!

If you are providing a service that may be affected by other people breaking PMTUD, such as a website, consider setting your outgoing MTU to 1280, the minimum size that IPv6 supports. You will lose some efficiency, but will be immune to PMTUD failures.
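The PMTUD exchange, the black hole a careless border filter creates, and the 1280-byte workaround can all be seen in a short simulation. This is an added example, not code from the original article: the routers, the border filter and the path MTUs are toy models with constructed values. The ICMPv6 type numbers (2 for "packet too big", 128 for echo request, 134 for router advertisement) and the 1280-byte minimum link MTU are the values defined by the IPv6 and ICMPv6 specifications.

```python
"""Simulation of IPv6 path MTU discovery and of what dropping ICMPv6
"packet too big" at a border does to it.

Constructed example, not from the original article. Router and filter
classes are toy models; type numbers and the 1280 minimum are from the
ICMPv6/IPv6 specifications.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_PACKET_TOO_BIG = 2          # must be allowed through for PMTUD to work
ICMPV6_ECHO_REQUEST = 128          # a candidate for rate limiting
ICMPV6_ROUTER_ADVERTISEMENT = 134  # not needed on an outside interface
IPV6_MINIMUM_MTU = 1280            # every IPv6 link must carry at least this


@dataclass
class Router:
    name: str
    link_mtu: int  # MTU of this router's outgoing interface


@dataclass
class BorderFilter:
    """ICMPv6 types the border firewall drops on its outside interface."""
    blocked_types: set = field(default_factory=set)

    def passes(self, icmp_type: int) -> bool:
        return icmp_type not in self.blocked_types


@dataclass
class Result:
    delivered: bool
    final_mtu: Optional[int]
    attempts: int
    log: List[str]


def send_path(path: List[Router], size: int, border: BorderFilter) -> Optional[int]:
    """Forward one packet of `size` bytes along `path`.

    Returns None if it is delivered, the MTU reported in the "packet too big"
    message if that message reaches the source, or -1 if the border filter
    drops the message so the source learns nothing.
    """
    for router in path:
        if size > router.link_mtu:
            # The router generates ICMPv6 type 2 carrying its link MTU.
            if border.passes(ICMPV6_PACKET_TOO_BIG):
                return router.link_mtu
            return -1  # packet and feedback both vanish: a PMTUD black hole
    return None


def pmtud(path: List[Router], initial_size: int, border: BorderFilter,
          max_attempts: int = 10) -> Result:
    """Source behaviour: shrink to each reported MTU until a packet gets through."""
    size = initial_size
    log: List[str] = []
    for attempt in range(1, max_attempts + 1):
        outcome = send_path(path, size, border)
        if outcome is None:
            log.append(f"attempt {attempt}: {size} bytes delivered")
            return Result(True, size, attempt, log)
        if outcome == -1:
            # No feedback, so a real stack keeps retransmitting at the same size.
            log.append(f"attempt {attempt}: {size} bytes dropped, no ICMPv6 received")
            continue
        log.append(f"attempt {attempt}: {size} bytes too big, router reports MTU {outcome}")
        # Never go below the IPv6 minimum, whatever a router claims.
        size = max(outcome, IPV6_MINIMUM_MTU)
    return Result(False, None, max_attempts, log)


# Constructed path: a jumbo-frame first hop, then Ethernet, then a tunnel.
PATH = [Router("r1", 9000), Router("r2", 1500), Router("r3", 1400), Router("r4", 1500)]


def run_scenarios() -> dict:
    open_border = BorderFilter()
    block_all_icmpv6 = BorderFilter({ICMPV6_PACKET_TOO_BIG, ICMPV6_ECHO_REQUEST,
                                     ICMPV6_ROUTER_ADVERTISEMENT})
    # The article's advice: block only what is not needed, keep type 2.
    careful_border = BorderFilter({ICMPV6_ROUTER_ADVERTISEMENT})
    return {
        "working": pmtud(PATH, 9000, open_border),
        "blackhole": pmtud(PATH, 9000, block_all_icmpv6),
        "careful": pmtud(PATH, 9000, careful_border),
        # Sending at 1280 from the start succeeds even behind the bad filter.
        "min_mtu_workaround": pmtud(PATH, IPV6_MINIMUM_MTU, block_all_icmpv6),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"== {name}: delivered={result.delivered}, mtu={result.final_mtu}")
        for line in result.log:
            print("   ", line)
```

In the `blackhole` scenario every attempt is dropped and the sender never learns why, which is the failure the article describes; `careful` shows that blocking router advertisements alone leaves PMTUD intact, and `min_mtu_workaround` shows the 1280-byte fallback succeeding on the first attempt despite the broken filter.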

Karl is technical manager at IPv6Now, a company specialising in helping organisations get into and get the most out of IPv6.
