IPv6, An Enhanced Security Network Protocol
by Chuck Sellers
CISSP, Senior Product Engineer, Verio Network Services
Looking back, security precautions were not thought about in the development
of IPv4 and have continued to be a challenge for application developers
since then: IPsec was an afterthought, and Network Address Translation
(NAT) - which has been widely deployed to solve the address depletion
problem and for perceived security benefits - makes true end-to-end, secure
applications extremely difficult to deploy. The integration of secure
point-to-point networking is one area that today holds great promise for
the IPv6 "killer app," and is expected to help drive widespread
consumer adoption.
IPv6 solves the IPsec and NAT dilemmas. Since IPsec is designed into the
v6 protocol, the need for NAT is eliminated, opening up a new networking
paradigm currently not on the radar screen in the v4 world.
NAT was first defined in RFC 1918 to reduce the consumption of IPv4 address
space, a task that it fulfilled well. However, NAT was not designed to
provide security, and it does not. NAT functions more like pseudo-privacy,
hiding the number of nodes behind a NATed network, either behind a
firewall or a router that maps the private address to a publicly routable
address. NAT breaks end-to-end connectivity by introducing additional
hop(s) or node(s) (i.e. gateways) in the data path. NAT violates the IP
architecture, which states that every IP address uniquely identifies a computer/node.
These NAT gateways typically rewrite the IP headers to masquerade systems
on the internal network. If a NAT device (typically a firewall) breaks,
all connections are lost.
If one desires address privacy, in the sense that one doesn't want
the host, with a unique built-in MAC identifier, to be traced, then IPv6
Privacy Extensions for Stateless Address Autoconfiguration (RFC 3041)
can be used. This IPv6 address contains a random number in place of the
factory-assigned serial number used for the MAC. Not only is this address
a randomly generated number, it can also change over time. This works
well for clients who wish to maintain their privacy while using FTP or
HTTP. However, this is not a viable option for servers that need a
well-known, fixed address. This mechanism achieves the same address privacy
results as a NAT does in IPv4.
NAT is not needed in IPv6, but can be used if desired. In IPv6, NAT has a
different meaning than in IPv4: it refers to routing between an IPv6 network
and an IPv4 network. RFC 2765 and RFC 2766 describe address and protocol
translation techniques as another transition mechanism in addition to
dual stack and tunneling techniques. However, this translation mechanism
should not be used if dual stack or tunneling is available. While NAT
in IPv4 and the address privacy, protocol and port translation functions
in IPv6 are good, neither provides authentication or encryption services.
Though the Internet originated with DARPA, the academic community
developed the original protocol design. Security in IPv4 was not part
of the original specification but rather an add-on after the Internet
became more popular in the early 1990s. RFCs 2401-2411 define the Internet
security architecture in which the three basic security requirements [1]
of authenticity, confidentiality, and integrity are satisfied. Internet
Protocol Security (IPsec) and Internet Key Exchange (IKE) are support
protocols to IPv4. IKE provides a method to exchange cryptographic data
(common security policy, agreed upon algorithms for authentication and
encryption, and shared secret keys) in an authenticated, secure fashion,
in order to key and manage the Security Associations in IPsec. IKE and
IPsec have been designed into the IPv6 protocol as mandatory extension
headers, as defined in RFC 2460, Internet Protocol
Version 6 (IPv6) Specification. This allows IPv6 the option to "turn
on" the security features, whereas in IPv4 an IPsec transport or tunnel
would need to be constructed in order to transmit the data in a secure
fashion.
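
To make the extension-header point concrete, the following added example (not from the original article) walks the Next Header chain of an IPv6 packet and reports whether an Authentication Header (value 51) or ESP (value 50) is present, which is the check a traffic audit would use to tell protected flows from cleartext ones. The sample packets, addresses and function names are constructed for illustration.

```python
import struct

# IPv6 Next Header values for extension headers, including AH and ESP.
EXT_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
             50: "ESP", 51: "AH", 60: "Destination Options"}

def walk_headers(packet: bytes) -> list:
    """Follow the Next Header chain that starts in the fixed IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_NAMES:
        chain.append(EXT_NAMES[nxt])
        if nxt == 50:                        # ESP: the rest is encrypted
            return chain
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == 44:
            size = 8                         # Fragment header is fixed size
        elif nxt == 51:
            size = (packet[off + 1] + 2) * 4     # AH length is in 32-bit words
        else:
            size = (packet[off + 1] + 1) * 8     # others use 8-octet units
        nxt, off = packet[off], off + size
    chain.append(f"upper-layer protocol {nxt}")
    return chain

def uses_ipsec(packet: bytes) -> bool:
    """True when the header chain contains AH or ESP."""
    return any(h in ("AH", "ESP") for h in walk_headers(packet))

def sample(first_next: int, body: bytes) -> bytes:
    """Constructed test packet: fixed header with documentation addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_next, 64)
    return fixed + src + dst + body

TCP = bytes(20)                              # dummy TCP segment
AH = bytes([6, 4, 0, 0]) + bytes(20)         # 24-byte AH, next header = TCP
HOP = bytes([50, 0, 1, 4, 0, 0, 0, 0])       # Hop-by-Hop with PadN, next = ESP
ESP = bytes(8) + bytes(32)                   # SPI, sequence number, opaque data

if __name__ == "__main__":
    for name, pkt in [("cleartext", sample(6, TCP)),
                      ("AH", sample(51, AH + TCP)),
                      ("ESP", sample(0, HOP + ESP))]:
        print(name, walk_headers(pkt), uses_ipsec(pkt))
```
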
Regardless of which protocol (v4 or v6) is supported, the management of the
security credentials in a Public Key Infrastructure (PKI) framework is
a major issue to consider, especially if it is to scale. The corresponding
standards comprising components of PKI have been available for some time,
but there is no generally available comprehensive PKI. Both the Department
of Commerce (DoC) and the Office of the Secretary of Defense (OSD) have
indicated that the single issue of certificate revocation is the biggest
issue they face with PKI. Additionally, the issue of vendor interoperability
between various PKI components presents challenges.
m2m-x, or machine to machine, anything, anyplace, anytime connectivity,
undertakes the management of secure IPv6 connections between client devices
and the server. m2m-x enables secure peer-to-peer connectivity between
applications, hosts or mobile devices using IPv6. The connection management
server functions as a clearing house for peers desiring a secure connection.
The central management server completes its task of negotiating the Security
Association (SA) parameters after the connection is established between
the peers.
IPv6 by itself gives cable modem, DSL subscribers, and mobile devices
public address space so that true peer-to-peer connectivity can again
be realized. IPv6, coupled with the integrated security features of IPsec,
will allow the realization of secure end-to-end connectivity, allowing
multimedia and interactive-transaction oriented network applications to
grow and flourish in the IPv6 environment. These applications can then
deliver content to devices such as mobile phones, Personal Digital Assistants
(PDAs), and home appliances including refrigerators, coffee machines,
microwaves and other appliances. An MP3 player installed in an automobile
can communicate with the home theater system to synchronize movies and
music for road trips while parked at home. The future holds an unforeseeable
number of new applications and devices that can be networked in a secure
fashion.
[1] The Common Criteria is an international standard (ISO 15408) that
was developed by the United States, Canada, France, Germany, the United
Kingdom, and the Netherlands. The standard has been additionally recognized
by Australia, New Zealand, Italy, Spain, Norway, Finland, Greece, Sweden,
Austria, and Israel. In the US, the program is managed by the National
Information Assurance Partnership (NIAP), a joint activity of the National
Institute of Standards and Technology (NIST) and the National Security
Agency (NSA).
You can find out more about the Common Criteria at the NIST (National
Institute of Standards and Technology) web site:
http://niap.nist.gov/cc-scheme/index.html