IPv6 And Security: What You Probably Don’t Know

Mattias Geniar, April 06, 2010

For anyone claiming IPv6 is more secure than IPv4: take a deep breath, count to ten, and rethink your arguments. IPv6 has some real technological advantages over IPv4, but I wouldn’t go so far as to say it’s safer.

Scanning ~4 billion addresses (IPv4) vs ~3.4 × 10^38 addresses (IPv6)

This is probably the biggest advantage IPv6 has over IPv4: the sheer number of available addresses. A botnet can scan the entire IPv4 space (2^32, about 4.3 billion addresses) in a relatively short time. It will never exhaustively scan even a single IPv6 /64 subnet, let alone all assigned IPv6 ranges: 2^64 addresses at a million probes per second takes well over half a million years.

Of course, a targeted scan of a specific (smaller) range can still yield results, but it only ever covers a fragment of the address space. Attackers also don’t have to guess blindly: addresses leak through DNS, logs and neighbour caches, and hosts that build their address from their MAC address (SLAAC with EUI-64) shrink the search space from 2^64 to the 2^24 addresses a known vendor OUI allows. Still, I predict we’ll be seeing fewer computer infections in the first 20 minutes of being online.
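To put numbers on this, here is a small added example (my own illustration, not code from the original post) that works out scan times and shows why an “unscannable” /64 shrinks dramatically when hosts use SLAAC addresses derived from their MAC. The modified EUI-64 construction follows RFC 4291; the probe rate, prefix and MAC address are constructed values.

```python
import ipaddress

# Address-space sizes (exact). The probe rate below is a constructed assumption.
IPV4_TOTAL = 2 ** 32        # every IPv4 address, reserved ranges included
IPV6_SUBNET_64 = 2 ** 64    # one IPv6 /64, the standard LAN subnet size
IPV6_TOTAL = 2 ** 128


def scan_seconds(address_count: int, probes_per_second: int) -> float:
    """Wall-clock time to send one probe to every address at a fixed rate."""
    return address_count / probes_per_second


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier that SLAAC derives from a 48-bit MAC.

    The MAC is split in two, 0xfffe is inserted in the middle, and the
    universal/local bit (bit 7 of the first octet) is flipped (RFC 4291, App. A).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a host with this MAC will configure in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac))


def eui64_search_space(oui_known: bool) -> int:
    """Addresses an attacker must try in one /64 if hosts use EUI-64 identifiers.

    With the vendor OUI known (printers, NAS boxes, IP phones tend to share
    one), only the 24-bit device-specific part of the MAC is left to guess.
    """
    return 2 ** 24 if oui_known else 2 ** 48


if __name__ == "__main__":
    rate = 1_000_000  # constructed: one million probes per second
    year = 3600 * 24 * 365
    print(f"IPv4, all addresses:          {scan_seconds(IPV4_TOTAL, rate) / 3600:.1f} hours")
    print(f"IPv6, one /64:                {scan_seconds(IPV6_SUBNET_64, rate) / year:.3e} years")
    print(f"IPv6, EUI-64 with known OUI:  {scan_seconds(eui64_search_space(True), rate):.0f} seconds")
    # Constructed prefix (documentation range) and MAC, not a real host.
    print("SLAAC address:", slaac_address("2001:db8:1:2::/64", "00:1c:42:ab:cd:ef"))
```

The caveat this illustrates works both ways: the /64 is unscannable only as long as addresses look random. Privacy extensions (RFC 4941) replace the EUI-64 identifier with a random one and defeat the OUI shortcut; hand-assigned server addresses such as ::1, ::53 or ::80 are even easier to guess than EUI-64 ones.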

IPSec built into IPv6

For IPv4, IPSec was bolted on afterwards as a separate set of protocols at the IP layer, authenticating and encrypting individual IP packets (as opposed to protecting specific TCP streams with SSL). Because it works at the IP layer it protects whatever the packet carries, TCP and UDP alike, without the application having to know about it. IPv6 was designed with IPSec in mind: the Authentication Header (AH) and Encapsulating Security Payload (ESP) are regular IPv6 extension headers, and the IPv6 node requirements (RFC 4294) made IPSec support mandatory for every IPv6 implementation.

However, having the ability to use IPSec does not mean it will be used. It needs key management (IKE), a trust relationship between the two peers and matching security policies on both ends; none of that comes for free just because the stack understands the headers. But having IPSec available on every IPv6 host could mean broader adoption of the technology.
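As an added illustration (not part of the original post), the parser below walks an IPv6 packet’s header chain and reports whether it carries AH or ESP, the IPSec extension headers. It also shows why an IPv6 filter has to walk that chain: the transport header is not at a fixed offset, and behind ESP there is only ciphertext. The sample packets are constructed in the code using the 2001:db8::/32 documentation prefix; header layouts follow RFC 2460 (IPv6), RFC 4302 (AH) and RFC 4303 (ESP).

```python
import struct

# IANA protocol numbers as they appear in the IPv6 Next Header field.
HOPOPT, TCP, UDP, IPV6_ROUTE, IPV6_FRAG, ESP, AH, ICMPV6, NO_NEXT, IPV6_OPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
# Extension headers whose length field lets us find the next header.
# ESP is deliberately absent: everything after its SPI/sequence is ciphertext.
WALKABLE = {HOPOPT, IPV6_ROUTE, IPV6_FRAG, AH, IPV6_OPTS}


def header_chain(packet: bytes) -> list[int]:
    """Next Header values of an IPv6 packet, in order, ending at the first header a
    filter cannot see past: ESP, a transport header, or No Next Header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, next_hdr, offset = [], packet[6], 40
    while True:
        chain.append(next_hdr)
        if next_hdr not in WALKABLE:
            return chain
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following = packet[offset]
        if next_hdr == IPV6_FRAG:
            length = 8                              # fixed 8 octets (RFC 2460 4.5)
        elif next_hdr == AH:
            length = (packet[offset + 1] + 2) * 4   # 4-octet units, minus 2 (RFC 4302)
        else:
            length = (packet[offset + 1] + 1) * 8   # 8-octet units, first 8 not counted
        offset += length
        if offset > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        next_hdr = following


def uses_ipsec(packet: bytes) -> bool:
    """True if AH or ESP appears anywhere in the visible header chain."""
    return bool({AH, ESP} & set(header_chain(packet)))


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Wrap payload in a base header (constructed documentation-range addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    base = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return base + src + dst + payload


# Constructed sample packets, not real captures.
UDP_PACKET = ipv6_packet(UDP, struct.pack("!HHHH", 53, 5353, 8, 0))
# ESP directly after the base header: SPI, sequence number, then ciphertext.
ESP_PACKET = ipv6_packet(ESP, struct.pack("!II", 0x1000, 1) + bytes(32))
# AH in front of TCP: next=6, payload len=4 -> (4+2)*4 = 24 octets incl. 12-byte ICV.
AH_HEADER = struct.pack("!BBHII", TCP, 4, 0, 0x2000, 1) + bytes(12)
AH_TCP_PACKET = ipv6_packet(AH, AH_HEADER + struct.pack("!HH", 4444, 22) + bytes(16))
# Hop-by-hop options (8 octets: next=ESP, len=0, one PadN option) followed by ESP.
HBH_HEADER = struct.pack("!BB", ESP, 0) + b"\x01\x04" + bytes(4)
HBH_ESP_PACKET = ipv6_packet(HOPOPT, HBH_HEADER + struct.pack("!II", 0x3000, 1) + bytes(32))

if __name__ == "__main__":
    samples = [("udp", UDP_PACKET), ("esp", ESP_PACKET),
               ("ah+tcp", AH_TCP_PACKET), ("hbh+esp", HBH_ESP_PACKET)]
    for name, pkt in samples:
        state = "IPsec" if uses_ipsec(pkt) else "cleartext"
        print(f"{name:8} chain={header_chain(pkt)} {state}")
```

Note what the ESP case means for the “firewall” argument later on: once a packet is ESP-protected, a filter sitting between the peers can see the SPI and nothing else, so port-based policy has to be enforced on the endpoint that holds the keys. In IPv4 the same AH and ESP protocols are carried with protocol numbers 51 and 50 in the IPv4 header, which is why the UDP-versus-TCP distinction does not separate the two versions.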

NAT won’t save you this time

Most home networks are relatively safe because they sit behind a single router that NATs all traffic between the LAN and the internet. Your computer can’t be reached directly from the outside (unless UPnP or a port forward opens a hole); only the router can. This can be circumvented, but it is a layer of “security”. Strictly speaking, the protection comes not from rewriting addresses but from the stateful connection tracking that NAT needs anyway: an unsolicited inbound packet has no mapping to be translated to and is dropped.

NAT was introduced to slow down the exhaustion of IPv4 addresses, so it was meant to be unnecessary in IPv6. Giving every host a globally routable address has more advantages than disadvantages, and IPv6 strives towards exactly that: your LAN will probably contain hosts (computers, routers, NASes, printers, …) that all have public IPv6 addresses.

So your private LAN no longer forms a barrier by itself. Unless your router runs a stateful IPv6 firewall that drops unsolicited inbound connections the way NAT implicitly did, direct access to your hosts is possible. Which brings us to the next point.

Firewalling IPv4 traffic doesn’t automatically mean firewalling IPv6 traffic

This is very important to understand. A firewall configured with IPv4 policies will probably not filter IPv6 traffic at all (some products handle both families in one rule set, many don’t). On Linux, iptables and ip6tables are two separate tables with separate rules, so a locked-down iptables configuration leaves ip6tables at its default policy of ACCEPT. Traffic targeted at your IPv6 address will most likely not be stopped by your IPv4 firewall.

Add to this that as soon as you bring up a NIC (Network Interface Card) and attach a cable, the host assigns itself a link-local IPv6 address (fe80::/10) without any configuration, and if a router on the segment sends Router Advertisements it will pick up a globally routable address as well. So whenever you install a new host and hook it up to your network, it is reachable over IPv6: at least from the local link, and possibly from the whole internet. Run ip -6 addr (or ifconfig) on a freshly installed box and compare the output of iptables-save and ip6tables-save before assuming otherwise.
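As a concrete check for the two sections above (an added example, not the original post’s code), the script below compares iptables-save and ip6tables-save output and reports where the two rule sets diverge, then drafts a mirrored ip6tables INPUT chain. The two dumps embedded in it are constructed, not captured from a real host. The mirroring helper is deliberately simple: it skips any rule containing an IPv4 literal (those need a hand-written IPv6 equivalent) and rewrites -p icmp to -p ipv6-icmp, because Neighbor Discovery rides on ICMPv6 and must not be dropped.

```python
import re

# Constructed sample dumps (not from a real host, not from the original post):
# iptables-save shows a locked-down IPv4 INPUT chain, ip6tables-save shows the
# untouched default rule set a freshly installed Linux box ships with.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")


def parse_filter_table(save_text):
    """Return ({chain: policy}, [rule lines]) from the *filter section of a save dump."""
    policies, rules, in_filter = {}, [], False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def accepted_ports(rules):
    """(proto, port) pairs INPUT accepts from any source; source-restricted rules are ignored."""
    found = set()
    for rule in rules:
        if " -s " in rule:
            continue
        m = re.search(r"^-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$", rule)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def audit_dual_stack(v4_save, v6_save):
    """Findings to read before trusting 'the firewall is on' on a dual-stack host."""
    v4_pol, v4_rules = parse_filter_table(v4_save)
    v6_pol, v6_rules = parse_filter_table(v6_save)
    v4_in, v6_in = v4_pol.get("INPUT", "ACCEPT"), v6_pol.get("INPUT", "ACCEPT")
    findings = []
    if v4_in == "DROP" and v6_in == "ACCEPT":
        findings.append("IPv6 INPUT policy is ACCEPT while IPv4 INPUT is DROP: "
                        "every listening service is reachable over IPv6")
    if not v6_rules:
        findings.append("ip6tables filter table contains no rules at all")
    icmp6_ok = any("-p ipv6-icmp" in r and "-j ACCEPT" in r for r in v6_rules)
    if v6_in == "DROP" and not icmp6_ok:
        findings.append("IPv6 INPUT drops ICMPv6: Neighbor Discovery (types 133-137) "
                        "and path MTU discovery will break")
    if v6_in == "DROP":  # only meaningful once IPv6 actually has a default deny
        for proto, port in sorted(accepted_ports(v4_rules) - accepted_ports(v6_rules)):
            findings.append(f"{proto}/{port} is open over IPv4 but has no IPv6 rule")
    return findings


def mirror_to_ip6tables(v4_rules):
    """Draft ip6tables INPUT rules from IPv4 ones: drop rules with IPv4 literals,
    rename icmp to ipv6-icmp, and make sure ICMPv6 is accepted for Neighbor Discovery."""
    mirrored = [re.sub(r"-p icmp\b", "-p ipv6-icmp", r)
                for r in v4_rules if not IPV4_LITERAL.search(r)]
    if not any("-p ipv6-icmp" in r for r in mirrored):
        mirrored.insert(0, "-A INPUT -p ipv6-icmp -j ACCEPT")
    return mirrored


if __name__ == "__main__":
    for finding in audit_dual_stack(IPTABLES_SAVE, IP6TABLES_SAVE):
        print("FINDING:", finding)
    print("\nDraft ip6tables INPUT rules (review, then load with ip6tables-restore):")
    for rule in mirror_to_ip6tables(parse_filter_table(IPTABLES_SAVE)[1]):
        print(rule)
```

Run it against the real output of iptables-save and ip6tables-save on your own hosts. The two things it flags most often in practice are exactly the points above: an IPv6 policy that was never set, and, once someone does set it to DROP, an ICMPv6 block that takes Neighbor Discovery down with it, so hosts on the same link can no longer even resolve each other’s MAC addresses.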
