China's IPv6 scale deployment action plan aims to accelerate the deployment of the next-generation Internet and to integrate it deeply into every area of the economy and society. It also strengthens IPSec secure-transmission capability and overall network security. IPv6 will become the dominant force in next-generation networks.
Thanks to its huge address space, IPv6 has a natural advantage in responding to some security attacks. It improves network security in terms of traceability, resistance to hacker sniffing, the Neighbor Discovery Protocol, the Secure Neighbor Discovery protocol, and end-to-end IPSec secure transmission capability.
In response to the "Promoting Internet Protocol Version 6 (IPv6) Scale Deployment Action Plan", Huawei Security has given a detailed interpretation of network security protection under IPv6 scale deployment. The previous issue covered the impact on the IPv6 industry; this issue focuses on IPv6 security technology.
Traceability
IPv6's huge address space allows a unique network address to be allocated to every network device. Unlike an IPv4 network, it does not need NAT to work around address shortage, which makes tracing traffic back to its source easier and improves security.
Anti-hacker sniffing ability
Sniffer scanning, which hackers often use in IPv4 networks, becomes much harder in IPv6 networks because of the size of the IPv6 address space.
NDP & SEND
In IPv6, the functions of ARP are taken over by the Neighbor Discovery Protocol (NDP). NDP discovers the other nodes on the link, learns their addresses and finds available routes. Compared with ARP, NDP is implemented only at the link layer and is more independent of the transmission medium. Because plain NDP messages are not authenticated (a spoofed neighbor advertisement is the IPv6 counterpart of ARP spoofing), the Secure Neighbor Discovery (SEND) protocol of the next-generation Internet guarantees the security of transmission through a separate encryption method independent of IPSec.
End-to-end IPSec secure transmission capability
IPSec provides data-origin authentication, integrity and confidentiality for every node in an IPv6 network, enabling end-to-end secure encryption.
Seven questions and seven answers about IPv6 security technology
Q1 What is the difference between the new security features of IPv6 and IPv4?
In terms of IPv6 network security, because only the IP header and the addressing scheme have changed, plus the addition of a built-in end-to-end security mechanism, IPv6 does not greatly improve on the current security risks compared with IPv4.
Q2 For security reasons, IPv4 networks use NAT technology to hide intranet IP addresses. Do IPv6 networks also need similar technology to improve security?
The IPv6 Network Prefix Translation (NPT) protocol (RFC 6296) can provide a function similar to IPv4 NAT: it maps IPv6 addresses 1:1 between an internal and an external prefix, achieving the effect of hiding internal IPv6 addresses.
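As an added example (not code from the article or from Huawei), here is the stateless, checksum-neutral 1:1 mapping that RFC 6296 specifies for /48 prefixes, in Python with constructed sample prefixes (a ULA inside, the 2001:db8::/32 documentation range outside): the /48 prefix is swapped and the subnet word is adjusted so that the one's complement sum of the address is unchanged, which is why TCP/UDP checksums need no rewrite. Note that the interface identifier passes through untouched, so what NPT hides is the prefix, not the host part of the address.

```python
import ipaddress
from typing import List

def ones_complement_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry (IP checksum arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def words(addr: ipaddress.IPv6Address) -> List[int]:
    """The eight 16-bit words of a 128-bit address, most significant first."""
    raw = int(addr)
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_sum(ws: List[int]) -> int:
    total = 0
    for w in ws:
        total = ones_complement_add(total, w)
    return total

def address_sum(addr: str) -> int:
    """One's complement sum of the whole address; NPTv6 keeps it unchanged ('checksum-neutral')."""
    return ones_sum(words(ipaddress.IPv6Address(addr)))

class NPTv6:
    # Stateless 1:1 translator between an inside and an outside /48, following RFC 6296.
    def __init__(self, inside: str, outside: str) -> None:
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example implements the /48 case only")
        # adjustment = inside prefix sum - outside prefix sum (one's complement), computed once
        inside_sum = ones_sum(words(self.inside.network_address)[:3])
        outside_sum = ones_sum(words(self.outside.network_address)[:3])
        self.adjustment = ones_complement_add(inside_sum, (~outside_sum) & 0xFFFF)

    def _rewrite(self, addr: str, src, dst, delta: int) -> ipaddress.IPv6Address:
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not within {src}")
        w = words(a)
        w[0:3] = words(dst.network_address)[:3]    # swap the /48 prefix
        subnet = ones_complement_add(w[3], delta)   # word 3 (bits 48..63) absorbs the difference
        w[3] = 0 if subnet == 0xFFFF else subnet    # 0xFFFF and 0x0000 are both zero in one's complement
        return ipaddress.IPv6Address(int.from_bytes(b"".join(x.to_bytes(2, "big") for x in w), "big"))

    def to_outside(self, addr: str) -> ipaddress.IPv6Address:
        return self._rewrite(addr, self.inside, self.outside, self.adjustment)

    def to_inside(self, addr: str) -> ipaddress.IPv6Address:
        # subtracting the adjustment is the same as adding its one's complement
        return self._rewrite(addr, self.outside, self.inside, (~self.adjustment) & 0xFFFF)
```

With inside fd01:203:405::/48 and outside 2001:db8:1::/48, the host fd01:203:405:1::1234 appears externally as 2001:db8:1:d550::1234, and both addresses sum to the same 16-bit value.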
Q3 What impact does IPv6 have on application-layer attacks and on the defense methods used in IPv6 networks?
Application-layer defense functions generally include protocol identification, IPS, anti-virus and URL filtering. They mainly inspect the application-layer payload of packets and are hardly affected by whether the network-layer protocol is IPv4 or IPv6. Therefore, most application-layer security capabilities built up under the traditional IPv4 protocol are unaffected in IPv6 networks.
However, a small number of protocols used in IPv4 networks need to change under IPv6. For example, if the DNS protocol is upgraded to DNSv6, the corresponding application-layer security detection needs to be adjusted to the protocol changes.
Q4 IPv6 adds IPSec's end-to-end encryption capability in the extension headers. If an application enables this feature, how should network security devices detect and defend against the encrypted traffic?
In general, network security devices cannot decrypt IPSec-encrypted traffic and can only control it based on IP addresses. Moreover, as things currently stand, this "embedded" IPSec needs key distribution technology, which is generally immature and carries a high management cost. In addition, because a network security device normally cannot decrypt IPSec traffic, firewalls and other network security devices cannot inspect IPSec traffic at the network and application layers, so in a sense the security of the system cannot be fully guaranteed. For general enterprise applications, considering both management cost and security, it is recommended to let the firewall perform IPSec VPN encryption and decryption and to carry out security checks such as IPS and stateful firewalling at the gateway; end-to-end encryption can then be deployed once the technology matures.
Q5 Is the SSL proxy function affected under the IPv6 protocol?
The SSL proxy does not depend on the specific network-layer protocol and can still decrypt IPv6 SSL-encrypted traffic.
Q6 For IPv6 networks, how is security policy management implemented through firewalls, and what is the difference between IPv6 security policies and IPv4 security policies?
Security policy management for IPv6 is the same as for IPv4: ACL-based five-tuple rules are still configured one by one. Because IPv6 addresses are longer, policy configuration is more complicated.
Q7 After the IPv4/IPv6 dual-stack function is enabled on an existing security device, how are IPv4 services affected in terms of function and performance?
Enabling IPv4/IPv6 dual stack generally does not affect the functions of the security device; it mainly affects the device's performance. The IPv6 protocol stack occupies CPU and memory resources that the IPv4 service would otherwise use, so the existing IPv4 service sees a decline, to varying degrees, in session-table capacity, session rate and throughput. It is recommended to evaluate the processing capability of existing security devices before upgrading to or enabling IPv4/IPv6 dual stack. If necessary, replace existing security devices so that existing IPv4 services are not affected.