Issues related to IPv6 transition security include transition strategies, tunneling approaches, and considerations on the potential abuse of transition mechanisms. There are indications that attackers have been exploiting IPv6 for a number of years; therefore, it is important for network administrators to be aware of these issues. The transition mechanisms generally include: (1) IPv6 over IPv4 tunneling approaches. Encapsulating IPv6 packets within IPv4 headers to carry them over IPv4 routing infrastructures. Two types of tunneling are employed: configured and automatic. (2) Dual IP layer approaches. Providing complete support for both IPv4 and IPv6 in hosts and routers.
TopIpv6 Addressing Security
As we have seen, IPv6 enjoys a very large address space with a /64 usually being the smallest block for a Local Area Network (LAN). This large address space can be beneficial from a security perspective because detailed address and port scanning a subnet can be a lot more difficult and time consuming.
As noted, the IPv6 address has two parts: a subnet prefix representing the network to which the interface is connected, and a local identifier. IPv6 stateless address autocofiguration facilitates IP address management, but raises some concerns since the Ethernet address is encoded in the low-order 64 bits of the IPv6 address. This could potentially be used to track a host as it moves around the network, using different Internet Service Providers (ISPs), and so forth. IPv6 supports temporary addresses that allow applications to control whether they need long-lived IPv6 addresses or desire the improved privacy of using temporary addresses (RFC4218, 2005).
Autoconfiguration operates as follows at a high level: For an Ethernet device, the local identifier is usually derived from the EUI-48 Media Access Control (MAC) (the EUI-64 standard allows one to stretch IEEE 802 addresses from 48 to 64 bits by inserting the 16 bits 0xFFFE at the 24th bit of the IEEE 802.) To automatically create a link-local address, the system prepends the well-known prefix FE80::/64 to the identifier just described—the subnet prefix is a fixed 64-bit length for all current definitions. During the initialization phase of IPv6 NICs, this process allows the system to build automatically a link-local address. This address is associated with the interface and tagged “tentative.” After uniqueness verification, this system can communicate with other IPv6 hosts on that link without any other manual operation (Donze, 2004). Obviously, in order to exchange information over the Internet, it is necessary to obtain a global prefix.
Usually the identifier built during the first step of the automatic link-local autoconfiguration process is appended to this global prefix. Generally, global prefixes are made available by ISPs. The EUI-48-to-EUI-64 transform is simple to implement; however, as stated above, it gives rise to a security concern. Because a MAC address follows the interface it is attached to, the identifier of an IPv6 address does not change with the physical location of the Internet connection. Hence, it is possible to trace the movements of a laptop or other mobile IPv6 device. This can be mitigated given that RFC 3041 allows the generation of a random identifier with a limited lifetime. Considering the fact that the IPv6 architecture permits multiple suffixes per interface, a single network interface is assigned two global addresses, one derived from the MAC address and one from a random identifier. A typical policy for use of these two addresses