The US National Institute of Standards and Technology (NIST) has recently published the “Guidelines for the secure deployment of IPv6” written by Sheila Frankel, Richard Graveman and John Pearce, security experts and authorities on this topic. The document can be viewed here: http://csrc.nist.gov/
IPsec was designed at the beginning for IPv6 to benefit from the e2e restoration. However, IPsec was adapted to IPv4 and was quite successfully deployed where NAT was not in the middle. IPv6 requires changing of firewall policies, i.e. multicast and ICMP traffic should not be blocked by default. Moreover, several operating systems enable IPv6 by default but users/administrators may not be aware of this, leaving temporarily room for IPv6 attacks. This requires training of network administrators now in order to get appropriate protection in place.
” The IPv6 deployment should be undertaken with upfront security consideration. Some 40 IPsec implementations have passed the IPv6 Ready Logo program. This program wishes to scale up understanding and use of IPsec in all network security scenarios with greater security benefits" states Latif Ladid, President of the IPv6 Forum, Senior Researcher at University of Luxembourg Security & trust (SnT) center, Emeritus Trustee Internet Society.
“IPv6 will facilitate and accelerate the deployment of e2e services (i.e. e-government services), requiring user-friendly security mechanisms (i.e. user authentication via certificates)
“IPsec is a fundamental core building block of the communication puzzle. IPsec with IPv4 has been difficult to deploy due, in part, to the lack of globally routable IPv4 addresses and the wide use of NATs. IPsec is a mandatory part of an IPv6 implementation. This Logo recognizes implementations that have implemented IPsec. It will allow the industry to further secure its communication and infrastructure components.”
‘’IPsec is a key feature that will be critical for securing the IPv6 network, particularly as the number of active devices and applications increase exponentially. The IPv6 Ready Logo program for IPsec will follow the other successful IPv6 Forum Ready Logo programs in ensuring that these critical features conform to the standards and interoperate in heterogeneous networks” states Erica Johnson, IPv6 Ready Logo Regional Officer, IPv6 Forum Fellow
“IPsec works far better on IPv6 than on IPv4, due to the absence of NAT on IPv6 connections. IPsec is simply incompatible with the NAT found everywhere on the First Internet. NAT traversal can be used, but it complicates the implementation and adds new security issues. VPNs and secure remote access will work better than ever on the Second Internet. The final piece of the IPsec puzzle is to use IKEv2 with IPsec Digital Certificates to automate the mutual authentication process. IPv6 Ready certification of IPsec and IKEv2 will insure that these technologies work as designed.” Lawrence Hughes, IPv6 Ready Logo Regional Officer and Author of “The Second Interne
"The ubiquitous computing environment is now accelerated by the trend of smart grids. In such a society, security is the most important element. It is nice to highlight IPsec, which is the key component for real ubiquitous computing." states Hiroshi Miyata, IPv6 Ready Logo Regional Officer, IPv6 Forum Fellow.
The summary of the European Commission white paper on the IPv6 security study can be downloaded here: http://ec.europa.eu/
To test and obtain the IPv6 IPsec Ready Logo, please apply by filling out the application form on: http://www.ipv6ready.org/?
# # #
The IPv6 Forum is a world-wide consortium of leading vendors, Internet service vendors, National research & Education Networks (NRENs) and international ISPs, with a clear mission to promote IPv6 by improving market and user awareness, creating a quality and secure New Generation Internet and allowing world-wide equitable access to knowledge and technology. The key focus of the IPv6 Forum today is to provide technical guidance for the deployment and interoperability thru its IPv6 Ready & Enabled Logo Programs : http://www.ipv6ready.org http://www.ipv6forum.com