IPv6 promotes phased reform of security, and security vendors will face new security challenges

Publisher: 采菊东篱下 | Latest update time: 2019-05-06 | Keywords: IPv6

Why we need to understand IPv6

Generally speaking, when we mention IPv6, we just mean that the IPv6 address space is huge, allowing every grain of sand on the earth to have an IP address, and IPv6 is more secure! But today, I want to talk about the consequences of not using IPv6 and the necessity of learning about IPv6 in a timely manner.

Unstoppable: All major operators are already rolling out IPv6, including mobile phones and home broadband. For example, the 4G mobile phone in Fuzhou, where I live, has obtained an IPv6 address.

Sit back and wait for death: When the IPv6 usage rate reaches a certain percentage, I believe that existing websites and newly registered websites will be forced to use IPv6. If they are not configured, existing websites will cease operations and their registration applications will not be approved. Even by then, mobile phones and home broadband will only get IPv6 addresses and will not be able to get IPv4 addresses. Finally, IPv4 will be abolished from the Chinese Internet.

From these two points it follows that anyone running a server (such as a web service provider) needs to use IPv6; otherwise the service will not only fail to operate, but users will also be unable to reach it.


Question 1: Does the intranet need IPv6?

Home network, such as mobile phones and computers connected to wifi

Intranet, such as the computers at each workstation in the office

Data center intranet, such as servers in the computer room and public cloud hosts

Do these intranet environments also need to configure IPv6 addresses?

As long as you want to access the IPv6 Internet, you must configure an IPv6 address on the terminal. The reason is the "IPv6 priority principle". More and more programs, including many mainstream modules and frameworks of the major programming languages, query AAAA records (the counterpart of IPv4's A records) first when resolving a domain name through DNS. If the domain name offers IPv6 access, an AAAA record will be returned, and the program will then try IPv6 first (even if the local machine has no IPv6 address configured, or does not have IPv6 enabled at all). If the IPv6 network is not reachable, the access simply fails. Even where a module or framework retries over IPv4 after the failure, the failed attempt has already added a lot of delay.
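The AAAA-first behaviour described above, as an added Python example that is not part of the original article: it tries a name's addresses IPv6 first and records what each attempt cost before falling back to IPv4. The function names, the loopback listener and the constructed record list are assumptions made so the example runs offline.

```python
import socket
import time

FAMILY = {"AAAA": socket.AF_INET6, "A": socket.AF_INET}

def ipv6_first(records):
    """Order (record_type, address) answers so AAAA targets are tried before A."""
    return sorted(records, key=lambda rec: 0 if rec[0] == "AAAA" else 1)

def connect_in_order(records, port, timeout=1.0):
    """Try each address in turn; return (address that connected or None, log)."""
    log = []
    for rtype, address in ipv6_first(records):
        started = time.monotonic()
        try:
            with socket.socket(FAMILY[rtype], socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect((address, port))
            outcome = "connected"
        except OSError as exc:
            # No IPv6 stack, no route, refused, or timed out: all land here.
            outcome = "failed: " + type(exc).__name__
        log.append((address, outcome, round(time.monotonic() - started, 3)))
        if outcome == "connected":
            return address, log
    return None, log

def demo():
    """Constructed setup: the service listens on IPv4 loopback only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind(("127.0.0.1", 0))          # port 0 = any free port
        server.listen(1)
        port = server.getsockname()[1]
        # Constructed answers, as if the name had both an A and an AAAA record.
        records = [("A", "127.0.0.1"), ("AAAA", "::1")]
        return connect_in_order(records, port)

if __name__ == "__main__":
    winner, attempts = demo()
    for address, outcome, seconds in attempts:
        print(f"{address:<10} {outcome:<32} {seconds}s")
    print("served by", winner)
```

On loopback the IPv6 attempt is refused at once; on a path that silently drops IPv6 packets, each failed attempt costs the full timeout, which is the delay the paragraph above refers to.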

Question 2: IPv6 addresses are too complicated to remember

It seems that you can memorize IPv4 addresses. In fact, IPv6 addresses are just longer and displayed in hexadecimal instead of decimal. The specific calculation method is the same. And with DNS, there is no need to memorize IP addresses. Even if it is an IPv6 address for the intranet, it can be automatically generated through DHCPv6 or the router sending RA packets.

Question 3: Each server has an IPv6 address, which will expose the entire intranet and is unsafe

It is right to worry, but the solutions are the same as those for IPv4. There are two options:

You can configure "IPv6 private network address" on the intranet server so that it cannot be accessed from the public network. In IPv6, the private network address is fd00::/8, which is equivalent to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 in IPv4. Then configure NAT on the gateway;

Still use the "IPv6 public network address" (that is, the global unicast address), but configure the "stateful firewall" on the gateway.

Regardless of which solution is used, the ultimate goal is to achieve "outgoing but not incoming", that is, the server can actively access the IPv6 public network, but the public network cannot actively access it, thus ensuring the security of the intranet.
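The "outgoing but not incoming" rule of the stateful-firewall option, as an added Python example that is not part of the original article: a toy connection tracker that records outbound flows and admits inbound packets only when they reverse a recorded flow. The class name, verdict strings, 60-second idle timeout and the 2001:db8::/32 documentation addresses are assumptions made for illustration.

```python
import ipaddress

class StatefulGateway:
    """Toy connection tracker: outbound opens state, inbound must match it."""

    def __init__(self, inside_prefix, idle_timeout=60):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout   # seconds a flow may stay silent
        self.flows = {}                    # flow key -> time last seen

    def handle(self, now, src, sport, dst, dport):
        """Return the verdict for one packet seen at time `now` (seconds)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Forget flows that have been idle for too long.
        self.flows = {key: seen for key, seen in self.flows.items()
                      if now - seen <= self.idle_timeout}
        if src in self.inside and dst not in self.inside:
            # Outgoing: allowed, and remembered so that replies can return.
            self.flows[(src, sport, dst, dport)] = now
            return "accept-outbound"
        if dst in self.inside and src not in self.inside:
            key = (dst, dport, src, sport)  # the reverse of an outbound flow
            if key in self.flows:
                self.flows[key] = now
                return "accept-reply"
            return "drop-unsolicited"
        return "not-crossing-gateway"

# Constructed packets: (time, source, source port, destination, destination port).
SAMPLE = [
    (0, "2001:db8:ffff::5", 40000, "2001:db8:1::10", 22),    # probe from outside
    (1, "2001:db8:1::10", 51000, "2001:db8:ffff::5", 443),   # server calls out
    (2, "2001:db8:ffff::5", 443, "2001:db8:1::10", 51000),   # reply to that call
    (3, "2001:db8:ffff::5", 443, "2001:db8:1::10", 22),      # same peer, other port
    (120, "2001:db8:ffff::5", 443, "2001:db8:1::10", 51000), # flow has expired
]

def run(packets, inside_prefix="2001:db8:1::/64"):
    gateway = StatefulGateway(inside_prefix)
    return [gateway.handle(*packet) for packet in packets]

if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE, run(SAMPLE)):
        print(packet, "->", verdict)
```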

IPv6 Basics

There are already many great tutorials on IPv6 on the Internet. I am not sure I can write a better one. Therefore, the "IPv6 Series" will focus on some concepts, solutions, pitfalls that many people don't notice, working principles, etc.

IPv6 address length

• IPv4: 32 bits

• IPv6: 128 bits

You can remember it this way: IPv6 has twice as many segments as IPv4, and each segment is twice as long, so IPv6 is 2×2=4 times longer than IPv4.

IPv6 address components

• IPv4: network number + host number / subnet mask, such as 192.168.1.2/24

• IPv6: prefix ID + interface ID / prefix length, such as 2001:0000:0000:0000:0011:0000:0000:0010/64

Address abbreviation

• IPv4: Not supported

• IPv6: zeros can be compressed

Note: Leading zeros can be dropped within each segment, in as many segments as needed; for example, the address above becomes 2001:0:0:0:11:0:0:10/64. A run of consecutive all-zero segments can also be compressed to "::", but only once per address. For example, the address above can be further compressed to 2001::11:0:0:10/64 or 2001:0:0:0:11::10/64; the former is the usual form.

Testing method

Find a Linux server, such as a CentOS 7 system, run ip addr add ${IPv6 address} dev eth0, and then run ip addr show dev eth0 to see how the address is compressed.

In addition to unicast and multicast, IPv6 adds a new address type compared to IPv4: anycast. Anycast addresses belong to the unicast category and cannot be identified from the address alone.

Terminology

Node: Any device running IPv6

Router: A node that forwards IPv6 packets that are not sent to itself

Host: A node that is not a router

Interface: The physical or logical connection between nodes and links.

Link: A collection of network interfaces separated by routers

Neighbors: nodes on the same link

Link MTU: The maximum unit that a link can transmit, that is, the maximum number of bytes in an IPv6 message

Path MTU: The maximum number of IPv6 packet bytes that can be transmitted between the IPv6 source and destination. It is usually the minimum link MTU of all links in the path.

IPv6 address generation

• IPv4: Manually specified, DHCP allocated

• IPv6: Manually specified, DHCP assigned, automatically generated

In IPv6, the mainstream approach is to generate the address automatically rather than specify it manually or allocate it through DHCP. A server, of course, still needs a manually specified address, but the much larger population of clients basically uses automatic generation. This automatic generation is called "stateless". In contrast, a fixed IP obtained through DHCP is called "stateful" (DHCP also supports a "stateless" mode, which is not explained in detail here).

In addition to the special addresses specified by the protocol, other self-assigned addresses can be automatically generated within a specific range, including link-local, global unicast, and unique local. Global unicast and unique local are automatically generated after receiving the RA packet sent by the router. Whether it is global unicast or unique local is determined by the prefix in the RA packet content.
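How the prefix decides the kind of address a host generates, as an added Python example that is not part of the original article. It assumes the modified EUI-64 interface identifier of RFC 4291, which the article does not name, and uses a constructed MAC address and constructed RA prefixes; the function names are hypothetical.

```python
import ipaddress

SCOPES = [                                  # checked in this order
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique local", ipaddress.IPv6Network("fd00::/8")),  # range named in the article
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]

def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")

def autoconfigure(prefix, mac):
    """Combine a /64 prefix with the interface identifier derived from the MAC."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses a /64 prefix")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))

def scope(address):
    """Name the address type from its leading bits, i.e. from the prefix."""
    for name, network in SCOPES:
        if address in network:
            return name
    return "other"

def addresses_for(mac, ra_prefixes):
    """Link-local is always formed; one more address per prefix heard in an RA."""
    result = {}
    for prefix in ["fe80::/64", *ra_prefixes]:
        address = autoconfigure(prefix, mac)
        result[str(address)] = scope(address)
    return result

if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and two prefixes a router might advertise.
    table = addresses_for("00:11:22:33:44:55", ["2001:db8:1::/64", "fd00:1:2:3::/64"])
    for address, kind in table.items():
        print(f"{address:<36} {kind}")
```

All three addresses end in the same 64-bit identifier, so an identifier derived from the MAC follows the device from network to network; this is why current hosts commonly use randomized or temporary identifiers instead.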

IPv6 promotes phased reform of security

In the perception layer of the Internet of Things, the data collected by cameras accounts for more than half of the storage capacity of the world's Internet of Things data. Traditional video surveillance technology has been widely used in various industries such as smart cities and public security, and the current network video surveillance technology is being upgraded to "Internet of Things information services with video as the core", namely "video +", "video + multi-dimensional perception" and "video + multi-dimensional application". The video surveillance network has become a widely used and mature Internet of Things.

The expansion of IPv6 address space plays a good role in the control of smart security equipment connection in the field of video surveillance, the management of cloud service platforms, and the security of video data transmission. Combined with the continuous development of 5G, it can also play a good role in saving time and labor in data transmission rate and frequency band. The dual effects brought by IPv6 to smart security deserve attention.

Therefore, the development and large-scale implementation of IPv6 will be a new industrial revolution in the Internet industry, and will also be a phased reform in the field of smart security. In this situation, smart security should not only enter the market quickly, but also seize the opportunity to quickly expand the application pilot and accelerate the full implementation scope.

Security vendors will face new security challenges

Another advantage of IPv6 is the greatly improved security. In the deployment of IPv6, IPSec was once the standard, which means that data transmitted between IPv6 addresses is often encrypted and information can no longer be easily hijacked. With the unstoppable development trend of smart cities, the information security issues brought about by technologies such as intelligent video surveillance, face recognition, and license plate recognition have aroused great concern from the public. IPv6 will undoubtedly meet the public's requirements for personal information security to a large extent.

However, the security of IPv6 is not without worries. With the large-scale deployment of IPv6, the global Internet security landscape will undergo major changes. IPv6 will face the fragmentation attacks seen in existing IPv4 networks, and problems such as address spoofing and flooding will still exist. Experts said that network security threats and new network security situations are severe, and IPv6 will become the main attack point. In the era of the Internet of Everything, security manufacturers will also face new requirements and challenges.

