IJISET - International Journal of Innovative Science, Engineering & Technology, Vol. 3 Issue 1, January 2016.

www.ijiset.com
ISSN 2348 – 7968

An analytical study for Security in IPv6


M.A. Hadi
Department of Networks & Communication Systems, Princess Nourah University, Riyadh, KSA
Email: [email protected]

Abstract

The IPv6 protocol has solved some, but not all, of the security problems found in IPv4 networks. In this paper we introduce the limitations of IPv4, the need for IPv6, the security differences in IPv6, the benefits of IPv6, security considerations for IPv6, IPv6 packet security, and the transition to IPv6.

Keywords: IPv4; IPv6; IPsec; Security; Transition.

1. Introduction

The Internet Protocol is a set of technical rules that defines how computers communicate over a network. There are currently two versions: IP version 4 (IPv4) and IP version 6 (IPv6).

Internet Protocol (IP) addresses are the unique numbers assigned to every computer or device that is connected to the Internet. Among other important functions, they identify every device connected to the Internet, whether it is a web server, smartphone, mail server, or laptop. After years of rapid Internet expansion, the pool of available unallocated addresses for the original Internet Protocol, known as IPv4, has been fully allocated to Internet Service Providers (ISPs) and users. That is why we need IPv6, the next generation of the Internet protocol, which has a massively bigger address space than IPv4. [1]

The major reason why IPv6 was developed is the eventual exhaustion of IPv4 addresses, because every day more and more devices are being connected to the Internet. The Internet Engineering Task Force (IETF) therefore decided in 1991 to create a new version of the Internet Protocol (IP), called Internet Protocol version 6 (IPv6) [1], to replace the old Internet Protocol version 4 (IPv4). [2]

The prevailing Internet Protocol standard is IPv4 (Internet Protocol version 4), which dates back to the 1970s. There are well-known limitations of IPv4, including the limited IP address space and lack of security. IPv4 specifies a 32-bit IP address field, and available address spaces are rapidly running out. The only security feature provided in IPv4 is a security option field that provides a way for hosts to send security and handling restriction parameters.

As a result, the Internet Engineering Task Force (IETF) has been working on the IPv6 (Internet Protocol version 6) specifications in order to address these limitations, along with a number of performance, ease-of-configuration, and network management issues [3]. The core IPv6 specifications have been defined by various Requests for Comments (RFCs) such as RFC 2460 (IPv6 Protocol) [4], RFC 4861 (IPv6 Neighbour Discovery) [5], RFC 4862 (IPv6 Stateless Address Auto-Configuration) [6], RFC 4443 (Internet Control Message Protocol for IPv6 (ICMPv6)) [7], RFC 4291 (IPv6 Addressing Architecture) [8], and RFC 4301 (Security Architecture for IP or IPsec) [9]. IPv6 is also referred to as the Next Generation Internet Protocol (IPng) [10].

We offer a brief introduction and then explain, in Section II, what IPv4 is and the advantages and benefits of IPv6. The security in IPv6, security considerations and packet structure are explained in Section III. The comparison between IPv4 and IPv6, and which is more secure, is discussed in Section IV. In Section V, we explore the transition to IPv6. In the conclusion we suggest a general recommendation and a set of previously suggested solutions.

II. IPv6 Vs IPv4

• What is IPv4?

In 1991, the IETF decided that the current version of IP, called IPv4, had outlived its design. The new version of IP, called either IPng (Next Generation) or IPv6 (version 6), was the result of a long and tumultuous process which came to a head in 1994, when the IETF gave a clear direction for IPv6. IPv6 is designed to solve the problems of IPv4 [1]. It does so by creating a new version of the protocol which serves the function of IPv4, but without the same limitations of IPv4. IPv6 is not totally different from IPv4: what you have learned in IPv4 will be valuable when you deploy IPv6. The differences between IPv6 and IPv4 are in five major areas: addressing and routing, security, network address translation, administrative workload, and support for mobile devices. IPv6 also includes an important feature: a set of possible migration and transition plans from IPv4. Since 1994, over 30 IPv6 RFCs have been published. Changing IP means changing dozens of Internet protocols and conventions, ranging from how IP addresses are stored and how datagrams are sent and routed over Ethernet, PPP, Token Ring, FDDI, and every other medium, to how programmers call network functions. The IETF, though, is not so insane as to assume that everyone is going to change everything overnight. So there are also
standards and protocols and procedures for the coexistence of IPv4 and IPv6: tunneling IPv6 in IPv4, tunneling IPv4 in IPv6, running IPv4 and IPv6 on the same system (dual stack) for an extended period of time, and mixing and matching the two protocols in a variety of environments [11].

• Limitations

The problem of the limited IPv4 addresses could be solved with different alternative technologies such as subnetting, Network Address Translation (NAT), or Classless Inter-Domain Routing (CIDR). However, with NAT, outsiders see the entire subnet as one computer, and this brings problems of its own [12]. The shortage of IP addresses might be solved this way for a while, but these techniques will no longer be able to handle the fast growth of the Internet. Moreover, some further problems relating to the current structure of IPv4 can hardly be solved.

Fig. 1
http://bgpexpert.com/addrspace2014.php

• What is IPV6?

Internet Protocol version 6 (IPv6 or IPng) is the next generation of IP and the successor of IP version 4, which is widely used nowadays. The development of IPv6 started in 1991 and was completed in 1997 by the Internet Engineering Task Force (IETF), and it was officially used in 2004 when ICANN added IPv6 addresses to its DNS server [2].

Data is transferred between hosts in packets across networks, and these packets require addressing schemes. Using IPv4 and IPv6, these packets can identify their sources and also find their destinations. Every device on the Internet needs an IP address to communicate with other devices, and the growth of the Internet led to a need for a new alternative to IPv4, because IPv4 cannot provide the needed number of IP addresses around the world [13].

The address space in IPv6 is much larger than the address space of IPv4: it went from 32 bits to 128 bits; in other words, it went from 4 billion addresses to 340 trillion trillion trillion unique addresses [2]. IPv6 is designed to provide unique addresses for everyone on earth. This expansion in address space will not just provide more unique addresses, but will also make routing easier and cleaner because of its hierarchical addressing and simpler IP header [2].

The IPv6 addressing structure is designed to provide compatibility with existing IPv4 networks and allows both networks to coexist. IPv6 not only solves the problem of the address shortage in IPv4, but also enhances and improves some of the features that IPv4 has [4].

IPv6 uses a 128-bit addressing format that is represented by 16-bit hexadecimal number fields separated by colons ":". Using this format makes IPv6 less messy and error-free. Here is an example of an IPv6 address [2]:

2031:0000:130F:0000:0000:09C0:876A:130B

Additionally, this address can be shortened using some rules, such as compressing a block of zeros to a single zero (0000 = 0), like this [2]:

2031:0:130F:0:0:9C0:876A:130B

Also, successive fields of zero can be represented by a double colon "::", but a double colon may be used only once, so the above example is shortened to this [2]:

2031:0:130F::9C0:876A:130B

IPv6 (Internet Protocol version 6, also known as IP Next Generation, or IPng) has been developed by the Internet Engineering Task Force (IETF) to overcome the shortcomings in the current IPv4. For instance, IPv6 enables 128-bit address lengths, some four times that of IPv4. It is envisaged that this protocol will satisfy the demand for addresses for a long time. In addition, IPv6 has other features that are intended to provide more reliable services, such as stateless address auto-configuration, a simplified header format to reduce the cost of packet handling and bandwidth, built-in security, and better support for quality of service requirements. The current Internet is mostly based on IPv4, which was defined in 1981 at a time when developers could not imagine the scale of addresses required by the Internet today. IPv6 is a newer numbering system that provides a much larger address pool than IPv4, amongst other features. It was deployed in 1999 and should meet the world's IP addressing needs well into the future.

The great expansion of the Internet these days creates more significant challenges. Not only the addressing of new hosts such as computers, tablets, laptops and cell phones, but also the new technologies, require that its overall architecture evolve to accommodate the new technologies that support the growing demand for use (by users, applications, or services). IPv6 is a newer numbering system that provides a much larger address pool than IPv4. It was deployed in 1999 and should meet the world's IP addressing needs well into the future. [13]

Fig. 2

Fig. 3

• IPv6 Header

Fig. 4

• Extension Headers & Fragmentation

Fig. 5

Fig. 6

• The Benefits of IPv6

Six Benefits Of IPv6 [14]

With IPv6, everything from appliances to automobiles can be interconnected. But an increased number of IP addresses isn't the only advantage of IPv6 over IPv4. In
honor of World IPv6 Day, here are six more good reasons to make sure your hardware, software, and services support IPv6.

• More Efficient Routing

IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. IPv6 allows ISPs to aggregate the prefixes of their customers' networks into a single prefix and announce this one prefix to the IPv6 Internet. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path's maximum transmission unit (MTU).

• More Efficient Packet Processing

IPv6's simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.

• Directed Data Flows

IPv6 supports multicast rather than broadcast. Multicast allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations simultaneously, saving network bandwidth. Disinterested hosts no longer must process broadcast packets. In addition, the IPv6 header has a new field, named Flow Label, that can identify packets belonging to the same flow.

• Simplified Network Configuration

Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.

• Support for New Services

By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.

• Security

IPSec, which provides confidentiality, authentication and data integrity, is baked into IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.

• The following are the features of the IPv6 protocol:

- Header simplification and new header format
- Large addressing capability
- Efficient and hierarchical addressing and routing infrastructure
- Better support for prioritized delivery
- Extensions for authentication and privacy

IPv6 arose from the need created by the large growth of the Internet. It offers many opportunities to meet the needs of the future. The features of IPv6 are:

- Large address space
- New header format
- Efficient addressing and routing infrastructure
- Built-in security
- Better support for QoS (Quality of Service)

These enhancements in IPv6 provide better security in certain areas, but some of these areas are still open to exploitation by attackers.


III. The Security in IPv6

In IPv4 the IP Security Protocol is used, which is not different in principle from that of IPv6 but is very complex and difficult to use. IPv6-enabled nodes must support the IP Security Protocol; therefore IPv6 nodes are more secure. IPv6 also includes security features, such as payload encryption, authentication of the communication and data integrity safeguards, in its specifications. Another advantage of IPv6 over IPv4 concerns IP spoofing, which is known to be one of the most common forms of denial-of-service attack. With IPv4 it is impossible for a server to determine whether packets are being received from a legitimate end node, while an IPv6 server is able to.

A) Security Considerations [15]

1. Massive Size of the IP Address Space

• Makes Port Scanning Harder

When they start, attackers usually employ port scanning as a reconnaissance technique to gather as much information as possible about a victim's network. It is estimated that the entire IPv4-based Internet can be scanned in about 10 hours with enough bandwidth, given that IPv4 addresses are only 32 bits wide. IPv6 dramatically increases this limit by expanding the number of bits in address fields to 128 bits. By itself, such a massive address space creates a significant barrier for attackers wanting to conduct comprehensive port scanning. However, it should be noted that the port scanning reconnaissance technique used in IPv6 is basically the same as in IPv4, apart from the larger IP address space. Therefore, current best practices used with IPv4, such as filtering internal-use IPv6 addresses in border routers, and filtering unused services at the firewall, should be continued in IPv6 networks.

• Cryptographically Generated Address (CGA)

In IPv6, it is possible to bind a public signature key to an IPv6 address. The resulting IPv6 address is called a Cryptographically Generated Address (CGA). This provides additional security protection for the IPv6 neighbourhood router discovery mechanism, and allows the user to provide a "proof of ownership" for a particular IPv6 address. This is a key differentiator from IPv4, as it is impossible to retrofit this functionality to IPv4 with the current 32-bit address space constraint. CGA offers three main advantages:

a. It makes spoofing attacks against, and stealing of, IPv6 addresses much harder.
b. It allows for messages signed with the owner's private key.
c. It does not require any upgrade or modification to overall network infrastructure.

2. IP Security (IPsec)

IP Security, or IPsec for short, provides interoperable, high quality and cryptographically based security services for traffic at the IP layer. It is optional in IPv4 but has been made mandatory in the IPv6 protocol. IPsec enhances the original IP protocol by providing authenticity, integrity, confidentiality and access control to each IP packet through the use of two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

3. Replacing ARP by Neighbour Discovery (ND) Protocol

In the IPv4 protocol, a layer two (L2) address is not statically bound to a layer three (L3) IP address. Therefore, it can run on top of any L2 media without making significant change to the protocol. Connection between L2 and L3 addresses is established with a protocol named Address Resolution Protocol (ARP), which dynamically establishes mapping between L2 and L3 addresses on the local network segment. ARP has its own security vulnerabilities (such as ARP Spoofing). In the IPv6 protocol, there is no need for ARP because the interface identifier (ID) portion of an L3 IPv6 address is directly derived from a device-specific L2 address (MAC Address). The L3 IPv6 address, together with its locally derived interface ID portion, is then used at the global level across the whole IPv6 network. As a result, the security issues related to ARP no longer apply to IPv6. A new protocol called Neighbour Discovery (ND) Protocol for IPv6 is defined in RFC 4861 as a replacement for ARP.

B) Concerns, Potential Threats and Measures

1. IP Addressing Structure

The IP addressing structure defines the architecture of a network. A well-planned addressing structure will reduce potential risks associated with new features provided by IPv6. The following areas should be considered when designing an IPv6 network.

Numbering plan and hierarchical addressing

The numbering plan describes how the organization segregates its IPv6 allocation. For example, if an organization is granted an address block with 16 subnet bits (/48), this will allow it to support 65,000 subnets. A good numbering plan can simplify access control lists and firewall rules in security operations, and identify ownership of sites, links and interfaces easily. Organizations should carefully plan and create a site hierarchy by considering subnet methods as follows:

- Sequentially numbering subnets
- VLAN number
- IPv4 subnet number
- Physical location of network
- Functional unit of an organization (Accounts, Operation, etc.)
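One way to turn the numbering plan above into something an access control list can use, as an added example that is not from the original paper. It assumes the 16 subnet bits of a /48 are split into 4 bits of physical location, 4 bits of functional unit and 8 bits of VLAN number; the split, the site and unit names, and the documentation prefix are all constructed for illustration.

```python
import ipaddress

# Assumed layout of the 16 subnet bits: [site:4][unit:4][vlan:8].
SITES = {"hq": 0x1, "branch": 0x2}              # constructed site codes
UNITS = {"accounts": 0x1, "operations": 0x2}    # constructed functional units


class NumberingPlan:
    def __init__(self, allocation: str):
        self.block = ipaddress.IPv6Network(allocation)
        if self.block.prefixlen != 48:
            raise ValueError("this plan assumes a /48 allocation")

    def subnet_count(self) -> int:
        """Number of /64 links available inside the /48 (16 subnet bits)."""
        return 2 ** (64 - self.block.prefixlen)

    def _network(self, subnet_id: int, prefixlen: int) -> ipaddress.IPv6Network:
        base = int(self.block.network_address) | (subnet_id << 64)
        return ipaddress.IPv6Network((base, prefixlen))

    def subnet(self, site: str, unit: str, vlan: int) -> ipaddress.IPv6Network:
        """The /64 for one VLAN of one functional unit at one site."""
        if not 0 <= vlan <= 0xFF:
            raise ValueError("VLAN field is 8 bits in this plan")
        return self._network((SITES[site] << 12) | (UNITS[unit] << 8) | vlan, 64)

    def acl_prefix(self, site: str, unit: str = None) -> ipaddress.IPv6Network:
        """One prefix that matches a whole site (/52) or one unit at a site (/56)."""
        if unit is None:
            return self._network(SITES[site] << 12, 52)
        return self._network((SITES[site] << 12) | (UNITS[unit] << 8), 56)

    def owner_of(self, address: str):
        """Decode site, unit and VLAN from any address inside the allocation."""
        addr = ipaddress.IPv6Address(address)
        if addr not in self.block:
            return None
        subnet_id = (int(addr) >> 64) & 0xFFFF
        site_names = {code: name for name, code in SITES.items()}
        unit_names = {code: name for name, code in UNITS.items()}
        return (
            site_names.get(subnet_id >> 12, "unassigned"),
            unit_names.get((subnet_id >> 8) & 0xF, "unassigned"),
            subnet_id & 0xFF,
        )


if __name__ == "__main__":
    plan = NumberingPlan("2001:db8:abcd::/48")   # documentation prefix, constructed
    print("links available:", plan.subnet_count())
    print("accounts VLAN 32 at hq:", plan.subnet("hq", "accounts", 32))
    print("firewall rule for all of hq:", plan.acl_prefix("hq"))
    print("firewall rule for hq accounts:", plan.acl_prefix("hq", "accounts"))
    print("owner of 2001:db8:abcd:1120::53:", plan.owner_of("2001:db8:abcd:1120::53"))
```

With this layout a single /56 entry covers every accounts VLAN at a site, and the owner of any logged address can be read straight from its fourth 16-bit field.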


2. Unauthorized IPv6 Clients

IPv6 support is available for most modern operating systems and equipment; it can be easy, and sometimes unnoticeable to the user, for the IPv6 protocol to be enabled. Due to the extended capabilities of IPv6, as well as the possibility of an IPv6 host having a number of global IPv6 addresses, it potentially provides an environment that makes network level access easier for an attacker if the access controls are not properly deployed.

To reduce the risk, the following measures could be considered:

- Locate and disable any IPv6 enabled equipment
- Detect and block IPv6 or IPv6 tunnel traffic at the network perimeter
- Include IPv6 usage policies in the organization's security plan

3. Neighbour Discovery and Stateless Address Auto-configuration

Neighbour discovery (ND) is a replacement for ARP, and stateless address auto-configuration, which allows an IPv6 host to be configured automatically when connected to an IPv6 network, is a lightweight DHCP-like function provided in ICMPv6. They are both powerful and flexible options in the IPv6 protocol. However, ND may still be subject to attacks that could cause IP packets to flow to unexpected places. Denial of service may be one of the results. Also, such attacks could be used to allow nodes to intercept and optionally modify packets destined for other nodes. While this may be protected with an IPsec AH, RFC 3756 (IPv6 ND Trust Models and Threats) also defines the type of networks in which the secure IPv6 ND mechanisms are expected to work. The three different trust models roughly correspond to secured corporate intranets, public wireless access networks, and pure ad hoc networks. Moreover, the SEcure Neighbor Discovery (SEND) protocol has been developed to provide an alternate mechanism for securing neighbor discovery with a cryptographic method.

Neighbour discovery, as well as router solicitation, in the IP network (v4 or v6) uses ICMP. While ICMPv4 is a separate protocol on the outside of IPv4, ICMPv6 is an integral protocol running directly on top of the IPv6 protocol, which again could lead to security problems. Exchanging ICMPv6 messages on top of the IPv6 protocol for vital "network health" messages and environment solicitations is crucial for IPv6 communication. However, this could be abused by sending fake, carefully crafted response messages for denial of service, traffic re-routing or other malicious purposes. For security reasons, the IPv6 protocol recommends that all ICMP messages use an IPsec AH, which is able to offer integrity, authentication and anti-replay functions.

It may be better to specify critical systems as static Neighbour entries to their default router, instead of using ND; this would avoid many typical Neighbour-discovery attacks. However, certain administrative efforts would be required.

4. Dual Operations

Organizations cannot change all their networks to IPv6 overnight; IPv6 will be gradually deployed while IPv4 will be supported for legacy clients and services. A dual protocol environment increases the complexity of operations and also of security. Nevertheless, existing measures on IPv4 should be maintained while the same level of coverage should be applied to IPv6. Organizations need to implement a consistent security policy for both IPv4 and IPv6 (including firewalls and packet filters). During operations, administrators should be aware of relevant threats and vulnerabilities in both protocols and apply appropriate measures to mitigate the risks.

c) Common Attacks In Both IPv4 and IPv6

IPv6 cannot solve all security problems. Basically it cannot prevent attacks on layers above the network layer in the network protocol stack. Possible attacks that IPv6 cannot address include:

1. Application layer attacks: Attacks performed at the application layer (OSI Layer 7) such as buffer overflow, viruses and malicious code, web application attacks, and so on.
2. Brute-force attacks and password guessing attacks on authentication modules.
3. Rogue devices: Devices introduced into the network that are not authorized. A device may be a single PC, but it could be a switch, router, DNS server, DHCP server or even a wireless access point.
4. Denial of Service: The problem of denial of service attacks is still present with IPv6.
5. Attacks using social networking techniques such as email spamming, phishing, etc.

D) IPv6 Packet Security [16]

Unlike IPv4, IPsec security is mandated in the IPv6 protocol specification, allowing IPv6 packet authentication and/or payload encryption via the Extension Headers. However, IPsec is not automatically implemented; it must be configured and used with a security key exchange.

1) IPv6 Packet Structure

The IPv6 header is not variable, as in IPv4, but has a simple, efficient fixed 40-byte length. Minimum packet size is 1280 bytes, from 40 bytes of header plus 1240 bytes of payload.

• Next Header Field

The Next Header field defines the type of header immediately following the current one. It is usually the
payload, but sometimes Extension Headers provide valuable functions. Encryption capabilities are defined by the Authentication and Encapsulated Security headers.

• Extension Headers

Protocol numbers in required order of use:

000 Hop-by-hop – must be examined by every node on path to destination
043 Routing header – list of nodes that should be visited on path
060 Destination options – processed by routers along path
044 Fragment header – packet was fragmented at source if too large for path
051 Authentication header – part of IPsec
050 Encapsulated security payload – IPsec
060 Destination options – processed at destination

Fig. 7
Right: A simple IPv6 packet (top row) with a TCP header and data payload. The second row shows the packet with an additional Routing header; the third row has Routing and Fragment headers.

2) IPv6 Packet Encryption [16]

IPsec defines cryptography-based security for both IPv4 and IPv6 in RFC 4301. IPsec support is an optional add-on in IPv4, but is a mandatory part of IPv6. It provides two security headers which can be used separately or together: Authentication Header (AH) and Encapsulating Security Payload (ESP), used in conjunction with security key exchange.

• Authentication Header

AH provides connectionless integrity, data-origin authentication and protection against replay attacks. It authenticates with an Integrity Check Value (ICV) calculated over the payload, the header, and unchanging fields of the IPv6 header and options. AH does not provide privacy and confidentiality of packet contents. See RFC 2402.

• Encapsulating Security Payload

ESP also provides connectionless integrity, data-origin authentication, protection against replay attacks and limited traffic flow confidentiality, and in addition provides privacy and confidentiality through encryption of the payload. See RFC 2406.

• IPsec Modes

IPSec operates in two different modes: Transport mode (host-to-host) and Tunnel mode (gateway-to-gateway or gateway-to-host).

Transport mode: the IPv6 header of the original packet is used, followed by the AH or ESP header, then the payload.

Tunnel mode: a new IPv6 header encapsulates the AH or ESP header and the original IP header and payload.

Extension headers (Hop-by-Hop, Routing, and Fragmentation) immediately follow their IP headers, except for Destination Options, which can appear before or after AH or ESP.

Fig. 8

• AH in Transport & Tunnel Mode

AH authenticates the packet and the outermost IPv6 addresses (except for mutable fields), but does not encrypt payloads. AH cannot be used to traverse NATs, as it calculates the integrity check value (ICV) over source and destination addresses: NATs translate addresses, so would invalidate ICVs.

Fig. 9
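The Next Header chaining and the extension header list described above, as an added example that is not part of the original paper: a small parser that follows the chain from the fixed 40-byte header to the upper-layer protocol and reports chains a filter should treat as suspect. It checks only three properties (Hop-by-Hop appears first if at all, no header other than Destination Options appears more than once, the chain is not truncated); the sample packets and their addresses are constructed.

```python
import ipaddress
import struct

# Next Header values of the extension headers listed above.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
TCP = 6


def walk_chain(packet: bytes):
    """Follow the Next Header chain; return (chain, upper_protocol, findings)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40      # Next Header is byte 6 of the fixed header
    chain, findings = [], []
    while next_hdr in EXT_HEADERS:
        if next_hdr == HOP_BY_HOP and chain:
            findings.append("hop-by-hop header is not first")
        allowed = 2 if next_hdr == DEST_OPTS else 1
        if chain.count(next_hdr) >= allowed:
            findings.append(f"header {next_hdr} repeated")
        chain.append(next_hdr)
        if next_hdr == ESP:
            return chain, None, findings  # everything after the ESP header is encrypted
        if offset + 8 > len(packet):
            findings.append("chain truncated")
            return chain, None, findings
        following, length_field = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            size = 8                       # fixed size, second byte is reserved
        elif next_hdr == AH:
            size = (length_field + 2) * 4  # AH length is in 32-bit words minus 2
        else:
            size = (length_field + 1) * 8  # 8-octet units, not counting the first
        offset += size
        if offset > len(packet):
            findings.append("chain truncated")
            return chain, None, findings
        next_hdr = following
    return chain, next_hdr, findings


def fixed_header(next_hdr: int, payload: bytes) -> bytes:
    """Constructed 40-byte IPv6 header with documentation addresses, plus payload."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload


def ext(next_hdr: int) -> bytes:
    """Constructed minimal 8-byte extension header pointing at next_hdr."""
    return bytes([next_hdr, 0]) + bytes(6)


TCP_SEGMENT = bytes(20)                    # constructed, empty TCP header
# Third row of Fig. 7: Routing and Fragment headers before TCP.
NORMAL = fixed_header(ROUTING, ext(FRAGMENT) + ext(TCP) + TCP_SEGMENT)
# Hop-by-Hop buried behind Destination Options, which itself appears three times.
MALFORMED = fixed_header(
    DEST_OPTS, ext(HOP_BY_HOP) + ext(DEST_OPTS) + ext(DEST_OPTS) + ext(TCP) + TCP_SEGMENT
)
# Announces a Hop-by-Hop header but ends after four bytes.
TRUNCATED = fixed_header(HOP_BY_HOP, bytes(4))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("malformed", MALFORMED), ("truncated", TRUNCATED)):
        print(name, walk_chain(pkt))
```

A packet filter that cannot reach the upper-layer header, or that sees any finding, has no reliable port information to match on and should apply its default policy to the packet.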


• ESP in Transport & Tunnel Modes

ESP authentication does not include the outermost IPv6 headers, but in Tunnel mode it protects the original headers. ESP is used to build virtual private network tunnels between sites. It permits NAT traversal, as it does not use the outermost address values in the ICV calculation. If AH and ESP are used together, ESP is applied first, and then AH authenticates the entire new packet.

• The Security Association

A Security Association (SA) is a record of the authentication algorithm, encryption algorithm, keys, mode (transport or tunnel), sequence number, overflow flag, expiry of the SA, and anti-replay window. The SA is held in a database at each endpoint, indexed by outer destination address, IPsec protocol (AH or ESP), and Security Parameter Index value.

Selection of the SA can be done manually (pre-shared keys) but is preferably automated with Internet Key Exchange (IKE, IKEv2). IKE uses Diffie-Hellman techniques to create a shared secret encryption key used to negotiate SA data. For key exchange, IKE depends on a Public Key Infrastructure (PKI), which is not yet widespread. The framework and syntax for key exchange is ISAKMP (Internet Security Association and Key Management Protocol). See RFC 2408.

I. Which is more secure IPv6 or IPv4

Which is more secure?

Fig. 10

Debates concerning IPv4 versus IPv6 security often focus on different aspects of network deployment. It has been said that IPv6 supports improved security because the specifications mandate the inclusion of the IP Security (IPsec) suite of protocols in products. In IPv4, including IPsec is optional, but it is commonly available. Because the IPsec protocol suite is designed to be indifferent to IP versions, the technology works generally the same way in both IPv4 and IPv6. In this way, the benefits of using IPsec are similar in either environment.

The increased address space provided by IPv6 does eliminate the need to use NAT devices, which are pervasive in many IPv4 networks. Broadly speaking, security is harder to deploy and troubleshoot when NATs are present in a network as they disrupt IP layer traceability and therefore security audit trails. In addition, the address rewriting that NAT performs is considered by some security protocols to be a security violation. Thus, with the increased address space eliminating the need to use NATs, IPv6 potentially facilitates deployment of end-to-end security.

Many of the IPv6 security issues reported today have to do with vulnerabilities in individual products, not the IPv6 protocol. IPv4 is widely deployed and individual IPv4 products have gone through the recurring cycle of discovering and fixing security vulnerabilities and other bugs. Because IPv6 products are comparatively new, they have not benefited from similar experience. Consequently, security vulnerabilities in IPv6 products will need to be discovered and repaired, just like for other products.

Also, the operational practices built up over many years for IPv4 networks will have to be adapted for IPv6. New practices will need to be developed for the dual stack IPv4 and IPv6 environment. This will be accelerated as more network operators deploy IPv6 and continue to exchange information about experience and best practices through established operators groups, the IETF Operations area, and other forums.

Overall, maintaining network security will continue to be a challenging undertaking in both IPv4 and IPv6 contexts. Neither protocol provides a simple solution to the complexities associated with securing networks. As with IPv4, network operators should become educated on IPv6 security practices and keep up-to-date with developments as they plan for and deploy IPv6.

• IPv6 Prevents Man-In-The-Middle Attacks [17]

Since IPv6 doesn't use Address Resolution Protocol (ARP), it's assumed that it prevents man-in-the-middle attacks. In fact, IPv6 uses ICMPv6 to implement the Neighbor Discovery Protocol, which replaces ARP for local address resolution. The Neighbor Discovery Protocol, notes
Moore, is just as vulnerable to man-in-the-middle attacks as ARP, if not more so.

• IPv6 With Mandatory IPSec Is More Secure Than IPv4 [17]

A widely assumed benefit of IPv6 is IPSec support, but the reality is more nuanced. While IPv6 supports IPSec for transport encryption, notes Moore, actually using IPSec is not mandatory and it is not configured by default.

III. Transition to IPv6

Most of the existing systems that we use today already support IPv6. If you're using a laptop, odds are it supports IPv6 and has done so for quite some time. IPv6 is not dramatically different on the network from IPv4, and the machines we used 30 years ago were capable of running IPv6. This means that if the kind of computers operating thirty years ago could run IPv6, then pretty much any cell phone (or even pocket calculator) could run IPv6 today, if you really wanted it to. [18]

There are three basic aspects involved in the deployment of IPv6: the protocol, the products, and the operational practices.

• The IPv6 Protocol

IPv6 has benefited from over 10 years of development within the Internet Engineering Task Force (IETF). The core standards have been stable for many years and deployed in both research and operational contexts. In addition to the core specifications, IPv6 includes a large number of individual standards that have a more limited applicability and are only needed in specialised environments. Additional development work will continue in these areas as new issues are discovered in response to deployment-specific scenarios. Like the continuing evolution of IPv4, there will always be updates and additions to IPv6 in response to deployment experience. Thus, even though the core IPv6 specifications are stable, there will continue to be ongoing work on IPv6-related specifications.

• IPv6 Products

The core IPv6 specifications are becoming increasingly available as a standard part of products and service offerings. However, not all products are fully IPv6 capable at this time and some significant upgrade gaps remain, especially in low-end consumer equipment. Similarly, while many software applications and operating systems (especially in open source code) have already been updated for IPv6, not all products (including some from major vendors) are fully IPv6 ready. It is best to check with specific vendors on the IPv6 readiness of their individual products and services. In addition, in-house application software or custom code that interfaces with the network will likely need updating for IPv6.

• IPv6 Operational Practices

Operational practices built up over many years for IPv4 networks will have to be adapted for IPv6. There is growing experience in the deployment of IPv6 in research networks and R&D projects, while some production networks (primarily in Japan and Korea) have been running IPv6 for a number of years. IPv6 traffic today, however, remains small in comparison to IPv4. As more network operators deploy IPv6 and continue to exchange information about experience and best practices through established operators groups, the IETF, and other forums, the community knowledge level will grow. In summary, IPv6 is ready for deployment, but additional effort is needed to make its use pervasive. The IETF, equipment vendors, application developers, network operators and end users all have roles to play in ensuring the successful widespread deployment of IPv6 [18].

Conclusions

There is an immediate need to adopt the IPv6 protocol as early as possible, so as to avoid future impediments in the Internet network. IPv6 is the new version of the Internet Protocol and will replace the IPv4 protocol. Because of the security problems that occur in IPv4 day by day, acceptance of IPv6 on the Internet is growing at a very fast rate in the present scenario. The new version of the Internet Protocol provides numerous features over IPv4 which directly or indirectly improve security for devices that are connected to the Internet. Besides these improvements, some security issues still exist and need thorough attention. The IPsec protocol is mandated in IPv6, which enhances security in IPv6 but cannot solve all the security problems that exist in IPv6. Even though IPv6 is an accepted protocol, if we provide some more ways and means to solve the existing issues in

However, acceptance and usage of IPv6 has been slow, because change is hard and expensive. The good news is that all operating systems support IPv6, so when you are ready to make the change, your computer will need little effort to convert to the new scheme.
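The section on man-in-the-middle attacks notes that Neighbor Discovery replaces ARP and is just as exposed, so IPv6 segments need the same address-to-MAC binding monitoring that operators already run for ARP. The Python example below is added here and is not from the paper: it parses ICMPv6 Neighbor Advertisement messages (RFC 4861, type 136) and reports when the link-layer address advertised for an IPv6 address changes. The names `parse_na`, `NeighborWatch` and `build_na` are chosen for illustration, and the sample packets are constructed.

```python
import ipaddress
import struct

NA_TYPE = 136          # ICMPv6 Neighbor Advertisement (RFC 4861, section 4.4)
OPT_TARGET_LLADDR = 2  # Target Link-Layer Address option

def parse_na(icmp6: bytes):
    """Return (target_ip, mac, override) from an ICMPv6 NA message, else None."""
    if len(icmp6) < 24 or icmp6[0] != NA_TYPE or icmp6[1] != 0:
        return None
    override = bool(icmp6[4] & 0x20)           # O flag: replace cached entry
    target = ipaddress.IPv6Address(icmp6[8:24])
    pos, mac = 24, None
    while pos + 2 <= len(icmp6):               # walk the TLV options
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            return None                        # malformed option: discard
        if opt_type == OPT_TARGET_LLADDR:
            mac = icmp6[pos + 2:pos + 8].hex(":")
        pos += opt_len
    return (str(target), mac, override) if mac else None

class NeighborWatch:
    """Remembers the first MAC seen per IPv6 address and reports changes."""
    def __init__(self):
        self.bindings = {}

    def observe(self, icmp6: bytes):
        parsed = parse_na(icmp6)
        if parsed is None:
            return None
        ip, mac, override = parsed
        known = self.bindings.setdefault(ip, mac)
        if known != mac:   # may also be a legitimate NIC swap or failover
            return f"ALERT {ip} moved {known} -> {mac} (override={override})"
        return None

def build_na(target: str, mac: str, override: bool = True) -> bytes:
    """Constructed sample input: minimal NA message, checksum left as zero."""
    hdr = struct.pack("!BBHB3x", NA_TYPE, 0, 0, 0x20 if override else 0)
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt

if __name__ == "__main__":
    watch = NeighborWatch()
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:55", "66:77:88:99:aa:bb"):
        print(watch.observe(build_na("2001:db8::1", mac)))
```

In a deployment, the bytes passed to `observe` would come from a capture of ICMPv6 traffic on the local link, and an alert is a prompt to investigate rather than proof of spoofing.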


References
[1] IP Version 6 Addressing Architecture, RFC 2373, R. Hinden, S. Deering, July 1998.
[2] Amer Nizar Abu Ali, "Comparison study between IPV4 & IPV6", International Journal of Computer Science Issues, Vol. 9, Issue 3, No 1, May 2012.
[3] http://www.ietf.org/rfc/rfc0791.txt
[4] http://tools.ietf.org/html/rfc2460
[5] http://tools.ietf.org/html/rfc4861
[6] http://tools.ietf.org/html/rfc4862
[7] http://tools.ietf.org/html/rfc4443
[8] http://tools.ietf.org/html/rfc4291
[9] http://tools.ietf.org/html/rfc4301
[10] http://www.opte.org/history/
[11] Ashis Saklani, S. C. Dimri, "Technical Comparison between IPv4 & IPv6 and Migration from IPv4 to IPv6", International Journal of Science and Research (IJSR), India, Online ISSN: 2319-7064.
[12] Holly Hubbard Preston, Network World: Edge Routers For IPv6 Migration, http://www.itworld.com/Net/4057/NWW010423tech/. [Retrieved: 16/12/03].
[13] Ghaida Yagoub, and others, "Comparison Between Ipv4 And Ipv6 Using Opnet Simulator", IOSR Journal of Engineering (IOSRJEN), Vol. 04, Issue 08 (August 2014), V4, PP 44-50, www.iosrjen.org
[14] http://www.networkcomputing.com/networking/six-benefits-of-ipv6/d/d-id/1232791?
[15] http://cisco.com
[16] http://www.ipv6now.com.au/primers/IPv6SecurityIssues.php
[17] http://www.networkcomputing.com/networking/4-ipv6-security-fallacies/d/d-id/1234351?
[18] https://www.isoc.org/internet/issues/ipv6_faq.shtml
