IP security, or IPsec, is a collection of standards for securing sensitive information transmitted over unprotected networks. At the network layer, IPsec protects and authenticates data packets sent between IPsec devices. IPsec has several optional security features, the use of which can be dictated by local security policies:
- Data confidentiality - the sender can encrypt packets before sending them
- Data integrity - the receiver can authenticate packets to ensure the data has not been tampered with
- Data origin authentication - the receiver can confirm the source of any packets received
- Anti-replay - the receiver can detect and reject any replayed data packets
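The anti-replay service listed above is usually implemented with a sliding window over the sequence number carried in every AH or ESP header: the receiver remembers the highest sequence number accepted and a bitmap of which recent numbers have already arrived. The following is an added example, not code from the page or from any IPsec implementation; it models the 64-entry window described in RFC 4303 Appendix A, and the sequence of numbers fed into it is constructed for illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay detection in the style of IPsec (RFC 4303 Appendix A).

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (highest - i) has already been received.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if `seq` is fresh and accepted, False if replayed or too old."""
        if seq == 0:
            return False  # a 32-bit IPsec sequence counter never legitimately sends 0
        if seq > self.highest:
            # Packet is to the right of the window: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped so far that nothing old remains in view
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # left of the window: too old to judge, so drop it
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: a replay
        self.bitmap |= 1 << diff
        return True


def process_sequence(seqs, size=64):
    """Run a constructed list of sequence numbers through one window.

    Returns (seq, accepted) pairs so the verdict for each packet is visible.
    """
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: in-order packets, a replay of 2, a reordered 4,
    # a replay of 4, a large jump, then packets that fall inside and just
    # outside the 64-entry window.
    for seq, ok in process_sequence([1, 2, 3, 2, 5, 4, 4, 100, 40, 37, 36]):
        print(f"seq={seq:<4} {'accept' if ok else 'DROP'}")
```

Note that a packet older than the window (36 when the highest accepted is 100) is dropped even though it was never seen, because the receiver can no longer tell whether it is a replay; in practice the window is only meaningful once integrity checking of the packet has already succeeded.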
IPsec for IPv6 is implemented with Authentication Header and Encapsulating Security Payload. Authentication Header (AH) verifies the source to protect IP header integrity. Encapsulating Security Payload (ESP) “provides confidentiality, authentication of the source, connectionless integrity of the inner packet, antireplay, and limited traffic flow confidentiality.”
IPsec has two different modes of operation: Transport mode and Tunnel mode.
- Transport mode (host to host) keeps the IPv6 header of the original packet, followed by the AH or ESP header, and then the payload
- Tunnel mode (gateway to gateway or gateway to host) adds a new IPv6 header, followed by the AH or ESP header, the original IPv6 header, and the payload
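The difference between the two modes is visible in the header chain itself: in transport mode the AH Next Header field points at the upper-layer protocol (for example TCP), while in tunnel mode it points at an encapsulated IPv6 header (protocol number 41). The following is an added example, not code from the page or from any IPsec implementation: it builds constructed IPv6 packets with AH (protocol 51) and ESP (protocol 50) headers and walks the chain to report which protocol and mode a packet uses. The packet-building helpers, the addresses, SPIs and the placeholder ICV are all made up for illustration; it also walks the common IPv6 extension headers that may precede AH or ESP, which the description above does not mention.

```python
import struct

IPV6_HDR_LEN = 40
NH_TCP, NH_UDP, NH_IPV6, NH_ESP, NH_AH = 6, 17, 41, 50, 51
# Extension headers whose length field counts 8-octet units (excluding the first 8).
NH_HOPOPT, NH_ROUTING, NH_DSTOPTS = 0, 43, 60

SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed documentation address
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(next_header, payload, src=SRC, dst=DST):
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def build_ah(next_header, spi, seq, icv):
    """AH: next header, payload len (4-octet units minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi, seq, opaque):
    """ESP: only SPI and sequence number are readable; the rest is ciphertext and trailer."""
    return struct.pack("!II", spi, seq) + opaque


def describe(packet):
    """Walk the IPv6 header chain and report what IPsec protection is visible on the wire."""
    nh = packet[6]
    off = IPV6_HDR_LEN
    while True:
        if nh in (NH_HOPOPT, NH_ROUTING, NH_DSTOPTS):
            nh, ext_len = packet[off], packet[off + 1]
            off += (ext_len + 1) * 8
        elif nh == NH_AH:
            ah_nh, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, off)
            off += (plen + 2) * 4
            # AH authenticates but does not encrypt, so the mode is visible.
            mode = "tunnel" if ah_nh == NH_IPV6 else "transport"
            return {"protocol": "AH", "spi": spi, "seq": seq, "mode": mode, "inner_next_header": ah_nh}
        elif nh == NH_ESP:
            spi, seq = struct.unpack_from("!II", packet, off)
            # ESP's own Next Header field sits in the encrypted trailer, so an
            # observer cannot tell transport from tunnel mode without the key.
            return {"protocol": "ESP", "spi": spi, "seq": seq, "mode": "unknown (encrypted)"}
        else:
            return {"protocol": None, "next_header": nh}


def sample_packets():
    """Three constructed packets: AH transport, AH tunnel, and ESP."""
    icv = b"\x00" * 12  # placeholder for a 96-bit truncated HMAC; not a real MAC
    tcp_stub = b"\x00" * 20
    inner = build_ipv6(NH_TCP, tcp_stub)
    return {
        "ah_transport": build_ipv6(NH_AH, build_ah(NH_TCP, 0x100, 7, icv) + tcp_stub),
        "ah_tunnel": build_ipv6(NH_AH, build_ah(NH_IPV6, 0x200, 9, icv) + inner),
        "esp": build_ipv6(NH_ESP, build_esp(0x300, 11, b"\xaa" * 32)),
        "plain_udp": build_ipv6(NH_UDP, b"\x00" * 8),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:13} -> {describe(pkt)}")
```

The practical takeaway for monitoring is the asymmetry between the two protocols: AH leaves the inner header chain readable, so a sensor can tell tunnel from transport mode and see the inner protocol, whereas ESP exposes only the SPI and sequence number.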
While end-to-end encryption was retroactively added to IPv4, it was built into IPv6. Encryption and integrity checking, currently used by VPNs, are standard in IPv6 for all devices and systems.
IPv6 is also more secure for name resolution. The Secure Neighbor Discovery (SEND) protocol enables cryptographic confirmation of a host’s identity upon connection, making naming-based attacks more difficult. This is not a replacement for verification at the application or service level but offers additional security.
Is IPv6 more secure than IPv4?
The short answer is no. However, this question can mean two different things, and therefore requires a more nuanced answer. This question can mean:
- Whether the specific IPv6 protocols are more secure than their IPv4 counterparts
- Whether deployments of IPv6 are more secure than their IPv4 counterparts
When comparing IPv4 and IPv6 at the protocol level, the complexity of IPv6 could present a higher number of points for attacks. However, it is more practical to compare IPv4 and IPv6 deployments in terms of security. For that, it is important to consider how long protocol specifications and implementations have existed.
Most frequently, the security vulnerabilities in a network protocol stem from flaws in its implementation. These flaws are later patched, and over time the discovery and patching of vulnerabilities strengthens the security of the network protocol. Because IPv4 protocols have benefited from this process for much longer than IPv6 protocols, they are more robust in their security.
Sometimes, these vulnerabilities stem from flaws in the protocol specifications. In this case, IPv4 protocol specifications once again benefit from having been around longer, as the IPv6 protocol specifications are newer and have not yet received the same level of scrutiny.