A Comparison of Internet Protocol (IPv6) Security Guidelines

Steffen Hermann, Benjamin Fabian
2014 Future Internet  
The next generation of the Internet Protocol (IPv6) is currently about to be introduced in many organizations. However, its security features are still a very novel area of expertise for many practitioners. This study evaluates guidelines for secure deployment of IPv6, published by the U.S. NIST and the German federal agency BSI, for topicality, completeness and depth. The latter two are scores defined in this paper and are based on the Requests for Comments relevant for IPv6 that were
... d, weighted and ranked for importance using an expert survey. Both guides turn out to be of practical value, but have a specific focus and are directed towards different audiences. Moreover, recommendations for possible improvements are presented. Our results could also support strategic management decisions on security priorities as well as for the choice of security guidelines for IPv6 roll-outs.

give a unique address to every device connected to the Internet for a practically indefinite amount of time and enables a true end-to-end communication among them. The effectively available address space is certainly smaller than theoretically possible, since large blocks are reserved for special purposes such as multicast, or for purposes yet unknown. Furthermore, the smallest possible allocation is a /64 prefix. This leaves 64 bits to be assigned to network devices. While this will also waste a lot of addresses, this decision was made to improve the manageability and routability of networks [23]. Moreover, there are also further standards published around IPv6 that, for example, define interoperability with other protocols or compatibility with IPv4.

Basically, IPv6 serves the same purpose as IPv4 does, namely the packet-oriented connection of host systems. The following are the main features introduced with IPv6: a simplified IP header structure, Extension Headers, Stateless Address Autoconfiguration (RFC 4862) [24], IP Security Extensions (IPsec), Mobile IPv6 (MIPv6), QoS, route aggregation, and Path Maximum Transmission Unit (PMTU) Discovery.

Although IPv6 was already specified in 1995, IPv4 is still the most popular protocol in networks of all sizes, including the Internet, as several studies have shown. With CAIDA, kc claffy investigated the global IPv6 peering of ASes in 2010.
Only 307 thousand paths to networks were sufficient to cover 99% of all routed prefixes for IPv6, while 170 million paths were used for IPv4, covering 96% of all routed IPv4 prefixes [25]. According to Dell Inc., there were only 44 ISPs worldwide who offered native IPv6 connectivity in 2010 [26].

Why does it take so long for IPv6 to replace IPv4? It is true that the IPv4 address space is very small and would have been exhausted long ago if the principle of end-to-end connectivity had been upheld. However, techniques such as Network Address Translation (NAT) were developed that virtually extend the address space, making it possible to use a single address for multiple sites by utilizing formerly unused transport layer ports [27]. Moreover, some of the features introduced with IPv6, such as IPsec [28] and QoS, were made available for IPv4 as well. Another problem is the unclear business case for IPv6 [29]. So far, there are only very few applications leveraging the features of IPv6, and there is barely any noticeable advantage for end customers. Hence, it is difficult for ISPs to sell IPv6 as a feature to customers and charge for it. Until now, most ISPs have postponed the migration of IPv6
doi:10.3390/fi6010001 fatcat:nx6bzelghjckberkvhkl3gbqx4