IPv6 tutorial 3 New features: IPsec and LAN features

https://4sysops.com/archives/ipv6-tutorial-part-3-new-features-ipsec-and-lan-features/

In the last post of this series, I discussed the new IPv6 features Quality of Service (QoS), hierarchical addressing, and the new address space. In this post, I talk about some of the new IPv6 features that are most relevant for Windows admins.

Mandatory IPsec support

The IPv6 specification mandates support for IPsec (Internet Protocol security). IPv6 supporters often claim that this will improve overall security on the Internet. Since IPsec for IPv4 is optional, proprietary VPN solutions are ubiquitous. However, I believe the main reason why IPsec deployments are rare is that configuration is relatively complicated. Thus, I somehow doubt that we will see significantly more IPsec deployments because of IPv6.

But what is most disappointing for me is that IPv6 doesn’t encrypt all kinds of IP traffic. While IPsec implementation is mandatory for IPv6, IPsec deployment is not. Besides, IPsec is essentially a solution for securing connections among sites; it is not a P2P encryption solution.

In my view, it is unbelievable that we are now introducing a new network protocol with a huge amount of effort but will still send data in clear text across the Internet. The inventors of IPv4 couldn’t foresee that secure data transmission would be an issue since their protocol was just intended to allow data transfers between educational institutions. No one really could imagine that the whole planet would use this form of communication in the future.

The IPv6 creators had the chance to correct this shortcoming of the Internet protocol and ensure that any kind of network traffic is encrypted by default. It is really a pity that they didn’t use this once-in-a-lifetime chance.

(Simplified) automatic address assignment

This is perhaps one of the features that will affect the work of Windows admins the most. Much of the documentation talks of “simplified” address assignment, but I somehow think this new feature will cause confusion among admins in the beginning. In an IPv4 network, a computer’s automatic address assignment means that a DHCP server is involved.

IPv6 still supports DHCP-based address assignment (also called stateful address configuration), but now hosts can also configure themselves with IPv6 addresses (stateless address configuration). There are two types of stateless configuration. Hosts can derive an IP address from a prefix (the first part of an IPv6 address that belongs to your organization) advertised by a local router, and they can assign themselves so-called link-local addresses (addresses that are not routed), which they can use to communicate with other nodes on the link (local network). Scary, isn’t it?

Neighbor discovery

The Internet Control Message Protocol for IPv6 (ICMPv6) will replace the Address Resolution Protocol (ARP).

You probably know that ARP is used to determine the link layer address (MAC address in the case of Ethernet) from the IP address.

The main problem with ARP is that it uses broadcasts, which disturb all hosts on the link (LAN).

By contrast, IPv6 uses Neighbor Solicitation multicast messages for neighbor discovery.

Instead of sending a broadcast message to all nodes on the link, only the so-called solicited node multicast IPv6 address is contacted.

The first 104 bits of the solicited node multicast address are fixed (FF02::1:FF00:0/104), and the last 24 bits are equivalent to the last 24 bits of the IP address that has to be resolved.

Since only nodes that share the last 24 bits in their IP address will listen to the solicited node address, fewer hosts are disturbed.
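The mapping described above can be checked in a few lines. The following Python sketch is an added example, not code from the original post: it derives the solicited node multicast address and the Ethernet group MAC it maps to, lists which hosts listen for a given target, and classifies a captured Neighbor Solicitation by whether its destination fits its target. The function names and sample addresses are constructed for illustration, and the unicast case (a solicitation sent straight to the target to confirm reachability) goes one step beyond what the text covers.

```python
import ipaddress

# Fixed 104-bit prefix of every solicited node multicast address (from the text above).
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
LOW_24_BITS = 0xFFFFFF


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Return the solicited node multicast address for a unicast IPv6 address."""
    low24 = int(ipaddress.IPv6Address(addr)) & LOW_24_BITS
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def ethernet_group(addr: str) -> str:
    """Ethernet MAC the group maps to: 33:33 followed by the low 32 bits of the group."""
    low32 = int(solicited_node(addr)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def classify_ns(dst: str, target: str) -> str:
    """Classify a Neighbor Solicitation by its IPv6 destination and its target field."""
    d, t = ipaddress.IPv6Address(dst), ipaddress.IPv6Address(target)
    if d == solicited_node(target):
        return "address-resolution"      # multicast to the target's group
    if d == t:
        return "reachability-probe"      # unicast straight to the target
    return "mismatch"                    # destination does not fit the target


def listeners(target: str, hosts: list[str]) -> list[str]:
    """Hosts that have joined the group a solicitation for `target` is sent to."""
    group = solicited_node(target)
    return [h for h in hosts if solicited_node(h) == group]


# Constructed sample addresses (documentation prefix 2001:db8::/32 and a link-local one).
HOSTS = ["2001:db8::a1:b2c3", "fe80::1234:56ff:fea1:b2c3", "2001:db8::2"]

if __name__ == "__main__":
    print(solicited_node(HOSTS[0]), ethernet_group(HOSTS[0]))
    print(listeners("2001:db8::a1:b2c3", HOSTS))
    print(classify_ns("ff02::1", "2001:db8::2"))
```

The first two sample hosts end in the same 24 bits, so both receive a solicitation meant for either of them, while the third host is not disturbed.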

Extensibility

This is my favorite new IPv6 feature.

While the IPv4 header only supports 40 bytes for options, the size of the IPv6 extensions is only constrained by the size of the IPv6 packet.

IPv6 supports multiple so-called extension headers that can be added after the IPv6 header.

These extension headers have no maximum size, which makes future enhancements of the protocol quite flexible.

My hope is that this feature will be used for mandatory encryption of all IP packets.
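Because the protocol does not bound the chain of extension headers, anything that inspects IPv6 traffic has to walk the chain itself and put its own limit on it. The following Python sketch is an added example, not code from the original post: it follows the Next Header fields from the fixed 40-byte header to the upper-layer protocol and stops at a truncated packet, an ESP header or an over-long chain. The function names, the `max_headers` limit of 8 and the sample packet are assumptions made for illustration.

```python
import ipaddress
import struct

# Next Header values walked here (IANA protocol numbers); any other value
# is treated as the upper-layer protocol.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
         ESP: "esp", AH: "ah", DEST_OPTS: "dest-opts"}
FIXED_HEADER_LEN = 40


def walk_chain(packet: bytes, max_headers: int = 8):
    """Return (extension header names, upper-layer protocol number or None).

    None means the chain could not be followed to its end: an ESP header
    (what follows is encrypted), a truncated packet, or a chain longer
    than max_headers.
    """
    if len(packet) < FIXED_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, seen = packet[6], FIXED_HEADER_LEN, []
    while next_header in NAMES:
        if len(seen) >= max_headers:
            return seen, None
        seen.append(NAMES[next_header])
        if next_header == ESP or offset + 2 > len(packet):
            return seen, None
        following, ext_len = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            size = 8                          # fixed-size header
        elif next_header == AH:
            size = (ext_len + 2) * 4          # AH length is in 4-octet units
        else:
            size = (ext_len + 1) * 8          # 8-octet units after the first 8
        if offset + size > len(packet):
            return seen, None                 # header runs past the captured data
        next_header, offset = following, offset + size
    return seen, next_header


def build_sample() -> bytes:
    """Constructed packet: hop-by-hop + destination options + 8 bytes of ICMPv6."""
    pad = bytes([1, 4, 0, 0, 0, 0])           # PadN option, fills a header to 8 octets
    body = bytes([DEST_OPTS, 0]) + pad + bytes([58, 0]) + pad + bytes(8)
    addr = ipaddress.IPv6Address("2001:db8::1").packed   # constructed address
    return struct.pack("!IHBB", 6 << 28, len(body), HOP_BY_HOP, 64) + addr + addr + body


if __name__ == "__main__":
    print(walk_chain(build_sample()))
```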

Next, I will introduce the IPv6 address syntax.

Time: 2024-10-08 22:03:24
