Where Does IPsec Fit Into an IPv6 Architecture?
Securing network infrastructures is a never-ending quest of figuring out where to deploy the most effective strategies in a specific environment. While it is common to use IPsec for site-to-site IPv4 VPN environments, it is underutilized for host-to-host communication, where it could offer a far greater improvement in secured communications. If IPv6 deployments are architected to utilize IPsec, many of the lower-level reconnaissance attacks which enable today’s large-scale denial of service (DoS) attacks can be eliminated. Specifically, using transport-mode IPsec for integrity protection can stop random port scans from being successful while still allowing network-based firewalls, IDS and QoS mechanisms to be utilized. While IPsec will not deter attacks that are based on an actual compromised host, it will help mitigate attacks that are used to compromise hosts in the first place.
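The integrity-only argument above, as an added example that is not from the original post: a simplified model of transport-mode AH over IPv6 with an HMAC-SHA-256-128 ICV. The choice of AH, the manually set key and SPI, and the documentation-prefix addresses are assumptions; anti-replay and extension headers are left out.

```python
import hashlib, hmac, ipaddress, struct

AH, TCP = 51, 6            # IPv6 Next Header values
ICV_LEN, AH_LEN = 16, 32   # HMAC-SHA-256-128 ICV; AH padded to a multiple of 8 octets

def icv(key, pkt):
    """HMAC over the packet with mutable IPv6 fields and the ICV field zeroed."""
    hdr = bytearray(pkt[:40])
    hdr[0:4] = b"\x60\x00\x00\x00"   # keep version; zero traffic class and flow label
    hdr[7] = 0                        # zero hop limit
    body = pkt[40:52] + bytes(ICV_LEN) + pkt[52 + ICV_LEN:]
    return hmac.new(key, bytes(hdr) + body, hashlib.sha256).digest()[:ICV_LEN]

def protect(key, spi, seq, src, dst, segment, hop_limit=64):
    """Sender: IPv6 header + AH (transport mode) + cleartext TCP segment."""
    ip6 = struct.pack("!IHBB", 6 << 28, AH_LEN + len(segment), AH, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    ah = struct.pack("!BBHII", TCP, AH_LEN // 4 - 2, 0, spi, seq)
    pkt = ip6 + ah + bytes(AH_LEN - 12) + segment   # ICV and padding start as zeros
    return pkt[:52] + icv(key, pkt) + pkt[52 + ICV_LEN:]

def host_accepts(key, pkt):
    """Receiving host policy: silently drop anything without a valid ICV."""
    if len(pkt) < 40 + AH_LEN or pkt[6] != AH:
        return False
    return hmac.compare_digest(pkt[52:52 + ICV_LEN], icv(key, pkt))

def middlebox_view(pkt):
    """Firewall/IDS view: TCP ports are readable because nothing is encrypted."""
    off = 40 + AH_LEN if pkt[6] == AH else 40
    return struct.unpack("!HH", pkt[off:off + 4])

# Constructed sample data: documentation-prefix addresses, a made-up key and SPI.
KEY = bytes(range(32))
SYN = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT = protect(KEY, 0x1000, 1, "2001:db8::1", "2001:db8::2", SYN)

if __name__ == "__main__":
    remarked = b"\x6b\x80" + PKT[2:7] + bytes([63]) + PKT[8:]   # DSCP EF, hop limit 63
    print("peer packet accepted:", host_accepts(KEY, PKT))
    print("after QoS remark and one hop:", host_accepts(KEY, remarked))
    print("ports seen by middlebox:", middlebox_view(PKT))
    print("packet from non-peer key accepted:",
          host_accepts(KEY, protect(b"x" * 32, 0x1000, 1, "2001:db8::9", "2001:db8::2", SYN)))
```

Because traffic class, flow label and hop limit are excluded from the ICV, a router can remark DSCP without invalidating the packet, while any change to the TCP ports is rejected by the receiver.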
The major issues surrounding IPsec deployments today are complex user configurations and the lack of common terminology, both of which make the technology operationally expensive to deploy. Another issue is the lack of scalable peer authentication credentials, which could be resolved in a manner similar to that of SSL, where devices ship with a default number of trusted PKI roots.
Since current IPv6 deployments are still small, there is a small window of opportunity to fix the issues that are so prevalent in IPv4-related IPsec deployments. Interoperable defaults are needed, as is common user interface terminology, which could make configuring IPsec as easy as configuring SSH and/or SSL. If IPv6 deployments are architected with IPsec as an afterthought, there is a real likelihood that the implementations will be as complex as today's, with no vendor cohesiveness. This will create the same underutilization of IPsec technology as exists in IPv4 deployments today and will greatly undermine the added security considerations that were to be inherent in IPv6 deployments.

