<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ipv6 World</title>
	<atom:link href="http://www.ipv6.in/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ipv6.in</link>
	<description>Ipv6 World</description>
	<lastBuildDate>Tue, 11 Oct 2011 01:19:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Configuring Cisco IOS Firewall in an IPv6 environment</title>
		<link>http://www.ipv6.in/in-the-ipv6-environment-to-configure-cisco-ios-firewall/</link>
		<comments>http://www.ipv6.in/in-the-ipv6-environment-to-configure-cisco-ios-firewall/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 01:19:00 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[ipv4]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/in-the-ipv6-environment-to-configure-cisco-ios-firewall/</guid>
		<description><![CDATA[With the depletion of IPv4 addresses, IPv4 addresses are a thing of the past, replaced by an IPv6 address. I found a lot of enterprise network managem[......]<p class='read-more'><a href='http://www.ipv6.in/in-the-ipv6-environment-to-configure-cisco-ios-firewall/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With the depletion of IPv4 addresses, IPv4 is becoming a thing of the past, replaced by IPv6. I have found that many enterprise network managers seem hesitant about migrating to IPv6, probably because they feel it is a new area and that migration can be a hassle. But the actual work, such as adjusting firewall services, is not as difficult as you might think. Cisco IOS Firewall can be configured in a variety of ways. Suppose your device has the following static access list:</p>
<p>access-list 101 permit tcp any host 10.1.1.1 eq www</p>
<p>access-list 101 permit tcp any host 10.1.1.1 eq ftp</p>
<p>access-list 101 permit tcp any host 10.1.1.1 eq 22</p>
<p>On IPv6 routers, access lists are configured in much the same way as extended access lists.</p>
<p>IPv6 access list example:</p>
<p>permit tcp any host 2001:DB9:2:3::3 eq www sequence 10</p>
<p>permit tcp any host 2001:DB9:2:3::3 eq telnet sequence 20</p>
<p>permit tcp any host 2001:DB9:2:3::3 eq 22 sequence 30</p>
<p>permit tcp any host 2001:DB9:2:3::3 eq ftp sequence 40</p>
<p>The list is applied to an interface with the ipv6 traffic-filter command, which reads much more clearly than the ip access-group command we are used to.</p>
<p>A reflexive access list in IOS for IPv4:</p>
<p>interface Ethernet0/1</p>
<p>ip address 172.16.1.2 255.255.255.0</p>
<p>ip access-group inboundfilter in</p>
<p>ip access-group outboundfilter out</p>
<p>ip access-list extended inboundfilter</p>
<p>permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255</p>
<p>evaluate tcptraffic</p>
<p>ip access-list extended outboundfilter</p>
<p>permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255</p>
<p>permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic</p>
<p>Reflexive access lists can also be configured for IPv6, and the procedure differs little:</p>
<p>interface Ethernet0/1</p>
<p>ipv6 address 2001:db9:1::1/64</p>
<p>ipv6 traffic-filter inboundfilter in</p>
<p>ipv6 traffic-filter outboundfilter out</p>
<p>ipv6 access-list inboundfilter</p>
<p>permit icmp host 2001:db8:1::F host 2001:db9:2::2</p>
<p>evaluate tcptraffic</p>
<p>ipv6 access-list outboundfilter</p>
<p>permit tcp any any reflect tcptraffic</p>
<p>permit icmp any any</p>
<p>Context-Based Access Control (CBAC) is also known as IOS Firewall.</p>
<p>In an IPv4 environment, the firewall configuration looks like this:</p>
<p>ip inspect name FW tcp</p>
<p>!</p>
<p>interface Ethernet0</p>
<p>ip address 10.10.10.2 255.255.255.0</p>
<p>ip access-group 101 in</p>
<p>ip inspect FW in</p>
<p>!</p>
<p>interface Serial0.1 point-to-point</p>
<p>ip address 10.10.11.2 255.255.255.252</p>
<p>ip access-group 102 in</p>
<p>frame-relay interface-dlci 200 IETF</p>
<p>!</p>
<p>In an IPv6 environment it is basically unchanged:</p>
<p>ipv6 inspect name FW tcp</p>
<p>!</p>
<p>interface Ethernet0</p>
<p>ipv6 address 2001:db9:1::1/64</p>
<p>ipv6 traffic-filter inboundfilter in</p>
<p>ipv6 inspect FW in</p>
<p>!</p>
<p>interface Serial0.1 point-to-point</p>
<p>ipv6 address 2001:db9:2::A/64</p>
<p>ipv6 traffic-filter outboundfilter in</p>
<p>frame-relay interface-dlci 200 IETF</p>
<p>!</p>
<p>There is also the Zone-Based Firewall, whose configuration looks like this in both IPv4 and IPv6 environments:</p>
<p>class-map type inspect match-any MYPROTOS</p>
<p>match protocol tcp</p>
<p>match protocol udp</p>
<p>match protocol icmp</p>
<p>!</p>
<p>policy-map type inspect OUTBOUND</p>
<p>class type inspect MYPROTOS</p>
<p>inspect</p>
<p>!</p>
<p>zone security inside</p>
<p>zone security outside</p>
<p>!</p>
<p>zone-pair security IN&gt;OUT source inside destination outside</p>
<p>service-policy type inspect OUTBOUND</p>
<p>!</p>
<p>interface fastethernet0/0</p>
<p>zone-member security inside</p>
<p>!</p>
<p>interface fastethernet0/1</p>
<p>zone-member security outside</p>
<p>!</p>
<p>With this policy in place, you can add IPv4 or IPv6 addresses to the interfaces. TCP, UDP and ICMP are not Layer 3 protocols, so the firewall service is not affected.</p>
<p>Overall, these very simple examples illustrate one fact: when configuring firewalls on Cisco IOS devices, the differences between IPv4 and IPv6 are not big. So you can now start considering how to make your enterprise network support both protocols while the firewall keeps working.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/in-the-ipv6-environment-to-configure-cisco-ios-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv4 addresses about to be depleted; world accelerates into the IPv6 era</title>
		<link>http://www.ipv6.in/ipv4-addresses-to-be-depleted-global-acceleration-entering-an-era-of-ipv6/</link>
		<comments>http://www.ipv6.in/ipv4-addresses-to-be-depleted-global-acceleration-entering-an-era-of-ipv6/#comments</comments>
		<pubDate>Sat, 08 Oct 2011 21:16:00 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[global]]></category>
		<category><![CDATA[ipv4]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/ipv4-addresses-to-be-depleted-global-acceleration-entering-an-era-of-ipv6/</guid>
		<description><![CDATA[As the global IPv4 address to be &#34;within the next few weeks&#34; used up, the industry generally believe that depleted in advance will accelerat[......]<p class='read-more'><a href='http://www.ipv6.in/ipv4-addresses-to-be-depleted-global-acceleration-entering-an-era-of-ipv6/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With the global IPv4 address pool set to be used up &quot;within the next few weeks&quot;, the industry generally believes that the earlier-than-expected depletion of IPv4 addresses will accelerate the development of IPv6, which is currently the only viable way to resolve the IP address shortage.</p>
<p>Since last year, the telecom operators China Telecom and China Mobile have been running IPv6 pilot projects.</p>
<p>&quot;Father of the Internet&quot; Vinton Cerf, now a vice president and chief Internet consultant at Google in the United States, created the Internet communication protocol &quot;IPv4&quot; in 1977, linking computers around the globe to each other. An IP address is a series of numbers assigned to every computer, website or other networked device, and each IP address is unique.</p>
<p>Previously, the Internet Corporation for Assigned Names and Numbers (ICANN) had expected IPv4 addresses to run out in August 2011. This expert believes that the worldwide emphasis on Internet development and the spread of smart terminals are significant causes of the faster depletion of IPv4 addresses, and that the only solution is to move to the next-generation IP protocol, IPv6.</p>
<p>Shanghai Securities analyst Zhang Tao said that IPv4 can still support the current number of domestic computer and mobile phone users, but as the network demands of the Internet grow, IPv4 addresses are clearly not enough; IPv6 can be seen as the network preparation needed for future development.</p>
<p>The worldwide transition from IPv4 to IPv6 has begun. It is understood that the 24 hours starting on June 8, 2011 at 1 (GMT) will be the first trial day of the IPv6 protocol. On that day, the Internet search engine Google, the social networking site Facebook and other sites will be the first to turn on IPv6, providing a testing and analysis platform for users and engineers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/ipv4-addresses-to-be-depleted-global-acceleration-entering-an-era-of-ipv6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HP says IPv6 is currently unprofitable; governments and enterprises should be more active</title>
		<link>http://www.ipv6.in/hp-that-ipv6-is-currently-unprofitable-government-and-enterprises-more-actively/</link>
		<comments>http://www.ipv6.in/hp-that-ipv6-is-currently-unprofitable-government-and-enterprises-more-actively/#comments</comments>
		<pubDate>Sat, 08 Oct 2011 12:16:57 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hp]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/hp-that-ipv6-is-currently-unprofitable-government-and-enterprises-more-actively/</guid>
		<description><![CDATA[HP development prospects to IPv6 today negative, called IPv6 network equipment vendors will not make any money, because IPv6 equipment purchase lack of motivation, all the time is spent on solving software problems. HP said, Governments, international organizations should facilitate enterprises took the lead in deploying fiber optic broadband, so as to bring preconditions to the IPv6 development.[......]<p class='read-more'><a href='http://www.ipv6.in/hp-that-ipv6-is-currently-unprofitable-government-and-enterprises-more-actively/'></a></p>]]></description>
			<content:encoded><![CDATA[<p>HP today took a negative view of the prospects for IPv6, saying that IPv6 network equipment vendors will not make any money because there is little motivation to buy IPv6 equipment and all the time is spent solving software problems. HP said governments and international organizations should encourage enterprises to take the lead in deploying fiber-optic broadband, so as to create the preconditions for IPv6 development.</p>
<p>Government incentive mechanisms are extremely important: they can reduce and resolve resistance to infrastructure development during the transition to IPv6.</p>
<p>HP said its networking division has spent billions of dollars (most of it from the printer and cartridge business) to push network providers and operators to upgrade to IPv6, but has seen little income from it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/hp-that-ipv6-is-currently-unprofitable-government-and-enterprises-more-actively/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malaysian Government to Fully Adopt IPV6 by End of 2012</title>
		<link>http://www.ipv6.in/malaysian-government-to-fully-adopt-ipv6-by-end-of-2012/</link>
		<comments>http://www.ipv6.in/malaysian-government-to-fully-adopt-ipv6-by-end-of-2012/#comments</comments>
		<pubDate>Sun, 04 Sep 2011 09:24:46 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/malaysian-government-to-fully-adopt-ipv6-by-end-of-2012/</guid>
		<description><![CDATA[The Malaysian government is poised to fully adopt the Internet Protocol version 6 or IPv6 by the end of next year and may emerge as the first governme[......]<p class='read-more'><a href='http://www.ipv6.in/malaysian-government-to-fully-adopt-ipv6-by-end-of-2012/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Malaysian government is poised to fully adopt the Internet Protocol version 6 or IPv6 by the end of next year and may emerge as the first government in the world to achieve full IPv6 compliance, Deputy Information Communication and Culture Minister Datuk Joseph Salang said. According to the report several government agencies have already adopted IPv6 and several others are in the process of shifting from IPv4.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/malaysian-government-to-fully-adopt-ipv6-by-end-of-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>World of Warcraft on the next-generation Internet using the IPv6 protocol</title>
		<link>http://www.ipv6.in/use-ipv6-protocol-next-generation-internet-of-world-of-warcraft/</link>
		<comments>http://www.ipv6.in/use-ipv6-protocol-next-generation-internet-of-world-of-warcraft/#comments</comments>
		<pubDate>Sun, 21 Aug 2011 13:40:00 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[Warcraft]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/use-ipv6-protocol-next-generation-internet-of-world-of-warcraft/</guid>
		<description><![CDATA[Global IPv6 Day June last, with all major ISP and network vendors frequent the IPv6 Internet connection test preparation, perhaps no surprise at all. [......]<p class='read-more'><a href='http://www.ipv6.in/use-ipv6-protocol-next-generation-internet-of-world-of-warcraft/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With Global IPv6 Day in June, it is perhaps no surprise that all the major ISPs and network vendors have been busy preparing IPv6 Internet connection tests. What is unexpected is that Blizzard Entertainment, publisher of the popular massively multiplayer online role-playing game (MMORPG) World of Warcraft (WoW), has chosen to be the first to support the IPv6 protocol.</p>
<p>For World of Warcraft players, with the release of patch 4.1, using the IPv6 protocol is now a selectable option. Of course, the player must also have IPv6 connectivity before using it. According to a Blizzard employee, if no IPv6 Internet connection is active, the IPv6 connectivity option is dimmed and cannot be used.</p>
<p>To run World of Warcraft over IPv6, native IPv6 must be used. 6to4 is a dynamic tunneling mode that carries IPv6 across the IPv4 Internet using IPv4 unicast, and Teredo is another tunneling technology that sends IPv6 packets inside IPv4 User Datagram Protocol (UDP) packets.</p>
<p>Of course, to do this you need not only an IPv6 Internet connection but also home network hardware that supports the IPv6 protocol. Unfortunately, most consumer-level SOHO network devices do not support IPv6.</p>
<p>For players whose main interest is playing World of Warcraft, the option is not practical. Choosing the IPv6 protocol does not bring any additional benefit. Really the dead!</p>
<p>But in my estimation, because the number of IPv6 users is low, the network may turn out to be faster and transfers more stable. Blizzard&#8217;s real aim in providing IPv6 support for World of Warcraft is to ensure that all players and game servers are ready for the full deployment of the IPv6 protocol.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/use-ipv6-protocol-next-generation-internet-of-world-of-warcraft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenDNS announces it has started providing DNS services for IPv6 networks</title>
		<link>http://www.ipv6.in/opendns-announces-that-started-providing-dns-services-for-ipv6-network/</link>
		<comments>http://www.ipv6.in/opendns-announces-that-started-providing-dns-services-for-ipv6-network/#comments</comments>
		<pubDate>Sun, 21 Aug 2011 13:37:21 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[dns]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[opendns]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/opendns-announces-that-started-providing-dns-services-for-ipv6-network/</guid>
		<description><![CDATA[As a mainstream third party domain name system (DNS) provider, OpenDNS has just officially announced the DNS support for IPv6 protocol. The company cl[......]<p class='read-more'><a href='http://www.ipv6.in/opendns-announces-that-started-providing-dns-services-for-ipv6-network/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>As a mainstream third-party domain name system (DNS) provider, OpenDNS has just officially announced DNS support for the IPv6 protocol. The company claimed: &quot;OpenDNS is the first recursive DNS service provider in the world to offer such a service.&quot; Although I am not clear whether they are really the first, as a network administrator I know that this is a major step forward. Personally, I use OpenDNS for DNS lookups. It resolves names faster than the DNS provided by my ISP, and its reliability is higher than that of many ISPs&#8217; DNS servers.</p>
<p>With IPv4 Internet addresses completely exhausted, we need Internet connections based on the IPv6 protocol. For the Asian region, it will not be long before the last IPv4 address is assigned. With IPv6 and its 128-bit addresses, we no longer need to fear a shortage of Internet addresses, at least until the Star Trek era arrives. To get there, however, we need to convert our networks to IPv6.</p>
<p>The IPv6-ready service provided by OpenDNS is designed as a sandbox environment for managing the network as a whole, and it can be applied to networks of all sizes, from large enterprises to small and medium businesses, from universities to K-12 school districts, and even small organizations. By connecting to this DNS test platform, network administrators can rehearse before a migration project and make sure problems do not occur in real operation. For the vast majority of business users today, the Internet service provider can supply IPv6 addresses; alternatively, you can use the free IPv6 tunnel service provided by Hurricane Electric.</p>
<p>In a statement, OpenDNS Chief Executive David Ulevitch claimed: &quot;For every network administrator in the world, a sandbox-based IPv6-ready DNS service is something that must be used during the migration. Network administrators without IPv6 experience can set up an IPv6 tunnel and use the DNS service OpenDNS provides for IPv6 compatibility testing. The test service is an Internet service that can help users worldwide migrate from IPv4 to IPv6. Needless to say, we are very proud that the company has become the world&#8217;s first IPv6-ready recursive DNS service provider.&quot;</p>
<p>Now let&#8217;s look at how to use it. First, make sure an IPv6 Internet connection is available. An easy way to check is to visit the KAME website, which provides a free IPv6, IPsec and Mobile IPv6 stack for BSD Unix. It also displays a lovely sea turtle logo: if the turtle is &quot;swimming&quot;, IPv6 connectivity is available.</p>
<p>If you believe your ISP provides IPv6 connectivity but it does not show up, make sure the network equipment you are using is compatible with the IPv6 protocol. A large amount of small office/home office (SOHO) hardware does not support IPv6.</p>
<p>If your ISP does not support IPv6 but your equipment and operating system are ready, you can use the Hurricane Electric IPv6 tunnel broker to connect to the IPv6 Internet. This free service lets developers and researchers connect an IPv6 host or router to Hurricane Electric&#8217;s IPv6 routers by tunneling over their existing IPv4 connection.</p>
<p>To get DNS service, enter the IPv6-ready DNS server addresses that OpenDNS provides. They are:</p>
<p>2620:0:ccc::2</p>
<p>2620:0:ccd::2</p>
<p>If you want to know more about the setup steps, see the comprehensive guide on the IPv6 page provided by OpenDNS.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/opendns-announces-that-started-providing-dns-services-for-ipv6-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure WLAN access for IPv6 users</title>
		<link>http://www.ipv6.in/ipv6-user-wlan-security-access/</link>
		<comments>http://www.ipv6.in/ipv6-user-wlan-security-access/#comments</comments>
		<pubDate>Thu, 18 Aug 2011 09:09:06 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/?p=27</guid>
		<description><![CDATA[Comware software platform as H3C core carrier (or known as a network operating system), to address wireless network access security design for IPv6 us[......]<p class='read-more'><a href='http://www.ipv6.in/ipv6-user-wlan-security-access/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Comware, the software platform at the core of H3C&#8217;s products (also known as its network operating system), includes a complete set of mechanisms designed for the access security of IPv6 users on wireless networks.</p>
<p>Currently the Internet is mainly based on the IPv4 protocol, but wide-ranging deployment of IPv6 networks has begun, CNGI being one example. However, the maturity and security measures of IPv4 networks have not been fully carried over to IPv6 networks. Existing IPv6 access networks, for example, are still open: users can connect, obtain addresses and change addresses freely, without any constraint or limitation. Access security is therefore harder to guarantee.</p>
<p>Here WLANs differ greatly from wired networks: wireless users must authenticate, and the wireless access device knows every online user along with the corresponding MAC address, keys and other information, so IPv6 access security on wireless networks can use some mechanisms distinct from those of wired networks. As H3C&#8217;s unified software platform hosting all network features, WLAN included, Comware covers both the security of today&#8217;s common IPv4 networks and the security of IPv6 networks.</p>
<p>A user&#8217;s identity on the network is the MAC address at the link layer, the IP address at the network layer and the Internet account at the application layer. On a WLAN, link-layer security, that is, correct use of the MAC address, can be guaranteed by 802.11i, but the validity of the IP address that identifies the user&#8217;s packets, particularly once they cross a Layer 3 boundary, is an important link in keeping users safe. Existing wireless security technologies do not guarantee that the IP layer is reliable, and IPv6 is no exception. In addition, many wireless networks use a shared-key mode in which IPv6 users can reach each other at the link layer, which makes hostile sniffing attacks possible and makes the security problem more serious than on a wired network.</p>
<p>Security against source address spoofing</p>
<p>All IPv4 networks face the problem of packet forgery. When forwarding IP packets, a traditional router looks up its forwarding table by the packet&#8217;s destination IP address and does nothing to verify the authenticity of the source address. Upper-layer protocols built on IP (for example, TCP and UDP) identify each peer by its IP address, so an attacker who forges a packet&#8217;s source IP address can deceive the other side and attack existing network devices, applications and servers. H3C has developed a series of IPv4 features to prevent such attacks.</p>
<p>As with IPv4, the packet forgery problem that IPv6 networks face is mainly forgery of the packet source address. Because IPv6 networks are new, the issue is easily neglected. But attackers have already begun to show &#8220;concern&#8221; for it and may launch new attacks on these networks.</p>
<p>A message forged by an attacker may be a data packet or a control message; the most important are the control messages for address assignment and resolution. In IPv6 networks, the control messages for address assignment and resolution are mainly those of the ND (Neighbor Discovery) protocol and the DHCPv6 protocol.</p>
<p>Attacks against the ND protocol fall into the following main categories:</p>
<p>Type I: spoofing attacks. Forged NA/NS/RS messages are sent to modify the MAC address recorded for a specific user on a terminal or on the gateway.</p>
<p>Type II: DoS attacks. A large number of forged NS/RS messages are sent to attack the gateway and overflow its ND table.</p>
<p>Type III: DAD attacks. Forged NA messages block a normal terminal&#8217;s DAD process.</p>
<p>Type IV: RA attacks. Forged RA messages trick terminals on the network into configuring wrong network parameters.</p>
<p>Attacks against the DHCPv6 protocol are mainly forged DHCPv6 server attacks. If an unauthorized rogue DHCPv6 server is set up on the network, DHCPv6 clients may obtain wrong IPv6 addresses and network configuration parameters and be unable to communicate properly.</p>
<p>The Comware platform implements SAVI (Source Address Validation) technology, which listens to the address allocation protocols to learn each user&#8217;s IP address, ensures that subsequent applications use that correct address on the network and cannot forge another user&#8217;s IP address, and so guarantees the reliability of the source address. Combining SAVI with Portal technology further ensures the authenticity and security of the packets of all online users.</p>
<p>First, source address validation to secure IPv6 network access</p>
<p>To address source address spoofing in IPv6 networks, the Comware platform provides a series of solutions. The DHCPv6 Snooping, IPv6 Source Guard and ND Snooping features build a binding table of IPv6 address, MAC address and port, and use the bindings to filter DHCPv6 protocol messages, ND protocol messages and IPv6 data packets by checking the legitimacy of each packet&#8217;s source address.</p>
<p>1. DHCPv6 Snooping</p>
<p>Security keywords: preventing rogue server attacks, preventing address spoofing attacks, preventing DAD attacks</p>
<p>The DHCPv6 Snooping feature ensures that clients obtain IPv6 addresses from a legitimate server and records the correspondence between each DHCPv6 client&#8217;s IPv6 address and MAC address, thus preventing ND attacks.</p>
<p>DHCPv6 Snooping prevents rogue server attacks as follows. To make sure DHCPv6 clients obtain IPv6 addresses from a legitimate DHCPv6 server, the DHCPv6 Snooping security mechanism lets ports be set as trusted ports (Trusted Port) or untrusted ports (Untrusted Port): a trusted port forwards received DHCPv6 messages normally; an untrusted port discards any reply message it receives from a DHCPv6 server. Ports connected to a DHCPv6 server, a DHCPv6 relay or another DHCPv6 Snooping device need to be set as trusted ports and all other ports as untrusted, so that DHCPv6 clients can obtain addresses only from a legitimate DHCPv6 server and an unauthorized rogue DHCPv6 server cannot allocate addresses to them.</p>
<p>By listening to DHCPv6 messages, DHCPv6 Snooping records a DHCPv6 Snooping table that includes the client&#8217;s MAC address, the IPv6 address it obtained, the port connected to the DHCPv6 client and the VLAN that port belongs to. With the IPv6 Source Guard feature enabled on the device&#8217;s user-facing access ports, the generated table is then used to filter the messages received on those ports and keep illegal messages from passing, which limits illegal use of network resources, including address spoofing attacks, and improves port security.</p>
<p>For DAD attacks: with stateful address assignment, DHCP snooping generates trusted table entries; an attacker cannot use DHCP to obtain the same address as the victim, and abnormal NA messages cannot pass the filter on the access-layer switch, which effectively prevents the DAD attack. With stateless address autoconfiguration, the user can use a random interface ID; during the normal address allocation process the device establishes a trusted table entry and uses the table to filter the attacker&#8217;s NA messages, which also effectively prevents the DAD attack.</p>
<p>2. IPv6 Source Guard</p>
<p>Security keywords: user legitimacy checks</p>
<p>The IPv6 Source Guard function is a user legitimacy check: based on the source IPv6 address and source MAC address in a message, it checks whether the user is a legitimate user of the VLAN to which the receiving port belongs. It includes checks based on IP Source Guard static binding entries, on ND Snooping entries and on DHCPv6 Snooping security entries. When all three tables are present, the check proceeds as follows:</p>
<p>First, the IP Source Guard static binding table is checked. If an entry matching both the source IPv6 address and the source MAC address is found, the ND message is considered legitimate and is forwarded. If an entry is found for the source IPv6 address but its MAC address does not match, the ND message is considered illegal and is discarded. If no static binding entry is found for the source IPv6 address, the check continues with the DHCPv6 Snooping and ND Snooping security table entries.</p>
<p>After the IP Source Guard static binding table check, the DHCPv6 Snooping and ND Snooping security table entries are checked; if the message matches either of the two, the ND message is considered legitimate and is forwarded.</p>
<p>If no matching entry is found in any of the checks, the message is considered illegal and is dropped.</p>
<p>3. ND Snooping</p>
<p>Security keywords: preventing address spoofing attacks</p>
<p>The ND Snooping feature listens to the DAD (Duplicate Address Detection) NS messages sent during IPv6 address autoconfiguration to build an ND Snooping table whose entries contain the packet&#8217;s source IPv6 address, source MAC address, VLAN and ingress port. Once ND Snooping is enabled in a VLAN, ND messages received on all ports in that VLAN are redirected to the CPU. With ND Snooping enabled, the CPU analyzes each ND message, extracts its source IPv6 address, source MAC address, source VLAN and ingress port, and creates or updates ND Snooping entries accordingly. Table updates are driven mainly by DAD NS messages, with other types of ND messages also taken into account, and are supplemented by an active confirmation mechanism: the device first probes the correctness of the existing entry and then the authenticity of the newly received message (message A). Finally, an entry aging mechanism ensures that expired ND Snooping entries are removed in a timely manner.</p>
<p>As with DHCPv6 Snooping, the ND Snooping table can be used together with the IPv6 Source Guard function: with IPv6 Source Guard enabled on the device&#8217;s user-facing access ports, the entries generated by ND Snooping are used to filter the messages received on those ports, preventing address spoofing attacks, limiting illegal use of network resources and improving port security.</p>
<p>4. ND Detection and other preventive mechanisms</p>
<p>Security keywords: preventing gateway spoofing attacks, preventing DoS attacks</p>
<p>Building on DHCPv6 Snooping and ND Snooping, Comware provides the ND Detection feature, which checks the legitimacy of the user for ND protocol messages. ND messages from legitimate users are forwarded normally; otherwise they are dropped directly, which prevents attacks that spoof users or spoof the gateway. ND Detection divides the ports on the access device into two types: ND trusted ports and ND untrusted ports. On an ND trusted port, no user legitimacy check is performed. On an ND untrusted port, RA and RR messages are considered illegal and dropped directly, while other types of ND messages undergo a user legitimacy check to prevent user spoofing attacks.</p>
<p>Comware also provides a prevention mechanism against DoS attacks. An attacker can mount a DoS attack on a Layer 3 device by constructing NS/RS messages with constantly changing IP or MAC addresses, draining the gateway's ND table resources. In addition to limits based on routed interfaces, Comware can be configured to limit the number of ND entries learned per physical port, confining ND attacks to a smaller scope. In the future, techniques such as limiting the number of entries learned within a fixed time can extend the ability to defend against DoS attacks.</p>
<p>Second, extension to WLAN technology</p>
<p>The mechanisms above provide a strong guarantee of the reliability of users' IPv6 source addresses in wired broadband networks. For WLAN networking, the Comware platform introduces a new scheme (H3C patented technology) that addresses issues including equipment performance and client roaming, and effectively completes IPv6 source address validation.</p>
<p>A WLAN network includes two elements:</p>
<p>AP (Access Point): bridges wireless clients to the LAN, converting frames from wireless to wired and from wired to wireless between the wireless clients and the LAN.</p>
<p>AC (Access Controller, the wireless controller): controls and manages all the APs in the wireless LAN. The wireless controller can also exchange information with an authentication server to provide authentication services for WLAN users.</p>
<p>Because forwarding passes through more than one level of link-layer control device, simply combining DHCPv6 Snooping or ND Snooping with IP Source Guard, as in a wired network, raises the question of the level at which to deploy them. If both are deployed on the AC, they become resource-intensive when the number of users is very large, and performance degrades easily. If both are deployed on the AP, the AP must snoop and learn entries, maintain the IP Source Guard table, and filter data messages against it, which also has some effect on performance. In addition, the problem of IP spoofing between different APs still exists. For example, after one user has been using an IP address on one AP, a user on another AP can spoof the same IP address by sending a DHCPv6 Confirm message (a legitimate step in DHCP interaction, used to reconfirm the assigned address), and the original AP will not learn of it in a timely manner.<br />
Therefore, in the WLAN environment, Comware uses a new source address validation model that extends WLAN's original MAC validation mechanism and roaming mechanism. In the AC/AP architecture, the AP uses mechanisms similar to DHCPv6 Snooping and ND Snooping to generate per-user IPv6 address information, and uses IPv6 Source Guard for IPv6 source address validation. When the user information table is synchronized to the AC, the user's IPv6 information and the lifetime of the corresponding IPv6 address are synchronized with it. After the user roams, the corresponding information is synchronized to the new AP, which generates a new user information table. The AC builds a master table of the IPv6 address information of all users on the same link, and each new user IPv6 address reported to the AC is checked for uniqueness, preventing IPv6 address forgery within the same link.</p>
<p>This technique extends the original WLAN user authentication technology. IPv6 users are looked up in per-user IPv6 address tables, which is faster and easier to maintain, and the technique solves the problem of validating users' IPv6 source addresses in WLAN roaming situations.</p>
<p>Third, combining with Portal authentication to ensure manageability of IPv6 access</p>
<p>The source address validation methods discussed earlier solve the problem of users forging messages. As a result, the IPv6 address of a user can be used to uniquely identify that user, with a one-to-one mapping between addresses and users, and this identification also works across Layer 3 routers. This facilitates the management of users' online behavior, including authentication, authorization, and accounting. A typical IP-based identity authentication technology is Portal authentication, also commonly known as Web authentication.</p>
<p>In a network where Portal is deployed, when an unauthenticated user goes online, the device forces the user to log on to a specific site, where the user can access services for free. When the user needs to use other information on the Internet, the user must authenticate at the portal site; after authentication, the device allows the user's IPv6 address to use Internet resources.</p>
<p>The Portal authentication functionality implemented by the Comware platform supports a local Portal Server feature: the Portal authentication system does not use an external stand-alone Portal Server, and the Portal Server function is implemented by the access device. In this case, the Portal authentication system includes only three basic elements: the authentication client, the access device, and the authentication/billing server. Because the device directly supports Web user authentication, no additional Portal Server needs to be deployed, which enhances Portal authentication interoperability. In wireless environments, users belonging to different SSIDs (Service Set Identifiers) can be bound to different authentication pages, so as to provide differentiated services.</p>
<p>Fourth, conclusion</p>
<p>IPv6 source address validation (SAVI) ensures the reliability of the source address of the messages each user sends on the network, and Portal authentication ensures the manageability of IPv6 users. Effectively combining Portal with IPv6 source address validation guarantees ease of use and security for users on the Internet, unified management of IPv6 traffic and users, and simple, easy network maintenance and operation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/ipv6-user-wlan-security-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Serious about IPv6</title>
		<link>http://www.ipv6.in/serious-about-ipv6/</link>
		<comments>http://www.ipv6.in/serious-about-ipv6/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 01:07:10 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[safe]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/?p=25</guid>
		<description><![CDATA[Everything has two sides, there is often also bear the advantage without disadvantage. Just like IPv6, it brings almost unlimited IP addresses to Inte[......]<p class='read-more'><a href='http://www.ipv6.in/serious-about-ipv6/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Everything has two sides; an advantage rarely comes without a disadvantage. IPv6 is no exception: it brings almost unlimited IP address resources to the Internet, while also changing the security environment of the Internet and bringing more risks with it.</p>
<p>According to current information on network attacks, although the IPv4 to IPv6 transition has only just begun, some attackers have already started using IPv6 infrastructure to spread spam, or even using the IPv6 address space to attack IPv4 networks.</p>
<p>Does the &#8220;beautiful-looking&#8221; IPv6 hide a larger security black hole? While warmly welcoming IPv6, have we seen the security problems hidden in the transition process? Does the security experience people accumulated in IPv4 environments also apply to IPv6?<br />
Three years ago, a report that &#8220;the Teredo technology included in Windows Vista poses a potential security risk&#8221; exposed some of the security problems faced in the IPv4 to IPv6 transition. Teredo is an address assignment and automatic tunneling technology that can carry IPv6 traffic over an IPv4 network, helping clients achieve compatibility between the IPv4 and IPv6 protocols. At that time, a security expert pointed out that a Teredo client, while passing IPv6 packets to another destination, can bypass network-based source routing controls and get through firewalls and other security devices. Because this feature was also enabled by default in Vista, the technology formed a security vulnerability that could easily be exploited by hackers. Since no system at the time could effectively filter all Teredo packets, experts could only suggest that network administrators disable Teredo, and urge router, firewall, and intrusion detection system vendors to add support for the Teredo protocol so that conventional network security products could filter all Teredo packets.<br />
In fact, Teredo is just a microcosm of the security implications brought by IPv6. Three years later, the Teredo problem has not been fully resolved, a large number of similar transition technologies are beginning to be more widely used (such as 6to4, the SIT mechanism, and transition modes based on UDP and IPv6 communication standards), and products using these technologies also carry IPv6 certification. This situation inevitably leaves reporters concerned about the real effectiveness of the many network security products that currently carry an IPv6 certification mark.</p>
<p>Ron Meyran, director of security products at Radware, told reporters that although many manufacturers claim to have IPv6-certified security products, in fact many manufacturers only provide a special version that is merely able to communicate with IPv6 networks or that relies on a license to run, which does not mean that these products can effectively address IPv6 security issues. Many security products, when dealing with issues similar to Teredo, are either limited or completely ineffective.</p>
<p>He said that even with certified security equipment, enterprises should select carefully and not purchase blindly without understanding how it operates. For example, enterprises still need to test whether the firewall lets some unchecked IPv6 traffic pass through easily rather than intercepting and checking it as it would a non-IPv6 application, whether IPv6 traffic can bypass multiple deep-packet engine hardware components, and so on. In addition, because an IPv6 address is 4 times the length of an IPv4 address, it significantly affects the speed at which network security devices process traffic. This characteristic can also help us judge how genuine a security product's IPv6 support is.</p>
<p>Pay attention to its inherent weaknesses</p>
<p>Compared with IPv4, IPv6 gave more consideration to security issues from the beginning of its design. With IPsec (Internet Protocol Security), IPv6 security can indeed be improved. However, recent network attacks show that IPsec cannot address all the vulnerabilities of IPv6 networks. Compared with IPv4, the new network environment is more complex, and the resulting vulnerabilities are more difficult to predict. For example, an attacker can use false IPv6 router advertisements to automatically create new IPv6 addresses on IPv6-enabled devices in the network. Some transition mechanisms let IPv6 and IPv4 networks affect each other, which gives attackers richer resources to exploit. Transition tools can connect IPv4 applications to IPv6 services, and IPv6 applications can also connect to IPv4 services, which can make network attacks more rampant. The length of IPv6 addresses also becomes a powerful tool for attackers: because IPv6-based traffic filtering increases the CPU load on security devices, the traffic generated by an attacker's DDoS attack will paralyze network devices and servers more easily than in the past.<br />
Moreover, although IPv6's built-in encryption mechanism is meant to provide authentication and security for communication between users and servers, it also sets a trap for firewalls and IPS. It lets attackers use cryptographic mechanisms to bypass firewall and IPS inspection and attack the server directly, because these security devices are unable to inspect encrypted content. Ron Meyran pointed out that attackers can also take advantage of IPv6 transition mechanisms such as Teredo, 6to4 and ISATAP to disguise attacks. Attackers make the packets look no different from normal IPv4 traffic, and only firewalls and IPS that perform complete content inspection of IPv6 traffic through deep packet inspection (DPI) can verify it accurately. &#8220;At present, few IPS and firewall products support IPv6 and can really implement DPI for IPv6. If additional security devices or border security gateways are not deployed, an attacker may exploit this negligence, using IPv6 packets to get into the core network.&#8221;</p>
<p>In addition, the security risk in the IPv6 redirect protocol deserves attention. In IPv6, the primary role of the redirect message is to give nodes on the LAN the correct route. The main function of IPv6 redirect is to keep the host's routing table dynamic and small but effective, improving the efficiency of packet forwarding. However, because the IPv6 redirect protocol lacks source address authentication, a malicious node on the LAN can use IPv6 redirect messages to illegitimately redirect datagrams and carry out a variety of attacks. For example, it first masquerades as the router and then sends a Redirect message telling the attacked node that packets destined for a certain network are better routed through the malicious node. The attacked node then hands the packets it forwards to the malicious node, which can refuse to forward them and block the traffic, or tamper with them.</p>
<p>Beware of &#8220;disobedient&#8221; IPv6</p>
<p>In the process of transitioning from IPv4 to IPv6, enterprises will face more information security issues, and will need to re-examine and adjust their information security systems.</p>
<p>First, in order to achieve seamless compatibility between IPv4 and IPv6, many IPv6 devices have built-in stateless auto-configuration capabilities, and such devices can become uncontrollable for the network administrators who are trying to keep track of them. Administrators will find it difficult to detect which network devices are out of control, and an attacker can exploit this situation. For example, an attacker can easily take control of a misbehaving network device and have it modify or drop traffic without being noticed by the network administrator. Many network administrators probably did not expect IPv6 to bring such risks.</p>
<p>Second, as enterprises adopt IPv6, IT management also becomes more difficult. James Lyne, of technology policy at Sophos, told reporters that some enterprises are not interested in IPv6 traffic and hope to establish clear rules that strictly block IPv6 packets. IT managers therefore need to know &#8220;how to dialogue with IPv6&#8221; in order to write the rules that deal with the protocol.</p>
<p>Meanwhile, James Lyne also pointed to some current issues. He believes that the industry pays little attention to how the built-in features of the IPv6 protocol can help users improve privacy protection, and instead focuses on how fast IPv6 can be deployed. As a result, many insecure protocols, standards and technologies are being adopted widely and recklessly, and enterprises in such a transitional environment are vulnerable to attack.</p>
<p>Compared with the security experience people have accumulated on IPv4, the industry lacks experience in IPv6 security. While IPv6 is being introduced progressively, all network devices have to support both versions of the network protocol, which increases network security risk and may result in huge losses. In the face of IPv6, vigilance and enthusiasm clearly need to co-exist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/serious-about-ipv6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ixia announces that provide technical support for IPV6 authentication based on Wi-Fi</title>
		<link>http://www.ipv6.in/ixia-announces-that-provide-technical-support-for-ipv6-authentication-based-on-wi-fi/</link>
		<comments>http://www.ipv6.in/ixia-announces-that-provide-technical-support-for-ipv6-authentication-based-on-wi-fi/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 01:04:07 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/?p=22</guid>
		<description><![CDATA[Ixia said today, its latest product line acquisition IxVeriWave now support IPv6 test based on Wi-Fi networks and access points. IxVeriWave WaveTest p[......]<p class='read-more'><a href='http://www.ipv6.in/ixia-announces-that-provide-technical-support-for-ipv6-authentication-based-on-wi-fi/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>
Ixia said today that IxVeriWave, its latest product line acquisition, now supports IPv6 testing of Wi-Fi networks and access points. The IxVeriWave WaveTest suite of test products is the first solution for next-generation WLAN infrastructure devices, allowing wireless service providers, device manufacturers and enterprises to ensure that new products and network deployments are fully compatible with IPv6 and backward compatible.</p>
<p>In recent years, the prevalence of mobile devices (for example, smartphones, iPads, iPods, Internet radios, DVRs, game consoles and the like) has depleted the global IPv4 address pool, limiting their development in major markets such as Asia. With IPv6 making up for the shortage of network addresses, ABI Research estimates that the number of global mobile broadband users with IPv6 support will reach 1 billion by the end of this year. Only IxVeriWave WaveTest solutions allow service providers, device manufacturers and enterprises to carry out the key performance and compatibility testing that ensures public and private infrastructure can successfully migrate to IPv6.</p>
<p>Ixia&#8217;s IPv6 test solutions provide test plans and tools for service providers, device manufacturers and enterprises to fully evaluate each device, system, or end-to-end network for IPv6 readiness. IxVeriWave enhances Ixia&#8217;s end-to-end IPv6 capabilities by providing comprehensive IPv6 testing from Wi-Fi access points to the IP network core. As the &#8220;gold standard&#8221; test solution for developing and deploying wireless infrastructure and equipment, WaveTest tests new and improved features and performance in detail, and tests the performance of a system that is handling both IPv6 and IPv4 clients at the same time.</p>
<p>&#8220;Cisco is committed to providing IPv6 support for LAN, WAN and Wi-Fi Internet connections,&#8221; said Cisco Technical Marketing Director Jake Woodhams. &#8220;The IxVeriWave IPv6 capabilities from Ixia are a timely addition to the WaveTest series. Our IPv6-compatible Wi-Fi solutions use the WaveTest system in development, QA and marketing, which allows us to maintain a leading position in the market while innovating at high speed. In addition, powerful tools like WaveTest provide the critical data we need to work closely with our customers as we migrate to IPv6.&#8221;</p>
<p>&#8220;Ixia&#8217;s goal is to provide a one-stop solution for the testing needs of network equipment manufacturers, providers and users. The transition to IPv6 is a reality for us, and the network must be thoroughly verified end to end, including Wi-Fi,&#8221; said Ixia President and CEO Atul Bhatnagar. &#8220;Our recent acquisition of WaveTest, and now its new IPv6 capabilities, enable Ixia to achieve this vision and to help network operators deliver seamless and efficient network and Internet services to their customers.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/ixia-announces-that-provide-technical-support-for-ipv6-authentication-based-on-wi-fi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ARIN&#8217;s John Curran warns of IPv6 misconfigurations, but sees migration issues dwindling</title>
		<link>http://www.ipv6.in/arin-s-john-curran-warns-of-ipv6-misconfigurations-but-sees-migration-issues-dwindling/</link>
		<comments>http://www.ipv6.in/arin-s-john-curran-warns-of-ipv6-misconfigurations-but-sees-migration-issues-dwindling/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 22:40:00 +0000</pubDate>
		<dc:creator>Ipv6</dc:creator>
				<category><![CDATA[Ipv6 News]]></category>
		<category><![CDATA[ipv4]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://www.ipv6.in/arin-s-john-curran-warns-of-ipv6-misconfigurations-but-sees-migration-issues-dwindling/</guid>
		<description><![CDATA[John Curran, President of the American Registry for Internet Numbers (ARIN), who once spent stints at XO Communications, is leading the Inter[......]<p class='read-more'><a href='http://www.ipv6.in/arin-s-john-curran-warns-of-ipv6-misconfigurations-but-sees-migration-issues-dwindling/'>more...</a></p>]]></description>
			<content:encoded><![CDATA[<p>John Curran, President of the American Registry for Internet Numbers (ARIN), who once spent stints at XO Communications, is leading the Internet&#8217;s ongoing migration from IPv4 to IPv6. While World IPv6 Day in June went off with little, if any, impact on traditional users, Curran points out that the main issues will be found in users that have devices that aren&#8217;t configured correctly for IPv6, meaning that if you&#8217;re connected to v6 Internet, but you don&#8217;t actually have a connection to v6, you won&#8217;t be able to access certain websites.<br />To counteract potential IPv6 connection issues, Curran argues that the goal of the IT and Internet industry should be to drive the number of people whose devices are misconfigured for IPv6 access down to a minimum.<br />FierceTelecom&#8217;s Editor Sean Buckley recently caught up with Curran to talk about the ongoing migration to IPv6 and what it means to the everyday consumer and business user.<br />FierceTelecom: We&#8217;re about a month out from World IPv6 Day. What were some of the lessons learned by ARIN and others during the event?<br />John Curran: Users who are configured to access websites and only have v4 turned on won&#8217;t see a change, and users who have had v4 and v6 turned on will suddenly access these websites via v6, but that&#8217;s also working fine since it&#8217;s been standardized now for a dozen years. What we&#8217;re really going to find is (that) people who have v6 turned on their PC, but aren&#8217;t actually connected to Internet with v6, are the ones that will experience problems.<br />It&#8217;s not a protocol problem, but rather a misconfiguration problem. 
It won&#8217;t be a surprise if you turn on your machine and tell your machine you&#8217;re connected to v6 Internet, but you don&#8217;t actually have a connection to v6&#8211;it shouldn&#8217;t be a surprise to anyone you can&#8217;t access it. Those are the cases we&#8217;re really finding. It&#8217;s simply a matter of telling people: &#8216;we&#8217;d like you to turn on v6 as an access service and state that, but if not, just make sure however you connect to the Internet is how you configured your machine.&#8217;<br />FT: One of the other growing concerns for service providers and customers centers on the broadband home gateway. Do you think there will be more activity around the home network by service providers implementing IPv6 in the home network?<br />JC: There are a lot of folks, including Comcast which has a fairly large v6 broadband initiative, and I am sure their users who have v6 didn&#8217;t have a problem. It&#8217;s really a question of trying to make sure when a content company wants to turn on v6 to be ready for the future, that the number of users impacted is relatively low. You could have had IPv6 configured on your machine for years and not even know, so they want to make sure it isn&#8217;t the case anymore. The point is to drive those cases where people who have it misconfigured down to a very low number so it&#8217;s safe for content providers to use IPv6 every day.<br />FT: Are there any actions consumer users need to take to ensure they are ready to take advantage of IPv6 as service providers roll it out in their last mile network and the devices they use on the home network will work appropriately?<br />JC: This all has to do with your desktop. If you have gone in and turned on connection to IPv6 on your laptop when you actually don&#8217;t have an IPv6 connection to the Internet, it&#8217;s possible your Web browser is going to be confused and try sending IPv6 packets. It&#8217;s a local configuration problem. 
ARIN, for example, has turned on IPv6. We&#8217;ll get a call that says our website is not accessible, but that&#8217;s because the user needs to get real IPv6 capability or turn it off. I don&#8217;t mind that because it&#8217;s only a call or two a month. You can&#8217;t safely turn on v6 if there&#8217;s a significant amount of people who have had it misconfigured and never knew it.<br />FT: In making the ongoing transition from IPv4 to IPv6, security has been cited as another concern. Do you see any major issues regarding security?<br />JC: Again, IPv6 is not that different than IPv4. We know the protocol works. You can run firewalls; you can run load balancers; and you can run your security infrastructure. It is true that organizations need to pay attention to IPv6 because it&#8217;s another item to be secured. I had one CIO tell me he did not want to turn on v6 because he was worried about security. I said that&#8217;s the exact wrong answer. IPv6 can be turned on and because of tunneling and Network Address Translation (NAT) someone could be using it on your network and you don&#8217;t even know it. The answer is not to ignore the situation, but rather to realize that there&#8217;s two network protocols in use&#8211;IPv4 and IPv6&#8211;and you have to plan for both on your security model.<br />You have to realize that if you&#8217;re using a model that&#8217;s 10 years old it&#8217;s possible that someone is tunneling those packets straight through your firewall because you did not look at it. It&#8217;s not that there are not security issues, but they have to consciously look at v6 and turn on the same security configuration they have in place already for IPv4.<br />FT: So really it&#8217;s all about applying similar precautions you&#8217;d apply today in an IPv4 environment?
<br />JC: Right. It&#8217;s possible your firewall may be set up to pass all IPv6 packets. Even if you have turned off the firewall to block IPv6 packets, that&#8217;s really probably not the right answer. Why? IPv6 can be tunneled in IPv4 and vice versa. What you want to do is look at the outside of the network and figure out how will I support IPv6 and IPv4 because if I just try to block it it&#8217;s possible someone will tunnel through that and run a translation like a NAT device. It&#8217;s not a question of &#8216;how I safely ignore this,&#8217; but rather doing the work and the configuration because it&#8217;s a matter of there&#8217;s going to be more and more v6 on your network and whether you&#8217;re paying attention to it or not.<br />FT: In talking with Global Crossing, Anthony Christie thinks the migration for businesses will be based on specific triggers such as network upgrades or changing a service provider. Do you agree with that assessment?<br />JC: Well, everyone sees it a bit differently. The major backbone providers that are busy providing services to business already have services in beta or are in production to do IPv6 transport. If you go to a large carrier and say &#8216;I have a GigE Internet connection and I want IPv4 and IPv6,&#8217; many will say &#8216;IPv6 is another way to address it and we&#8217;ll turn that on.&#8217; For them it&#8217;s not a big issue.<br />When you look at the business users, there are a lot of people realizing they should pay attention to it but they won&#8217;t deploy it until they see customer demand. The problem is the customer is all of those mobile devices out there. The problem is all of those parts of the Internet globally that have run out of IPv4 addresses and are going to start using IPv6. 
This isn&#8217;t a case of when you get a choice when you need it, but it&#8217;s a case of when are you going to do your preparation. This is in control in the Internet. You&#8217;ll find if you don&#8217;t support it, you&#8217;ll end up becoming that business that only supports fax but not e-mail.<br />FT: Of course, as businesses make this transition, it appears that service providers are offering IPv6 transition consulting. Do you see that as a big or just a niche opportunity?<br />JC: I think there&#8217;s going to be demand for education, training and consulting for IPv6, but it&#8217;s not a huge market. If you think about what a typical IT staff needs to know today: They have to be experts in servers; they have to be experts in security, and they have to know how they all work and work together.<br />IPv4 is just one set of identifiers. It&#8217;s like having a website written in English, whereas IPv6 is French. All of the concepts don&#8217;t change from IPv4 and IPv6. The IT staff already knows most of this. In fact at a lot of organizations putting something on the Internet means configuring it for IPv4 and IPv6. That&#8217;s the way it is at a lot of companies. It&#8217;s not a separate expense of running around and doing something on IPv6. This is inherently part of the Internet and you should make it part of your IT process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ipv6.in/arin-s-john-curran-warns-of-ipv6-misconfigurations-but-sees-migration-issues-dwindling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

