This article discusses the new IPv6 features of IPsec support, automatic address assignment, and the neighbor discovery function of the ICMPv6 protocol that will replace ARP.
In the last post of this series, I discussed the new IPv6 features Quality of Service (QoS), hierarchical addressing, and the new address space. In this post, I talk about some of the new IPv6 features that are most relevant for Windows admins.
Mandatory IPsec support
The IPv6 specification mandates support for IPsec (Internet Protocol security). IPv6 supporters often claim that this will improve overall security on the Internet. Since IPsec for IPv4 is optional, proprietary VPN solutions are ubiquitous. However, I believe, the main reason why IPsec deployments are rare is because configuration is relatively complicated. Thus, I doubt somehow that we will see significantly more IPsec deployments because of IPv6.
But what is most disappointing for me is that IPv6 doesn’t encrypt all kinds of IP traffic. While IPsec implementation is mandatory for IPv6, IPsec deployment is not. Besides, IPsec is essentially a solution for securing connections among sites; it is not a P2P encryption solution.
In my view, it is unbelievable that we are now introducing a new network protocol with a huge amount of effort but will still send data in clear text across the Internet. The inventors of IPv4 couldn’t foresee that secure data transmission would be an issue since their protocol was just intended to allow data transfers between educational institutions. No one really could imagine that the whole planet will use this form of communication in the future.
The IPv6 creators had the chance to correct this shortcoming of the Internet protocol and ensure that any kind of network traffic is encrypted by default. It is really a pity that they didn’t use this once-in-a-lifetime chance.
(Simplified) automatic address assignment
This is perhaps one of the features that will affect the work of Windows admins the most. Much of the documentation talks of “simplified” address assignment, but I somehow think this new feature will cause confusion among admins in the beginning. In an IPv4 network, a computer’s automatic address assignment means that a DHCP server is involved.
IPv6 still knows DHCP-based address assignment (also called stateful address configuration), but now hosts can also configure themselves with IPv6 addresses (stateless address configuration). There are two types of stateless configurations. Hosts can derive an IP address from a prefix (the first part of an IPv6 address that belongs to your organization) advertised by a local router, and they can assign themselves so-called link-local addresses (addresses that are not routed), which they can use to communicate with other nodes on the link (local network). Scary, isn’t it?
Neighbor discovery
The Internet Control Message Protocol for IPv6 (ICMPv6) will replace the Address Resolution Protocol (ARP). You probably know that ARP is used to determine the link layer address (MAC address in the case of Ethernet) from the IP address. The main problem of ARP is that it uses broadcasts, which disturbs all hosts on the link (LAN). By contrast, IPv6 uses Neighbor Solicitation multicast messages for neighbor discovery. Instead of sending a broadcast message to all nodes on the link, only the so-called solicited node multicast IPv6 address is contacted. The first 104 bits of the solicited node multicast are fixed (FF02::1:FF00:0/104), and the last 24 bits are equivalent to the last 24 bits of the IP address that has to be resolved. Since only nodes that share the last 24 bits in their IP address will listen to the solicited node address, fewer hosts are disturbed.
Extensibility
This is my favorite new IPv6 feature. While the IPv4 header only supports 40 bytes for options, the size of the IPv6 extensions is only constrained by the size of the IPv6 packet. IPv6 supports multiple so-called extensions headers that can be added after the IPv6 header. These extensions headers have no maximum size, which makes future enhancements of the protocol quite flexible. My hope is that this feature will be used for mandatory encryption of all IP packets.
Admittedly, IPv6 addresses look somewhat complicated compared to the relatively simple IPv4 addresses. Rest assured that typos in IPv6 addresses will knock down quite a few systems once IPv6 starts replacing IPv4. But this is the price of the large address space. I guess, we will get used to it. In my next post, I will discuss the different types of IPv6 addresses. I promise that things won’t get easier. 
[IPv6 – Part 1] [IPv6 – Part 2] [IPv6 – Part 3] [IPv6 – Part 4] [IPv6 – Part 5] [IPv6 – Part 6]
