Do you need IPsec to run IPv6?

The usual claim that “IPv6 has better security because it includes mandatory IPsec support” is evidently creating some confusion, at least based on a set of questions I received from one of my readers.

Can IPv6 work without IPsec?

Absolutely. Most IPv6 deployments don’t use IPsec (unless you’re building IPsec-based VPNs over IPv6 transport infrastructure).

In December 2011, RFC 6434 (IPv6 Node Requirements, which obsoleted RFC 4294) downgraded IPsec support in IPv6 nodes from MUST to SHOULD. IPv6 hosts may still implement IPsec, but a conforming IPv6 stack no longer has to.
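Because IPsec in IPv6 is just another pair of extension headers (AH, protocol 51, and ESP, protocol 50) that a packet may or may not carry, the quickest way to see whether a flow is actually IPsec-protected is to walk the header chain. The following is an added example, not code from the original post: a minimal IPv6 header-chain parser with three hand-constructed packets (an ordinary TCP packet, a Hop-by-Hop option followed by ESP, and AH followed by TCP). The addresses and SPIs are made-up documentation values.

```python
"""Walk an IPv6 header chain and report whether the packet carries IPsec.

Added illustration; the packets below are constructed by hand, not captured.
"""
import struct

# IANA protocol numbers that appear in the IPv6 Next Header field
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60
IPV6_HDR_LEN = 40
CHAINED_EXT = (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT)


def ipv6_header(payload_len, next_hdr, src, dst):
    """Build a fixed 40-byte IPv6 header (version 6, traffic class 0, hop limit 64)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_hdr, 64, src, dst)


def walk_headers(pkt):
    """Return (upper_layer_protocol, ipsec_headers_seen, header_chain).

    Hop-by-Hop, Routing, Destination Options and Fragment headers are skipped
    using their own length fields.  AH is skipped too (RFC 4302: Payload Len is
    in 32-bit words, minus 2).  ESP ends the walk because everything after the
    SPI/sequence number is encrypted and cannot be parsed without the SA.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    if len(pkt) < IPV6_HDR_LEN + payload_len:
        raise ValueError("truncated packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    chain, ipsec = [], []
    while True:
        if nh in CHAINED_EXT:
            chain.append(nh)
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            next_nh = pkt[off]
            # Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len
            # in 8-octet units, not counting the first 8 octets.
            hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        elif nh == AH:
            chain.append(nh)
            ipsec.append(nh)
            if off + 2 > len(pkt):
                raise ValueError("truncated AH header")
            next_nh = pkt[off]
            hlen = (pkt[off + 1] + 2) * 4
        elif nh == ESP:
            chain.append(nh)
            ipsec.append(nh)
            if off + 8 > len(pkt):
                raise ValueError("truncated ESP header")
            return ESP, ipsec, chain
        else:
            chain.append(nh)          # upper-layer protocol (TCP, UDP, ICMPv6, ...)
            return nh, ipsec, chain
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        off, nh = off + hlen, next_nh


def is_ipsec_protected(pkt):
    """True if the packet carries an AH or ESP header anywhere in its chain."""
    return bool(walk_headers(pkt)[1])


# --- constructed sample packets (documentation prefixes, fake SPIs) ----------
SRC = bytes.fromhex("20010db8000000010000000000000001")   # 2001:db8:0:1::1
DST = bytes.fromhex("20010db8000000020000000000000001")   # 2001:db8:0:2::1
TCP_STUB = b"\x00" * 20                                   # placeholder TCP header

# 1. What almost every IPv6 packet looks like: no extension headers, no IPsec.
PLAIN = ipv6_header(len(TCP_STUB), TCP, SRC, DST) + TCP_STUB

# 2. Hop-by-Hop (8 bytes: next=ESP, len=0, one PadN(4) option) followed by ESP.
HBH = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])
ESP_HDR = struct.pack("!II", 0x1000, 1) + b"\xaa" * 32    # SPI, seq, ciphertext
WITH_ESP = ipv6_header(len(HBH) + len(ESP_HDR), HOP_BY_HOP, SRC, DST) + HBH + ESP_HDR

# 3. AH (24 bytes: 12-byte ICV, so Payload Len = 6 words - 2 = 4) followed by TCP.
AH_HDR = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x2000, 1) + b"\xbb" * 12
WITH_AH = ipv6_header(len(AH_HDR) + len(TCP_STUB), AH, SRC, DST) + AH_HDR + TCP_STUB

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("esp", WITH_ESP), ("ah", WITH_AH)):
        proto, seen, chain = walk_headers(pkt)
        print(f"{name:5} chain={chain} upper={proto} ipsec={bool(seen)}")
```

Run it against real traffic by feeding the IPv6 payload of a captured frame to `walk_headers`; an empty `ipsec` list is the normal result on most networks, which is the point of the answer above.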

When we want to connect to a server with IPsec over IPv6, shall we have certificates on the clients or will it be like HTTPS?

From the key-management perspective there's no difference between IPsec over IPv4 and IPsec over IPv6. Every IPsec session starts with a key exchange; the key management protocol RFC 6434 expects IPsec-capable IPv6 nodes to support is IKEv2, and IKEv2 can authenticate the peers with preshared keys or with certificates. It also allows asymmetric setups (the server presents a certificate while clients authenticate with EAP), which is the closest equivalent to the HTTPS model. Whether your clients need certificates therefore depends on the authentication method you choose, not on the IP version underneath.

Is it mandatory to have a Cisco IOS image that includes IPsec support to deploy IPv6?

No. For example, the IP Base technology package on ISR G2 routers includes IPv6 support without any IPsec features. However, you should use Cisco Feature Navigator to confirm which images support IPv6 on your specific platform and software release.

More information

To get an overview of IPv6 deployment requirements, watch the Enterprise IPv6 – the First Steps webinar (or its Service Provider equivalent). Core and access network design guidelines and router configurations are explained in the Building Large IPv6 Service Provider Networks webinar (which is equally applicable in large enterprise environments). All three webinars are available as IPv6 Trilogy jumbo pack or as part of the yearly subscription.

And don’t forget – if you’d like to get help with IPv6 design or deployment planning, check out my ExpertExpress service or contact our professional services team.

6 comments:

  1. It's more important with v6 because currently it's the only way to authenticate your OSPFv3 neighbours.

  2. I'm surprised it's only since December 2011 that it's 'SHOULD'. Wasn't it earlier? I suppose politics came into play, selling IPsec separately from IPv6, among others.

  3. IPsec was included based on the Internet founders' original premise of “any to any” connectivity, but to provide encrypted any-to-any connectivity. The end hosts would manage their own SAs and SPIs on a per-connection basis with each other host. The extension headers are there to make it easier to achieve this, but because of their presence folks believed it was “on” automatically. Plus, with the addressing structure IPv6 provides, anyone can talk to anyone securely around the world with no NAT, VPN tunnels, gateways, etc. in between, just pure IPv6-to-IPv6 client, securely. We may get there with all the tablets, phones and IP-enabled commerce machines, like soda machines etc.

    For those interested read
    Protocol Politics: The Globalization of Internet Governance (Information Revolution and Global Politics)
    by Laura DeNardis
    A great read not only on IPv6 history and geo politics involved in getting it going but also on IPv4’s history.

  4. IPv6 doesn't require every device to use IPsec, but any IPv6 device must support it.

    Best regards,

    1. Have you read RFC 6434? It's referenced in the above text.

    2. I'm studying IPv6 now, and I read it in a Cisco book.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.