Do You Need IPsec to Run IPv6?
The usual claim that “IPv6 has better security because it includes mandatory IPsec support” is evidently creating some confusion, at least based on a set of questions I received from one of my readers.
Can IPv6 work without IPsec?
Absolutely. Most IPv6 deployments don’t use IPsec (unless you’re building IPsec-based VPNs over IPv6 transport infrastructure).
In December 2011, IPsec support in IPv6 was downgraded from MUST to SHOULD by RFC 6434.
When we want to connect to a server with IPsec over IPv6, shall we have certificates on the clients or will it be like HTTPS?
There’s no difference between IPsec running on top of IPv4 or IPv6. The first step in every IPsec session setup is key exchange; default key management protocol specified in RFC 6434 is IKEv2. IKEv2 can use preshared keys or certificates.
Is it mandatory to have a Cisco IOS image that includes IPsec support to deploy IPv6?
No. For example, IP Base technology package on ISR G2 includes IPv6 support. However, you should use the feature navigator to confirm which images support IPv6 on your specific platform/release.
More information
- To get an overview of IPv6 deployment requirements, watch the Enterprise IPv6 – the first steps webinar or its service provider equivalent.
- You’ll find IPv6 network design and deployment guidelines in the Building Large IPv6 Service Provider Networks webinar.
- All three webinars are included in the yearly subscription.
For those interested read
Protocol Politics: The Globalization of Internet Governance (Information Revolution and Global Politics)
by Laura DeNardis
A great read not only on IPv6 history and geo politics involved in getting it going but also on IPv4’s history.
Best regards,