Do You Need IPsec to Run IPv6?

The usual claim that “IPv6 has better security because it includes mandatory IPsec support” is evidently creating some confusion, at least based on a set of questions I received from one of my readers.

Can IPv6 work without IPsec?

Absolutely. Most IPv6 deployments don’t use IPsec (unless you’re building IPsec-based VPNs over IPv6 transport infrastructure).

In December 2011, IPsec support in IPv6 was downgraded from MUST to SHOULD by RFC 6434.

Update 2020-12-25: This blog post has only historic significance. Nobody is talking about IPsec with IPv6 anymore. Most everyone gave up and moved to SSL/TLS and/or HTTP/2.

When we want to connect to a server with IPsec over IPv6, shall we have certificates on the clients or will it be like HTTPS?

There’s no difference between IPsec running on top of IPv4 or IPv6. The first step in every IPsec session setup is key exchange; default key management protocol specified in RFC 6434 is IKEv2. IKEv2 can use preshared keys or certificates.

Is it mandatory to have a Cisco IOS image that includes IPsec support to deploy IPv6?

No. For example, IP Base technology package on ISR G2 includes IPv6 support. However, you should use the feature navigator to confirm which images support IPv6 on your specific platform/release.

More information


  1. its more important with v6 because currently its the only way to authenticate your ospfv3 neighbours
  2. I'm surprised it's only since December 2011 that it's 'SHOULD'. Wasn't it earlier? I suppose politics came into play, selling IPsec separately from IPv6, among others.
  3. IPsec was included based on the internet's founders original premise of “any to any” connectivity but to provide encrypted any to any connectivity. The end hosts would manage their own SAs and SPI on a per connection to another host basis. The extension headers are there to make it easier to achieve this, but because of their presence folks believed it was “on” automatically. Plus, with the addressing structure IPv6 provides the ability of anyone can talk to anyone securely around the world with no Nat, vpn tunnels, gateways, etc in between.. Just pure IPv6 to IPv6 client securely. We may get there with all the tablets, phones and IP enabled commerce machines, like soda etc.

    For those interested read
    Protocol Politics: The Globalization of Internet Governance (Information Revolution and Global Politics)
    by Laura DeNardis
    A great read not only on IPv6 history and geo politics involved in getting it going but also on IPv4’s history.
  4. IPv6 don't require every device use IPsec, but any IPv6 device must support it.

    Best regards,
    1. Have you read RFC 6434? It's referenced in the above text.
    2. Now I am studying about ipv6 and I read it in Cisco book.
Add comment