Do you need IPsec to run IPv6?

The usual claim that “IPv6 has better security because it includes mandatory IPsec support” is evidently creating some confusion, at least based on a set of questions I received from one of my readers.

Can IPv6 work without IPsec?

Absolutely. Most IPv6 deployments don’t use IPsec (unless you’re building IPsec-based VPNs over IPv6 transport infrastructure).

In December 2011, IPsec support in IPv6 was downgraded from MUST to SHOULD by RFC 6434.
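Whether a given IPv6 packet actually carries IPsec can be read from its Next Header chain: ESP is protocol 50 and AH is protocol 51, and a packet with neither is ordinary unprotected IPv6. The following is an added example, not part of the original post; the function names and the sample packets are constructed for illustration.

```python
import struct

ESP, AH, FRAGMENT = 50, 51, 44
# Hop-by-Hop (0), Routing (43), Destination Options (60) share one length rule.
EXT_HEADERS = {0, 43, 60, FRAGMENT, AH, ESP}
IPSEC = {ESP: "ESP", AH: "AH"}


def ipsec_headers(packet: bytes) -> list[str]:
    """Walk the Next Header chain of one raw IPv6 packet; return IPsec headers seen."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if next_header == ESP:
            return found + ["ESP"]  # the rest is encrypted, the walk ends here
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == AH:
            found.append("AH")
            length = (packet[offset + 1] + 2) * 4  # AH length: 32-bit words minus 2
        elif next_header == FRAGMENT:
            length = 8
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                # Non-first fragment: payload follows, not another header.
                inner = packet[offset]
                return found + [IPSEC[inner]] if inner in IPSEC else found
        else:
            length = (packet[offset + 1] + 1) * 8  # 8-octet units minus the first
        next_header, offset = packet[offset], offset + length
    return found  # reached TCP, UDP, ICMPv6, ...


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet between two documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


# Constructed sample packets (not captured traffic).
PLAIN = ipv6(58, bytes([128, 0, 0, 0, 0, 1, 0, 1]))            # ICMPv6 echo request
ESP_PKT = ipv6(ESP, struct.pack("!II", 0x1000, 1) + bytes(16))  # SPI, sequence, opaque data
HOP_BY_HOP = bytes([AH, 0, 1, 4, 0, 0, 0, 0])                   # next=AH, PadN option
AH_HDR = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x2000, 1) + bytes(12)
AH_PKT = ipv6(0, HOP_BY_HOP + AH_HDR + bytes(20))               # AH protecting TCP

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("esp", ESP_PKT), ("ah", AH_PKT)]:
        print(name, ipsec_headers(pkt) or "no IPsec")
```
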

When we want to connect to a server with IPsec over IPv6, shall we have certificates on the clients or will it be like HTTPS?

There’s no difference between IPsec running on top of IPv4 or IPv6. The first step in every IPsec session setup is key exchange; the default key management protocol specified in RFC 6434 is IKEv2. IKEv2 can use preshared keys or certificates.

Is it mandatory to have a Cisco IOS image that includes IPsec support to deploy IPv6?

No. For example, the IP Base technology package on ISR G2 includes IPv6 support. However, you should use the feature navigator to confirm which images support IPv6 on your specific platform/release.

More information

To get an overview of IPv6 deployment requirements, watch the Enterprise IPv6 – the First Steps webinar (or its Service Provider equivalent). Core and access network design guidelines and router configurations are explained in the Building Large IPv6 Service Provider Networks webinar (which is equally applicable in large enterprise environments). All three webinars are available as IPv6 Trilogy jumbo pack or as part of the yearly subscription.

And don’t forget – if you’d like to get help with IPv6 design or deployment planning, check out my ExpertExpress service or contact our professional services team.


  1. It's more important with v6 because currently it's the only way to authenticate your OSPFv3 neighbours
  2. I'm surprised it's only since December 2011 that it's 'SHOULD'. Wasn't it earlier? I suppose politics came into play, selling IPsec separately from IPv6, among others.
  3. IPsec was included based on the internet founders' original premise of “any to any” connectivity but to provide encrypted any to any connectivity. The end hosts would manage their own SAs and SPI on a per connection to another host basis. The extension headers are there to make it easier to achieve this, but because of their presence folks believed it was “on” automatically. Plus, with the addressing structure, IPv6 provides the ability for anyone to talk to anyone securely around the world with no NAT, VPN tunnels, gateways, etc. in between. Just pure IPv6 to IPv6 client securely. We may get there with all the tablets, phones and IP enabled commerce machines, like soda etc.

    For those interested read
    Protocol Politics: The Globalization of Internet Governance (Information Revolution and Global Politics)
    by Laura DeNardis
    A great read not only on IPv6 history and the geopolitics involved in getting it going but also on IPv4’s history.
  4. IPv6 doesn't require every device to use IPsec, but any IPv6 device must support it.

    Best regards,
    1. Have you read RFC 6434? It's referenced in the above text.
    2. Now I am studying IPv6 and I read it in a Cisco book.