IPv4 vs IPv6 Security


IPv4 vs. IPv6: What's the Difference? | Avast

IPv4: a brief history
Before we get into the differences between the two IP address protocols, what’s IPv4? Well, an IP address is a string of numbers that is assigned to a device to identify it on the internet. It is an address, just as the number and street of your home is an address. While your home address is used to send you mail, your IP address is used to send packets of data that you request.
Internet Protocol version 4, generally referred to as IPv4, was developed in the early 1980s. An IPv4 address comprises four numbers, each ranging from 0 to 255, which are separated by periods. For example, Avast’s IP address is 5.62.42.77. There is more to IP addresses, and it helps to understand the essentials of TCP/IP as well, but these are the basics.
Every website has an IP address; we just don’t use them anymore, typically. In the early days of the internet, it was necessary to know a website’s IP address in order to navigate to it. Then, the Domain Name System (DNS) came along, which translates numbers into names. So when you type in “ the DNS translates that back to 5. This enables us to navigate the web much more conveniently, as it’s much easier to recall a website’s name than its IP address.
Have we run out of IPv4 addresses?
IPv4 has a theoretical limit of 4.3 billion addresses, and in 1980, that was more than enough. But as the internet grew and went global, we quickly ran out of addresses, especially in today’s era of smartphones and IoT devices.
The internet has been running out of IPv4 addresses since the 1990s. While clever engineers have found ways around the problem, it wasn’t long before a more permanent fix became the goal. Developed to solve these capacity issues for good, IPv6 was needed when IPv4 could no longer support the load.
At present, IPv4 coexists on the internet with its newer version, though eventually, everything will use IPv6. Replacing old IPv4 equipment would be prohibitively expensive and disruptive, and so IPv6 is being slowly rolled out as older IPv4 hardware is retired.
IPv6: the future of the web?
Internet Protocol version 6, or IPv6, was first introduced in the late 1990s as a replacement for IPv4. Even then the builders of the internet realized IPv4’s limitations and the eventual shortage.
IPv6 uses 128-bit addresses, allowing for a theoretical 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion addresses. IPv6 addresses are represented as eight groups of four hexadecimal digits, with the groups being separated by colons. One example might be “2002:0de6:0001:0042:0100:8c2e:0370:7234,” but methods to abbreviate this full notation exist.
In addition to increasing the supply of IP addresses, IPv6 also addressed IPv4’s many shortcomings — chief among them being security, which we’ll delve into more later.
IPv4 vs. IPv6
The advent of IPv6 brought more functionality, in addition to more IP addresses. For example, IPv6 supports multicast addressing, which allows bandwidth-intensive packet flows (such as multimedia streams) to be sent to multiple destinations simultaneously, reducing network bandwidth use. But is IPv6 better than IPv4? Let’s find out.
IPv6 has a new feature called autoconfiguration, which allows a device to generate an IPv6 address as soon as it powers up and puts itself on the network. The device begins by looking for an IPv6 router. If one is present, the device can generate a local address and a globally routable address, allowing access to the wider internet. In IPv4-based networks, the process of adding devices often has to be done manually.
IPv6 allows devices to stay connected to several networks simultaneously. This is due to interoperability and configuration capabilities that enable the hardware to automatically assign multiple IP addresses to the same device.
Next, we examine the differences between IPv4 and IPv6 through the lenses of speed and security.
IPv4 vs. IPv6: Speed comparison
How do IPv4 and IPv6 compare when it comes to speed? The security blog Sucuri ran a series of tests in which they found that in direct connections, IPv4 and IPv6 delivered the same speed. IPv4 occasionally won the test.
In theory, IPv6 should be a little faster since cycles don’t have to be wasted on NAT translations. But IPv6 also has larger packets, which may make it slower for some use cases. What really makes a difference at this point is that IPv4 networks are mature and thus highly optimized, more so than IPv6 networks. So with time and tuning, IPv6 networks will get faster.
IPv4 vs. IPv6: Security comparison
IPv6 was built with more security in mind. IP Security (IPsec) is a series of IETF security protocols for security, authentication, and data integrity, and it’s fully integrated into IPv6. The thing is, IPsec can also be fully integrated into IPv4. It’s up to ISPs to implement it — and not all companies do.
IPv6 Security
IPv6 is designed for end-to-end encryption, so in theory, widespread adoption of IPv6 will make man-in-the-middle attacks significantly more difficult.
IPv6 also supports more-secure name resolution. The Secure Neighbor Discovery (SEND) protocol adds a security extension to the Neighbor Discovery Protocol (NDP), which handles discovery of other network nodes on a local link. By default, NDP is not secure, so it can be susceptible to malicious interference. SEND secures NDP with a cryptographic method that is independent of IPsec.
Thanks to native IPsec, IPv6 provides two security headers which can be used separately or together: the Authentication Header (AH) and Encapsulating Security Payload (ESP). Authentication Header provides data-origin authentication and protection against replay attacks, while ESP delivers connectionless integrity, data-origin authentication, protection against replay attacks, and limited traffic flow confidentiality, as well as privacy and confidentiality through encryption of the payload. IPv4 can also have this protection if IPsec is implemented on the network.
IPv4 Security
IPv4 has been significantly updated over the years, so the difference between IPv4 and IPv6 security is not extraordinary. The same IPsec in IPv6 is now available for IPv4; it’s up to network providers and end users alike to embrace and use it — so a properly configured IPv4 network can be as secure as an IPv6 network.
Avast SecureLine VPN is currently compatible only with IPv4, but keeps your IP completely hidden with bank-grade encryption to maintain safety and anonymity online.
Additional benefits of IPv6
IPv6 allows for binding a public signature key — one-half of an asymmetric encryption system, the other being the private key — to an IPv6 address. The resulting Cryptographically Generated Address allows the user to demonstrate “proof of ownership” for a particular IPv6 address and validate their identity. It is impossible to retrofit this functionality to IPv4 with the current 32-bit address space constraint.
The new protocol also enables end-to-end connectivity at the IP layer by eliminating the need for Network Address Translation (NAT) — one of the workarounds designed to conserve IPv4 addresses. This transition opens the door for new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
Also, IPv6 brings the ability to belong to many networks simultaneously, with a unique address on each network, and the ability to combine multiple enterprise networks without readdressing.
Ultimately: Is IPv6 better? Usually, but not always. If you’re asking yourself, “Should I use IPv6?” read on before making your decision.
How to disable IPv6 on Windows, Mac, and Linux
Since very few VPN services support IPv6, IPv6 traffic on your physical NIC may leak information about your online activity or your hardware MAC address. For that reason, if your ISP does support IPv6, but you use a VPN like SecureLine VPN, you should disable IPv6 on your system.
The first thing to do is determine if your ISP supports IPv6. Comcast most notably does and makes a lot of noise about it. However, plenty of big-name ISPs do not, such as Spectrum (which you may know as Time Warner or Road Runner). This site will help you determine if your ISP supports it.
If the IPv6 connectivity test says “Not supported,” then you are OK and your IPv6 address isn’t leaking. Spectrum falls into this category. If the test for IPv6 connectivity says “Supported,” then you should consider disabling IPv6 in your operating system.
Instructions for disabling IPv6 are available for Windows, MacOS, and Linux.
Why don’t we switch to IPv6 permanently?
We will, in time. Legacy technologies take a long time to die off, and the switch to a replacement is never as fast as its supporters would prefer. There will be a permanent migration to IPv6, but it will take decades to achieve. The Internet Society reported last year that there are 24 countries in the world where IPv6 totals more than 15% of overall IP traffic, and 49 that have topped the 5% threshold. So migration from IPv4 to IPv6 is progressing very slowly.
How to Protect your IP address
Why protect your IP address? With your location showing, you expose yourself to a variety of security and privacy issues, such as:
Packet sniffing: Hackers can observe your IP traffic to find out sensitive information about you such as your online banking activity.
Surveillance: Your ISP, snoops, and even governments can spy on your web Websites can see your location and discriminate against you based on it. They can block content and even raise prices.
Avast SecureLine VPN hides your IP address and anonymizes your online activity to keep you safe online. Take back your online privacy in just one click.
Common misconceptions about IPv6 security | APNIC Blog

Misconceptions can be dangerous. This is especially true when they lead to network this post I’ll seek to set the record straight for several of the most common misconceptions about IPv6 security.
IPv6 is more/less secure than IPv4
There are two big misconceptions about IPv6 security:
IPv6 is more secure than IPv4
IPv6 is less secure than IPv4
Neither are true. Both assume that comparing IPv6 security with IPv4 security is meaningful. It is ’s networks, whether they have IPv6 deployed in them or not, are largely IPv6 compatible. All modern operating systems and network devices employ IPv6 dual-stacks, in which IPv6 is turned on by default. Even if you have not actively deployed IPv6, your networks still have the combined vulnerability surface of IPv4 and Therefore, comparing IPv4 security with IPv6 security is meaningless. They both have the vulnerabilities of IPv4 and IPv6. Every network should be secured for IPv4 and IPv6. Ideally, you should have done this well over a decade ago.
IPv6 is IPv4 with longer addresses
In network security, it is crucial not to underestimate the scale of risks. The most common misconception that I have heard in my twenty years of working with IPv6 is that IPv6 is IPv4 with longer addresses. It is not. IPv6 is vastly different from IPv4, often in complex and subtle ways. Sometimes, what is best practice in IPv4 is the opposite of best practice in IPv6.
It is not possible to list all the differences here. Instead, I will illustrate this using addressing. This is one area where superficially the difference between IPv4 and IPv6 appears obvious. However, not only are IPv6 addresses longer, they are also inherently different in attributes, types, structure and how they are used. For example:
They have new attributes: length, scope and is normal for IPv6 interfaces to have multiple addresses. IPv6 addresses can change over Multicast plays a crucial role in core IPv6 are a vast number of methods for assigning interface identifiers (the bottom 64 bits) IPv6 addresses are used and managed is hugely public addresses are is only addressing. IPv6 has many other differences both in things we are familiar with in IPv4 and in completely new protocols and features. All of these have security implications; the biggest being that staff will not appreciate the differences, and therefore the need, to secure give you a feel for the scope of the IPv6 vulnerability surface, I have included the figure below. Of course, it is not intended to compare IPv4 and IPv6 security (indeed IPv4 is included). However, it does illustrate that there are many new areas to consider, some of which are significant.
Figure 1 — The IPv6 vulnerability
IPsec makes IPv6 more secure than IPv4
Internet Protocol Security (IPsec) was designed to provide network layer security (authentication and encryption). It was included as a mandatory feature in the IPv6 standards. Many believed, and some still believe, that this gives IPv6 an advantage over are two reasons why this is not the case. Firstly, while including IPsec functionality in the IPv6 stack was mandatory, using IPsec is not mandatory. Secondly, IPv4 also has IPsec, so there is no difference.
Or is there? IPsec in IPv4 is often used for VPNs. These are terminated at the edge of networks. IPv4 IPsec is rarely used to secure end-to-end traffic. This is because of the widespread use of Network Address Translation in IPv4 (NAT44). NAT44 mangles the IPv4 headers and breaks IPsec. In IPv6 this restriction does not exist. Using IPsec end-to-end becomes more practical. IPv6 is already facilitating new and innovative ways of using IPsec. We have clients who are using IPv6 IPsec to secure all traffic within their data centres. We also have clients who have deployed IPv6 to leverage IPsec based end-to-end security allowing them to decommission their existing VPN
Address scanning is impossible in IPv6
The enormous number of IPv6 subnet addresses (2^64 = 18,446,744,073,709,551,616) is often thought to make it impossible for attackers to scan IPv6 subnets. There is some truth in this. To sequentially scan a gigabit ethernet subnet would take 491,351 years if there is no other However, it is not impossible for an attacker to find addresses in a subnet, it is simply harder. How hard depends on the type of addresses that you are using and where the scanner is
If the network’s IPv6 addresses have a known structure, then scanning them becomes much easier. For example, some organizations number their hosts sequentially: for example, 1, 2, 3. This is the first sequence a scanner is likely to base their IPv6 address structure on IPv4 addresses. This is not considered to be a good idea. From a security perspective, it makes address scanning as trivial as it is in an IPv4 network. Even networks that use modified EUI-64 addresses that are based on MAC addresses can be scanned if an attacker has enough prior, the use of opaque static and privacy addresses can make remote IPv6 address scanning impractical. However, discovering addresses by other means may still be
Estimating the time required to scan an IPv6 subnet:
Length of Neighbour Solicitation frame (including the preamble and interframe gap) = 840 bits
Time to send Neighbour Solicitation on gigabit ethernet = 0.00000084 seconds
Time to transmit all 2^64 Neighbour Solicitations = 1.54953 x 10^13 seconds
= 1.54953 x 10^13 / 31536000 = 491351.6306 years
(Assumes that there is no other traffic on the subnet!)
No NAT makes IPv6 insecure
One of the most common misconceptions regarding IPv6 security is that the lack of NAT makes IPv6 less secure. NAT44 is often seen as a security feature in IPv4 networks. The use of public addresses in IPv6 and the restoration of end-to-end connectivity is of great concern to many IPv4 network
Confusing brokenness with security is a mistake. Firewalls can easily provide equivalent and better protection than NAT without breaking end-to-end connectivity. Ironically, NAT44 and its associated myriad of NAT-traversal techniques have many security issues of their
lessons
These are just a few of the most common misconceptions about IPv6 security. There are many key lessons are:
Don’t underestimate the scale of the differences between IPv6 and IPv4 networks need to be secured against IPv6 network and security staff need to be competent in IPv6 and in IPv6 security IPv6 is deployed will influence how secure it is in a longer introduction to IPv6 security threats and security features, watch my presentation at the UK IPv6 Council on IPv6 Security
David Holder is CEO and chief consultant at Erion Ltd. He has over twenty years’ experience providing IPv6 consultancy and training to enterprises and organizations around the
7 IPv6 Security Risks | eSecurity Planet

The rise of IPv6 could give you some severe security headaches — even if you have no current plans to implement the new networking protocol.
That was the stark warning issued by Eric Vyncke, a security expert from Cisco, talking at the RSA Conference Europe in London this month.
On the face of it, there is not much to worry about with IPv6. After all, it is simply a protocol with a much, much larger address space than IPv4. That certainly makes rigorous network scanning impossible in practice, and it does away with the need for network address translation, but nothing changes at the data-link layer, the transport layer or the application layer. Ethernet, TCP, HTTP — all remain unchanged. So what’s the problem?
Here are seven ways IPv6 can make your organization less secure:
Effective rate limiting is hard to achieve
Rate limiting is a straightforward tactic you probably use to protect your network from automated attack tools. This works on IPv4 networks, making automated attacks less likely to succeed or harder to launch by forcing hackers to deliberately slow their automated attack tools, or to use multiple hosts from which to launch attacks on your network.
The tactic doesn’t really work on IPv6 networks. That’s because IPv6 networks are so vast that it’s impractical to rate limit at the 128-bit address level, Vyncke pointed out. In any case, hackers may be allotted millions or even billions of IPv6 addresses, meaning that to rate limit effectively you would need to limit addresses at the 48-bit or 64-bit level. Right now it’s simply not clear what practical approach you should use to provide the same level of protection. “The industry has yet to learn how to do it,” Vyncke warned.
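Limiting at the 48-bit or 64-bit level, as described above, means counting requests per prefix instead of per address. The following is an added example, not code from the article or from Cisco; the function and class names, the /64 default and the constructed 2001:db8:bad:1::/64 traffic are assumptions made for illustration.

```python
"""Rate limiting keyed by network prefix rather than by full 128-bit address."""
import ipaddress
from collections import defaultdict, deque

# Assumed policy for this example: count an IPv6 client by its /64 (or a
# shorter prefix such as /48) and an IPv4 client by its single address.
V6_PREFIX_LEN = 64


def bucket_key(addr_text, v6_prefix_len=V6_PREFIX_LEN):
    """Return the network (as text) whose requests are counted together."""
    addr = ipaddress.ip_address(addr_text)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 client.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix_len = v6_prefix_len if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter: at most max_requests per window per prefix."""

    def __init__(self, max_requests, window_seconds, v6_prefix_len=V6_PREFIX_LEN):
        self.max_requests = max_requests
        self.window = window_seconds
        self.v6_prefix_len = v6_prefix_len
        self._hits = defaultdict(deque)  # bucket key -> request timestamps

    def allow(self, addr_text, now):
        """Record one request at time `now` (seconds); False means throttle."""
        hits = self._hits[bucket_key(addr_text, self.v6_prefix_len)]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def simulate_address_hopping(v6_prefix_len, requests=20, limit=5):
    """Constructed traffic: one client uses a fresh address inside
    2001:db8:bad:1::/64 for every request, one request per second.
    Returns how many requests the limiter lets through in a 60 s window."""
    limiter = PrefixRateLimiter(limit, 60, v6_prefix_len)
    base = int(ipaddress.ip_address("2001:db8:bad:1::"))
    allowed = 0
    for i in range(requests):
        src = str(ipaddress.ip_address(base + i + 1))
        if limiter.allow(src, now=float(i)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("per-address (/128) buckets:", simulate_address_hopping(128))
    print("per-subnet  (/64)  buckets:", simulate_address_hopping(64))
    print("per-site    (/48)  buckets:", simulate_address_hopping(48))
```

With /128 buckets every request lands in its own counter and the limit never triggers; with /64 or /48 buckets the same traffic is throttled after the configured limit.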
Reputation-based protection does not (yet) exist
Many security software vendors use the reputation of IP addresses to filter out malicious websites that are known sources of malware. While reputation systems for IPv4 addresses already exist, it’s a bit of a chicken-and-egg situation when it comes to IPv6. No one has established an IPv6 reputation database, so no one is using reputation-based security with IPv6 addresses — and therefore no one is building a reputation database. It’s something the security industry will surely eventually adopt, but for now it’s a missing piece in the security puzzle.
Logging systems may not work properly
The key feature of IPv6 is that it uses 128-bit addresses, which are stored as a 39-digit string. IPv4 addresses, on the other hand, are written in the form 192.168.211.255 and may therefore be stored in a 15-character field. If your logging systems expect 15-character IP addresses, they may crash when they encounter “monster” 39-digit IPv6 addresses (creating possible buffer overflow error-related security problems) or they may store only the first 15 characters, rendering the logged information useless. The only solution is to upgrade all your logging systems to support IPv6 addresses.
IPv6 may run by default
You may think you are running an IPv4-only data center, with IPv4-only IDS, monitoring and so on, but IPv6 could be activated and running without your knowledge. That’s because in some circumstances (such as an attacker on your network sending router advertisements), devices on your network can start communicating with each other by default over IPv6 using link-local addresses. (For more information, see the IETF Rogue IPv6 Router Advertisement Problem Statement.) “Your IDS will see none of this traffic, so you should definitely upgrade it to IPv6 now, and make sure that its operators are trained to use IPv6,” warned Vyncke.
SIEM systems may not work properly
Another problem with IPv6 is that every host — inside or outside your network perimeter — can have multiple IPv6 addresses simultaneously. This is not usual in the IPv4 world, and it can cause serious problems. “For example, how do you know by looking at your logs that different entries refer to the same host?” asked Vyncke. In order to make sense of your logs you need to be able to correlate addresses to hosts, but Vyncke warned that thus far no SIEM system fully supports IPv6. It may support it at the network level, for example, but the correlation engine may not.
Simple log analysis using grep won’t work
Yet another problem is that the same IPv6 address can be written in multiple ways, for example:
2001:0DB8:0BAD::0DAD
2001:db8:bad::dad (this is the canonical RFC 5952 format)
As a result, a grep search through your log files is not going to work as before. If devices log addresses using different IPv6 formats, you may have to reconfigure the way they log or change the way you search to catch all the information in your logs about a device.
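One way to change the way you search is to convert every IPv6 address in a log line to its RFC 5952 form before comparing. This is an added example, not code from the article; the function names and the log lines are constructed for illustration, and the canonical text comes from Python's standard ipaddress module.

```python
"""Search logs for an IPv6 address regardless of how each device wrote it."""
import ipaddress
import re

# Loose candidate matcher: a run of hex digits, colons and dots containing at
# least two colons. It also catches timestamps and MAC addresses, so every
# candidate is validated by ipaddress before it is treated as an address.
CANDIDATE = re.compile(r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*")

# Constructed log lines. Three of them refer to the article's example address
# in different notations; one refers to a different host (…::dad1).
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z fw1 ACCEPT src=2001:0DB8:0BAD::0DAD dst=2001:db8::53 dpt=53",
    "2024-05-01T12:00:02Z web1 GET /login client=2001:db8:bad::dad status=200",
    "2024-05-01T12:00:03Z vpn1 session open peer=[2001:DB8:BAD:0:0:0:0:DAD]:4500",
    "2024-05-01T12:00:04Z web1 GET /login client=2001:db8:bad::dad1 status=200",
    "2024-05-01T12:00:05Z sw1 link up mac=00:11:22:33:44:55",
]


def canonicalize(token):
    """Return the RFC 5952 text of an IPv6 address, or None if not IPv6."""
    try:
        return ipaddress.IPv6Address(token).compressed
    except ValueError:
        return None


def normalize_line(line):
    """Rewrite every valid IPv6 address in a line to canonical form."""
    return CANDIDATE.sub(lambda m: canonicalize(m.group(0)) or m.group(0), line)


def addresses_in(line):
    """Set of canonical IPv6 addresses that appear in one log line."""
    found = (canonicalize(m.group(0)) for m in CANDIDATE.finditer(line))
    return {addr for addr in found if addr}


def search(lines, address):
    """Lines that mention `address`, compared as addresses rather than text."""
    wanted = canonicalize(address)
    if wanted is None:
        raise ValueError(f"not an IPv6 address: {address!r}")
    return [line for line in lines if wanted in addresses_in(line)]


def naive_grep(lines, text):
    """What a plain substring search (grep -F) would return."""
    return [line for line in lines if text in line]


if __name__ == "__main__":
    print("substring search:")
    for line in naive_grep(SAMPLE_LOG, "2001:db8:bad::dad"):
        print("  ", line)
    print("canonical search:")
    for line in search(SAMPLE_LOG, "2001:0DB8:0BAD::0DAD"):
        print("  ", normalize_line(line))
```

The substring search misses the uppercase and fully expanded entries and also returns the line for the unrelated host ending in dad1; the canonical search returns exactly the three lines for the address.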
Implications of service provider NAT
IPv6 will probably never completely replace IPv4, and service providers are increasingly likely to resort to service provider network address translation (NAT) in order to be able to produce distinct IPv4 addresses to customers when no new routable ones are available. These customers may in turn use NAT to share the IP address they receive with multiple devices on their home or corporate networks. The security impact of this on IPv4 networks may not be obvious yet, but it is significant nonetheless.
One of the effects is the diminished usefulness of rate limiting IPv4 addresses. When thousands (or more) of people effectively share the same IPv4 address (through service provider NAT and the home or office NAT), your security systems could be fooled into thinking that traffic is coming in from a single source when it is in fact coming from many different sources. It may then block the legitimate traffic.
Similarly, attempting to block a denial of service attack or a source of spam by blocking a single IP address could potentially block thousands of other users who are in no way responsible, and who may in fact be potential users or customers.
There is no obvious way to get around this problem. Thus the effectiveness of rate limiting and IP address blocking as security tools to protect against automated attack tools, denial of service attacks and spam will be limited.
The good news
The good news about IPv6, Vyncke pointed out, is that the majority of vulnerabilities on the Internet are at the applications layer, and that means IPv4 IPS signatures can be reused in IPv6 IPS systems.
Other network-based escapades such as man-in-the-middle attacks or network sniffing are also unaffected by the protocol version, so they will be no more (or less) likely to succeed with IPv6 than they are with IPv4.
But he warns that any notion that IPv6 is a new, improved, security-from-the-ground-up replacement for IPv4 should be quickly dispelled. Don’t forget, he concludes, that IPv6 was originally specified almost 20 years ago.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
Paul Rubens is a technology journalist based in England, and is an eSecurity Planet contributor.

Frequently Asked Questions about IPv4 vs IPv6 security

Is IPv4 or IPv6 more secure?

IPsec makes IPv6 more secure than IPv4 Internet Protocol Security (IPsec) was designed to provide network layer security (authentication and encryption). … These are terminated at the edge of networks. IPv4 IPsec is rarely used to secure end-to-end traffic. (Mar 18, 2019)

Is IPv6 a security risk?

The rise of IPv6 could give you some severe security headaches — even if you have no current plans to implement the new networking protocol. On the face of it, there is not much to worry about with IPv6. … After all, it is simply a protocol with a much, much larger address space than IPv4. (Oct 18, 2012)

What is the difference between IPv4 and IPv6 regarding security issue?

This process can sometimes pose problems for IPv4 devices. … Although IPv6 is designed to be more secure with its built-in encryption capabilities and packet integrity checking, IPv4 can also be made more secure so there is essentially no difference between them when it comes to Internet Protocol security (IPsec). (Oct 21, 2020)
