The relationship between IPv6 technology and smart security

Generally speaking, when we mention IPv6, there is no huge space for IPv6 address, which can make every grain of sand on the earth have an IP address. IPv6 is more secure! But today we are not talking about IPv6, what are the consequences and we know it in time. The necessity of IPv6.

Unstoppable: Major operators have already deployed IPv6, including mobile phones and home broadband, such as mobile 4G mobile phones in Fuzhou, which have obtained IPv6 addresses.

Sitting and waiting: When the IPv6 occupancy rate reaches a certain percentage, I believe that the existing website and the newly filed website will be forced to request IPv6. If not configured, the existing website will stop operating and the application for filing will not be passed. Even then, mobile phones and home broadband will only get IPv6 addresses and cannot obtain IPv4 addresses. Finally, IPv4 was abolished from the Chinese Internet.

Through the above two points, it can be known that as a server (such as a WEB service provider), it is necessary to access IPv6, otherwise it will not be able to operate, and even users will not be able to access it.

Question 1: Does the intranet need IPv6?

Home intranet, such as mobile phones and computers connected to wifi; intranets, such as computers at each workstation in the office; data center intranets, such as servers in the computer room, public cloud hosts... Also need to configure the ipv6 address?

As long as you want to access the IPv6 Internet, you must configure an IPv6 address on the terminal. The reason lies in the "IPv6 priority principle". More and more programs, such as many mainstream modules/framework of major programming languages, will query AAAA records (corresponding to IPv4 A records) through dns when performing domain name resolution. If the domain name provides IPv6 access, it will inevitably resolve the AAAA record. Then, it will be accessed preferentially through IPv6 (even if the device is not configured with IPv6 or even IPv6 is enabled). If the IPv6 network is unreachable, the access will fail directly. Even if some modules/framework will try IPv4 after the failure, it has been increased. A lot of delays.

Question 2: The IPv6 address is too complicated to remember.

It seems that the IPv4 address can be reversed. In fact, the IPv6 address is only increased in length, and the display mode is changed from decimal to hexadecimal. The specific calculation method is the same. Moreover, there is dns, there is no need to back the IP address, even if it is the IPv6 address of the intranet, you can also automatically generate the IPv6 address by sending the RA packet through DHCPv6 or router.

Question 3: Each server has an IPv6 address, which exposes the entire intranet and is unsafe.

Worry is right, but the solution is the same as IPv4, there are two kinds:

You can configure an IPv6 private network address on the intranet server so that the public network cannot access it. In IPv6, the private network address is fd00::/8, which is equivalent to IPv4's 10.0.0.8/8, 172.16.0.0/12, and 192.168.0.0/16. Then configure NAT on the gateway; still use the IPv6 public network address (that is, the global unicast address), but configure the "stateful firewall" on the gateway.

No matter which solution, in the end, it can achieve "only go out", that is, the server can actively access the IPv6 public network, but the public network can not actively access it to ensure the security of the internal network.

IPv6 basics

On the IPv6 tutorial, there are already a lot of great tutorials written on the web. I am not sure that I can write better. Therefore, the "IPv6 Series" article will focus on some concepts, solutions, and many people. Pit not noticed, working principle, etc.

1, IPv6 address length

IPv4: 32 bit

IPv6: 128 bit

It can be remembered that IPv6 is twice as large as IPv4, and each paragraph is doubled in length, so IPv6 is 2×2=4 times longer than IPv4.

2, IPv6 address composition

IPv4: network number + host number / subnet mask, such as 192.168.1.2/24

IPv6: prefix ID + interface ID / prefix length, such as 2001:0000:0000:0000:0011:0000:0000:0010/64

3, address shorthand

IPv4: Not supported

IPv6: Compression 0

Note: IPv6 can be repeatedly compressed in a single paragraph. For example, the above can be compressed to 2001:0:0:0:11:0:0:10/64; if multiple paragraphs are consecutively 0, it can be compressed, but can only be compressed once. For example, the above can be further compressed to 2001::11:0:0:10/64, or 2001:0:0:0:11::10/64, usually the former

4, inspection method

Find a Linux server, such as the centos7 system, execute ip addr add ${IPv6 address} dev eth0, then ip addr show dev eth0 to see how it will compress

5, terminology

Node: Any device running IPv6

Router: Forwards nodes that are not addressed to their own IPv6 packets.

Host: Non-router node

Interface: physical or logical accessory to which a node and link are connected

Link: A collection of network interfaces split by a router

Neighbor: a node on the same link

Link MTU: The largest unit that the link can transmit, that is, the maximum number of IPv6 packets.

Path MTU: The maximum number of IPv6 packets that can be transmitted between the source and destination of IPv6. Usually, the minimum link MTU of all links in the path.

6, IPv6 address generation

IPv4: manual assignment, dhcp allocation

IPv6: manual assignment, dhcp assignment, automatic generation

In IPv6, the mainstream solution is to automatically generate IP instead of manually specifying or dhcp allocation. Of course, as a server, you need to specify it manually, but for a broader client, it is basically generated automatically. This automatically generated, called "stateless", relative to "stateless", the fixed IP obtained through dhcp, is called "stateful" (dhcp also supports "stateless", not detailed here).

In addition to the special address specified by the agreement, other self-assigned addresses can be automatically generated within a specific range, including link local, global unicast, and unique local. The global unicast, unique local, is automatically generated after receiving the RA packet sent by the router, and the specific generation is global unicast or unique local, which is determined according to the prefix in the RA packet content.

IPv6 promotes security phased reform

In the IoT perception layer, the data information collected by the camera accounts for more than half of the world's Internet of Things data. Traditional video surveillance technology has been widely used in various industries such as smart cities and public safety. At present, network video surveillance technology is being upgraded to “video-centric IOT information service”, namely “video+” “video+multidimensional perception”. "and video + multi-dimensional applications", video surveillance network has become a widely used, mature Internet of Things.

The expansion of IPv6 in the address space plays a very good role in controlling and controlling the smart security in the device connection of the video surveillance field, the management of the cloud service platform, and the security of video data transmission. Combined with the continuous development of 5G, it can also play a good time and labor saving role in data transmission rate and frequency band. The double effect brought by IPv6 for smart security deserves attention.

Therefore, the development of IPv6 and the promotion of scale will be a new industrial revolution in the Internet industry, and it will also be a phased reform in the field of smart security. In this game, smart security should not only enter the market quickly, but should also pursue the trend and quickly expand the application pilot to accelerate the full scope of the project.

Security vendors will face new security challenges

Another advantage brought by IPv6 is the greatly improved security. In the deployment of IPv6, IPSec was once standard, which means that data transmission between IPv6 addresses is often encrypted, and information is no longer easily hijacked. Under the development trend of smart cities, the information security problems brought by technologies such as intelligent video surveillance, face recognition and license plate recognition have aroused public concern. IPv6 will undoubtedly meet the public's requirements for personal information security.

However, the security of IPv6 is not a peace of mind. With the large-scale deployment of IPv6, the global Internet security landscape will undergo major changes. Pv6 will face fragmentation attacks on existing IPv4 networks, and problems such as address spoofing and flooding still exist. Experts said that the network security threat and the new network security situation are severe, and IPv6 will become the main attack point. In the era of Internet of Everything, security vendors will also usher in new requirements and challenges.