IPv6
Because the pool of free IPv4 addresses is almost exhausted and IPv6 will change the IP addressing used today, companies need to prepare for the transition to the new standard.
IP addresses are numeric sequences that direct Internet traffic to the desired destination, usually without users noticing. For example, when the address www.facebook.com is typed into the browser bar, a connection is made to a computer registered at 66.220.149.32. In this case, the address follows the IPv4 protocol, which was created in 1977 and provides about 4.3 billion addresses. According to the American Registry for Internet Numbers, the number of free IP addresses decreased from 1 billion in 2006 to 117 million in December 2010, because more and more devices of different kinds connect to the Internet.
IPv4 will be replaced by the IPv6 protocol, which makes it possible to create trillions of IP addresses. IPv6, which provides a much larger address capacity, was created in the early 2000s, but it is incompatible with IPv4.
What is IP and why is it so important to the Internet?
IP can rightly be called the circulatory system of the Internet. If you look at the information transmitted between network devices over wireless channels, copper cables and optical fiber, you will notice that it consists of tiny digital packets, or "IP packets", made up of zeros and ones. These packets are the fundamental foundation of the Internet. They can be compared to the atoms that make up physical matter, or the cells that make up living organisms. Trillions of IP packets pass through the Internet every second. At the beginning of each packet there is a "header" showing routers and switches where the information came from and where it should be transmitted. The introduction of the IP protocol caused a real revolution in the world of global electronic communications.
What is IPv6 and why do I need it personally?
The IP protocol was developed in an advanced research laboratory. The fourth version of this protocol (IPv4) was preceded by several earlier versions, but it was IPv4 that gained commercial popularity in 1980-1990 and continues to be actively used today. A new version - IPv6 - was developed to solve a number of problems of its predecessor. The main one is the limited address space. IPv4 supports 4.3 billion unique global addresses, and this restriction has not changed since the introduction of this version in 1981. Since the Internet has become an integral part of our daily lives, the transition from IPv4 to IPv6 should be smooth and invisible to users. The task is important and difficult. It can be likened to a wheel change that is invisible to passengers on a high-speed train. Whoever you are: an IT professional, a technology enthusiast or a company executive - you need to understand the problem of limited IPv4 address space and begin the transition to IPv6, especially since the world is already making such a transition. It will have a huge impact on the future growth and development of the internet for the benefit of billions of people using the global network in their daily lives for work, study and leisure.
IPv4 addresses ended in 2012
Why is the Internet still working and developing? Imagine a huge chessboard with 4 billion cells. There are separate zones on this board, many cells in each, which are assigned to various organizations, companies and Internet providers, and those, in turn, install a personal computer, laptop, tablet, smartphone, server or other device on each cell. The network can transmit data packets to any cell (and to a device installed on it). Since the number of cells is limited to 4 billion in the IPv4 protocol, devices on the chessboard become cramped. And although the connection between them is not interrupted, the growth of the network is suspended, and its effectiveness is falling. That's what we're seeing online right now. The IPv4 protocol still works, but we need an even larger chessboard (IPv6) to allow the Internet to grow and expand its functionality to meet our expectations.
Why is IPv6 so important to the Internet of Everything?
The "playing field" of IPv6 is much wider than that of IPv4. It provides huge scope for further development. This is especially important for the Internet of Everything, since IPv6 supports a virtually unlimited number of IP addresses needed to connect the tens of billions of people, processes, blocks of information and inanimate objects from which the Internet of Everything is built. IPv6 quadruples the number of bits in the address field: the IPv4 address field consists of 32 bits, while the IPv6 one has 128 bits. As a result, the number of directly connected networks increases and it becomes possible to configure IP addresses automatically in any local network. Our capabilities are greatly expanded, as the number of squares on our imaginary playing field will be equal to 2 to the 128th power. This means that we will have more than a hundred free squares for each atom on the surface of the Earth.
Where did the IPv5 protocol go?
The first 4 bits in the header of an IP packet indicate the type of the packet, that is, in practice, the version of the IP protocol. In IPv4 packets this field is set to the number "4" (0100 in binary), and in IPv6 packets to the number "6" (0110). Version IPv5 (0101), whose development began back in 1979, turned in practice into the Internet Stream Protocol, and despite the number "5" in the header that distinguishes IPv5 packets from other types of IP traffic, this protocol was never considered a successor to IPv4. Thus, the next version of the IP protocol after IPv4 was IPv6.
Differences from IPv4
Today the network address of a node on a network built on the IP protocol is written as four decimal numbers (from 0 to 255) separated by dots, for example, 192.168.0.1. The main feature of the IPv6 protocol compared to IPv4 is the address length of 128 bits instead of 32. This is, in fact, the reason for the transition, since the number of addresses in IPv6 is significantly larger, which expands the address space and solves the problem of the lack of addresses. In version 6, the parts of the IP address are separated by colons, and an address may look something like this: fe80:0:0:0:200:f8ff:fe21:67cf.
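One IPv6 address can be written in many ways, so filters and log searches should compare parsed addresses rather than strings. The following added example (not part of the original article) shows this with the two sample addresses from the text; the log spellings, function names and class name are constructed for illustration.

```python
import ipaddress

# Filter entries: the two sample addresses from the text above.
BLOCKED = ["fe80:0:0:0:200:f8ff:fe21:67cf", "192.168.0.1"]

# Constructed log values: five spellings of the blocked hosts, one other host.
SPELLINGS = [
    "fe80::200:f8ff:fe21:67cf",                 # zero run compressed with "::"
    "FE80:0000:0000:0000:0200:F8FF:FE21:67CF",  # upper case, leading zeros
    "fe80::200:f8ff:fe21:67cf%eth0",            # with an interface zone id
    "::ffff:192.168.0.1",                       # IPv4-mapped IPv6 address
    "::ffff:c0a8:1",                            # the same mapped address in hex
    "fe80::200:f8ff:fe21:67ce",                 # a different host
]


def parse(text):
    """Parse an address as written in a log: brackets, zone id, any case."""
    text = text.strip().strip("[]").split("%", 1)[0]
    addr = ipaddress.ip_address(text)
    # ::ffff:a.b.c.d is an IPv4-mapped IPv6 address: the peer is an IPv4 host,
    # so it must be checked against the IPv4 rules.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def canonical(text):
    """Return the single normalised spelling of an address."""
    return str(parse(text))


def naive_is_blocked(text, blocked_strings):
    """String comparison, as a simple text-based filter would do it."""
    return text in blocked_strings


class AddressFilter:
    """Blocklist that compares parsed addresses and prefixes, not text."""

    def __init__(self, blocked):
        self.networks = [ipaddress.ip_network(b, strict=False) for b in blocked]

    def is_blocked(self, text):
        addr = parse(text)
        return any(addr.version == n.version and addr in n for n in self.networks)


def compare(spellings, blocked):
    """Return (spelling, naive verdict, parsed verdict) for each log value."""
    flt = AddressFilter(blocked)
    return [(s, naive_is_blocked(s, blocked), flt.is_blocked(s)) for s in spellings]


if __name__ == "__main__":
    for spelling, naive, parsed in compare(SPELLINGS, BLOCKED):
        print(f"{spelling:42} naive={naive!s:5} parsed={parsed}")
```
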
Advantages
After switching to IPv6, providers will be able to provide all users with unique network addresses, while now many users are behind the same IP address using NAT technology (a mechanism in TCP/IP networks that allows converting IP addresses of transit packets).
IPv6 is especially important for innovative applications that involve a large number of network devices and therefore require a wide address space: the new protocol avoids a shortage of IP addresses. These are new-generation applications and services such as machine-to-machine communication, sensor networks, systems for monitoring the environment and energy consumption, security systems and telemedicine. The IPv6 protocol provides a more efficient way to distribute and configure IP addresses, allowing a unique IP address to be assigned to any device, as well as simplifying traffic routing and improving data security.
According to the expert, the transition to a new protocol will help in the fight against viruses and spam. If each user has their own unique IP address, this will allow, for example, various web services to more accurately estimate the number of visitors. And if one of the computers on the network has a virus that sends spam, then not the entire network will get into the blocking lists of mail services, but only a specific computer.
Using IPv6
In February 2011, according to Google, fewer than 0.25% of users accessed the Internet using IPv6.
Some sites, including Google and Facebook, already support IPv6, but on a separate set of web addresses. On June 8, 2011, Google included IPv6 support at its primary addresses: www.google.com and www.youtube.com.
According to Google's IPv6 Statistics, on November 17, 2012, the number of user actions on websites in the native IPv6 environment reached 1 percent for the first time in history. At first glance, this figure is not impressive, but for such a vast network as the Internet, where by 2016 there will be 19 billion active fixed and mobile network connections, even one percent is an impressive figure. The billions of applications, devices, routers and switches that make up the Internet are connected to each other in such a way that if even one device on the route between the user and the content source does not support IPv6, the entire system automatically falls back to IPv4. This is done to keep the Internet operating continuously during the transition to the new protocol. As a result, all the advantages of end-to-end traffic transmission over IPv6 channels will become available only after every link in the network chain, without exception, supports IPv6.
To better understand the process of upgrading each component, Cisco uses several critical indicators and IPv6 implementation statistics in different regions. All this data is collected by an interactive tool running on the 6lab.cisco.com website, where you can familiarize yourself with the progress of IPv6 implementation from different points of view. With this interactive tool, you can 'look' into any country to get an idea of how the process of switching to IPv6 is going on there. For example, hovering over the United States of America, you will see that in this country 57 percent of networks acting as IPv4 transit networks already support IPv6. You will also see that Google estimates that the number of American users working with IPv6 is 1.93 percent higher than the global average and that the average American, working online, spends 45 percent of his time on sites that support IPv6. In addition, on the 6lab.cisco.com website, you can get acquainted with the methodology used to compile ratings and determine percentages.
In 2007, when Google first published IPv6 metrics, the frequency of native IPv6 use was only 0.04 percent. Over the past five years, through joint efforts, our industry has increased this figure by 2,500 percent, at the same time increasing the number of Internet users by 1 billion people. All this was achieved largely due to events such as World IPv6 Day in 2011 and World IPv6 Day in 2012. When planning the worldwide launch of IPv6, I had the privilege of working with other industry leaders and the "Internet Society."
Migrating Operators to IPv6
Since free IP addresses are running out, Internet companies will have to make new versions of sites that support the IPv6 standard, and telecom operators will have to upgrade networks.
Large telecom operators are already actively modernizing networks so that both old and new IP addresses are available. For example, AT&T spent "hundreds of millions of dollars" on it, says its vice president, Dale McHenry. As yet, however, few companies are moving their business to a new protocol.
For any operator, a complete transition to IPv6 is a protracted and time-consuming process, so most operators continue to look for practical ways to make the task easier. The 6rd standard, which arrived just in time (its full name is IPv6 Rapid Deployment), is a proven method for gradually implementing IPv6 in large networks. It has already been approved for publication as an IETF RFC.
MTS switches to IPv6
In June 2017, MTS announced the transition to a new Internet network protocol IPv6, which will allow connecting an unlimited number of mobile Internet of Things (IoT) devices to the global network and solve the problem of exhausting the IP addresses of the current IPv4 protocol. IPv6 support in the MTS mobile network is open in all 18 regions of the Central Federal District, and this summer it will become available in most of Russia.
Now the Internet mainly uses IPv4 addressing to identify devices. The number of IP addresses for devices in this protocol is about 4.3 billion in the world and has already been practically exhausted due to the length of the IP address of 32 bits. 128 bits are involved in the IPv6 address space, which makes the number of devices addressed on the Internet almost infinite. According to forecasts of analytical agencies, the number of connected IoT devices in the world by 2020 will exceed 20 billion and will continue to grow at an explosive pace.
As part of the IPv6 Access service, MTS will ensure smooth migration of clients to the new network architecture thanks to the parallel use of both protocols in Dual-Stack mode, when each device in the mobile network will use two IP addresses - IPv4 and IPv6 - within each data transfer session.
IPv6 is supported by most modern devices. To enable Dual-Stack IPv4/IPv6 mode on an Android smartphone or tablet in the MTS network, specify the internet.mts.ru access point in the settings, select IPv4/IPv6 as the APN protocol and reboot the device. In the near future, IPv6 can also be enabled on Apple devices.
MTS began preparations for the implementation of IPv6 about 10 years ago. Back in 2008, support for a new protocol was launched on the entire MTS backbone network in Russia. In 2013, Moscow City Telephone Network, a member of the MTS Group, began providing Internet access services using the IPv6 protocol based on the GPON optical network.
10 Tips for Secure IPv6 Implementation
Building on its extensive experience with large-scale IPv6 implementations, Finland's Stonesoft Corporation, a developer of innovative network security and business continuity solutions, is actively helping businesses and government agencies transition to IPv6 in a safe and cost-effective way. Stonesoft shares 10 ideas to help CISOs and system administrators dispel myths around IPv6 adoption and prioritize their security initiatives.
- Maximize your existing network: Upgrading your IPv4 network means replacing all legacy nodes and irrelevant features with new ones. Start by upgrading all nodes of the network to the next level, and implementing IPv6 will be easier and safer, avoiding many difficulties and possible problems.
- Plan for a consistent implementation: Take the Social Security Administration (US), which has been implementing IPv6 for nearly 5 years. The final transition is planned to be carried out in three stages within another 6 years. You don't have to keep the pace as slow as it is in government, but a phased IPv6 rollout will give you plenty of time to make sure that the implemented IPv6 works seamlessly with your existing, upgraded IPv4 infrastructure. Plus, you can control the budget.
- Use both protocol stacks in parallel: When switching to IPv6, select the dual protocol stack mode, IPv4 and IPv6. A dual protocol stack is advantageous, although running the protocols in parallel may require upgrading routers to meet memory and network power requirements. In addition, to further simplify the transition, the dual stack allows your system to support applications that do not yet work with IPv6. Using a dual stack will also help eliminate the need for network tunnels, which are very often a problem for security professionals.
- Take care of network tunnels: The National Institute of Standards and Technology (NIST, USA) in the "IPv6 Secure Implementation Guide" suggests treating tunnels as external links, that is, with extreme caution. It is recommended that you inspect all tunneled IPv6 traffic, including IPv4 packets, with the same care and consistency as the rest of your traffic before allowing it in or out. It is proposed to use the usual virus protection tools, intrusion detection and prevention systems, inbound network traffic filters, packet filters and application-level proxies. In addition, it makes sense to use additional robust security measures such as authentication to protect endpoints.
- Do not lose sight of intruders: Attackers have already made their way into the IPv6 protocol, and did so even faster than with other technologies. Do not forget about router security warnings and man-in-the-middle attacks. Some network attacks penetrate deep into the system faster than you can realize what is happening, which further aggravates the damage. Such attacks can come from scripts whose seeming simplicity can be misleading. Remembering all types of attacks and the corresponding countermeasures is not always possible. It is important to be prepared and to remember that there are already a great many types of attacks, and even more are expected.
- Use IPv6-ready-certified firewalls: Be careful about vendors' IPv6 compliance claims. If the product is not certified by third parties, it is quite possible that the vendor simply embedded a "traffic generator" in the product and claims that it works. Select products that have been certified by third parties. Only in this case are publicly recognized assessment methods used, helping you verify the real capabilities of your firewall.
- Implement authentication: Authentication is becoming more important and, fortunately, more accessible than before. Stonesoft recommends using an HTTP/HTTPS proxy to access the Internet. Once you have set the required authentication options, you will reduce the number of unwanted threats attempting to enter your network without your knowledge or desire.
- Examine the syntax of the IPv6 protocol: The syntax of IPv6 is, on the one hand, very similar to that of IPv4, but it differs significantly in its fundamentals. Knowing the syntax will help you quickly eliminate security weaknesses or implement the necessary security measures. Because IPv6 has existed for more than a decade, there is no shortage of information on the subject, including several well-known hefty technical volumes, such as a 188-page guide from the US government.
- Use the disconnect button: This may sound strange, but it is not as simple as it seems: disable the IPv6 protocol when you are not using it. The reason is that a number of programs have been configured to work with IPv6, and even more applications may have IPv6 built in by default. Check your network environment two or three times to make sure that IPv6 features are enabled only where they are actually in use. Timely use of the disconnect button can be very useful in general.
- Neutralize in a timely manner: Even if IPv6 is disabled in most segments of your network, you may still be threatened by unwanted IPv6 users. If this threat becomes a reality, you need to know how to neutralize it before other users of your network are affected. This is where it is vital to apply knowledge of IPv6 syntax, especially to the configuration of efficient firewalls and network filters. You can create filters that allow the traffic you need and block unwanted traffic, and make sure that IPv6 functions properly when you need it.
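The tips on tunnels, on switching IPv6 off where it is unused, and on filtering all depend on knowing where IPv6 actually appears on the wire. The following added example (not part of the original article or of any Stonesoft or NIST material) labels Ethernet frames as native IPv6, IPv6 encapsulated in IPv4 (protocol 41, used by 6in4, 6to4 and 6rd) or Teredo (UDP port 3544); the sample frames and all function names are constructed.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_IPV6 = 17, 41   # IANA protocol numbers; 41 = IPv6 encapsulation
TEREDO_PORT = 3544               # UDP port used by Teredo (RFC 4380)
IPV6_LABELS = {"native-ipv6", "ipv6-in-ipv4", "teredo"}


def classify_frame(frame: bytes) -> str:
    """Label an Ethernet frame by the way it carries (or hides) IPv6."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETH_VLAN:                    # skip one 802.1Q tag
        if len(frame) < 18:
            return "malformed"
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    packet = frame[offset:]
    if not packet:
        return "malformed"
    version = packet[0] >> 4                     # first 4 bits of the IP header
    if ethertype == ETH_IPV6:
        return "native-ipv6" if version == 6 else "malformed"
    if ethertype != ETH_IPV4:
        return "other"
    if version != 4 or len(packet) < 20:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    # Only the first fragment holds the start of the inner header.
    first_fragment = (struct.unpack_from("!H", packet, 6)[0] & 0x1FFF) == 0
    if proto == PROTO_IPV6:
        if first_fragment and (not payload or payload[0] >> 4 != 6):
            return "malformed"
        return "ipv6-in-ipv4"
    if proto == PROTO_UDP and first_fragment and len(payload) >= 8:
        sport, dport = struct.unpack_from("!HH", payload, 0)
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"


def unexpected_ipv6(frames):
    """Names of frames carrying IPv6 on a segment where it should be off."""
    return [name for name, f in frames.items() if classify_frame(f) in IPV6_LABELS]


# --- Constructed sample frames (zero MACs, zero checksums, test addresses) ---
def _eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def _ipv6(payload=b""):
    # Version 6, next header 59 (no next header), hop limit 64, zero addresses.
    return struct.pack("!IHBB", 0x60000000, len(payload), 59, 64) + bytes(32) + payload

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLES = {
    "native": _eth(ETH_IPV6, _ipv6()),
    "6in4": _eth(ETH_IPV4, _ipv4(PROTO_IPV6, _ipv6())),
    "teredo": _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(50000, TEREDO_PORT, _ipv6()))),
    "dns": _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(50000, 53))),
    "vlan-native": bytes(12) + struct.pack("!HHH", ETH_VLAN, 10, ETH_IPV6) + _ipv6(),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:12} {classify_frame(frame)}")
```

Teredo is recognised here by its port alone, so traffic that is relayed over other ports, or carried inside an encrypted tunnel, is not labelled by this check.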
History
2024: FSTEC warns: working in Windows with IPv6 can be dangerous
On August 16, FSTEC sent out a warning that on August 13 Microsoft had released fixes for the critical vulnerability BDU:2024-06242[1] in the Windows operating system; its CVSS severity score is 9.8 out of 10. This is an integer overflow vulnerability in the operating system's implementation of the basic IPv6 protocol, which allows arbitrary code to be executed using specially crafted network packets. The danger of the fixed defect is that exploiting it requires no interaction with the user and cannot be blocked by the built-in defender of the operating system, since the flaw is triggered before the packet is passed to it.
"If the current description of the vulnerability is correct, and an attacker can really cause remote code execution by simply sending IPv6 packets to Windows hosts, then this is a very serious vulnerability that can be exploited in attacks on organizations in Russia and around the world," Alexander Leonov, lead expert at PT Expert Security Center, Positive Technologies, warned TAdviser. "As a result, a situation similar to the 2017 ransomware epidemics may arise, when attackers exploited a vulnerability in SMB MS17-010 using the EternalBlue exploit leaked from the NSA. The danger of the vulnerability is that IPv6 support is enabled on Windows hosts by default. Thus, all Windows devices that have not been reconfigured in a secure way can be vulnerable."
Some experts believe that the danger is limited by how reachable Windows servers are from the outside, since external network interfaces are mostly occupied by security tools that no longer run Windows. The import substitution process forced companies to hide information systems based on Windows and other Microsoft products behind a protective perimeter of Russian products. Therefore, it is now difficult to reach internal Windows servers directly from the Internet, even via IPv6: they mostly use private IP network addresses.
"The vulnerability is dangerous only for those who have a public address with IPv6 support enabled and have not installed security updates that fix this vulnerability," Mikhail Sergeyev, a leading CorpSoft24 engineer, assured TAdviser. "And since IPv6 is enabled by default on many servers and updates are disabled, the vulnerability can affect a large number of servers, so it is worth urgently checking your Windows servers and taking the necessary measures to protect."
However, if malware has already entered the corporate network, it can spread quickly and attack internal Windows computers. This is exactly how encryption viruses based on EternalBlue, such as WannaCry or Petya, spread in their time. Moreover, in some cases it is IPv6 that allows the perimeter to be overcome: not all firewalls can block and filter it effectively, and since there are no restrictions on the available IPv6 addresses, public addresses can also be found inside the corporate network or in a leased cloud to which a tunnel is configured from inside the corporate network. As a result, this vulnerability can be very dangerous for domestic companies in particular.
"When renting an IPv4 address or buying a server/VPS/VDS, large providers also issue a default IPv6 address and the server is available at both addresses (IPv4 and IPv6)," said Mikhail Sergeyev, pointing to the current realities. "Since the IPv4 address is paid, some providers offer a server with only an IPv6 address; you don't need to pay for the address, but the problem is that many servers, users and systems where there is no IPv6 support will not be able to interact with such a server, so the demand is very low."
According to the European Internet registrar RIPE NCC, at the beginning of June 2023 the share of IPv6 Internet traffic in Russia amounted to 8.16% of the total volume of transmitted data. For comparison, in 2019 this figure was approximately 3.45%. The growing popularity of the technology is dangerous precisely because attackers can use it to attack an organization or its cloud resources unexpectedly, over an unusual protocol.
"Attackers are showing increased interest in Russia, so this vulnerability poses a serious threat to our country," Ruslan Bisengaliev, a cybersecurity threat analyst at R-Vision, shared his concerns with TAdviser. "The blow is carried out on the Windows operating system, since many companies use it. This makes the area of attack very wide. According to information from the BDU, this vulnerability allows code to be executed remotely, which creates great opportunities for attackers. In addition, the situation is complicated by sanctions, since we need to find a reliable source for downloading updates. One way to protect Windows is to disable IPv6. However, this can cause the system and some Windows components to malfunction."
Recommendations for disabling IPv6 are also offered by Luka Safonov, a representative of the Garda Group of Companies. He explained the situation to TAdviser as follows: since any version of Windows with IPv6 enabled by default is vulnerable, the discovered vulnerability is quite dangerous for Russian companies. Moreover, it is impossible to protect against its exploitation using the firewall of the operating system itself, since the handler receives packets BEFORE they are processed by the security system. You can disable IPv6, but this can interfere with the operation of other OS components. He also noted that fake exploits for this vulnerability have appeared online, which attack the would-be hackers themselves who download and launch the exploit on their own computers.
FSTEC itself offers the following compensatory measures for companies that cannot install the update released by Microsoft:
- Use firewall tools to limit the ability to receive network traffic over IPv6 (not through the Windows operating system itself).
- Disable IPv6 on the operating system.
- Restrict remote access to the vulnerable operating system from external networks (Internet).
However, do not forget that hackers can use this flaw to move inside corporate systems or clouds, so it is also worth monitoring suspicious IPv6 activity inside the secure perimeter using intrusion detection systems, trying to identify signs of exploitation of the described vulnerability in the captured traffic.
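The reasoning in this section (which hosts are reachable, which measures actually help) can be turned into a triage pass over a host inventory. The following is an added example, not FSTEC or vendor tooling: the inventory records, field names and labels are constructed, and 2001:db8::/32 is the documentation prefix standing in for a provider-assigned public prefix.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SEVERITY = ["exposed-external", "exposed-internal",
            "mitigated-ipv6-disabled", "patched"]


def scopes(addresses):
    """Return the set of IPv6 scopes present among a host's addresses."""
    found = set()
    for text in addresses:
        addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop zone id
        if addr.version != 6:
            continue
        if addr in LINK_LOCAL:
            found.add("link-local")
        elif addr in GLOBAL_UNICAST:
            found.add("global")
        else:
            found.add("other")          # for example unique local fc00::/7
    return found


def triage(host):
    """Classify one Windows host with respect to the IPv6 vulnerability."""
    if host["patched"]:
        return "patched"
    if not host["ipv6_enabled"]:
        return "mitigated-ipv6-disabled"
    # The host's own firewall is deliberately not an input: according to the
    # text, packets reach the vulnerable handler before it filters them.
    if "global" in scopes(host["addresses"]) and not host["perimeter_blocks_ipv6"]:
        return "exposed-external"
    # Link-local or filtered hosts are still reachable from inside the network.
    return "exposed-internal"


def prioritize(inventory):
    """Return (host name, label) pairs, most urgent first."""
    labelled = [(h["name"], triage(h)) for h in inventory]
    return sorted(labelled, key=lambda item: SEVERITY.index(item[1]))


# Constructed inventory; names and addresses are illustrative only.
INVENTORY = [
    {"name": "srv-db", "patched": True, "ipv6_enabled": True,
     "perimeter_blocks_ipv6": False, "addresses": ["2001:db8:10::40"]},
    {"name": "srv-files", "patched": False, "ipv6_enabled": True,
     "perimeter_blocks_ipv6": True,
     "addresses": ["192.168.0.1", "fe80::200:f8ff:fe21:67cf%12"]},
    {"name": "srv-legacy", "patched": False, "ipv6_enabled": False,
     "perimeter_blocks_ipv6": False, "addresses": ["192.168.0.7"]},
    {"name": "srv-mail", "patched": False, "ipv6_enabled": True,
     "perimeter_blocks_ipv6": False,
     "addresses": ["2001:db8:10::25", "fe80::1"]},
    {"name": "srv-cloud", "patched": False, "ipv6_enabled": True,
     "perimeter_blocks_ipv6": True, "addresses": ["2001:db8:20::8"]},
]

if __name__ == "__main__":
    for name, label in prioritize(INVENTORY):
        print(f"{name:12} {label}")
```
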
2023: IPv6 accounts for 8% of Internet traffic in Russia
As of the beginning of June 2023, the share of IPv6 Internet traffic in Russia amounted to 8.16% of the total volume of transmitted data. For comparison: in 2019, this figure was approximately 3.45%. Such figures were revealed on June 9, 2023 by the RIPE NCC regional Internet registrar and Google Corporation.
It is reported that worldwide IPv6 accounts for about 39.15% of all Internet traffic. In 2019, the value was approximately 28.59%. The leadership in terms of IPv6 implementation belongs to France with a share of 74.13% of the total traffic by the beginning of June 2023. In Germany, the figure is 67.74%, in Belgium - 65.24%. Among European countries, IPv6 penetration is also high in Greece, where the result is 60.08%, in Hungary - 51.82%, in Finland - 48.03% and in Britain - 43.23%. In Portugal, at the beginning of June 2023, IPv6 accounted for 36.91% of Internet traffic, in Ireland - 24.58%, in Sweden - 19.07%. In Iceland, the result was recorded at 13.91%, in Belarus - 11.07%, in Ukraine - 10.82%.
If we consider the North American region, then in the United States, IPv6 data accounts for 51.72% of Internet traffic, in Canada - 34.91%. In Central America, Mexico leads with 46%; next comes Guatemala with 32.72%. In South America, the highest value is observed in Uruguay - 54.29%, while in Brazil there is an indicator of 44.65%. Argentina showed penetration at 18.18%.
In Asia, IPv6 adoption is high in India - 67.82%, in Malaysia - 62.29%, in Saudi Arabia - 61.14% and in Taiwan - 50.29%. In Japan, the value is 47.48%, and in China - only 3%. It is also noted that in Australia, IPv6 Internet traffic accounts for 28.22%, in New Zealand - 19.66%. One of the lowest rates in the world was recorded in the Central African Republic - 0.16%.[2]
2011: "World IPv6 Day"
On June 8, 2011, several of the largest Internet sites will host World IPv6 Day. The participants of the action - in addition to Facebook, Google and Yahoo, the world's leading content delivery networks Akamai and Limelight Networks joined it - will include full support for the IPv6 protocol on their sites for a day. Yahoo has repeatedly expressed concerns about the large number of users whose systems incorrectly support IPv6. World IPv6 Day will allow the company to clarify this data.