By Satya N Gupta
Last month, along with Independence Day, India also celebrated 25 years of internet and mobile, with a pledge to become atmanirbhar. The digital transformation facilitated by the adoption of next-generation technologies and the new internet (IPv6) offers low-hanging fruit for achieving this ambition fast.
A number of misconceptions exist about the security properties and privacy features of IPv6, the new-generation internet that solves the IP address shortage of the IPv4 version. This article provides a reality check of IPv6 from the security, reliability and privacy standpoint and touches upon the way forward.
In the last few years, IPv6 momentum in industry has increased dramatically. These large IPv6 deployments in business have been driven by falling costs, decreasing complexity, improving security and the elimination of barriers to innovation in networked information systems. Mobile networks, data centres and leading-edge enterprise networks, for example, have been evolving towards IPv6-compatible networks.
The best-known benefit of IPv6 is its exponentially larger address space, which provides many more unique IP addresses than IPv4 can and hence covers all users and devices connected to the internet. The 32-bit IPv4 addressing format enables only 4.3 billion IP addresses across the globe. Operators use measures like NAT (Network Address Translation) and CIDR (Classless Inter-Domain Routing) to somewhat extend the utility of IPv4 addresses.
However, NAT has its own limitations, and given the rate of growth in internet users, 5G and IoT adoption in the country, NAT is simply not desirable going forward. IPv6, on the other hand, has an enormous address space, practically inexhaustible in the foreseeable future. Therefore, it allows simple, seamless and cost-effective connectivity for service providers, enterprises and end-users.
The 128-bit IPv6 addressing format offers 340 sextillion IP addresses, making it extremely future-proof. But that is not all: IPv6 is also considered a protocol of better reliability, security and privacy. IPv4 packets are often blocked by corporate firewalls because they could potentially carry malware, whereas IPv6 promises better reliability and security because IPSec, a protocol for authenticating and securing all IP data, is built into IPv6 by default.
However, since the protocol was first specified, several myths have arisen about its properties in the areas of quality of service (QoS), “plug-and-play” features and, particularly, security. Many of these myths have been fuelled by IPv6 opponents or by those who, lacking a proper understanding of the features of this technology, may have thought their marketing-heavy statements would slow down the deployment and adoption of IPv6.
Today’s networks, whether they have IPv6 deployed in them or not, are largely IPv6-compatible. All modern operating systems and network devices employ IPv6 dual-stacks, in which IPv6 is turned on by default.
In network security, it is crucial not to underestimate the scale of risks. The most common misconception about IPv6 is that it is just IPv4 with a longer address space. Actually, IPv6 is vastly different from IPv4, often in complex and subtle ways. IPv6 operating systems automatically create two IPv6 addresses. One has a randomised MAC address in the suffix to hide the device identity; it is used for web surfing, so that nobody can identify who is connecting to a website.
The other carries the real MAC address and is used only for end-to-end encrypted applications. Such services, for the time being, are non-existent but will be available with the next wave of internet innovations. Besides, IPv6 has a privacy protocol to protect end-user privacy. The current internet (v4) lacks effective privacy and effective authentication mechanisms beneath the application layer. IPv6 remedies these shortcomings by having a few integrated options that provide security and privacy services.
IPv6 can run end-to-end encryption. While this technology was retrofitted into IPv4, it remains an optional extra that isn’t universally used. The encryption and integrity-checking used in current VPNs, especially required for work-from-home applications, are standard features in IPv6, available for all connections and supported by all compatible devices and systems. Widespread adoption of IPv6 will, therefore, make man-in-the-middle attacks significantly more difficult.
IPv6 also supports more-secure name resolution. The Secure Neighbour Discovery (SEND) protocol can cryptographically confirm the identity of the host at the time of the connection. This renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks more difficult. And, while it isn’t a replacement for application or service-layer verification, it still offers an improved level of trust in connections. With IPv4, it is fairly easy for an attacker to redirect traffic between two legitimate hosts and manipulate the conversation or, at least, observe it.
Though IPv4 also offers IPSec support as an optional feature, it is mandatory in IPv6. IPSec consists of a set of cryptographic protocols designed to provide security in data communications. Its suite includes AH (Authentication Header) and ESP (Encapsulating Security Payload). The first provides authentication and data integrity; the second provides these and, in addition, confidentiality.
According to the State of Internet IPv6 Adoption Visualisation published by Akamai, India tops the list of 229 countries with 59.7% IPv6 connections.
In terms of absolute numbers, as per the APNIC IPv6 data dated March 2020, India has the highest number of IPv6 devices, nearly 360 million, almost double that in the US (143 million). This is mainly led by the country’s innovative operator Jio, which is poised to emerge as a global technology giant. This is going to grow further with the advent of 5G, adoption of IoT and an increase in the number of smartphones.
Reliance Jio is a 100% IPv6 compliant operator in India, thanks to its digital VoLTE network. However, other operators in the country are also moving to adopt IPv6. Most of our operators are more or less IPv6 compliant in the current scenario. Our operators need to get more IPv6 addresses in advance so that they do not miss out, as happened in the earlier version of the internet.
The sustainable development and evolution of internet infrastructure is essential to the global cyberspace and digital economy, and an IPv6 root server, which controls and manages the internet, can serve as a great tool. Creating such critical infrastructure at the national level is important. This can serve as a multi-stakeholder platform for diverse and innovative players from across the internet community in the country, academia and user communities to collectively experiment and develop the local routing infrastructure to maintain and operate the new internet.
As a critical internet resource, the IPv6 root server system is pivotal to managing the security and stability of the internet. Historically, there are 13 root server authorities from the IPv4 era, with 10 in the US, 2 in the EU and 1 in Japan, creating an unequal geographic distribution of critical internet management resources. Now, as we step into the next-generation internet (IPv6) era, it offers us an opportunity to manage this critical infrastructure locally and create a more open architecture which welcomes innovation and flexibility.
The following main factors contribute to the adoption of IPv6 and the establishment of an IPv6 root server locally:
the need for additional address space for new applications;
the emergence of new connected devices which require more addresses and efficient network infrastructure;
having a root server will contribute to in-country expertise building on critical information infrastructure as well as promoting ‘a major technological knowledge base within the country’; and
having a root server within the country would facilitate surveillance by Indian legal authorities.
Let us not miss the ‘new internet’ bus.