You'll often see references to IPsec being "built into" or being an "integral part" of IPv6, implying that all IPv6 traffic is encrypted, making it more secure than IPv4. This isn't true. The only real difference is how the headers are carried: IPv6 defines the IPsec AH (Authentication Header) and ESP (Encapsulating Security Payload) as extension headers, whereas IPv4 carries AH and ESP as add-on protocols following the IPv4 header. In both cases IPsec has to be configured before any traffic is protected.
IPv6 and IPv4 IPsec can be configured directly in Windows using the Windows Firewall with Advanced Security snap-in. IPsec rules are created as Connection Security Rules in the Windows Firewall. A screenshot showing the Connection Security Rules section is shown below.
Windows and IPsec
Completing Windows IPsec configurations and getting an IPv6 IPsec tunnel running is another story, which I'll leave to a future article. With Windows 2012 and Windows 8, Windows PowerShell can also be used for configuring IPsec. Neither method is easy. As we've seen with IPv4, practical use of IPsec with IPv6 will rely on running an IPv6 application.
IPv6 and NAT Firewalls
Many people think IPv6 with its globally-routable addresses for each device means that you no longer have to deal with your router's firewall when you want inbound traffic to reach a LAN-based server. But this isn't the case. There are a few things to keep in mind.
1) Your router blocks inbound IPv6 traffic by default, too.
With IPv4, devices have private addresses that are hidden behind a router's simple NAT firewall. But since IPv6 has enough addresses for every device to have a globally routable IPv6 address, there is no need for Network Address Translation (NAT). So a common concern is that having a globally routable IPv6 address on a device connected to your LAN exposes that device to all the bad guys on the Internet.
The reality is that your router's firewall blocks all incoming connections that aren't initiated by a LAN device. This applies to IPv6 as well as IPv4. It's just not performing NAT on IPv6 traffic. That means traffic coming from the Internet to your network is going to get dropped unless the router thinks the internal device initiated that traffic, such as a web page request.
2) You'll need to open ports to reach IPv6 servers on your LAN
But what if you want inbound traffic to reach an IPv6 server on your router's LAN? Even though you have a globally routable IPv6 address on your device, you will need to modify your firewall if you wish to permit externally initiated traffic access to a LAN device. Fortunately, the same methods used to permit externally initiated IPv4 traffic, such as port forwarding or DMZ, can permit externally initiated IPv6 traffic.
For example, let's say I'm running an FTP server with a permanent global IPv6 address of 2606:a000:xxxx:xxxx:5dea:56f9:xxxx:8609 on my home network. If I want to allow externally initiated IPv6 access to my server, I need to put in a rule such as the one below, configured on a Linksys LRT224.
IPv6 Firewall Rule
The above example assumed I knew my device's IPv6 address. Finding a Windows device's IPv6 address is the same as finding its IPv4 address: simply type ipconfig /all from the command line. Note you'll want to use your IPv6 Address, not your Temporary IPv6 Address, in the firewall rule. Of course, if your router doesn't provide an IPv6 firewall rule configuration screen, you'll be out of luck.
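As an added illustration (not part of the original article), here is a small Python parser that pulls the address lines out of ipconfig /all output per adapter and picks the stable, globally routable IPv6 address for an inbound firewall rule while ignoring the temporary (privacy) address and the link-local one. The ipconfig text embedded below is constructed for this example, only loosely follows Windows' layout, and uses made-up addresses inside the article's 2606:a000:1234:: space; parse_ipconfig and firewall_rule_address are names chosen here.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not a real capture; the layout
# approximates Windows' and every address is made up for the example).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : vlan1-pc

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Adapter
   IPv6 Address. . . . . . . . . . . : 2606:a000:1234:2201:4c1d:95e2:7b0a:d3f1(Preferred)
   Temporary IPv6 Address. . . . . . : 2606:a000:1234:2201:a9f0:3e7c:bb12:0c44(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4c1d:95e2:7b0a:d3f1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

# Windows appends the address state in parentheses; strip it before parsing.
_STATE_SUFFIX = re.compile(r"\((Preferred|Deprecated|Tentative|Duplicate)\)$")


def parse_ipconfig(text):
    """Group the address lines of ipconfig /all output by adapter.

    Returns {adapter_name: {"stable": [...], "temporary": [...],
                            "link_local": [...], "ipv4": [...]}}.
    """
    adapters = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")
            adapters[current] = {"stable": [], "temporary": [], "link_local": [], "ipv4": []}
            continue
        if current is None or ":" not in raw:
            continue
        # The label never contains a colon, so split on the first one only;
        # everything after it (including an IPv6 address) is the value.
        label, value = raw.split(":", 1)
        label = label.replace(".", "").strip()
        value = _STATE_SUFFIX.sub("", value.strip()).split("%", 1)[0]  # drop state and zone id
        if not value:
            continue
        buckets = adapters[current]
        if label == "IPv6 Address":
            buckets["stable"].append(value)
        elif label == "Temporary IPv6 Address":
            buckets["temporary"].append(value)
        elif label == "Link-local IPv6 Address":
            buckets["link_local"].append(value)
        elif label == "IPv4 Address":
            buckets["ipv4"].append(value)
    return adapters


def firewall_rule_address(text, adapter):
    """Return the one address to put in an inbound IPv6 firewall rule.

    Only the adapter's stable address is considered, and only if it is
    globally routable; temporary and link-local addresses are never returned.
    """
    info = parse_ipconfig(text)[adapter]
    candidates = [a for a in info["stable"] if ipaddress.IPv6Address(a).is_global]
    if len(candidates) != 1:
        raise LookupError(f"expected one stable global IPv6 address on {adapter}, found {candidates}")
    return candidates[0]


if __name__ == "__main__":
    print(firewall_rule_address(SAMPLE_IPCONFIG, "Ethernet adapter Ethernet"))
```

The stable address is the right one for a rule because Windows regenerates the temporary address periodically, so a rule keyed on it silently stops matching. The parser raises if an adapter shows zero or several stable global addresses rather than guessing.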
3) For every IPv4 port you open, you need to open an IPv6 port too.
Since IPv4 and IPv6 are for the most part independent of each other, rules you create in your firewall to block or permit specific IPv4 traffic have to be duplicated with IPv6. A dual-stack network means you have dual tasks when configuring your router's firewall.
4) Parental Controls and Content filters need to handle IPv6
Routers that support keyword/URL based parental controls and content filters need to inspect both IPv4 and IPv6 traffic, because in a dual-stack world, websites that support IPv6 will respond over it. If your router is watching only IPv4 traffic for the naughty bits, it won't block the bad stuff. However, as I'll discuss in the VLAN section next, not all IPv6 enabled routers have equal functionality for IPv4 and IPv6.
5) UPnP might not work
UPnP NAT Traversal automatically opens router firewall ports, easing the pain of getting "personal cloud" NASes, remote access, gaming and other applications running. While there is a spec for UPnP support in IPv6, not all router manufacturers have implemented it.
If you're using a non-VLAN-capable router, you're going to use one IPv4 and one IPv6 address range for all VLANs. Thus, simply set up the router for IPv6 as if there aren't VLANs, and set up the switch as described in my article on Segmenting a Small LAN.
If you're using a VLAN-capable router in a dual-stack network, you're using different IPv4 address ranges (subnets) and different global IPv6 address ranges (prefixes) for each VLAN. That means you have to configure VLANs for both IPv4 and IPv6, which is another example of the double-the-work nature of a dual-stack network.
The examples listed in the Segmenting a Small LAN article linked above have steps for IPv4 addressing with a VLAN capable router. For IPv6 addressing with a VLAN capable router, here are a few useful IPv6 address details:
- IPv6 digits are hexadecimal instead of decimal. (MAC addresses also use hexadecimal digits.)
- An IPv6 address is made up of eight "quartets" of four hexadecimal digits, with each quartet separated by a ":".
- Each digit in an IPv6 address represents four binary bits.
- The prefix length of an IPv6 address represents how many binary bits are fixed.
- You can subnet an IPv6 prefix by using one or more of the non-fixed bits. (A /56 prefix has 56 fixed bits; you can use the remaining 72 bits for subnetting.)
- Subnetting IPv6 addresses is easier if your subnet ends on a quartet boundary, such as a /64, /80, /96, or /112.
With IPv6 addressing, you need to know when to use SLAAC, Router Advertisements, and DHCPv6. For IPv6 addressing with a VLAN capable router, there are two common scenarios. The scenarios are dictated by the prefix provided by your ISP.
Scenario 1: Your ISP provides a /56 global prefix. Use SLAAC and Router Advertisements
A /56 prefix lends itself well to VLANs. Let's say my ISP provided the following prefix: 2606:a000:1234:2200::/56. The first 56 bits, or 14 digits (2606:a000:1234:22), are fixed. I can use digits 15-16 to create new /64 prefixes for each VLAN. This gives me 8 bits, or 256 possible prefixes. In this case, I could assign 2606:a000:1234:2201::/64 to VLAN1, 2606:a000:1234:2202::/64 to VLAN2, and so on, up to 2606:a000:1234:22FF::/64 for VLAN 256.
My next step would be to statically configure each VLAN interface on the router with the appropriate VLAN and address. For VLAN1, the prefix would be 2606:a000:1234:2201::/64 and the VLAN1 interface IPv6 address would be 2606:a000:1234:2201::1. Further, make sure Router Advertisements are enabled on each VLAN interface. This will allow devices on each VLAN to use SLAAC and derive an address from the appropriate prefix.
Scenario 2: Your ISP provides a /64 global prefix. Use DHCPv6
My ISP, Time Warner, provides a /64 global prefix. In this case, you could create /80 prefixes. SLAAC requires the use of /64 prefixes, so instead of SLAAC, you're going to use DHCPv6 to dynamically provide addresses to PCs in each VLAN.
Let's say the prefix I received from my ISP for my internal network is 2606:a000:1234:2222::/64. The first 64 bits, or 16 digits (2606:a000:1234:2222), are fixed. I can use digits 17-20 to create new /80 prefixes for each VLAN. In this case, I could assign 2606:a000:1234:2222:1::/80 to VLAN1, 2606:a000:1234:2222:2::/80 to VLAN2, all the way up to 2606:a000:1234:2222:FFFF::/80, for a total of 65,536 VLANs (!) on my internal network. (I doubt you need 65,536 VLANs on a small network!)
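The subnetting arithmetic behind both scenarios (and the quartet-boundary and SLAAC-needs-a-/64 points from the list above) can be checked with Python's standard ipaddress module. The following is an added example, not configuration from the article or from any router vendor: vlan_prefix and vlan_plan are names chosen here, the ::1 router address and the ::10 to ::50 DHCPv6 pool mirror the article's later USG40 setup, and VLAN n simply takes the n-th sub-prefix as the article does.

```python
import ipaddress


def vlan_prefix(isp_prefix: str, new_prefixlen: int, vlan_id: int) -> ipaddress.IPv6Network:
    """Return the sub-prefix of isp_prefix that VLAN `vlan_id` gets at the new length.

    VLAN n takes the n-th sub-prefix, matching the article's numbering
    (VLAN1 -> ...:2201::/64 under a /56, VLAN5 -> ...:2222:5::/80 under a /64).
    Sub-prefix 0 (e.g. ...:2200::/64) is also usable; the article just starts at 1.
    """
    net = ipaddress.IPv6Network(isp_prefix, strict=True)
    if not net.prefixlen < new_prefixlen <= 128:
        raise ValueError(f"new prefix length must be longer than /{net.prefixlen}")
    available = 2 ** (new_prefixlen - net.prefixlen)  # e.g. 2**8 = 256 /64s in a /56
    if not 0 <= vlan_id < available:
        raise ValueError(f"{isp_prefix} only yields {available} /{new_prefixlen} prefixes")
    host_bits = 128 - new_prefixlen
    # Shift the VLAN number into the bits just below the fixed prefix.
    base = int(net.network_address) + (vlan_id << host_bits)
    return ipaddress.IPv6Network((base, new_prefixlen))


def vlan_plan(isp_prefix, new_prefixlen, vlan_id, pool_first=0x10, pool_last=0x50):
    """Summarise what to configure on one VLAN interface.

    The router takes ::1 of the prefix and the DHCPv6 pool runs from ::10 to ::50
    by default, as in the article's USG40 example (the offsets are parameters).
    """
    prefix = vlan_prefix(isp_prefix, new_prefixlen, vlan_id)
    if not 1 < pool_first < pool_last < prefix.num_addresses:
        raise ValueError("DHCPv6 pool must sit above ::1 and inside the prefix")
    return {
        "prefix": str(prefix),
        "router": str(prefix[1]),
        # SLAAC needs a 64-bit interface identifier, so it only works on a /64;
        # anything longer (like the /80s in scenario 2) has to use DHCPv6.
        "slaac_ok": prefix.prefixlen == 64,
        # Prefix lengths that are multiples of 16 end on a quartet boundary,
        # so the VLAN number shows up as a whole hex group (:2201:, :5:).
        "quartet_aligned": prefix.prefixlen % 16 == 0,
        "dhcpv6_pool": (str(prefix[pool_first]), str(prefix[pool_last])),
    }


if __name__ == "__main__":
    # Scenario 1: /56 from the ISP, /64 per VLAN, SLAAC usable.
    print(vlan_plan("2606:a000:1234:2200::/56", 64, 1))
    # Scenario 2: /64 from the ISP, /80 per VLAN, DHCPv6 required.
    print(vlan_plan("2606:a000:1234:2222::/64", 80, 5))
```

Note that ipaddress prints hex in lower case, so the article's 22FF and FFFF come out as 22ff and ffff; the addresses are identical. Asking for VLAN 256 under a /56 raises rather than silently wrapping into the next /56, which is the kind of off-by-one a DHCPv6 pool misconfiguration tends to hide.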
Here is a configuration example. The screenshots below are from a ZyXEL USG40 router. The first screenshot shows I've enabled SLAAC and DHCPv6 with DHCP-PD (Prefix Delegation) on the WAN interface to receive an IPv6 address, an IPv6 gateway address and an IPv6 prefix from my ISP. As you can see, I've received a /64 IPv6 prefix starting with 2606. (Note, in the following screenshots, portions of the addresses may be blocked for my privacy.)
IPv6 WAN Config
I created VLAN5 on the USG40 for this example. For IPv4, I configured the USG40 using 192.168.5.0 for VLAN5. For IPv6, I statically addressed the VLAN5 interface with an IPv6 address of 2606:a000:1234:2222:5::1/80 and created a DHCPv6 address pool to assign 2606:a000:1234:2222:5::10 to 2606:a000:1234:2222:5::50 to PCs on VLAN5. (Note, the fields in the USG40 displaying the IPv6 address and IPv6 address pool aren't large enough to display all digits at once, so I had to do some image editing.)
IPv6 VLAN Interface Config
With these configurations in place and connecting the USG40's LAN port to a switch properly configured for VLAN tagging, devices connected to switch ports assigned to VLAN5 will get a 2606:a000:1234:2222:5::/80 IPv6 address and a 192.168.5.0/24 IPv4 address. The below screenshot shows the ipconfig output from a Windows machine connected to a switch port assigned to VLAN5. It has an IPv6 address of 2606:a000:1234:2222:5::10 and an IPv4 address of 192.168.5.50.
IPv6 and IPv4 on a PC on VLAN5
In putting this example together, I was surprised to find the Linksys LRT224 doesn't support VLANs with different IPv6 prefixes. Linksys acknowledged this issue and is working on a software update. This quirk is another example where some IPv6 enabled routers may not have equal functionality for IPv4 and IPv6.
Most of us have a lot to learn to fully use IPv6. I hope this article has helped. I think you can see we're pretty far from being able to turn off IPv4 and go IPv6 only on your LAN. While many routers now support IPv6 WAN connections, they may not handle IPv6 in all the places it needs to be, including port forwarding, outbound service control, web filtering, VLANs and more. Dual-stack LANs will be with us for quite a while.