There are many articles about IP v 4 and IP v 6 internet protocol and mostly of articles describes IPv6 more secure internet protocol, but I came across with one article from Cisco and my work I’d like start from not very positive view of IP v6 and later on to find out is the IPv6 more secure or not…

IPv6 security is very similar to IPv4 security. Mechanism which transporting packets in network is almost the same. The mostly unaffected layer is upper layer which is responsible for transporting application data. However, because IPv6 mandates the inclusion of IP Security (IPsec) , it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an ideal environment with well-coded applications, a robust identity infrastructure, and efficient key management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec deployment. IPv6 is not protected with any kind of cryptography. Additionally, because most security breaches occur at the application level, even the successful deployment of IPsec with IPv6 does not guarantee any additional security for those attacks beyond the valuable ability to determine the source of the attack. Of course we have differences between IPv4 and IPv6 addressing schemes. In future we will see differences in attacks in IPv6 networks [1] 

Objectives

In this paper I would like to outer view the main security weaknesses of IPv4.Then find out and what security features has IPv6.And in the conclusion decide which Internet protocol is more secure.

Most common types of attacks in IP communications

There are eight most common attacks on network according CISCO that can occur in these days and in IP v 6 internet protocol those attacks can be easy in some cases can be very difficult, I’d like to outline these eight attacks and describe it

Reconnaissance-This attack executed by an adversary and it attempts to learn about victim network.

Unauthorized Access-This type of attack occurs when attacker tries to exploit the open transport policy in the IPv4 protocol, attacker tries to establish connectivity to upper-layer protocols on network devices

Header manipulation and fragmentation-this type of attack when attacker manipulating with header tries to avoid network security devices or to attack network structure directly by manipulating other header

Layer 3 -Layer 4 spoofing when the attacker manipulates and modify source IP address and port and this packet appears as it would be from another location and destination.

ARP and DHCP attacks- When client sends broadcast message to DHCP or using ARP serves attacker server can intercept message and sent back configuration message to configure incorrect information as default gateway and DNS or IP addresses

Broadcast amplification attacks- Broadcast amplification attacks, commonly referred to as “smurf” attacks, are a DoS attack tool that takes advantage of the ability to send an echo-request message with a destination address of a subnet broadcast and a spoofed source address, using the victim’s IP. All end hosts on the subnet respond to the spoofed source address and flood the victim with echo-reply messages.

Routing attacks-Attacker focus to disrupt or redirect traffic in the network , that attack can be accomplished in various ways from flooding attack to rapid announcement to removal routes.

Viruses and worms- Viruses and worms remain one of the most significant problems in IP networking today, with almost all of the most damaging publicly disclosed attacks in recent years having a virus or worm at its nexus.

Overview of IP v 4 Security

IPv4 addressing based networks suffers from security based problems and the reason why it so first that they created to work with physically secure connections and friendly enviroment.We can say this addressing was created in way that nodes must be concern about security(it is end to end model) and because of that IPv4 have not much or very little security itself. For instance, if an application such as e-mail requires encryption services, it should be the responsibility of such application at the end nodes to provide such services. Today, the original Internet continues to be completely transparent and no security framework provides for resilient against threats such as:

Denial of service attacks (DOS): in this kind of attack certain services are flooded with a large amount of illegitimate requests that render the targeted system unreachable by legitimate users. An example of DOS attack that results from an architectural vulnerability of IPv4 is the broadcast flooding attack or Smurf attack.

Malicious code distribution: viruses and worms can use compromised hosts to infect remote systems. IPv4’s small address space can facilitate malicious code distribution.

Man-in-the-middle attacks: IPv4’s lack of proper authentication mechanisms may facilitate men-in the-middle attacks. Additionally, ARP poisoning and ICM redirects can also be used to perpetrate this type of attacks .

Fragmentation attacks: this type of attacks exploits the way certain operating systems handle large IPv4 packets. An example of this type of attack is the ping of death attack. In a ping of death attack the target system is flooded with fragmented ICMP ping packets. With each fragment, the size of the reassembled ping packet grows beyond the packet size limit of IPv4- therefore, crashing the target system .

Port scanning and other reconnaissance attacks: in this type of attacks a whole section of a network is scanned to find potential targets with open services. Unfortunately, IPv4’s address space is so small that scanning a whole class C network can take a little more than 4 minutes .

ARP poisoning and ICMP redirect: in IPv4 networks, the Address Resolution Protocol (ARP) is responsible for mapping a host’s IP address with its physical or MAC address. This information is stored by each host in a special memory location known as the ARP table. Each time a connection with an unknown host is needed, an ARP request is sent out on the network. Then, either the unknown host responds broadcasting its own IP address or a router does it with the appropriate information. ARP poisoning occurs when forged ARP responses are broadcasted with incorrect mapping information that could force packets to be sent to the wrong destination. A similar approach is used by ICMP redirect attacks .

However, many techniques have been developed to overcome some of the IPv4 security limitations. For instance, although Network Address Translation (NAT)and Network Address Port Translation (NAPT) were introduced to facilitate the re-use and preservation of a rapidly depleting IPv4 address space, these techniques can provide also for certain level of protection against some of the aforementioned threats [11]. Also, the introduction of IPSec facilitated the use of encryption communication, although its implementation is optional and continues to be the sole responsibility of the end nodes. [2] 

Overview of IPv6 internet protocol security features

Security features in IPv6 have been introduced mainly by way of two dedicated extension headers: the Authentication Header (AH) and the Encrypted Security Payload (ESP), with complementary capabilities.

The AH header was designed to ensure authenticity and integrity of the IP packet. Its presence guards against two threats: illegal modification of the fixed fields and packet spoofing. On the other hand, the ESP header provides data encapsulation with encryption to ensure that only the destination node can read the payload conveyed by the IP packet. The two headers can be used together to provide all the security features simultaneously. Both the AH and the ESP headers exploit the concept of security association (SA) to agree on the security algorithms and parameters between the sender and the receiver. In general, each IPv6 node manages a set of SAs, one for each secure communication currently active. The Security Parameters Index (SPI) is a parameter contained in both the AH and ESP headers to specify which SA is to be used in decrypting and/or

authenticating the packet. In unicast transmissions, the SPI is normally chosen by the destination node and sent back to the sender when the communication is set up. In multicast transmissions, the SPI must be common to all the members of the multicast group. Each node must be able to identify the right SA correctly by combining the SPI with the multicast address. The negotiation of an SA (and the related SPI) is an integral part of the protocol for the exchange of security keys. [3] 

Conclusion

As we see Ipv6 more secure, but according the professionals there is more security problems to solve: IPv6 supports many new features including increased address space, autoconfiguration, QoS capabilities, and network-layer security. The IPv6 Authentication Header (AH) provides data integrity and data authentication for the entire IPv6 packet. The IPv6 Encapsulating Security Payload header provides confidentiality and/or authentication and data integrity to the encapsulated payload. Anti-replay protection is provided by both the AH and ESP Header. These security Extension Headers may be used separately or in combination to support different security needs. The security features in IPv6 can be used to prevent various network attack methods including IP spoofing, some Denial of Service attacks (where IP Spoofing has been employed), data modification and sniffing activity. [4]