By Mike Mullins
Windows Server 2003, Windows XP Service Pack 1, and Windows XP Service Pack 2 natively include Internet Protocol version 6 (IPv6), but it's not a default installation. But, while other Windows IPv6 versions are available via third-party add-ons, there is no implementation schedule for a production release of IPv6 for Windows 2000.
The Microsoft implementation of IPv6 provides minor security enhancements to a Windows network for which an organization has properly installed and configured this protocol. However, there are some security issues that organizations need to be aware of before installing this new IP protocol.
Security enhancements gained through the Microsoft IPv6 implementation are modest. Initially, any attacker trying to hack your network must scan the IPv6 address space (which is significantly larger than the IPv4 address space) to find your network. This can slow down a black hat, but you shouldn't rely solely on security through obscurity.
As for security enhancements, that's about it. If you're using the advanced features of IPv4, there are several major security degradations you'll need to consider before upgrading to IPv6.
In my opinion, Microsoft must have designed its IPv6 version before gaining its new-found security focus. The most noticeable breakdown in security is the failure of the Microsoft IPv6 IP Security (IPSec) protocol. IPSec supports the use of Authentication Header (AH) and Encapsulating Security Payload (ESP) for both transport and tunnel modes. However, Microsoft ESP doesn't support data encryption.
In addition, Microsoft IPv6 doesn't support Internet Key Exchange (IKE) to negotiate security associations (SAs). You can't configure IPv6 IPSec security policies through Group Policy; instead, you must manually configure them as well as the keys used to calculate SAs, the Message Digest 5 (MD5), and the Secure Hash Algorithm 1 (SHA-1) for each server.
Manually configuring security keys on every server in your organization and static security algorithms is a recipe for disaster. If your security keys are static and manually configured, your data security will eventually break. Even if you manage to configure every server with the correct keys, those keys will eventually break as the captured sample of encrypted data increases.
You can install IPv6 as an additional network protocol from the properties box for a network connection. Keep in mind that you must have IPv4 installed before you can load IPv6 into the configuration.
To install IPv6, follow these steps:
Microsoft has released an IPv6 technology preview version for Windows 2000, which you can download from the MSDN Web site. However, I recommend testing it fully before implementing it in a production environment.
Finally, don't forget about the rest of your network security devices and their compatibility with IPv6 when you're planning an upgrade. Make sure you do your homework before beginning an implementation.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.