The Information And Network Security Engineering

Published Date: 02 Nov 2017

The internet era is in its 4th decade. It started on the 1980’s, developed mainly in US during the 1990’s, became a must on the world in the 2000’s, and now it is in a tremendous evolution growing to be semantic. All this would be impossible if an addressing scheme didn’t exist to support the growth. At the beginning the IPv4 seemed to be big enough for the project Internet. In the present Internet stands with more than 2billions users in its back, struggling to make the connection. In order to be accurate on a security perspective about the IPv4 versus the IPv6 protocols we have to take a glance on both and how they operate on interconnecting upper and lower layers and also how they manage the outnumbered network layer protocols to deliver the datagrams over the network.

2. Introduction

The aim of this assignment is to compare the two versions of the IP protocol, version 4 (IPv4) and version 6 (IPv6), mainly under the view of security. In order to achieve this we will start with a reference in the IP protocol and its main components. Furthermore, the fourth version of the IP protocol (IPv4) will be presented and analyzed in a security perspective and to create a comparison we will continue with the sixth version of the IP protocol (IPv6), which will also be presented in-depth. For both versions will be a section of associate security protocols: how they implement and what network security incidence may be issued.

3. IP protocol

The IP protocol was first published in 1981 under the RFC 791 number by IETF. IP stands for "Internet Protocol". The IP protocol is designed for packet-switched networks. [1] (IETF. (n.d.). http://tools.ietf.org/html/rfc791)

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 2

In WAN networks in Layer 1 and Layer 2 there are four types of connections: Leased Lines Circuit-switched connections Packet-switched connections Cell-switched connections

When leased lines and circuit-switched connections are used, a physical circuit exists in order to connect two sites. On the other hand, with packet-switched connection a logic circuit is used. This logic circuit, also known as virtual circuit (VC), has the advantage that there is not a backbone link with a specific physical circuit and moreover, multiple logic circuits could be over a single physical circuit. [2] (Deal, 2008)

In order to support packet-switched architecture in upper Layers of a network stack, IP protocol is implemented in the Layer 3.

In the meantime, IETF published RFC 793 for TCP. TCP stands for "Transmission Control Protocol". TCP designed in order to support multi-network applications under a layered hierarchy of protocols. TCP is a connection-oriented and end-to-end reliable protocol. Since the communication protocols in lower layers below TCP have not in-depth classification in reliability, TCP scope was to obtain an unreliable datagram service to support the communication through a network. Apart from that, TCP aim is to handle a wide variety of communication system, such as from hard-wired connections to circuit-switched or even packet-switched networks. In OSI model, TCP protocols implemented in Layer 4 of the model, the Transport Layer, one upper layer than IP. The functionality of TCP is to send and receive segments of information with a variable-length. The datagram that has been created in layer 3, the internet datagram provides all the information needed for the segmentation in Layer 4, such as security classification and partition rules for segmentation, so as the transport datagram will be appropriate for end-end communication across multiple networks. TCP is core protocol of Internet protocol suite, which is also known as TCP/IP [3]. (IETF. (n.d.). http://tools.ietf.org/html/rfc793)

The TCP/IP suite follows the architectural principles of the Internet, according RFC 1958 publication in 1996. As the internet has been expanded, the need for architectural principles set has been created in order for interconnection to be obtained in a network, independently of the hardware medium and addressing. Apart from hardware issues, the interconnection should be held when transition from one version of IP to another. In practice, when a datagram travels in a network, protocols from more than one layer are implemented. In other words, architecture of a network should follow the appropriate set of principles so as to support any digital transmission of information through a single platform that could be cable to handle a great variety of information infrastructure and services. Furthermore, information about services that are stated in RFC 1958 is about route services, Quality of Service (QoS) guarantees, session information about header compression, instructions for data compression and decompression. These elements can enhance network’s flexibility for interconnection when a topology change occurs, by minimizing the possibility of a Denial of Service to take place. [4] (IETF. (n.d.). http://tools.ietf.org/html/rfc1958)

The three version of IP protocol, IPv1, IPv2, IPv3 were actually part of TCP/IP suite. The forth version, IPv4 stands along for RFC 791.

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 3

4. IPv4

When two end nodes in an internet environment need to communicate the IPv4 protocol takes a call to implement a host-to-host connection. This is achieved by carrying the internet datagram to the next gateway or destination host. The Internet Protocol (IP) is able to provide addressing and fragmentation. The internet header carries the addresses needed in order for the data frames to reach the destination. The choice of the path that a datagram uses from the source to the destination is called routing. The data are transmitted from one internet module to another through individual networks based on the interpretation of the internet address which is an important mechanism of the internet protocol. The internet header includes fields that are responsible to fragment and reassemble internet data frames to meet the expectations of "small packet" network transmission by the use of internet modules. In order for those internet modules to operate, every gateway that interconnects networks and every host engaged in the internet communication have the internet module. The internet modules have to share common rules, procedures, and mechanisms in order to achieve best results. Those are mentioned below:

1. Interpreting address field (rule)

2. Fragmenting and assembling internet datagrams (rule)

3. Making routing decisions (procedure)

4. Type of Service (mechanism) / Indicates the quality of service (QoS) desired. Helps the gateways selecting the actual transmission parameters like next hop network or next hop gateway when routing an internet datagram.

5. Time to Live (mechanism) / Set by the sender it is a self destruct time limit which decreases at the points along the route where it is processed. It indicates the lifetime of the internet datagram and if it reaches zero before destination it is destroyed.

6. Option (mechanism) / Unnecessary in most common communications. Includes provision for timestamps, security and special routing.

7. Header checksum (mechanism) / Verifies the proper transmission of the internet datagram by checking the header checksum. If the checksum fails the internet datagram is discarded.

Since there is no error control on data, no acknowledgments either by end-to-end or by hop-to-hop, no retransmission or flow-control. There is only a header checksum. So the internet protocol doesn’t offer a trustworthy communication facility. Errors can be reported via Internet Control Message Protocol (ICMP), which is included in the Internet Protocol module.

As for the Addressing, there are some distinctions to do: It is the name, the address, and the route. The name shows what we seek the address indicates where it is and the route shows the way to get there. The IP mainly deals with the addressing procedures. The internet module maps the internet addresses to local net addresses. It is a task of higher-level protocols to translate names to addresses and lower level protocols to create the procedures, which will select the route. An IPv4 address consists of a fixed length of four octets or 32 bits. The address format is specific and has rules. It begins with the network number and is followed by the local address or also called the "rest" field. All together this is the well-known IP address, which is something like our physical home addresses. From a network engineer perspective there are: the Network Address

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 4

-like the postal code- and the Local Address field -like the street and number address in our world. Those two are even more difficult to distinguish when there is a subnetting implementation on the main network addresses.

There are five general different classes -as we call them- of internet addresses. Below you will find the range of those classes.

1. Class A: 0.0.0.0.0 - 127.255.255.255

2. Class B: 128.0.0.0 - 191.255.255.255

3. Class C: 192.0.0.0 - 223.255.255.255

4. Class D: 224.0.0.0 - 239.255.255.255 (reserved for multicast)

5. Class E: 240.0.0.0 - 255.255.255.255 (reserved for experimental)

On the other hand, for private addresses they are 3 classes:

1. Class A: 0.0.0.0.0 - 10.255.255.255

2. Class B: 172.16.0.0 - 172.31.255.255

3. Class C: 192.168.0.0 - 192.168.255.255

There are also reserved address blocks for specific purposes. The following table showing those reservations:

Reserved address blocks

Range

Description

Reference

0.0.0.0/8

Current network (only valid as source address)

RFC 5735

10.0.0.0/8

Private network

RFC 1918

100.64.0.0/10

Shared Address Space

RFC 6598

127.0.0.0/8

Loopback

RFC 5735

169.254.0.0/16

Link-local

RFC 3927

172.16.0.0/12

Private network

RFC 1918

192.0.0.0/24

IETF Protocol Assignments

RFC 5735

192.0.2.0/24

TEST-NET-1, documentation and examples

RFC 5735

192.88.99.0/24

IPv6 to IPv4 relay

RFC 3068

192.168.0.0/16

Private network

RFC 1918

198.18.0.0/15

Network benchmark tests

RFC 2544

198.51.100.0/24

TEST-NET-2, documentation and examples

RFC 5737

203.0.113.0/24

TEST-NET-3, documentation and examples

RFC 5737

224.0.0.0/4

IP multicast (former Class D network)

RFC 5771

240.0.0.0/4

Reserved (former Class E network)

RFC 1700

255.255.255.255

Broadcast

RFC 919

You might find yourself working on a private IP address -given the above scheme- but you shouldn’t panic, this is totally normal and legitimate. This is one of the reasons that IPv6 has to be implemented. Many telecom organizations are using the private addressing scheme in their internal networks (intranet) and translate those addresses to public when it is needed to communicate with the external network (extranet). IPv4 is capable of handling 2^32 addresses and that stands for 4.294.967.296 more than four billions addresses [1],[5],[6].

(IETF. (n.d.). http://tools.ietf.org/html/rfc791)

(IETF. (n.d.). http://tools.ietf.org/html/rfc792)

(IETF. (n.d.). http://tools.ietf.org/html/rfc796)

Although 2^32 is a huge number, it seems that it isn’t big enough for the progressive demand of addresses on the Internet. Apart from that, the need for hiding network addressing schemes became mandatory, in order to prevent network security incidences. In order to solve the above two issues, in 1994 IETF

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 5

published RFC 1631, the IP Network Address Translator (NAT) protocol [7]. (IETF. (n.d.). http://tools.ietf.org/html/rfc1631)

NAT protocol sets the principles of how a source and a destination IP address could change. The core though for NAT implementation is the usage of private IP addresses inside a local network, such as a company, to be translated to a range of public IP addresses outside the local network, such as the web. NAT is a very flexible protocol, since could be implemented through various devices (firewalls, routers, and servers) and with diverse modes (dynamic and static address translation). The following table shows the types of IP addresses that are used in NAT protocol [2]. (Deal, 2008)

Address Translation Term

Definition

Inside

Address located on the inside of a network

Outside

Address located on the outside of a network

Local

Address physically assigned to a device

Global

Public address (physically or logically assigned to a device)

Inside local IP address

An inside device, assigned private address

Inside global IP address

An inside device, registered public address

Outside global IP address

An outside device, registered public address

Outside local IP address

An outside device, assigned private address

5. IPv6

The introduction of NAT protocol was a temporarily solution to the upcoming shortage of IPv4 addresses. From the 4.3 billion IP addresses, actually 3.7 billion usable, early-to-mid-1990s about 1.3 billion public addresses were available for new growth. In order to reach to a long-term solution for addressing problem, the addressing format has been included as enhancement of TCP/IP protocol stack. This new addressing format is known as the sixth version of IP protocol, IPv6. In 1998 IETF published the principles of IPv6 protocol, as RFC 2460. [2] (Deal, 2008).

The main feature of IPv6 is the expansion of the IP address space. IPv6 uses a 128-bit address, instead of 32-bit that IPv4 uses. But apart from the addressing issues, IPv6 has been built with the perspective of easy configuration process and interoperability with the previous functional version of IP protocol, IPv4.

Moreover, in an IPv6 addresses the MAC address is included. Regarding to this, the address management is simpler than IPv4 since the capability of autoconfiguration addressing information and plug and play option are available. Furthermore, the end-to-end addressing architecture that IPv6 uses, decreases the cost and complexity of peer-to-peer communication, since address translate does not implemented.

Another feature of IPv6 is the simplification of header format. Some fields of IPv4 header have been obsolete and some other piece of information has been added. By this, the Quality of Service (QoS) is improved since the cost for common-case processing of packet handling and header bandwidth cost are lower, and Advanced Network Services are added in their place. An example of these new capabilities is the Flow Labeling capability. The datagram packets are

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 6

labeled to a particular traffic flow by sender’s request, such as for "real-time" service [8]. (IETF. (n.d.). http://tools.ietf.org/html/rfc2460)

The following figure shows the difference of header analysis between the two protocols in a visual comparison [9]. (http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)

Courtesy of is-a.org

To continue with, in IPv6 a security layer has been added, known as IP security (IPSec). IPSec is implemented by default to IPv6 and gives the ability to devices to dynamically manage security parameters so as a secure tunnel to be built without any interference of the user. IPSec will be analyzed in-depth in the following section.

In IPv6, there is no broadcast address and a new type of address is presented, the anycast. Anycast address is used for one-to-the-nearest interface communication. General the types of IPv6 addresses are: Anycast, for one-to-the-nearest interface Multicast, like IPv4 one to a group of devices Unicast, single interface

The way that an address is assigned is also different in IPv6. There are four methods for assignment either statically or dynamically: 128-bits manually assigned. Static EUI-64, specify the subnet id and create interface id, which is part of the address. DHCPv6, like in IPv4 implemented a neighbor discovery process (RFC 3633). [10] (IETF. (n.d.). http://tools.ietf.org/html/rfc3633) Stateless Auto-configuration, an extension of DHCPv6 where clients can obtain their address dynamically, without a server intervention. (RFC 4862) [11] (http://tools.ietf.org/html/rfc4862)

Furthermore, in IPv6 the routing process is the same with the IPv4, finding best path according to metrics. The equivalent routing protocols for IPv6 to ones for IPv4 are: RIPng , RFC 2080 [12] (http://tools.ietf.org/html/rfc4862) OPSFv3 RFC5340 [13] (http://tools.ietf.org/html/rfc5340) IS-IS for IPv6 RFC5340 [14] (http://tools.ietf.org/html/rfc5308)

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 7

MP-BGP4 RFC2858 [15] (http://tools.ietf.org/html/rfc2858) EIGRP for IPv6 [16]

(http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-eigrp_external_docbase_0900e4b1805a3c5e_4container_external_docbase_0900e4b181b83f78.html)

IPv6 has managed through the years of development to be much more efficient and simple than his predecessor IPv4. So as for the encapsulation -streamlined encapsulation as it is called- there are no checksums (reduced processing at the endpoints) or broadcasts (reduced device processing in the same subnet) and the QoS is implemented in the header where a flow label identifies the traffic. That way the network devices during the routing don’t have to examine the contents of the packet and TCP/UDP headers or any other component in order to classify the traffic for QoS correctly.

In order for those two protocols to coexist there are many solutions. Some of the most common are:

1. Dual Stack - both protocols run at the same time on a single interface.

2. Tunneling – enables transmitting IPv4 inside IPv6 packets and vice-versa

3. Network Address Translation-Protocol Translation (NAT-PT) – certified and implemented by Cisco. [2](Deal,2008)

Subnetting on IPv6 is the same as in IPv4. The only thing that changes is the number of the hosts and sub-networks created. Although there are enough addresses to raise the question: "why do I need to subnet" the answer is simple and obvious: Reduce unnecessary network traffic Security policies Flexibility on design and route summarization

So there are reasons to subnet but they aren’t the same as in IPv4. The subnetting in IPv6 has a maximum of 64-bit for users. So from the 128-bit address the half is going for users and the rest for aggregation upward to the ISP having a 48-bitglobal routing prefix with a 16-bit subnet id. That is a 65535 of individual subnets for the organizations. So it is obvious, that they are subnets with bigger number of addresses than the complete IPv4 scheme had. The following figure shows this [17].

(https://ls-a.org/doku.php?id=school:2b_chapter_7_questions&s%5b%5d=ipv6)

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 8

6. IPSec

IPSec stands for Internet Protocol Security. It is designed to implement network security by using new and existing elements of IP layer to offer network security services. The interoperability between IPv4 and IPv6 is a mandatory implementation in order to converge between the two addressing protocols. IPSec services include: detection and rejection of replays, access control, data origin authentication, connectionless integrity, confidentiality via encryption, and limited traffic flow confidentiality. Moreover, IPSec is open to implement more sophisticated firewall procedures through the appropriate engineering and to use the IPSec-mandated functionality. Please note that implementing additional firewall mechanisms might harm the traffic flow because of interoperability issues between the IPSec and the negotiated traffic selector features.

Using a firewall and separate cryptographic protection cannot match the security level achieved from the IPSec firewall function that uses cryptographically–enforced authentication and integrity, which is provided for all IPSec traffic. IPSec security services are provided by using cryptographic key management procedures and protocols like the two most common traffic security protocols: Authentication Header (AH) and Encapsulation Security Payload (ESP). Which set of those security protocols will be used in a network context is determined by the administrators of the context. The structure of the IPSec is set to ensure that the services and the management interfaces will be able to handle a broad number of users in compliant implementations and that the security requirements will be met. In order for the IPSec to be correctly implemented and deployed ought to be modular and by permitting to a variety of selected different sets of cryptographic algorithms to be compatible or not affecting each other made it to be interoperable. This way other parts of the implementation are unaffected and users from different communities are able to communicate in the global Internet by using specific sets of protocols. The [Eas05] defines a set of default cryptographic algorithms for use with AH and ESP. On the other hand [Sch05] defines a set of mandatory-to-implement algorithms for use with IKEv2. Those two sets will be updated periodically to be synchronized with computational and cryptologic advances. System and application developers are able to deploy cryptographic security with high quality at the Internet layer by using the IPSec traffic protection in combination with the use of cryptographic algorithms. Those algorithms are defined in separate documents from the AH, ESP and IKEv2 specifications and so they can updated or replaced without affecting the rest of the IPSec standardization document suite [18].(IETF. (n.d.). http://tools.ietf.org/html/rfc4301) IP Authentication Header (RFC4302)

The IP Authentication Header (AH) was created to provide protection against the replays, connectionless integrity and data origin authentication for IP datagrams. The protection against replays is an optional service that may be selected from the receiver once a Security Association (SA) is established.

AH is set to authenticate as much of the IP header as possible and also for the protocols at the next level. The protection provided is fragmented since some

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 9

IP header fields may change in the way to the receiver. So they can’t be predicted from the sender and the values of such field cannot be protected from AH.

There are three ways AH can be applied. Those are:

1. Stand alone appliance

2. Combined with the IP Encapsulation Security Payload [Ken-ESP]

3. Nested fashion [Ken-Arch]

There are also three ways to provide security. Those are:

1. Between a pair of communicating hosts

2. Between a pair of communication security gateways

3. Between a security gateway and a host

Encapsulation Security Payload (ESP) if used is capable of the same anti-replay and similar integrity services and also an encryption service. The main difference between ESP and AH integrity is that the ESP cannot protect any IP header fields if they aren’t encapsulated with ESP for example consider via use of tunnel mode. [19](IETF. (n.d.). http://tools.ietf.org/html/rfc4302) Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP) (RFC4309)

Advanced Encryption Standard is a cryptographic block that acts as a mechanism in the IPSec ESP (Encapsulation Security Payload) in order to provide authentication for data origin, confidentiality and connectionless integrity [20] (IETF. (n.d.). http://tools.ietf.org/html/rfc4309) Internet Key Exchange (IKEv2) Protocol (RFC4306)

IKEv2 or Internet Key Exchange protocol version 2 is a combination of separate documents and includes:

1. Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408)

2. Internet Domain of Interpretation (DOI RFC 2407)

3. Network Address Translation (NAT) Traversal

4. Legacy authentication

5. Remote Address Acquisition

Please note that, it is not interoperate with version 1 but since both versions share a big part of the header format, they both can undoubtedly run over the same UDP port.

IKE is part of the IPSec and is responsible for authenticating, establishing and maintaining security associations (SAS) [21] (IETF. (n.d.). http://tools.ietf.org/html/rfc4306).

The basic mechanism that the key exchange algorithm is stands for "The OAKLEY Key Determination Protocol" (RFC 2412). Diffie-Hellman key exchange algorithm is used in OAKLEY basic mechanism which is responsible for secure and secret credential material between two authenticated nodes. OAKLEY is compatible with the ISAKMP through the Perfect Forward Secrecy (PFS) which:

1. Manages security associations

2. User-define abstract group structures

3. Key updates

4. Key distributed via out-of-band mechanisms

To continue with, ISAKMP is the framework for the associate security managements. The set of principles that should be obtained in this frameworks, are defined in RFC 2407, "The IP Security Domain of Interpretation for ISAKMP".

Although IPSec DOI (Domain of Interpretation) implementations must support ESP_DES as stated on RFC 2407, updated research on cryptanalysis

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 10

suggests the use of ESP_3DS since DES may not be sufficiently secure for many applications. IETF is very likely in the near future to deprecate the use of ESP_DES as a mandatory cryptographic suite but it will remain as an option.

The Internet IP Security Domain of Interpretation for ISAKMP (IPSEC DOI for ISAKMP) is a combination of protocols which all together are responsible for:

1. Security association management

2. Cryptographic key implementation for the Internet,

3. Defined data exchanges, payloads

4. Processing guidelines (in a DOI)

5. Negotiate security associations (when IP uses ISAKMP)

[21] (IETF. (n.d.). http://tools.ietf.org/html/rfc2412)

7. Conclusion

To sum up, the goal of this assignment is to present and compare the two prevalent versions of Internet Protocol, IPv4 and IPv6 under security perspective. First of all, it is presented a general recursion of Internet Protocol. To continue with, the fourth version of IP (IPv4) is introduced. In addition to IP protocol, which has been developed for interconnections of packet-switched networks, IPv4 main operations are fragmentation and addressing, independently the network infrastructure and services. IPv4 obtains a 32-bit addressing scheme. Due to the rapid growth of Internet network, the addressing scheme of IPv4 turns out not to be expandable enough to cover the entire addressing demand. In the beginning, short-term solutions were implemented, such as the development of address translation protocol (NAT). The scope of network address translation protocol is to separate a network to a private one, inside a local network, and global one, outside the local network. The inside addresses should be translated in order for an inside host to communicate with the global network. Although introduction of NAT enhances the security level of a network, since the local addressing scheme is hidden, private address collisions may occur during a network or a scheme migration. As a result, the sixth version of IP, IPv6, developed as a long-term solution to addressing scheme issue of IPv4. The sixth version of Internet Protocol has a 128-bit addressing scheme, which provides an expanded space for address assignment. Regardless the fact that the header of IPv6 datagram contains more bits, it’s functionally developed with a simpler format. Since MAC address is included in IPv6 address the configuration for peer-to-peer communications is could be in automatic mode. The significant updated fields in IPv6 header are: traffic class, flow label and payload length. With Flow Label functionality, a label is added to datagram independently fragmentation function, so as for the packet to be forwarded to the appropriate destination with less processing resources used. To continue with, IPv6 addressing scheme does not include broadcast address, so collision domains are reduced. By these, the QoS (Quality of service) is implemented more effectively and efficiency, since the administration management and bandwidth require less resources so as to work properly. Flow Labeling is also known as "the real quality of service (QoS)". The other updated significant field of IPv6 header is the payload length. This field added the base for the security layer that is enhanced to TCP/IP suite with the introduction of IPv6. This security layer is known as IPSec and stands for Internet Protocol Security. IPSec provides network security services

Information and Network Security Engineering IPv4 vs. IPv6

Kalliopi M. Stara Page | 11

based on old and new elements of an address header. IPSec cryptographically–enforced authentication and integrity functions that are implemented inside a data packet, also called Security Associations (SA), could provide a security level much more prior than any combination of separate cryptography and firewall protection. IPSec is a default feature in IPv6 addressing scheme. On the other hand, IPv4 addressing scheme could be configured so as IPSec to be implemented. This was not an option in IPv4 before IPv6 introduction, but become crucial function for the interoperability between the two versions. IPSec header authentication process protects all field of an IP address, apart from the mutable fields. As mutable filed in version 4 are consider the fields such as flags, fragment offset, TTL and Header Checksum, which are traditionally used for performing security services in IPv4. As a result the extra protection mechanism may affect the flow traffic of a network. In IPv6 the mutable fields that are Flow Label and Hop Limit, which obvious do not carry crucial information for authentication. The other main set of principles that IPSec suite includes, it’s the Encapsulation Security Payload (ESP). ESP provides protection services for origin authenticity, integrity and confidentiality, but not for the entire IP packet, leaving unprotected the IPv4 option field in fourth version and for the sixth version only the extension headers. According to all the above, we can conclude to the fact that, security management could reach the same level of protection in the two IP versions, either with minimal configuration (in IPv6) or by interfering flow traffic and performing much complex administration tasks (in IPv4).