{"id":6938,"date":"2021-09-01T13:57:35","date_gmt":"2021-09-01T20:57:35","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6938"},"modified":"2022-10-19T16:26:24","modified_gmt":"2022-10-19T23:26:24","slug":"ipv6-enhances-zero-trust-network-architectures","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/ipv6-coe\/ipv6-enhances-zero-trust-network-architectures\/","title":{"rendered":"IPv6 Enhances Zero-Trust Network Architectures"},"content":{"rendered":"<p>Enterprise networks have been transforming over the last decade with the Internet now serving as the new <em>de facto<\/em> corporate network.\u00a0 With the shift to cloud-hosted applications, <a href=\"https:\/\/blogs.infoblox.com\/ipv6-coe\/could-sd-wan-change-ipv6-adoption-in-enterprises\/\">Software-Defined WAN<\/a> (SD-WAN), <a href=\"https:\/\/blogs.gartner.com\/andrew-lerner\/2019\/12\/23\/say-hello-sase-secure-access-service-edge\/\">Secure Access Service Edge<\/a> (SASE), and a socially-distanced remote workforce, the corporate Internet perimeter is all but eroded.\u00a0 Enterprises can no longer assume that if the user is &#8220;on the internal corporate network&#8221; they are automatically trusted.\u00a0 Corporations are wisely moving from a &#8220;most privileged&#8221; to a &#8220;least privileged&#8221; security model.\u00a0 As a result, enterprises and security vendors have locked onto the term &#8220;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero_trust_security_model\">Zero Trust<\/a>&#8221;, which is rapidly becoming an overused and overloaded term for what is essentially a <em>perimeter-less<\/em> (i.e., \u201cno perimeter\u201d) security model.<\/p>\n<p>With so many of the enterprise end-user population working remotely, using 4G\/5G wireless services and\/or residential broadband, they could likely already be using IPv6\u2014a fact their network or security administrators may be unaware of.\u00a0 Indeed, many organizations are still in denial of how much IPv6 
usage there is on the Internet and how many employees, contractors, vendors, and suppliers are already using IPv6. This is a serious blind spot for security and network teams. But IPv6 has some unique characteristics that lend themselves to new ways of thinking about network and host security and for facilitating the security of end users and application services.<\/p>\n<h3>Characteristics of a Zero-Trust Architecture<\/h3>\n<p>The concept of <em>de-perimeterization<\/em> was first introduced 15 years ago by <a href=\"https:\/\/www.opengroup.org\/forum\/security\">The Open Group<\/a> (formerly the Jericho Forum) which created the concept of an orbital security model wherein the inner rings contain the most important data assets and the outer rings contain the least-trusted or completely untrusted Internet.\u00a0 Concepts like the <a href=\"https:\/\/cloudsecurityalliance.org\/\">Cloud Security Alliance<\/a> (CSA) <a href=\"https:\/\/cloudsecurityalliance.org\/research\/working-groups\/software-defined-perimeter-and-zero-trust\/\">Software-Defined Perimeter<\/a> (SDP) evolved through the work of Google&#8217;s <a href=\"https:\/\/www.beyondcorp.com\/\">BeyondCorp<\/a>.\u00a0 The term Zero-Trust was popularized by John Kindervag, while working at Forrester.<\/p>\n<p>NIST released their Special Publication 800-207 titled &#8220;<a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\">Zero Trust Architecture<\/a>&#8221; in August 2020, which defines the key tenets of a ZTA and describes design components and deployment use cases.\u00a0 Key pillars of Zero-Trust include least-privilege access to applications and data, authentication of end users, validation of their location and device context, and deep visibility into both IPv4 and IPv6 communications.<\/p>\n<h3>Restoration of the End-to-End Communications Model and Zero-Trust Impacts<\/h3>\n<p>One of the important characteristics of IPv6 is its abundance of global IPv6 addresses, obsoleting the need for 
NAT to solve the public IPv4 depletion problem.\u00a0 Without NATs in the middle of client-server communications, the application server actually receives the unmodified connection from the source IPv6 address of the client.\u00a0 Coincidentally, the end-to-end model of IP communications was the original way the Internet was intended to function.<\/p>\n<p>With the constraints of IPv4 addresses, NATs have become plentiful, thus obfuscating client IPv4 addresses. As a result, servers may not be able to validate the identity of client connections. Other forms of authenticating the end user become important.\u00a0 This creates problems for <a href=\"https:\/\/www.networkworld.com\/article\/2228021\/cisco-subnet-ipv4-reputation-filtering-not-a-long-term-solution.html\">reputation filtering<\/a> and for applications trying to use the client IPv4 address as a method of authentication or detecting and blocking fraudulent transactions.\u00a0 Now, IPv4 addresses have become only &#8220;<a href=\"https:\/\/blogs.infoblox.com\/ipv6-coe\/ipv4-addresses-are-only-locally-significant\/\">locally significant<\/a>&#8221; within the domain or zone where they are used.\u00a0 This makes us question the legitimacy of IPv4 connections and possibly <a href=\"http:\/\/ipj.dreamhosters.com\/wp-content\/uploads\/issues\/2013\/ipj16-1.pdf\">consider IPv6 connections as somehow more trustworthy<\/a>.<\/p>\n<h3>Using the IPv6 Address for Security<\/h3>\n<p>One of the unique characteristics of IPv6 is its incredibly large 128-bit addresses.\u00a0 The address space is so large that there is potential to use the last 64 bits of the address (the Interface Identifier or <em>IID<\/em>) for security purposes.\u00a0 These techniques are not feasible with the limited supply of IPv4 addresses.\u00a0 Methods of changing the IPv6 node&#8217;s IID frequently take a page from the network attacker&#8217;s playbook and &#8220;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Fast_flux\">fast flux<\/a>&#8221; 
techniques.\u00a0 An example of this is when <a href=\"https:\/\/en.wikipedia.org\/wiki\/IPv6_address#Temporary_addresses\">temporary IPv6 IIDs<\/a> change periodically to help preserve the privacy of the end-user.\u00a0 It is also likely that you might read an older book on <a href=\"https:\/\/www.ciscopress.com\/store\/ipv6-security-9781587055942\">IPv6 Security<\/a> where the concepts of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Secure_Neighbor_Discovery\">Secure Neighbor Discovery<\/a> (SEND) (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3971\">RFC 3971<\/a>) and Cryptographically Generated Addresses (CGA) (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3972\">RFC 3972<\/a>) were used to leverage the IPv6 IID to provide privacy and authenticate locally-connected nodes. Neither of these methods were broadly adopted, however.<\/p>\n<p>One innovative approach, illustrated below, is to have an IPv6-capable DNS service coordinate its responses with a web-tier application front-end.\u00a0 One example of this is a custom DNS function that works with web servers, or load balancers that can have Web Application Firewall (WAF) capabilities.\u00a0 The communication is initiated by a client asking its caching DNS resolver the address of a server&#8217;s fully-qualified domain name (FQDN).\u00a0 The authoritative DNS server returns a AAAA record response with an IPv6 address with a seemingly random IID (with a very low TTL value).\u00a0 The IID is actually a unique identifier that is solely specified for that particular client device (or DNS resolver).\u00a0 The authoritative DNS server coordinates the IID selected for the AAAA response with the front-end web-tier application service.\u00a0 The client makes the connection to the IPv6 address with the curated IID.\u00a0 When the connection from the client is initiated, the front-end web server knows that client is the device that made the connection.\u00a0 This method can be used to separate legitimate 
traffic from DDoS traffic.\u00a0 This technique could be extended to have the IID of the AAAA record response use some type of client-identifier for Zero-Trust application access or as part of a <a href=\"https:\/\/www.networkworld.com\/article\/3391380\/does-your-cloud-access-security-broker-support-ipv6-it-should.html\">Cloud Access Security Broker<\/a> (CASB) service.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6939\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/ipv6-ztna-1.png\" alt=\"\" width=\"3900\" height=\"1821\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1.png 3900w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1-300x140.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1-1024x478.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1-768x359.png 768w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1-1536x717.png 1536w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ipv6-ztna-1-2048x956.png 2048w\" sizes=\"auto, (max-width: 3900px) 100vw, 3900px\" \/><\/p>\n<p>Another example of how the IPv6 IID can be used for authenticating client connections is the <a href=\"https:\/\/github.com\/mikroskeem\/tosh\">Tosh SSH server<\/a>.\u00a0 Tosh is an IPv6-only SSH server that uses the last 6 hex digits of the IID to create a Time-Based One-Time Password (TOTP) code that changes every 30 seconds.\u00a0 This uses the IID like a Two-Factor-Authentication (2FA) or Multi-Factor-Authentication (MFA) system whereby the server&#8217;s IPv6 address is the &#8220;something you know&#8221; part of MFA.<\/p>\n<p>The idea of using the vastness of the IPv6 IID isn&#8217;t necessarily new.\u00a0 Back in 2011, Moving Target IPv6 Defense (MT6D) was a system created by graduate students in the IT Security Laboratory (ITSL) at <a 
href=\"https:\/\/security.vt.edu\/about\/security_lab\/current_research.html\">Virginia Tech<\/a> to obscure IPv6 addresses and prevent eavesdropping.\u00a0 It uses an algorithm that a pair of hosts use to change their IPv6 addresses dynamically and that allows the hosts to predict the other\u2019s next IPv6 address.\u00a0 The IIDs of both ends of the communications change, based on some algorithm and key only known to the two nodes.\u00a0 This method makes interception of the communications more difficult and prevents any attacker from sending an IPv6 packet to either node because their IPv6 addresses are constantly changing.\u00a0 <a href=\"http:\/\/www.networkworld.com\/article\/3018881\/tech-primers\/moving-target-defense-vs-moving-target-attacks-the-two-faces-of-deception.html\">Moving Target Defense<\/a> (MTD) methods have been considered for many years, but can now be realized with IPv6 because the IID offers far more potential than IPv4&#8217;s constrained address space. However, it would likely require that a full \/64 be routed to the host to avoid potential neighbor exhaustion issues if many devices on the same \/64 network were also using this technique.<\/p>\n<p>Back in 2012, MITRE described a method of leveraging the IPv6 IID for security purposes in what it calls the &#8220;<a href=\"https:\/\/www.mitre.org\/publications\/technical-papers\/identitybased-internet-protocol-network\">Identity-Based Internet Protocol<\/a> (IBIP)&#8221;.\u00a0 This technique, <a href=\"https:\/\/www.mitre.org\/sites\/default\/files\/pdf\/tto-ibip--factsheet_2-24-14.pdf\">described in their factsheet<\/a>, uses Common Access Card (CAC) credentials to form a 40-bit user ID, and uses the computer\u2019s Trusted Platform Module (TPM) to form a 40-bit host ID.\u00a0 These are used to create an IPv6 IID that uniquely identifies the client and is seemingly random, preserving the privacy of the end-user like privacy addresses (<a 
href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8981\">RFC 8981<\/a>).\u00a0 This IBIP can be integrated with IEEE 802.1X, Software-Defined Perimeter (SDP), Single-Packet Authorization (SPA), and other security purposes.<\/p>\n<p>Greenfield IPv6 deployments often start with a newly-minted and elegant <a href=\"https:\/\/www.oreilly.com\/library\/view\/ipv6-address-planning\/9781491908211\/\">IPv6 address plan<\/a>.\u00a0 With the proper IPv6 addressing architecture, an enterprise can have cleaner, less-complicated boundary filters and more granular filtering that facilitates micro-segmentation and host isolation.\u00a0 This allows security to be a key consideration in all IPv6 address planning endeavors.<\/p>\n<p>Another creative approach could be to use multiple IPv6 addresses on a local segment.\u00a0 The local first-hop router could send an ICMPv6 type 134 Router Advertisement (RA) with two \/64 IPv6 prefixes.\u00a0 One \/64 prefix could be preferred for outbound Internet communications and a second, less-preferred \/64 prefix could be used for administrative internal-only connectivity to sensitive applications.\u00a0 Alternatively, networks could use a single \/64 prefix but nodes could configure multiple IIDs on their interfaces for various levels of trust.<\/p>\n<h3>Handling the Neighbor Cache Timeout<\/h3>\n<p>A key consideration with these types of methods, where the server&#8217;s IID is changing frequently, or for each individual connection, is that the neighbor cache of the server and its first-hop router will fill up quickly.\u00a0 For example, the Tosh SSH server&#8217;s IID changes every 30 seconds, so in 4 hours this would produce 480 neighbor cache entries.\u00a0 There are solutions to this problem, like limiting the number of neighbor-cache entries or setting a very short neighbor-cache timeout, among others.<\/p>\n<p>On a Cisco router, you can limit the number of entries in the neighbor cache (100, in the example below) of a particular 
interface using the following command.\u00a0 Note: this command can be applied either to a particular interface (as shown here) or globally, which would apply it to all interfaces on the router.<\/p>\n<p><strong>interface GigabitEthernet0\/0\/0<\/strong><\/p>\n<p><strong>\u00a0ipv6 nd cache interface-limit 100<\/strong><\/p>\n<p>Another option is to reduce the neighbor cache timeout on the interface to less than the default 4 hours (14,400 seconds).\u00a0 Cisco calls this &#8220;<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst9200\/software\/release\/16-12\/configuration_guide\/ip\/b_1612_ip_9200_cg\/enhanced_ipv6_neighbor_discovery_cache_management.pdf\">Enhanced IPv6 Neighbor Cache Management<\/a>&#8221;.\u00a0 The first of the following commands learns the neighbor cache entries from observed unsolicited NAs and the second command reduces the neighbor cache expire timeout to 60 seconds (before it expires and deletes STALE cache entries).<\/p>\n<p><strong>interface GigabitEthernet0\/0\/0<\/strong><\/p>\n<p><strong>\u00a0ipv6 nd na glean<\/strong><\/p>\n<p><strong>\u00a0ipv6 nd cache expire 60<\/strong><\/p>\n<p>Another possible solution to the problem of the server-side neighbor-cache filling up due to changing server IIDs is to dedicate an entire \/64 prefix to the individual web server.\u00a0 There have been proposals to assign a \/64 prefix to individual hosts to facilitate <a href=\"https:\/\/www.howfunky.com\/2015\/06\/ipv6-docker-and-building-for-scale.html\">software containers inside that host\/node<\/a>, for improved host isolation, micro-segmentation, and to mitigate security issues like link-local IPv6 host reconnaissance (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7707\">RFC 7707<\/a>).\u00a0 This technique is defined in the IETF RFC titled &#8220;Unique IPv6 Prefix per Host&#8221; (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8273\">RFC 8273<\/a>).\u00a0 An example of this can be found in a <a 
href=\"https:\/\/aws.amazon.com\/about-aws\/whats-new\/2021\/07\/amazon-virtual-private-cloud-vpc-customers-can-assign-ip-prefixes-ec2-instances\/\">recent AWS announcement<\/a> whereby AWS now lets you assign an entire IPv4 or IPv6 prefix to a single EC2 instance.<\/p>\n<h3>Summary<\/h3>\n<p>For decades we have been constrained by the limited 32-bit IPv4 address space.\u00a0 We have endured and persevered with these limitations, used NAT heavily, and basically assumed this is how the world is and we are powerless to change it.\u00a0 Now, with IPv6, we can shed these old ways of thinking that IP addresses are a preciously scarce commodity.\u00a0 This liberating realization of IPv6&#8217;s address abundance allows us to think differently about how IPv6 addresses are used for securing client-server communications.\u00a0 It is certain that IPv6 will facilitate innovation and we will see many more techniques developed along these lines to improve security and help achieve Zero-Trust architectures.<\/p>\n<p>I am the CTO of <a href=\"https:\/\/hexabuild.io\/\">HexaBuild.io<\/a>, an IPv6 consulting and training company.\u00a0 Follow HexaBuild on <a href=\"https:\/\/twitter.com\/hexabuild\">Twitter<\/a> and <a href=\"https:\/\/www.linkedin.com\/company\/hexabuild\">LinkedIn<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enterprise networks have been transforming over the last decade with the Internet now serving as the new de facto corporate network.\u00a0 With the shift to cloud-hosted applications, Software-Defined WAN (SD-WAN), Secure Access Service Edge (SASE), and a socially-distanced remote workforce, the corporate Internet perimeter is all but eroded.\u00a0 Enterprises can no longer assume that if 
[&hellip;]<\/p>\n","protected":false},"author":321,"featured_media":6737,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17],"tags":[38,284,283,16,162,167,405,429],"class_list":{"0":"post-6938","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ipv6-coe","8":"tag-ipv6","9":"tag-ztna","10":"tag-zero-trust-network-architecture","11":"tag-infoblox","12":"tag-sd-wan","13":"tag-sase","14":"tag-zero-trust","15":"tag-casb","16":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>IPv6 Enhances Zero-Trust Network Architectures<\/title>\n<meta name=\"description\" content=\"There is a growing sense that companies should adopt the Zero-Trust concept. Find out why your company should and how IPv6 can be used to enhance the concept.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/ipv6-coe\/ipv6-enhances-zero-trust-network-architectures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IPv6 Enhances Zero-Trust Network Architectures\" \/>\n<meta property=\"og:description\" content=\"There is a growing sense that companies should adopt the Zero-Trust concept. 
Find out why your company should and how IPv6 can be used to enhance the concept.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/ipv6-coe\/ipv6-enhances-zero-trust-network-architectures\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-01T20:57:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-10-19T23:26:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-38.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"344\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Scott Hogg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Scott Hogg\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/\"},\"author\":{\"name\":\"Scott Hogg\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/ee71ac61fe2ea349f6e991e628d22f4c\"},\"headline\":\"IPv6 Enhances Zero-Trust Network Architectures\",\"datePublished\":\"2021-09-01T20:57:35+00:00\",\"dateModified\":\"2022-10-19T23:26:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/\"},\"wordCount\":1844,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-38.jpg\",\"keywords\":[\"IPv6\",\"ZTNA\",\"Zero Trust Network Architecture\",\"Infoblox\",\"SD-WAN\",\"SASE\",\"Zero Trust\",\"CASB\"],\"articleSection\":[\"IPv6 CoE\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/\",\"name\":\"IPv6 Enhances Zero-Trust Network 
Architectures\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-38.jpg\",\"datePublished\":\"2021-09-01T20:57:35+00:00\",\"dateModified\":\"2022-10-19T23:26:24+00:00\",\"description\":\"There is a growing sense that companies should adopt the Zero-Trust concept. Find out why your company should and how IPv6 can be used to enhance the concept.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-38.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-38.jpg\",\"width\":612,\"height\":344,\"caption\":\"Network security concept. Data protection. Cyber security. 
Communication network.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/ipv6-coe\\\/ipv6-enhances-zero-trust-network-architectures\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"IPv6 CoE\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/ipv6-coe\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"IPv6 Enhances Zero-Trust Network Architectures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/ee71ac61fe2ea349f6e991e628d22f4c\",\"name\":\"Scott 
Hogg\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_321_1574118215-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_321_1574118215-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_321_1574118215-96x96.jpg\",\"caption\":\"Scott Hogg\"},\"description\":\"Scott Hogg has 30 years of network and security experience and is president of Hogg Networking with. Scott Hogg specializes in teaching Internet Protocol version 6 (IPv6) and providing implementation guidance. Scott is CCIE #5133 (Emeritus) and CISSP #4610. Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (RMv6TF), a member of the IPv6 Center of Excellence (COE), and co-author of the Cisco Press book on IPv6 Security.\",\"sameAs\":[\"https:\\\/\\\/hexabuild.io\"],\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/scott-hogg\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->",
"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/321"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6938"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6938\/revisions"}],"predecessor-version":[{"id":8124,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6938\/revisions\/8124"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6737"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/ca
tegories?post=6938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}