IPv6 and zero-trust networks

The "zero trust" network model, originally developed by Forrester International[1], rests on two principles:

  • Do not trust anyone just because they're within the network. Always verify access controls prior to allowing access to a protected resource.
  • The security of a firewall or VPN should not be relied upon to establish this model.

So where does IPv6 come into play? One of the main purposes of a VPN is to allow access to resources on private IP addresses. In a zero-trust network model, however, services that would normally be reachable only through a VPN are accessed publicly, so each host offering such a service needs a public IP address.

As we all know, IPv4 addresses are running out, so the only sustainable way to do this is to make those services available over IPv6.
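To make the first principle concrete, here is an added example (not code from the original post) of the access decision a publicly reachable IPv6 service has to make on every request: the perimeter-style check trusts anything from an "internal" prefix, while the zero-trust check verifies a signed, expiring token and never treats the source address as proof of identity. The shared key, the ULA prefix and the addresses are constructed for illustration.

```python
"""Per-request authorization for a service exposed on a public IPv6 address.
'perimeter' is the model zero trust replaces; 'zero_trust' verifies every
request on its own merits. Key, prefix and addresses are constructed."""
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"                    # assumption: shared HMAC key
INTERNAL = ipaddress.ip_network("fd00:1234::/48")   # assumption: the old "inside" ULA


def mint_token(subject, resource, expires):
    """Issue a token bound to one subject, one resource and an expiry (epoch seconds)."""
    body = f"{subject}|{resource}|{expires}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def perimeter(src, resource, token, now):
    """Perimeter model: being inside the network counts as proof of identity.
    Credentials are never checked, which is exactly what zero trust rejects."""
    return ipaddress.ip_address(src) in INTERNAL


def zero_trust(src, resource, token, now):
    """Zero-trust model: every request must carry a valid token for this
    resource. The source address may be logged, but it grants nothing."""
    if not token:
        return False
    try:
        subject, res, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False  # malformed token
    body = f"{subject}|{res}|{expires}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged or tampered
    return res == resource and now < expires
```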

Hurricane Electric offers 6in4 tunnels. To some extent, IPv6 network access is like a VPN in that you reach a part of a computer network that is not normally reachable publicly; the difference is that instead of just your own network, the reachable set is every endpoint that has an IPv6 address.

  1. I do have to admit that I did independently discover this model myself by playing with SSH tunnels.