Larus Team 2021-01-14 09:20:41 IPv6
When a new protocol such as IPv6 is introduced to the market, its security posture is one of the things users consider, especially with regard to network attacks. Although protocol security is widely discussed, there is usually no single place to obtain information about potential attacks, research references for those attacks, possible countermeasures, and operational challenges. For the IPv6 protocol, however, you can find that information by searching for the document name draft-ietf-opsec-v6. This document collects and examines IPv6 security information provided by operators. If you have deployed IPv6 or are considering deploying it, this article may help you.
The draft is divided into four main parts. The first, and longest, addresses general security considerations. The first question it considers is whether operators should use provider-independent (PI) or provider-assigned (PA) address space. One of the dangers of a large address space is the sheer size of the potential routing table in the default-free zone (DFZ). If every network operator chooses a /32, the potential size of the DFZ routing table is 2.4 billion routing entries. If you think convergence on roughly 800,000 routes is poor, wait until there are 2.4 billion. Of course, PI space is actually allocated on /48 boundaries, which makes the potential table size grow exponentially. So in some very important respects, PI space is bad for the Internet. This document presents the other side of the argument: security is a problem with PA space. Although renumbering in IPv6 is supposed to be "easy", in practice it is far from that; some reports indicate that IPv6 renumbering is harder than it was in IPv4. A long and difficult renumbering process creates many opportunities for security failures, so the attack surface is also large. Preferring PI space over PA space thus becomes a matter of reducing the operational attack surface.
Another interesting question is whether static addressing should be used for certain services when managing an IPv6 network, or whether all addresses should be assigned dynamically. It is commonly believed that because the IPv6 address space is so large, it cannot be "scanned" to find hosts to attack. As the draft points out, studies have shown that this is simply incorrect. In addition, static addresses may place specific servers or services at locations that attackers can easily identify. The point the authors make here is that, either way, endpoint security needs to rely on actual security mechanisms rather than on hiding the address somehow. Other very useful topics considered here include: unique local addresses (ULA), numbering and management of point-to-point links, SLAAC privacy extensions, use of a /64 per host, extension headers, protection of DHCP, ND/RA filtering, and control plane security.
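The paragraph above makes the point that a large address space is not a hiding place: interface identifiers built from a MAC address, an IPv4 address, or a small number are predictable, and only randomised identifiers (SLAAC privacy extensions or stable-privacy identifiers) are not. The following audit script is an added example, not code from the Larus post or from draft-ietf-opsec-v6. It classifies the interface identifier of each address in an inventory so an operator can see how much of a network relies on address obscurity. The addresses are constructed for illustration in the 2001:db8::/32 documentation prefix, and the category names and functions (`classify_iid`, `audit`, `predictable_fraction`) are this example's own.

```python
"""Audit IPv6 interface identifiers (IIDs) for predictable patterns.

Added example; the sample addresses below are constructed, not real hosts.
"""
import ipaddress
from collections import Counter

# Constructed inventory in the 2001:db8::/32 documentation prefix.
SAMPLE_ADDRESSES = [
    "2001:db8:0:10::1",                   # router/service on a low number
    "2001:db8:0:10::53",                  # DNS server numbered after its port
    "2001:db8:0:10::192.0.2.10",          # legacy IPv4 address embedded in the IID
    "2001:db8:0:20:20c:29ff:fe3a:1b2c",   # SLAAC modified EUI-64 (MAC recoverable)
    "2001:db8:0:20:5c2e:8b1d:7a9f:3e41",  # randomised (privacy extension style)
    "2001:db8:0:20:91ab:4d0f:e6c3:2b78",  # randomised (privacy extension style)
]


def classify_iid(addr: str) -> str:
    """Label the low 64 bits of an address.

    Returns one of 'eui-64', 'low-byte', 'ipv4-embedded' or 'random'.
    The heuristics are the usual ones: modified EUI-64 carries 0xFFFE in
    the middle of the IID; 'low-byte' means the upper 48 bits are zero;
    'ipv4-embedded' means the upper 32 bits are zero but the rest is not
    just a small number; anything else is treated as randomised.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # bytes 8..15 are the interface identifier
    if iid[3] == 0xFF and iid[4] == 0xFE:
        return "eui-64"
    if not any(iid[:6]):
        return "low-byte"
    if not any(iid[:4]):
        return "ipv4-embedded"
    return "random"


def audit(addresses) -> dict:
    """Count how many addresses fall into each IID category."""
    return dict(Counter(classify_iid(a) for a in addresses))


def predictable_fraction(addresses) -> float:
    """Share of the inventory whose IID follows a guessable pattern."""
    counts = audit(addresses)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (total - counts.get("random", 0)) / total


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:40} {classify_iid(a)}")
    print("summary:", audit(SAMPLE_ADDRESSES))
    print(f"predictable: {predictable_fraction(SAMPLE_ADDRESSES):.0%}")
```

A high predictable fraction is not a vulnerability by itself; it is a reminder that the hosts concerned must be protected by filtering, patching and host security, exactly as the draft argues, rather than by the assumption that nobody will find them.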
IPv6 deployment can be complicated and time consuming, so make sure everything is set up correctly. If you need help with IPv6 deployment, LARUS provides IPv6 training and will guide you step by step through your IPv6 deployment. For further information, contact us through the live chat at the bottom right or submit your contact details below.