About IPv6 Security Considerations

Larus Team 2021-01-14 09:20:41 IPv6

When a new protocol such as IPv6 is introduced to the market, its security posture is one of the things users consider, especially with respect to network attacks. Although protocol security is widely discussed, there is usually no single place to find information about potential attacks, research references for those attacks, potential countermeasures, and operational challenges. For IPv6, however, you can find this information by searching for the document name: draft-ietf-opsec-v6. This document collects and examines IPv6 security information provided by operators. If you have deployed IPv6 or are considering deploying it, this article may help you.


The draft is divided into four main parts. The first, and longest, addresses general security considerations. The first question is whether operators should use provider-independent (PI) or provider-assigned (PA) address space. One of the dangers of a large address space is the sheer size of the potential routing table in the default-free zone (DFZ). If every network operator chooses an IPv6 /32, the potential size of the DFZ routing table is 2.4 billion routing entries. If you think convergence is bad with about 800,000 routes, wait until there are 2.4 billion. Of course, PI space is actually allocated on the /48 boundary, which makes the potential table size grow exponentially. In some very important respects, therefore, PI space is not good for the Internet. The document presents the other side of the argument: PA space is a security issue. Although IPv6 renumbering is supposed to be "easy", in practice it is far from that. Some reports indicate that IPv6 renumbering is more difficult than IPv4 renumbering. A long and difficult renumbering process leaves many opportunities for security failures, so the attack surface is large. Preferring PI space over PA space thus becomes a matter of reducing the operational attack surface.


Another interesting question is whether static addressing should be used for certain services when managing IPv6 networks, or whether all addresses should be learned dynamically. It is generally believed that the IPv6 address space is too large to be "scanned" to find hosts to attack. As the draft points out, studies have shown that this is simply incorrect. In addition, static addresses may place specific servers or services at locations that attackers can easily identify. The authors' point is that, either way, endpoint security must rely on real security mechanisms rather than on hiding the address in some way. Other very useful topics considered here include: Unique Local Addresses (ULA), numbering and management of point-to-point links, privacy extensions for SLAAC, use of a /64 per host, extension headers, protection of DHCP, ND/RA filtering, and control plane security.
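To see how much of your own address plan depends on "the space is too large to scan", the following added example (not from the draft or from this article) classifies the interface identifier of each address in an inventory. The category names, the low-byte threshold and the sample addresses (constructed from the 2001:db8::/32 documentation prefix) are assumptions of this example.

```python
import ipaddress
from collections import Counter

def classify_iid(addr: str) -> str:
    """Label the interface identifier (low 64 bits) of one IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    # Modified EUI-64 (MAC-derived SLAAC) always carries ff:fe in the middle.
    if raw[3:5] == b"\xff\xfe":
        return "eui64"
    # Manual static numbering such as ::1 or ::53 (threshold is this example's choice).
    if iid < (1 << 16):
        return "low-byte"
    # IPv4 address written one octet per group, e.g. ::192:168:1:10.
    words = [format((iid >> s) & 0xFFFF, "x") for s in (48, 32, 16, 0)]
    if words[0] != "0" and all(w.isdigit() and int(w) <= 255 for w in words):
        return "ipv4-in-words"
    # No recognisable structure: consistent with randomized or privacy addresses.
    return "opaque"

def audit(addresses):
    """Return per-category counts and the share of structured identifiers."""
    counts = Counter(classify_iid(a) for a in addresses)
    structured = sum(n for label, n in counts.items() if label != "opaque")
    return counts, structured / len(addresses)

# Constructed sample inventory (documentation prefix, not real hosts).
INVENTORY = [
    "2001:db8::1",                       # router numbered by hand
    "2001:db8:0:1:211:22ff:fe33:4455",   # SLAAC without privacy extensions
    "2001:db8::192:168:1:10",            # dual-stack host mirroring its IPv4 address
    "2001:db8::a1b2:c3d4:e5f6:789",      # randomized identifier
]

if __name__ == "__main__":
    counts, share = audit(INVENTORY)
    for label, n in sorted(counts.items()):
        print(f"{label:14} {n}")
    print(f"structured identifiers: {share:.0%}")
```

A high share of structured identifiers means address obscurity is contributing nothing, so filtering and host hardening have to carry the whole load for those hosts.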


IPv6 deployment can be complicated and time-consuming, so make sure everything is set up correctly. If you need help with IPv6 deployment, LARUS provides IPv6 training and can guide you step by step through your deployment. For further information, contact us through the live chat at bottom right or submit your contact details below.
