NSA Published IPv6 Security Guidance – Cybersecurity Information Sheet

To assist the Department of Defense (DoD) and other system administrators in identifying and minimising security risks related to the transition to Internet Protocol version 6 (IPv6), the National Security Agency (NSA) has released IPv6 Security Guidance.

The most recent IP version, IPv6, offers benefits over the earlier IP version 4 technologies (IPv4). The IPv4 address space, in particular, is insufficient to handle the growing number of networked devices that require routable IP addresses, whereas IPv6 offers a huge address space to fulfill both present and future needs.

The NSA notes that the transition to IPv6 is anticipated to have the most effects on network infrastructure, affecting every networked hardware and software in some way, as well as cybersecurity.

“Operating dual stack increases the operational burden and the attack surface. System owners and administrators should implement cybersecurity mechanisms on both IP protocols to protect the network”, reads the NSA’s IPv6 security guidance.

Federal and DoD networks are expected to operate dual stack, which means they will simultaneously run IPv4 and IPv6. This extends the attack surface and presents additional security issues.

IPv6 Security Guidance

Using stateless address auto-configuration (SLAAC), a host can automatically assign itself an IPv6 address. Static addresses may be preferred in some circumstances, such as for important servers, but allowing devices to automatically self-assign or request an IPv6 address dynamically is simpler.

 “NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) servers to mitigate the SLAAC privacy issue”, states the agency.

“Alternatively, this issue can also be mitigated by using a randomly generated interface ID that changes over time, making it difficult to correlate activity while still allowing network defenders requisite visibility”.

One protocol can be transmitted within another protocol using the transitional method known as tunneling.

“Unless transition tunnels are required, NSA recommends avoiding tunnels to reduce complexity and the attack surface. Configure perimeter security devices to detect and block tunneling protocols that are used as transition methods”, the agency published IPv6 Security Guidance.

The NSA advises implementing IPv6 cybersecurity measures similar to those put in place for IPv4, such as firewall rules, and blocking other transitional measures, including tunneling and translation, for dual-stack networks.

Further, administrators should check access control lists (ACLs) or filtering rules to make sure that only traffic from authorized addresses is allowed because multiple network addresses are frequently assigned to the same interface in IPv6. They should also log all traffic and conduct routine log reviews.

The NSA also advises ensuring that network administrators obtain adequate training and education on IPv6 networks in order to better protect and enhance IPv6 security on a network.

Hence, IPv6 security threats do exist and will be observed, they can be reduced by a combination of strictly following configuration recommendations and system owners’ and administrators’ training throughout the transition.

“The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked,” said Neal Ziring, NSA Cybersecurity Technical Director. 

“It’s important that DoD system admins use this guide to identify and mitigate potential security issues as they roll out IPv6 support in their networks.”

Network Security Checklist – Download Free E-Book