The National Security Agency (NSA) on Jan. 18 published guidance to help the Department of Defense (DoD) and other system administrators identify and mitigate security issues associated with the transition to Internet Protocol version 6 (IPv6).
Federal and DoD networks in recent years have begun to transition from the legacy Internet Protocol version 4 (IPv4) to IPv6. But during this transition, some agencies continue to use IPv4, and many networks operate dual stack – running both IPv4 and IPv6 protocols simultaneously – arrangements as an interim solution toward an IPv6-only end state.
IPv6 provides a vastly larger address space to meet current and future needs, but it has a broad impact on cybersecurity that organizations should address with due diligence, according to the guidance.
“IPv6 security issues are similar to those from IPv4,” the guidance document says. “Security methods used with IPv4 should [apply] to IPv6 with adaptations required to address the differences with IPv6. Security issues associated with an IPv6 implementation will generally surface in networks new to IPv6 or during the early phases of the transition.”
In addition, agencies operating dual-stack networks have additional security concerns, increased operational burdens, and expanded attack surfaces.
“So, further countermeasures are needed to mitigate these risks due to the increased attack surface of having both IPv4 and IPv6,” the guidance states.
“The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years, and many DoD networks will be dual-stacked,” Neal Ziring, NSA Cybersecurity Technical Director, said in a press release. “It’s important that DoD system admins use this guide to identify and mitigate potential security issues as they roll out IPv6 support in their networks.”
IPv6 Security Guidance Recommendations
Auto-Configuration
Currently, IPv6 operates via a stateless address auto-configuration (SLAAC), which is an automatic method to self-assign an IPv6 address to a host. However, this leads to privacy concerns by linking movements to a specific device and deducing an individual associated with that equipment. It also exposes the types of equipment used in a network.
“NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) server to mitigate the SLAAC privacy issue,” the guidance states.
Another recommendation NSA made to mitigate this privacy concern is for network operators to use a randomly generated interface ID which changes over time and makes it hard to correlate activity while still allowing network defenders requisite visibility.
Automatic Tunnels
Unless transition tunnels are required, NSA recommends avoiding tunnels to reduce complexity and the attack surface. Tunneling is a transition technique that networks can use to transport IPv6 packets within IPv4 packets. However, some operating systems will automatically establish an IPv6 tunnel when a client connects to a server, potentially causing an unwanted entry point to the host.
“Tunneling protocols can be allowed if required during a transition, but they should be limited to only approved systems where their usage is well understood and explicitly configured,” the document says.
Dual Stack Operating Environment
Many networks operate a dual-stack environment, and NSA acknowledged that this is a preferred method for staged IPv6 deployment. However, it does lead to some security concerns. Therefore, NSA recommends that “when deploying a dual-stack network, organizations should implement IPv6 cybersecurity mechanisms that achieve parity with their IPv4 tools or better.”
Multiple IPv6 Addresses
Multiple network addresses are assigned to an interface in IPv6, widening the attack surface. To mitigate this concern, NSA recommends organizations carefully review these access control lists to ensure “they deny all traffic by default, so only traffic from authorized addresses are permitted through the firewalls and other security devices.”
Educating the Workforce on IPv6
A successfully secured IPv6 network requires, at a minimum, fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate.
The lack of this knowledge could lead to misconfigurations and increased security issues. Therefore, organizations must ensure that all network administrators receive proper training and education to administer and operate IPv6 networks, NSA said.
