Back in 2020, the US Federal Government announced that all government agencies and departments were required to transition to IPv6. The US Department of Defense (DoD) networks had already been transitioning from IPv4 to IPv6-only for several years (in fact, a Government Accountability Office report dates the DoD’s first attempt at IPv6 as 2003).
During this transition, many federal networks will operate as dual-stack. Last week, the US National Security Agency (NSA) noted an ‘increased operational burden and attack surface’ from operating dual-stack and new IPv6 networks and released an IPv6 Security Guidance document to help organizations understand and mitigate these risks.
The document provides an overview of IPv6 and its key features, including its larger address space, ‘improved’ security features, and increased support for mobile devices. It then goes on to discuss the potential security risks associated with
IPv6 IP technologies, including the potential for increased attacks and the difficulty of detecting and mitigating these attacks due to a lack of broad understanding of IPv6.
On securing IPv6 networks, the document includes recommendations for configuring and securing routers and switches, as well as implementing secure services. It also offers instructions on monitoring and identifying IPv6 attacks, as well as on how to respond to and recover from them.
One of the key recommendations is to protect against network-based attacks by implementing firewalls, intrusion detection and prevention systems, and security controls at the application level, such as web application firewalls and secure coding practices to protect against application-level attacks — just like IPv4.
Particularly solid advice (for any IP technology) contained in the document is to maintain visibility into the network and its activity. This includes monitoring network traffic and logs to detect and respond to any suspicious activity. Additionally, organizations should conduct regular vulnerability assessments and penetration testing to help identify any exploitable security weaknesses. The document also notes that regular security awareness training is vital, particularly for employees of transitioning organisations
Perhaps the NSA guidance document’s most valuable message is the subtext — an acknowledgement of the depletion of the IPv4 pool from an official body of an economy absolutely swimming in IPv4 allocations. The document concludes by reiterating what netops the world over have been saying for decades — that deploying IPv6 is necessary to address the growing need for more Internet addresses and improved connectivity. Not in the future. Now.
The NSA guide is not a document that suggests how to deploy IPv6 safely just for interest’s sake, it’s a call to arms — a requirement. But it’s well-trodden advice on how to do it safely because it’s largely similar to IPv4. Regular readers of the APNIC Blog, those who participate in APNIC Academy training, and in fact, most Internet number resource holders in the Asia Pacific region will recognize most of what’s contained in the document as good advice that’s not particularly timely. One can only hope they’ve subscribed.
Begin, or continue, your IPv6 journey here:
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.