🔄 IPv6 Transition · 10 min read

IPv6 Security Considerations

Understand the security implications of IPv6 deployment, including new attack surfaces, NDP vulnerabilities, and firewall considerations.

IPv6 Changes the Security Landscape

IPv6 is not inherently more or less secure than IPv4, but it introduces new attack surfaces that many administrators are unprepared for. The most dangerous scenario is having IPv6 enabled on a network without any security controls.

Rogue Router Advertisements

This is the most common IPv6 attack on local networks: an attacker sends forged Router Advertisements (RAs) to become the default gateway, enabling man-in-the-middle attacks.

Legitimate Router:  RA with prefix 2001:db8:1::/64
Attacker:           RA with prefix 2001:db8:evil::/64, higher priority

Result: Hosts configure attacker's prefix and route traffic through attacker.

Mitigation:

  • RA Guard (RFC 6105) -- Switch-level filtering that blocks RAs from non-router ports.
  • DHCPv6 Guard -- Blocks rogue DHCPv6 servers.
  • Enable both on all access switch ports.

# Cisco RA Guard example
ipv6 nd raguard policy HOSTS
  device-role host
interface GigabitEthernet0/1
  ipv6 nd raguard attach-policy HOSTS

NDP Spoofing

Neighbor Discovery Protocol (NDP) replaces ARP in IPv6. Like ARP, it is vulnerable to spoofing -- an attacker can send fake Neighbor Advertisements to redirect traffic.

Mitigation:

  • SEND (Secure Neighbor Discovery, RFC 3971) -- Cryptographic protection for NDP. However, adoption is extremely low.
  • ND Inspection / Dynamic ARP Inspection equivalent -- Available on enterprise switches.
  • Static neighbor entries for critical infrastructure.

Extension Header Abuse

IPv6 extension headers can be used to evade firewalls and IDS:

  • Fragmentation attacks -- Sending tiny fragments that prevent firewalls from reassembling and inspecting packets.
  • Long extension header chains -- Some firewalls fail to parse deeply nested headers and pass the packet through.
  • Routing Header Type 0 -- Deprecated (RFC 5095) due to amplification attack potential. Ensure your devices drop RH0 packets.

Firewall Considerations

Your IPv6 firewall policy should:

  • Default deny all inbound traffic (same as IPv4).
  • Allow ICMPv6 selectively -- Unlike IPv4 where blocking ICMP is common, IPv6 requires certain ICMPv6 messages to function:

ICMPv6 Type                    Must Allow?             Reason
1 (Destination Unreachable)    Yes                     Path MTU Discovery
2 (Packet Too Big)             Yes                     Path MTU Discovery
3 (Time Exceeded)              Yes                     Traceroute, loop detection
128/129 (Echo Request/Reply)   Optional                Ping
133-136 (NDP)                  Yes (link-local only)   Neighbor Discovery

Blocking all ICMPv6 will break IPv6 connectivity.
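The ICMPv6 allow-list above, turned into a checkable policy and an equivalent nftables fragment. This is an added example, not code from the original page; the addresses and hop limits are constructed, and the hop-limit-255 test and the DAD exception (Neighbor Solicitations sent from the unspecified address `::`) come from RFC 4861/4862 rather than from the page.

```python
"""Evaluate inbound ICMPv6 against the allow-list table and render it as nft rules."""
import ipaddress

# ICMPv6 types from the table above. Echo is a site decision, hence "optional".
ALWAYS_ALLOW = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded"}
OPTIONAL = {128: "Echo Request", 129: "Echo Reply"}
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")  # source of DAD probes (RFC 4862)


def icmpv6_allowed(icmp_type, src, hop_limit=64, allow_echo=True):
    """Return (verdict, reason) for one inbound ICMPv6 message.

    src and hop_limit are constructed inputs for the example; in practice they
    come from the packet header. NDP is accepted only from on-link sources and
    only with hop limit 255, which RFC 4861 mandates: a lower value proves the
    message crossed a router and is therefore forged from off-link."""
    if icmp_type in ALWAYS_ALLOW:
        return True, ALWAYS_ALLOW[icmp_type]
    if icmp_type in OPTIONAL:
        return allow_echo, OPTIONAL[icmp_type]
    if icmp_type in NDP_TYPES:
        addr = ipaddress.IPv6Address(src)
        on_link = addr in LINK_LOCAL or (icmp_type == 135 and addr == UNSPECIFIED)
        if on_link and hop_limit == 255:
            return True, NDP_TYPES[icmp_type] + " from on-link source"
        return False, NDP_TYPES[icmp_type] + " from off-link source or routed"
    return False, "default deny"  # every other type falls through to the drop


def nft_rules(allow_echo=True):
    """Render the same policy as nftables input-chain rules (inet family)."""
    ndp = "{ nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert }"
    rules = ["icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept"]
    if allow_echo:
        rules.append("icmpv6 type { echo-request, echo-reply } accept")
    rules.append(f"ip6 saddr fe80::/10 ip6 hoplimit 255 icmpv6 type {ndp} accept")
    rules.append("ip6 saddr :: ip6 hoplimit 255 icmpv6 type nd-neighbor-solicit accept")
    rules.append("meta nfproto ipv6 drop")  # default deny, same as the IPv4 policy
    return rules


if __name__ == "__main__":
    for t, s, h in [(2, "2001:db8::1", 64), (134, "2001:db8::1", 255), (134, "fe80::1", 64)]:
        print(t, s, h, icmpv6_allowed(t, s, h))
    print("\n".join(nft_rules()))
```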

Dual-Stack Risks

Running both IPv4 and IPv6 doubles your attack surface. Common mistakes:

  • Applying strict firewall rules to IPv4 but leaving IPv6 wide open
  • Forgetting that IPv6 is enabled by default on most modern operating systems
  • Not monitoring IPv6 traffic in SIEM/IDS systems

Rule: If you are not ready to secure IPv6, disable it explicitly on all interfaces rather than leaving it running unsecured.

See also