Decoding the Cyberspace Enigma: Exposing IPv6 Security Implementation Flaws in a Digital World

Now that you have made the decision to deploy IPv6 on your network, I bet the thought of the potential cybersecurity risks this implementation could pose has crossed your mind, right? If yes, then you are exactly where you need to be. By the way, if you happen to have stumbled on this page and are wondering, “what is going on here?”… *hearty smile*… you are also exactly where you should be. I would, however, recommend that you first check my previous article in the series, “IPv4 to IPv6, Making a Smooth Transition”, where the IPv4 to IPv6 migration process was discussed in detail.

Cybersecurity is a serious factor to consider when migrating from IPv4 to IPv6, especially since both protocols will likely have to coexist for a period before the transition is complete. Vulnerabilities may therefore be exploited in three places: in the operation of the IPv6 protocol itself, in the transition mechanisms used to move from IPv4 to IPv6, and in the actual implementation of IPv6.

In this article the focus, while not exhaustive and not representative of all possible risks, is to help identify ways of reducing the potential attack surface and to provide practical tips for mitigating well-known cybersecurity risks on network infrastructure during the different stages of the IPv4 to IPv6 transition. These steps are in line with best practices from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Special Publication 800-119.

Threats To Consider When Setting Up IPv6
I will be highlighting five threats that security engineers need to look out for when IPv6 is being implemented on their networks; being mindful of these is what ensures the associated risks are neutralized.

Attacker Community
An attacker can take advantage of their fluency with IPv6 to exploit vulnerabilities in a network that is in the early stages of IPv6 deployment and is only just learning how the protocol operates. One of the easiest things they could do would be to bypass firewalls and Intrusion Detection Systems that are not configured to recognize IPv6 traffic.

IPv6 Protocol Vulnerability
A large subnet size makes network asset management cumbersome for network and system administrators; for example, it makes it more tedious to identify rogue hosts in the middle of an attack. The IPv6 protocol on its own is also vulnerable to several types of host initiation attacks, including attacks on Host Solicitation, Router Solicitation, and the Duplicate Address Detection (DAD) process.

Dual-Stack Risks
To support some of its legacy applications, services, clients, etc., an organization may have to deploy a dual IPv4-IPv6 stack, which increases the network’s complexity. Running the two protocols implies double the possible risk of errors or attacks when upgrading or installing new equipment. Also, attacks targeted at upper-layer protocols can reach a client through either the IPv4 or the IPv6 stack.

Anticipated Risk
An organization that already has IPv6-enabled devices on hand may delay its deployment plans because of the widespread but erroneous belief that IPv6 by itself introduces many more security vulnerabilities than IPv4. This is a false premise, since IPv6 is not in any way more or less secure than IPv4; it will, however, take several years of practical experience in deploying and running it for IPv6 to reach the level of operational maturity that IPv4 has built up over the last several decades.

Vendor Support
Some hardware and software vendors fully support IPv6, while many others do not or offer only limited support. According to NIST Special Publication 800-119, many security vendors are waiting for customers to demand IPv6 before implementing support for it within their product lines, while customers are waiting for vendors to declare and demonstrate their IPv6 support before purchasing software and systems. This has inadvertently produced a “chicken and egg” problem.
The best practices advocated in the next section provide adequate mitigation for most of the vulnerabilities listed above, and security and network managers will do well to adopt them wholeheartedly.

IPv6 Implementation Best Practices

Planning Stage
When planning for IPv6 deployment, organizations should expect an increase in IPv6-based vulnerabilities, both from implementation errors and from vulnerabilities within the IPv6 protocol itself. Organizations should therefore encourage their staff to raise their knowledge and understanding of IPv6 to the level of their understanding of IPv4. They should also plan a phased deployment using the specific transition mechanism that best suits their business needs. Lastly, they should plan for a long transition period with IPv4-IPv6 coexistence.

Deployment Stage
For organizations already implementing IPv6, it is important to use automated address management tools and avoid manual configuration of IPv6 addresses, which is error-prone because of the length of the addresses. They should also develop appropriate filtering policies for ICMPv6 (Internet Control Message Protocol, version 6) that allow only the ICMPv6 messages critical to the operation of IPv6 and block all others. It is equally important to enable controls that may not have been used widely in IPv4 because of lower threat levels, e.g., routing protocol security, and security controls deployed on the network should be capable of handling both IPv4 and IPv6 traffic. Lastly, close attention should be paid to the security aspects of transition mechanisms, such as the protocols employed in tunneling.
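As an added example (not from the article or from NIST SP 800-119), here is an nftables ruleset that applies this ICMPv6 policy: it accepts the message types IPv6 cannot function without and drops and logs the rest. The interface names wan0 (untrusted) and lan0 (trusted) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: ICMPv6 filtering for a dual-stack edge or host firewall.
# Assumes interfaces "wan0" (untrusted) and "lan0" (trusted) and that this
# file replaces any existing "inet filter" table.
flush table inet filter

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Error messages IPv6 cannot work without (RFC 4890 section 4.3.1):
        # packet-too-big in particular is what makes Path MTU Discovery work
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbor Discovery. Legitimate ND never crosses a router, so the
        # hop limit must still be 255 on arrival; anything else is off-link
        # or forged and falls through to the drop policy.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Multicast Listener Discovery is only needed on the trusted segment
        iif "lan0" icmpv6 type { mld-listener-query, mld-listener-report,
                                 mld-listener-done, mld2-listener-report } accept

        # Echo is useful for diagnostics; cap what the untrusted side can send
        iif "wan0" icmpv6 type echo-request limit rate over 10/second drop
        icmpv6 type { echo-request, echo-reply } accept

        # Redirects and router renumbering are not accepted from anywhere
        icmpv6 type { nd-redirect, router-renumbering } drop

        # Log any remaining ICMPv6 so unexpected types show up in review;
        # everything else (IPv4 and IPv6) hits the chain's drop policy
        meta l4proto ipv6-icmp log prefix "icmpv6-drop " drop
    }
}
```

Blocking ICMPv6 wholesale, as was once common practice with ICMP in IPv4, breaks Neighbor Discovery and Path MTU Discovery, which is why the policy is an allowlist rather than a blanket drop.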

Still Not Ready to Take the IPv6 Plunge?
You have some work to do, nonetheless.
Organizations that are not yet ready to deploy IPv6 globally should block all IPv6 traffic, both native and tunneled, at the edge firewall for both inbound and outbound traffic. They should also disable all IPv6-compatible ports, services and protocols on all software and hardware. They can, however, begin to build familiarity and expertise with the technology through laboratory experimentation and/or limited pilot deployments, while also making organizational web servers located outside the firewall accessible over IPv6, so that IPv6-only users can reach those servers and so that learning, research and development are supported.
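An added example, not from the article: nftables rules for the edge firewall of an organization in this position, dropping native IPv6 and the common IPv6-in-IPv4 tunnel forms (IP protocol 41 and Teredo) in both directions. The interface names and the table name are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: edge rules for an organization that has not deployed IPv6.
# Assumes the edge firewall forwards between "wan0" and "lan0"; the table
# name "edge" is a placeholder chosen for this example.
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Native IPv6 must not cross the edge in either direction
        meta nfproto ipv6 log prefix "ipv6-native " drop

        # IP protocol 41 carries 6in4, 6to4, 6rd and ISATAP tunnels
        ip protocol 41 log prefix "ipv6-proto41 " drop

        # Teredo tunnels IPv6 inside UDP; the server side listens on 3544
        udp dport 3544 log prefix "ipv6-teredo " drop
        udp sport 3544 log prefix "ipv6-teredo " drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # The firewall itself should not speak IPv6 or terminate tunnels either
        meta nfproto ipv6 drop
        ip protocol 41 drop
    }
}
```

Teredo peers exchange traffic on arbitrary UDP ports once a session is established, so the port-3544 rules only stop clients from qualifying with a Teredo server; disabling Teredo and other IPv6 services on the hosts themselves, as the article advises, is what actually closes that path.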

Loveline is a tech specialist based in Lagos, Nigeria. She speaks and writes on issues surrounding network engineering and cybersecurity.