NSA offers security guidelines for IPv6 migration • The Register

The US National Security Agency (NSA) has published a guidance document for system administrators to help them mitigate potential security issues as their organizations transition to Internet Protocol version 6 (IPv6).
The prosaically named “IPv6 Security Guidance” [PDF] was compiled for admins inside the Department of Defense (DoD), but is likely to prove useful as a quick reference for anyone managing the transition from IPv4 to IPv6, which may turn out to be a more drawn-out experience than was initially expected.
“The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked,” NSA Cybersecurity Technical Director Neal Ziring said in a statement accompanying the publication of the document.

“It’s important that DoD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks.”

One of the recommendations is pretty basic: education. Successfully securing an IPv6 network requires, at a minimum, a fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate, the NSA says, so all network administrators should receive proper training.
It advises that security methods used in IPv4 networks will largely also be used with IPv6, but with adaptations to address the places where the protocols differ.

Security issues associated with an IPv6 implementation will often surface in networks that are either new to IPv6 or in the early phases of the transition. This is because such networks will lack maturity in IPv6 configuration, and their admins will likely lack experience with IPv6.
Organizations running both IPv4 and IPv6 simultaneously will have additional security risks, with further countermeasures needed to mitigate these because of the increased attack surface of having both IPv4 and IPv6, the document warns.
There are no big revelations from the NSA, but advice that many admins are likely to be already aware of, such as the recommendation to assign IP addresses on the network via a DHCPv6 server instead of relying on stateless address auto-configuration (SLAAC).

The latter uses a self-assigned IPv6 address that incorporates the fixed MAC address from the NIC, leading to concerns that data traffic could be linked to a specific device and potentially an individual associated with that equipment. Whether this is a major concern to anyone outside of defense or government is another matter, of course.
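To see which hosts on your own network expose a hardware address this way, the following added example (not from the article or the NSA document) checks IPv6 addresses for the modified EUI-64 pattern that MAC-based SLAAC produces and recovers the embedded MAC. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed sample addresses (2001:db8::/32 is the documentation prefix).
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:021a:2bff:fe3c:4d5e",  # interface ID built from a MAC
    "2001:db8:1:2:8d4f:91c2:7a0b:33e6",  # random-looking interface ID
    "2001:db8:1:2::10",                  # small static/DHCPv6-style ID
    "fe80::5054:ff:fe12:3456",           # link-local, MAC-derived
]

def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: a randomly generated interface ID matches the ff:fe marker
    by chance about once in 65536, so treat hits as candidates to confirm
    against the host's real NIC address.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]  # low 64 bits
    # Modified EUI-64 splits the 48-bit MAC and inserts ff:fe in the middle.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the inverted universal/local bit
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it exposes (None if no EUI-64 pattern)."""
    return {addr: embedded_mac(addr) for addr in addresses}

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        status = f"exposes MAC {mac}" if mac else "no embedded MAC found"
        print(f"{addr:40} {status}")
```

Addresses flagged here are candidates for moving to DHCPv6 assignment, as the guidance recommends.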

The NSA also recommends avoiding the use of IPv6 tunneling, often used to transport IPv6 packets inside IPv4 packets across existing network infrastructure, again to reduce the potential attack surface and decrease complexity. It advises that tunneling protocols may be allowed if they are required during a transition, but they should be limited to approved systems where their usage is well understood and where they are explicitly configured.
Likewise, dual-stack environments tend to increase the attack surface and prove more expensive to operate, according to the document. However, as this is an oft-implemented transition method, the NSA says that such network configurations should implement IPv6 cybersecurity mechanisms that match or exceed the IPv4 mechanisms. For example, firewall rules that filter higher-level protocols such as TCP or UDP should be applied to both IPv6 and IPv4.
Because NICs may have multiple IPv6 addresses assigned to them, the NSA advises that admins carefully review access control lists (ACLs) to only permit traffic from authorized addresses through firewalls and other security devices.
Other considerations include the network admin’s old friend network address translation (NAT), which the NSA seems to frown upon. Apart from using NAT64/DNS64, or 464XLAT in IPv6-only networks, address translation should generally be avoided, it advises.
“IPv6 networks should instead use global addresses on all systems that require external communications and non-routable addresses inside the network. If unique local addresses are used on internal systems, any system that requires external communications should also have a global address,” the document states.
The NSA acknowledges, of course, that unforeseen issues will inevitably crop up, and so the final piece of advice seems to be this: be prepared.
“Addressing the issues up front in IPv6 implementation plans, configuration guidance, and appropriate training of administrators will aid organizations to avoid security pitfalls during the transition and to leverage IPv6 benefits properly,” it states. ®