IPv6 for Dummies: NSA pushes security manual on DoD admins
There's good advice here for any IT pro dealing with the transition
The US National Security Agency (NSA) has published a guidance document for system administrators to help them mitigate potential security issues as their organizations transition to Internet Protocol version 6 (IPv6).
The prosaically named "IPv6 Security Guidance" [PDF] was compiled for admins inside the Department of Defense (DoD), but is likely to prove useful as a quick reference for anyone managing the transition from IPv4 to IPv6, which could turn out to be a more drawn-out experience than was originally anticipated.
"The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked," NSA Cybersecurity Technical Director Neal Ziring said in a statement accompanying the publication of the document.
"It's important that DoD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks."
One of the recommendations is pretty basic: education. Successfully securing an IPv6 network requires, at a minimum, a fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate, the NSA says, so all network administrators should receive proper training.
It advises that security methods used in IPv4 networks will largely also be used with IPv6, but with adaptations to address where there are differences.
Security issues associated with an IPv6 implementation will generally surface in networks that are either new to IPv6 or in early phases of the transition. This is because such networks will lack maturity in IPv6 configuration, and their admins are likely to lack experience with IPv6.
Organizations running both IPv4 and IPv6 simultaneously will have additional security risks, with further countermeasures needed to mitigate these due to the increased attack surface of having both IPv4 and IPv6, the document warns.
There are no massive revelations from the NSA, but advice that many admins are likely to be already aware of, such as the recommendation to assign IP addresses on the network via a DHCPv6 server instead of relying on stateless address auto-configuration (SLAAC).
The latter uses a self-assigned IPv6 address that incorporates the fixed MAC address from the NIC, leading to concerns that data traffic could be linked to a specific device and potentially an individual associated with that equipment. Whether this is a major concern to anyone outside of defense or government is another matter, of course.
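As an added illustration of the SLAAC concern above (example code, not from the NSA document or this article), the script below checks whether an IPv6 interface identifier follows the modified EUI-64 layout and, if so, recovers the NIC MAC embedded in it, so an admin can audit an address inventory for hosts that should move to DHCPv6 or privacy addresses. The inventory is constructed sample data; the same MAC showing up under the global and link-local prefixes is exactly the cross-correlation the guidance worries about.

```python
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface identifier, or None.

    SLAAC builds the low 64 bits of the address from the NIC's 48-bit MAC:
    the 24-bit OUI, the fixed bytes ff:fe, then the 24-bit device part,
    with the universal/local bit (bit 1 of the first byte) flipped.
    The ff:fe check is a heuristic; a random identifier could match by chance.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                 # interface identifier: low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02               # undo the U/L bit flip
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)


def audit_slaac_addresses(inventory):
    """Map hostname -> embedded MAC for every address that leaks one.

    inventory is an iterable of (hostname, ipv6_address) pairs.
    """
    findings = {}
    for host, addr in inventory:
        mac = eui64_mac(addr)
        if mac:
            findings[host] = mac
    return findings


# Constructed sample inventory (not real hosts): two SLAAC addresses built
# from MAC 00:1a:2b:3c:4d:5e, one DHCPv6-style static address, one random IID.
SAMPLE_INVENTORY = [
    ("ws-01", "2001:db8::21a:2bff:fe3c:4d5e"),
    ("ws-02", "fe80::21a:2bff:fe3c:4d5e"),
    ("srv-dhcp", "2001:db8::10"),
    ("ws-03", "2001:db8::8a2e:370:7334:1"),
]

if __name__ == "__main__":
    for host, mac in audit_slaac_addresses(SAMPLE_INVENTORY).items():
        print(f"{host}: MAC-derived address, embedded MAC {mac}")
```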
The NSA also recommends avoiding the use of IPv6 tunneling, often used to transport IPv6 packets within IPv4 packets across existing network infrastructure, again to reduce the potential attack surface and lessen complexity. It advises that tunneling protocols may be allowed if they are required during a transition, but they should be limited to approved systems where their usage is well understood and where they are explicitly configured.
Likewise, dual stack environments tend to increase the attack surface and prove more expensive to operate, according to the document. However, as this is an oft-implemented transition method, the NSA says that such network configurations should implement IPv6 cybersecurity mechanisms that match or exceed the IPv4 mechanisms. For example, firewall rules that filter higher level protocols such as TCP or UDP should be applied to both IPv6 and IPv4.
Because NICs may have multiple IPv6 addresses assigned to them, the NSA advises that admins carefully review access control lists (ACLs) to only permit traffic from authorized addresses through firewalls and other security devices.
Other considerations include the network admin's old friend network address translation (NAT), which the NSA seems to frown upon. Other than using NAT64/DNS64, or 464XLAT in IPv6-only networks, address translation should generally be avoided, it advises.
"IPv6 networks should instead use global addresses on all systems that require external communications and non-routable addresses inside the network. If unique local addresses are used on internal systems, any system that requires external communications should also have a global address," the document states.
The NSA recognizes, of course, that unforeseen issues will inevitably crop up, and so the final piece of advice seems to be this: be prepared.
"Addressing the issues up front in IPv6 implementation plans, configuration guidance, and appropriate training of administrators will aid organizations to avoid security pitfalls during the transition and to leverage IPv6 benefits properly," it states. ®