
Summary of Best Practices for Securing IPv6 Deployments

The similarities between IPv4- and IPv6-based threats lead to the conclusion that the security measures developed and field-proven for IPv4 should be reused for IPv6. In review, the best practices that should be considered when securing an IPv6 deployment are as follows:

  • Address management and ND: Deploy one addressing scheme for communications with hosts inside the internal network and another for communications with hosts outside it. Implement privacy extensions for enterprise hosts only in conjunction with user-tracking mechanisms.

    Assign fixed but nontrivial addresses to key systems.

    When considered necessary, use static neighbors for key systems.

  • Traffic filtering: Stop traffic sourced from internal addresses (ULA) from exiting the network. Contain the larger-scope multicast traffic within the network boundaries.

    Filter ICMP traffic, but keep in mind the operational functions of ICMPv6 such as PMTU Discovery.

    Stop traffic with EHs that are not necessary to the deployed services from crossing the network boundaries.

    Filter fragments. Deny IPv6 fragments destined to network elements. Drop fragments of packets for which the upper layer cannot be determined.

    Implement RFC 2847 filtering to contain spoofing attacks.

    Block traffic with a source address that is a multicast address.

    IPv4 firewalls and filters should block the ports and protocols used by tunneling mechanisms that are not deployed in the network.

  • Application security: Implement it at both the host and the network level (with the help of firewalls until IPv6 IDS functionality becomes available).

  • Authentication and encryption: Applications should use encryption whenever possible.

    Use authentication for BGP and IS-IS routing protocols.

    Use IPsec for OSPFv3 and RIPng.

    Leverage IPv4 IPsec-secured paths for IPv6 tunnels.

    Secure data traffic between routers using IPv6 IPsec.

  • IPv6 deployment options: Dual-stack deployments are easier to secure and should be preferred over tunneling.

    If tunneling is used to interconnect IPv6 islands, static tunnels are preferred over dynamic ones because they are more secure.

You should apply these recommendations to hosts, routers, and firewalls as applicable. Before designing the security policies for an IPv6 deployment, it is important to evaluate whether the devices that will enforce them support the required features. All the features necessary to implement the above best practices are currently available in Cisco IOS software and in Cisco firewalls.

The perimeter security topology described in Figure 9-1 is likely to be applied to IPv6 deployments as well. It has proven itself in IPv4 networks, and because IPv6 services are likely to coexist with IPv4 ones for a long time, they will share a significant part of the infrastructure. Under these conditions, the first step in protecting an IPv6 deployment is to match the existing IPv4 security policies for IPv6. The next step is to implement the policies that address IPv6-specific vulnerabilities.
