The US National Security Agency (NSA) has published IPv6 security guidance to help the Department of Defense (DoD) and other federal agencies with the transition to IPv6. One concern is dual-stacked networks (networks that run IPv4 and IPv6 at the same time), which pose additional security risks, including an increased attack surface.
- Not a bad overview, but note that recently released operating systems will use privacy-enhanced IPs by default, and embedded MAC addresses are rather uncommon these days. Also carefully test the interactions between SLAAC and DHCPv6 for your systems. Just like any feature, it should be enabled if there is a clear business need for it, and if you have the domain expertise to support IPv6.
- Practitioner’s note: Whether you’ve intentionally “transitioned to IPv6” or not, it’s likely already running in your environment. Test it yourself! Penetration testers make easy money from systems with rock-solid IPv4 firewall rulesets and “allow any any *” for IPv6. Also, without the protection of NAT, it’s worth trying to access internal assets from an external host. It might be directly accessible!
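
One way to run the IPv4/IPv6 ruleset comparison described in the practitioner's note on a Linux host you administer, as an added example that is not part of the NSA guidance or the comments above: it compares the filter tables from `iptables-save` and `ip6tables-save` output and reports where IPv6 is more permissive. The two dumps are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample dumps in iptables-save / ip6tables-save format (not from a real host).
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_filter(dump):
    """Return (chain policies, ACCEPT rule matches per chain) for the filter table."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                      # table header, e.g. "*filter"
        elif table != "filter":
            continue
        elif m := re.match(r":(\S+) (\S+) ", line):
            policies[m.group(1)] = m.group(2)     # built-in chain policy line
        elif m := re.match(r"-A (\S+) (.*)-j ACCEPT\b", line):
            rules.setdefault(m.group(1), set()).add(m.group(2).strip() or "(match all)")
    return policies, rules

def parity_findings(v4_dump, v6_dump, chains=("INPUT", "FORWARD")):
    """List places where the IPv6 filter table is more permissive than the IPv4 one."""
    p4, r4 = parse_filter(v4_dump)
    p6, r6 = parse_filter(v6_dump)
    findings = []
    for chain in chains:
        # A chain with no IPv6 ruleset loaded falls back to policy ACCEPT.
        if p4.get(chain) == "DROP" and p6.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: IPv4 policy DROP, IPv6 policy ACCEPT")
        for rule in sorted(r6.get(chain, set()) - r4.get(chain, set())):
            findings.append(f"{chain}: ACCEPT rule only in IPv6: {rule}")
    return findings
```

IPv6-only ACCEPT rules are listed for review rather than treated as errors, since a working IPv6 ruleset needs ICMPv6 rules (neighbor discovery) that have no IPv4 counterpart.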