Not Ready for IPv6? Filter It.

The Internet Engineering Task Force creates the fundamental Internet standards, and once ‘rough consensus and working code’ is achieved, they publish the standards in RFC documents. In the area of IPv6 alone, the IETF produces about 20 to 40 RFCs a year. Some are very specialised, but the Informational series of RFCs is much more accessible – a goldmine of experience and wisdom.

IPv6Now provides a listing of the RFCs on IPv6, and this year has seen a number of excellent Informational documents. One is RFC 7123, Security Implications of IPv6 on IPv4 Networks, by F. Gont and W. Liu, February 2014. Certainly the ideal is native IPv6 on all networks, but this changeover takes time.

In IPv4 networks not yet ready to make the transition, IPv6 cannot simply be ignored until the time is right. It is almost certainly in use on many unsuspecting networks, as a number of techniques exist to quietly transfer IPv6 traffic over IPv4. Some are used deliberately, to bypass corporate access policies; others are used accidentally, as modern IPv6-capable operating systems may sometimes default to IPv6. Also, a rising number of malicious external attacks are being carried out using IPv6, simply because so many firewalls aren’t yet configured to recognise it.

So even if you have no interest in adopting IPv6 yet, you need to be aware of the potential for IPv6 on IPv4 networks, and know how to control it. Security Implications of IPv6 on IPv4 Networks provides exactly what you need, with a nice summary table of what to filter for various kinds of IPv6 traffic. Put whatever suggestions seem appropriate into practice while you’re working away (naturally) on your IPv6 transition plan.

Use this exercise as a way of familiarising network personnel with IPv6: start monitoring and filtering IPv6 traffic before you transition even a single network.
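As a starting point for that monitoring, here is an added example (not taken from this post or from RFC 7123's authors) that labels captured Ethernet frames by the kind of IPv6 they carry, using the well-known match criteria for native IPv6 and the common IPv6-over-IPv4 tunnels. The function names and the sample frames are constructed for illustration; check the match values against the RFC's summary table before turning them into firewall rules.

```python
import struct

# Match criteria for IPv6 and IPv6-over-IPv4 traffic (well-known protocol
# numbers and ports; compare against the RFC 7123 summary table before use).
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP, PROTO_IPV6_ENCAP = 6, 17, 41
TUNNEL_PORTS = {
    (PROTO_UDP, 3544): "Teredo",
    (PROTO_UDP, 3653): "TSP", (PROTO_TCP, 3653): "TSP",
    (PROTO_UDP, 5072): "AYIYA", (PROTO_TCP, 5072): "AYIYA",
}

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet II frame by the kind of IPv6 it carries."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return "native IPv6"
    if ethertype != ETHERTYPE_IPV4:
        return "other"  # includes VLAN-tagged frames, which are not unwrapped
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:
        return "truncated"
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip[9]
    if proto == PROTO_IPV6_ENCAP:
        return "protocol 41 tunnel (6in4/6to4/6rd/ISATAP)"
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    # Ports are only present in the first fragment of a TCP/UDP datagram.
    if proto in (PROTO_TCP, PROTO_UDP) and frag_offset == 0 and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        return TUNNEL_PORTS.get((proto, dport), "plain IPv4")
    return "plain IPv4"

def sample_frame(ethertype: int, proto: int = 0, dport: int = 0) -> bytes:
    """Build a constructed test frame (addresses from documentation ranges)."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return eth + bytes(40)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + struct.pack("!HHHH", 49152, dport, 8, 0)

if __name__ == "__main__":
    for args in [(0x86DD,), (0x0800, 41), (0x0800, 17, 3544), (0x0800, 6, 443)]:
        print(args, "->", classify(sample_frame(*args)))
```

Counting the labels over a day of mirrored traffic from an IPv4-only segment shows which of these mechanisms are already active before any filter is applied.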

