Department of Defense
High Performance Computing Modernization Program

Organizations that believe Internet Protocol version 6 (IPv6) is not in their future cannot simply ignore it, as this article explains with a touch of irony. Organizations that believe the Internet of Things (IoT) is in their future should read this article. Even organizations that have abandoned efforts to transition to an IPv6-only network (such as Microsoft) will eventually need to make the transition.

Even though you may have decided that your organization, network, or enclave does not need to deploy IPv6 at the present time, you cannot safely and securely ignore IPv6. IPv6 is quite likely already present on your network. As a case in point, there is a good chance that the computer you are using to read this web page has IPv6 enabled by default and is trying to use IPv6 to connect to this IPv6-enabled website.

This 2014 presentation Security in an IPv6 World (Myth and Reality) and the detailed series of 10 IPv6 Security Myth articles:

#1 I'm Not Running IPv6 So I Don't Have to Worry
#2 IPv6 Has Security Designed In
#3 No IPv6 NAT Means Less Security
#4 IPv6 Networks are Too Big To Scan
#5 Privacy Addresses Fix Everything
#6 IPv6 is Too New to be Attacked
#7 96 More Bits, No Magic
#8 It Supports IPv6
#9 There Aren't Any IPv6 Security Resources and
#10 Deploying IPv6 is Too Risky 

discuss the risks of ignoring IPv6 and the benefits of taking action to minimize those risks.

This 2019 article Common Misconceptions about IPv6 Security (video) touches on some of the same myths and adds new ones:

IPv6 is more/less secure than IPv4
IPv6 is IPv4 with longer addresses
IPSec makes IPv6 more secure than IPv4
Address scanning is impossible in IPv6
No NAT makes IPv6 insecure.

This 2018 document from the Internet Society (ISOC) describes some of the global trends that are driving deployment of IPv6. This article describes tools and techniques that can detect the presence of IPv6 on your network. The presence of undetected IPv6 on networks has long been recognized as a concern, as shown by this Federal Information Notice and this warning about Malware Tunneling in IPv6, both issued by the United States Computer Emergency Readiness Team (US-CERT) in 2005.

The specific steps necessary to disable or uninstall IPv6 on many routers and operating systems are described in articles in the IP Transport section. At a minimum, the National Institute of Standards and Technology (NIST) recommends that organizations not yet deploying IPv6 block all incoming and outgoing IPv6 traffic (native and tunneled) on the organization's perimeter border routers or firewalls. (See Section 6.9 of NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6, December 2010.) The tunneling mechanisms to block include 6over4, 6to4, IPv6-in-IPv4, ISATAP, and tunnel brokers (which all typically carry IPv6 inside IPv4 using IP protocol 41) and the Teredo tunneling mechanism (which typically uses UDP port 3544 to establish its tunnel). In addition, border routers or firewalls should block packets with a source or destination address in the prefix 192.88.99.0/24 (the default prefix for public 6to4 anycast relay gateways).
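The detection techniques mentioned above and the NIST block list in this paragraph share the same indicators: native IPv6 frames (EtherType 0x86DD), IPv4 packets carrying protocol 41, UDP traffic on port 3544 (Teredo), and any IPv4 address inside 192.88.99.0/24. The following Python classifier is an added example written for this page; it is not a tool from the article, NIST, or US-CERT. It inspects raw Ethernet frames for exactly those indicators, so it can be pointed at frames read from a capture to confirm whether IPv6 is present before (or after) the perimeter rules are applied. All frames below are constructed inline for the example; the 10.0.0.0/8 and 203.0.113.0/24 addresses are placeholders, and the finding names are this example's own labels.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41            # 6over4, 6to4, IPv6-in-IPv4, ISATAP, tunnel brokers
TEREDO_PORT = 3544           # UDP port Teredo uses to set up its tunnel
SIX_TO_FOUR_RELAY = ipaddress.ip_network("192.88.99.0/24")  # public 6to4 anycast relays


def classify_frame(frame):
    """Return the list of IPv6 indicators found in one Ethernet frame (bytes).

    An empty list means the frame shows no sign of native or tunneled IPv6.
    Findings are ordered: protocol-41 tunnel, 6to4 relay prefix, Teredo port.
    """
    findings = []
    if len(frame) < 14:                       # truncated: no EtherType to read
        return findings
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return ["native-ipv6"]
    if ethertype != ETHERTYPE_IPV4:           # ARP, VLAN, etc. are out of scope here
        return findings
    ip = frame[14:]
    if len(ip) < 20:                          # truncated IPv4 header
        return findings
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes (options included)
    proto = ip[9]
    src = ipaddress.ip_address(ip[12:16])     # packed 4-byte form is accepted
    dst = ipaddress.ip_address(ip[16:20])
    if proto == IPPROTO_IPV6:
        findings.append("ipv4-proto41-tunnel")
    if src in SIX_TO_FOUR_RELAY or dst in SIX_TO_FOUR_RELAY:
        findings.append("6to4-relay-anycast")
    if proto == IPPROTO_UDP and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            findings.append("teredo-udp3544")
    return findings


def build_ipv4_frame(src, dst, proto, payload=b""):
    """Construct a minimal Ethernet + IPv4 frame (zero MACs, no checksum) for testing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip_hdr + payload


def build_udp_payload(sport, dport, data=b""):
    """Construct a UDP header (length set, checksum zeroed) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample frames: one benign IPv4 packet and one of each IPv6 indicator.
IPV6_STUB = b"\x60" + b"\x00" * 39            # version nibble 6, rest zeroed
SAMPLE_FRAMES = {
    "plain-ipv4-dns": build_ipv4_frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP,
                                       build_udp_payload(40000, 53)),
    "native-ipv6": b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + IPV6_STUB,
    "6to4-to-relay": build_ipv4_frame("10.0.0.5", "192.88.99.1", IPPROTO_IPV6, IPV6_STUB),
    "isatap-or-6in4": build_ipv4_frame("10.0.0.5", "203.0.113.7", IPPROTO_IPV6, IPV6_STUB),
    "teredo-setup": build_ipv4_frame("10.0.0.5", "203.0.113.9", IPPROTO_UDP,
                                     build_udp_payload(51000, TEREDO_PORT)),
}


def audit(frames):
    """Map each named frame to its findings; useful for summarizing a capture."""
    return {name: classify_frame(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_FRAMES).items():
        print(f"{name:18s} {found or 'no IPv6 indicator'}")
```

Each finding maps directly onto one of the perimeter rules NIST describes: a protocol-41 or Teredo hit means a tunnel is crossing the network, and a 192.88.99.0/24 hit means a host is reaching for a public 6to4 relay. Seeing any of these on a network that "does not run IPv6" is exactly the situation the first myth article warns about.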

ATTENTION: Sites running a Postfix version 2.2 (or later) mail transfer agent (MTA): You must include the following line in your /etc/postfix/main.cf:

inet_protocols = ipv4

Without this line, Postfix defaults to using IPv6 for mail delivery, and when that delivery fails Postfix stops trying rather than falling back; Postfix will not use IPv4 without it.
