Department of Defense
High Performance Computing Modernization Program

This article focuses on tools and techniques that can be used to detect, prevent, or monitor attempts to use networks in unauthorized ways. Its focus differs from that of the Network Management Recommendations article in the Network Management section, which covers policies and practices recommended for use by network administrators and managers.

For more in-depth information, several books on IPv6 Security are listed in part 3 of the IPv6 Training and Learning Information file in the IPv6 Training and Learning article under the Deployment section.

Many reports, seminars, tutorials, and presentations from past conferences that discuss IPv6 security best practices are available on the web, including the following:

    1. Guidelines for the Secure Deployment of IPv6, published by the National Institute of Standards and Technology (NIST)
    2. The Internet SOCiety (ISOC) provides comprehensive guidance about this subject on its Deploy360 IPv6 Security web page.
    3. The Internet Engineering Task Force (IETF) Operational Security Considerations for IPv6 Networks draft document
    4. A series presented annually at various conferences by Cisco Systems, Inc. (for example: APNIC, Apricot, and Cisco Live 365), entitled “IPv6 Security Threats and Mitigations”.
    5. The Canadian Internet Registration Authority (CIRA) internal IPv6 Policy document
    6. The Infoblox Best Practices for IPv6 Security webinar
    7. IPv6 Deployments, a presentation to the Réseaux IP Européens Network (RIPE)
    8. This 2013 Federal IPv6 Interagency Working Group presentation provides suggestions for mitigating IPv6 security issues.
    9. IPv6 Security Best Practices by Cisco Systems, Inc.
    10. This Monolith Software blog entry provides some best practice tips for monitoring any network
    11. The Grand European Academic NeTwork (Géant) project documented many Network Monitoring recommendations. An example is this Practical IPv6 Monitoring on Campus Best Practice document, which describes a way to monitor a dual-stack network using a combination of SNMP and NetFlow.
    12. IPv6 Security (2008), IPv6 Security (2011), and IPv6 Attacks and Countermeasures (2013), presentations from the Rocky Mountain IPv6 Task Force (RMv6TF).
    13. Master Thesis: IPv6 Security Test Laboratory, Johannes Weber (see “Countermeasures & Firewall’s Best Practices” sections)
    14. SearchNetworkingTechTarget.com articles describe mitigations for and ways to avoid Neighbor Discovery Protocol Attacks:
      1. How to avoid IPv6 neighbor discovery threats
      2. How to protect your IPv6 address management
      3. Mitigating IPv6 neighbor discovery attacks
      4. IPv6 attack attempts and how to mitigate them
    15. While not suitable for wide-scale deployment at the enterprise level, articles describing the steps to harden individual servers against a wide variety of attacks are available:
      1. IPv6 Hardening Guide for Linux servers (for Red Hat Linux Enterprise 7 and SUSE Linux Enterprise Server 12)
      2. IPv6 Hardening Guide for Windows servers (for Microsoft Windows Server 2012 R2)

See the IPv6 vulnerability and threat mitigation testing topic in the IPv6 Product Testing Results article in the Testing section for additional reports which discuss tools and techniques that can be used to prevent attempts to use networks in unauthorized ways.

The following are older but still useful discussions:

  1. An IPv6 Security Guide for U.S. Government Agencies, published by Juniper Networks, Inc.
  2. IPv6 and IPv4 Threat Comparison and Best Practice paper from Cisco Systems, Inc.
  3. Secure IPv6 Operation: Lessons learned from 6NET report from the European IPv6 deployment. (The 6NET project completed Jun 2005, followed by the 6DISS project, which completed Sept 2007, and then by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu), which completed Feb 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6), which completed May 2015. Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material.) The current European IPv6 project is IPv6 Framework for European Governments.

Websites which contain articles discussing tools and techniques that can be used to detect, prevent, or monitor attempts to use networks in unauthorized ways include:

  1. The United States Computer Emergency Readiness Team (US-CERT) issues a continuing series of security publications, with dissemination sometimes limited by a publication’s designated Traffic Light Protocol (TLP) color. Some of these publications are specific to IPv6, such as Fundamental Filtering of IPv6 Network Traffic and Malware Tunneling in IPv6, while others are protocol neutral.
  2. While specific to the Department of Defense (DoD), the publicly available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) include guidance for IPv6. They are available on the DISA website.
  3. The National Security Agency (NSA) Security Configuration Guides are available here (hover over the "LIBRARY" keyword on the row of keywords at the top of the screen to see other available subject areas). Older NSA Security Configuration Guides are available here.
