Organizations that believe Internet Protocol version 6 (IPv6) is not in their future cannot simply ignore it, as this article explains with a touch of irony, while this article ends with the warning: “the question is not when you should begin managing IPv6, but what should you be doing right now!”.
This article from the American Registry for Internet Numbers (ARIN) describes the business case for IPv6. This document from the Internet SOCiety (ISOC) describes some of the global trends that are driving deployment of IPv6. This article goes even further, explaining why IPv4 will not be in your future.
Organizations that believe the Internet of Things (IoT) is in their future should read this article. Even organizations that abandoned earlier efforts to transition to an IPv6-only network (such as Microsoft) will eventually make such a transition.
Even though you may have decided that your organization, network, or enclave does not need to deploy IPv6 at the present time, you cannot safely and securely ignore IPv6. IPv6 is quite likely already present on your network. As a case in point, if you have ever watched a YouTube video, you have used IPv6. If you used a cellphone to view this web page, IPv6 was used when connecting to the IPv6 Knowledge Base website, as this article explains.
The title of this article 7 points your security team needs to know about IPv6 (but probably doesn’t) speaks for itself.
The presentation Security in an IPv6 World (Myth and Reality) and the detailed series of 10 IPv6 Security Myth articles:
#1 I'm Not Running IPv6 So I Don't Have to Worry
#2 IPv6 Has Security Designed In
#3 No IPv6 NAT Means Less Security
#4 IPv6 Networks are Too Big To Scan
#5 Privacy Addresses Fix Everything
#6 IPv6 is Too New to be Attacked
#7 96 More Bits, No Magic
#8 It Supports IPv6
#9 There Aren't Any IPv6 Security Resources and
#10 Deploying IPv6 is Too Risky
discuss the risks of ignoring IPv6 and the benefits of taking action to minimize those risks.
This article Common Misconceptions about IPv6 Security (video available here) touches on the same myths and adds some new ones:
IPv6 is more/less secure than IPv4
IPv6 is IPv4 with longer addresses
IPsec makes IPv6 more secure than IPv4
Address scanning is impossible in IPv6
No NAT makes IPv6 insecure.
The articles It’s fake news and It’s fake news (cont) along with an article asserting that quantum computing successfully merges IPv4 and IPv6 to form IPv5 provide yet another perspective on IPv6. (By the way, this article explains why there was no IPv5.)
This article describes tools and techniques that can detect the presence of IPv6 on your network. The presence of undetected IPv6 on networks has long been recognized as a concern, as shown by this Federal Information Notice and this warning about Malware Tunneling in IPv6, both issued by the United States-Computer Emergency Readiness Team (US-CERT) in 2005.
The specific steps necessary to disable or uninstall IPv6 on many routers and operating systems are described in articles in the IP Transport section. As a minimum the National Institute for Standards and Technology (NIST) recommends that organizations not yet deploying IPv6 should block all incoming and outgoing IPv6 traffic (native and tunneled) on the organization's perimeter border routers or firewalls. (See Section 6.9 of NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6, December, 2010.) These tunneling mechanisms include 6over4, 6to4, IPv6-in-IPv4, ISATAP, and tunnel brokers (which all typically use protocol 41) and the TEREDO tunneling mechanism (which typically uses UDP port 3544 to establish its tunnel). In addition, border routers or firewalls should block packets with a source or destination address prefix of 192.88.99.0/24 (the default prefix for public 6to4 anycast gateways).
Sites running a Postfix version 2.2 (or later) mail transfer agent (MTA): You must
include the following in your /etc/postfix/main.cf:
inet_protocols = ipv4
Without this line, Postfix defaults to using IPv6 for mail delivery, and when that fails
Postfix will stop trying. Postfix will not use IPv4 without it.