The National Security Agency (NSA) has published guidance to help the Department of Defense (DoD) and other system administrators identify and mitigate cyber risks associated with transitioning to Internet Protocol version 6 (IPv6).
Developed by the Internet Engineering Task Force (IETF), IPv6 is the latest iteration of the protocol that is used to identify and locate systems and route traffic across the internet, offering technical benefits and security improvements over its predecessor, IPv4.
The transition to IPv6 is expected to have the biggest impact on network infrastructure, with all networked hardware and software affected, and will also impact cybersecurity. The NSA points out that IPv6 security issues are similar to those of IPv4, and that security methods used with IPv4 should typically be applied to IPv6, with adaptations as required to address the differences.
Issues that networks new to IPv6 are expected to encounter include the lack of mature configuration and network security tools and the lack of administrator experience with IPv6. Federal and DoD networks are expected to operate dual stack, running both IPv4 and IPv6 simultaneously, which raises additional security concerns and increases the attack surface.
The NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) server to mitigate privacy issues, avoiding the use of tunnels to transport packets, and deploying IPv6 cybersecurity mechanisms that correspond to those implemented for IPv4.
Additionally, the NSA recommends ensuring that network administrators receive proper training and education on IPv6 networks so they can better protect the network and improve its IPv6 security.
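The DHCPv6 and tunnel recommendations above can be checked against a host address inventory. The following is an added example, not taken from the NSA guidance: it assumes the privacy issue in question is stateless autoconfiguration embedding the interface MAC address in a modified EUI-64 interface ID, and it treats the well-known 6to4 (2002::/16) and Teredo (2001::/32) prefixes as signs of tunneling. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    Heuristic: an interface ID with ff:fe in its middle two bytes. A random
    interface ID can match by chance, so treat a hit as a lead to verify.
    """
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the ID was built.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(address):
    """Return a list of findings for one IPv6 address string."""
    addr = ipaddress.IPv6Address(address)
    findings = []
    if addr.sixtofour is not None:
        findings.append(f"6to4 tunnel address, embeds IPv4 {addr.sixtofour}")
    if addr.teredo is not None:
        server, _client = addr.teredo
        findings.append(f"Teredo tunnel address, server {server}")
    mac = eui64_mac(addr)
    # Tunnel addresses carry other data in the low 64 bits; skip the MAC check.
    if mac and not findings:
        findings.append(f"EUI-64 interface ID exposes MAC {mac}")
    return findings

# Constructed sample inventory (documentation and test address ranges only).
SAMPLE = [
    "2001:db8:0:1::1a2b",               # server-assigned style address
    "2001:db8:0:1:211:22ff:fe33:4455",  # built from MAC 00:11:22:33:44:55
    "2002:c000:204::1",                 # 6to4, embeds 192.0.2.4
    "2001:0:c000:201::3fff:fdfd",       # Teredo, server 192.0.2.1
]

if __name__ == "__main__":
    for a in SAMPLE:
        for finding in audit(a) or ["no findings"]:
            print(f"{a}: {finding}")
```
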