The US National Security Agency (NSA) has published a guidance document for system administrators to help them mitigate potential security issues as their organizations transition to Internet Protocol version 6 (IPv6).

The prosaically named “IPv6 Security Guidance” [PDF] was compiled for admins within the Department of Defense (DoD), but is likely to prove useful as a quick reference for anyone managing the transition from IPv4 to IPv6, which may turn out to be a more drawn-out experience than was initially anticipated.

“The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked,” NSA Cybersecurity Technical Director Neal Ziring said in a statement accompanying the publication of the document.

“It is important that DoD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks.”

One of the recommendations is fairly basic: education. Successfully securing an IPv6 network requires, at a minimum, a fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate, the NSA says, so all network administrators should receive proper training.

It advises that the security methods used in IPv4 networks will largely also be used with IPv6, but with adjustments wherever the two protocols differ.

Security issues associated with an IPv6 implementation will generally surface in networks that are either new to IPv6 or in the early phases of the transition. This is because such networks will lack maturity in IPv6 configuration, and their admins will likely lack experience with IPv6 as well.

Organizations running both IPv4 and IPv6 simultaneously will face additional security risks, with further countermeasures needed to mitigate them because of the increased attack surface that comes with supporting both IPv4 and IPv6, the document warns.

There are no big revelations from the NSA, but rather advice that many admins are likely to be already aware of, such as the recommendation to assign IP addresses on the network via a DHCPv6 server instead of relying on stateless address auto-configuration (SLAAC).

The latter uses a self-assigned IPv6 address that incorporates the fixed MAC address from the NIC, leading to concerns that data traffic could be linked to a specific device and potentially to an individual associated with that equipment. Whether this is a major concern to anyone outside of defense or government is another matter, of course.
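The SLAAC concern above in practice, as an added example that is not from the NSA document or this article: a small standard-library Python check that flags addresses in a host inventory whose interface identifier is EUI-64 derived, so that the NIC's MAC address can be read straight back out of the address. The address list is constructed for the example.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 derived IPv6 address, or None.

    SLAAC with EUI-64 forms the 64-bit interface identifier (IID) from the
    48-bit MAC by inserting 0xFFFE between the OUI and device halves and
    flipping the universal/local bit (bit 6 of the first octet).
    A randomly generated IID can carry ff:fe at that position by chance
    (about 1 in 65536), so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = IID
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                          # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def flag_eui64(addresses):
    """Map each EUI-64 derived address in an inventory to its exposed MAC.

    Strings that are not valid IPv6 addresses are skipped.
    """
    found = {}
    for a in addresses:
        try:
            mac = eui64_mac(a)
        except ipaddress.AddressValueError:
            continue
        if mac is not None:
            found[a] = mac
    return found

# Constructed sample inventory: one EUI-64 address (from MAC 00:1a:2b:3c:4d:5e),
# one random/privacy-style address, one static address, one junk entry.
SAMPLE_INVENTORY = [
    "2001:db8::21a:2bff:fe3c:4d5e",
    "2001:db8::9c4f:1e2a:7b3d:8f01",
    "fe80::1",
    "not-an-address",
]

if __name__ == "__main__":
    for addr, mac in flag_eui64(SAMPLE_INVENTORY).items():
        print(f"{addr} exposes MAC {mac}")
```

Hosts that appear in the output are candidates for switching to DHCPv6-assigned or privacy (RFC 4941-style) addresses if linking traffic to hardware is a concern.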

The NSA also recommends avoiding the use of IPv6 tunneling, often used to transport IPv6 packets inside IPv4 packets across existing network infrastructure, again to reduce the potential attack surface and cut complexity. It advises that tunneling protocols may be allowed if they are required during a transition, but they should be limited to approved systems where their usage is well understood and where they are explicitly configured.

Likewise, dual stack environments tend to increase the attack surface and prove more expensive to operate, according to the document. However, as this is an oft-implemented transition strategy, the NSA says that such network configurations should implement IPv6 cybersecurity mechanisms that match or exceed the IPv4 mechanisms. For example, firewall rules that filter higher level protocols such as TCP or UDP should be applied to both IPv6 and IPv4.

Because NICs may have multiple IPv6 addresses assigned to them, the NSA advises that admins carefully review access control lists (ACLs) so that firewalls and other security devices only permit traffic from authorized addresses.

Other issues include the network admin's old friend network address translation (NAT), which the NSA appears to frown upon. Apart from using NAT64/DNS64, or 464XLAT in IPv6-only networks, address translation should generally be avoided, it advises.

“IPv6 networks should instead use global addresses on all systems that require external communications and non-routable addresses inside the network. If unique local addresses are used on internal systems, any system that requires external communications should also have a global address,” the document states.

The NSA acknowledges, of course, that unforeseen issues will inevitably crop up, and so the final piece of advice seems to be this: be prepared.

“Addressing the issues up front in IPv6 implementation plans, configuration guidance, and appropriate training of administrators will help organizations to avoid security pitfalls during the transition and to leverage IPv6 benefits properly,” it states. ®
