posted by janrinok on Thursday January 26 2023, @09:16PM
from the just-wait-and-see-how-long-it-takes-to-migrate-to-IPv8 dept.

NSA offers security guidelines for IPv6 migration:

The US National Security Agency (NSA) has published a guidance document for system administrators to help them mitigate potential security issues as their organizations transition to Internet Protocol version 6 (IPv6).

The prosaically named "IPv6 Security Guidance" [PDF] was compiled for admins inside the Department of Defense (DoD), but is likely to prove useful as a quick reference for anyone managing the transition from IPv4 to IPv6, which could turn out to be a more drawn-out experience than was originally anticipated.

"The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked," NSA Cybersecurity Technical Director Neal Ziring said in a statement accompanying the publication of the document.

"It's important that DoD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks."

One of the recommendations is pretty basic: education. Successfully securing an IPv6 network requires, at a minimum, a fundamental knowledge of the differences between the IPv4 and IPv6 protocols and how they operate, the NSA says, so all network administrators should receive proper training.

It advises that security methods used in IPv4 networks will largely also be used with IPv6, but with adaptations to address where there are differences.

Security issues associated with an IPv6 implementation will generally surface in networks that are either new to IPv6 or in early phases of the transition. This is because such networks will lack maturity in IPv6 configuration as well as likely lacking experience in IPv6 by the admins.

Organizations running both IPv4 and IPv6 simultaneously will have additional security risks, with further countermeasures needed to mitigate these due to the increased attack surface of having both IPv4 and IPv6, the document warns.

There are no massive revelations from the NSA, but advice that many admins are likely to be already aware of, such as the recommendation to assign IP addresses on the network via a DHCPv6 server instead of relying on stateless address auto-configuration (SLAAC).

The latter uses a self-assigned IPv6 address that incorporates the fixed MAC address from the NIC, leading to concerns that data traffic could be linked to a specific device and potentially an individual associated with that equipment. Whether this is a major concern to anyone outside of defense or government is another matter, of course.

The NSA also recommends avoiding the use of IPv6 tunneling, often used to transport IPv6 packets within IPv4 packets across existing network infrastructure, again to reduce the potential attack surface and lessen complexity. It advises that tunneling protocols may be allowed if they are required during a transition, but they should be limited to approved systems where their usage is well understood and where they are explicitly configured.
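The two recommendations above, preferring DHCPv6 over MAC-derived SLAAC addresses and keeping tunneling mechanisms to explicitly approved systems, both come down to knowing which addresses are actually in use on your network. The following is an added example, not code from the NSA document or from The Register's article: a small Python audit that walks an address inventory and flags EUI-64 interface identifiers (recovering the embedded MAC) and addresses belonging to the common transition mechanisms (6to4, Teredo, ISATAP, IPv4-mapped). Prefix values come from the relevant RFCs; the host names and addresses in the sample inventory are constructed and use documentation prefixes only.

```python
import ipaddress

# Added example (not from the NSA guidance or the article): audit an IPv6
# address inventory for SLAAC EUI-64 addresses that embed a NIC's MAC and for
# addresses that belong to transition/tunnel mechanisms. Prefixes follow
# RFC 3056 (6to4), RFC 4380 (Teredo), RFC 4291 (IPv4-mapped) and the
# RFC 5214 ISATAP interface-identifier layout.
SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def mac_from_eui64(addr_str):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None if the address does not carry one.

    Modified EUI-64 splices ff:fe into the middle of the 48-bit MAC and
    inverts the universal/local bit (RFC 4291, Appendix A). A random privacy
    address (RFC 4941) contains ff:fe in that position by chance about once
    in 65536 addresses, so a hit is a strong hint rather than proof.
    """
    iid = ipaddress.IPv6Address(addr_str).packed[8:]  # 64-bit interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02  # undo the u/l bit flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr_str):
    """Return a list of findings for one IPv6 address (empty = nothing notable)."""
    addr = ipaddress.IPv6Address(addr_str)
    findings = []
    if addr in IPV4_MAPPED:
        findings.append("IPv4-mapped address (::ffff:0:0/96)")
    if addr in SIXTO4:
        findings.append("6to4 tunnel prefix (2002::/16)")
    if addr in TEREDO:
        findings.append("Teredo tunnel prefix (2001::/32)")
    if addr.packed[8:12] in ISATAP_IID_PREFIXES:
        findings.append("ISATAP interface identifier (tunnel endpoint)")
    mac = mac_from_eui64(addr_str)
    if mac is not None:
        findings.append(f"EUI-64 interface identifier exposes MAC {mac}")
    return findings


def audit_inventory(inventory):
    """inventory: iterable of (hostname, ipv6_address) pairs.
    Returns only the hosts with findings, as (hostname, address, findings)."""
    report = []
    for host, addr in inventory:
        findings = classify(addr)
        if findings:
            report.append((host, addr, findings))
    return report


# Constructed sample inventory built from documentation prefixes
# (2001:db8::/32 and 192.0.2.0/24); none of these are real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "2001:db8:1::211:22ff:fe33:4455"),           # SLAAC EUI-64 from MAC 00:11:22:33:44:55
    ("ws-02", "2001:db8:1::a1b2:c3d4:e5f6:789"),           # RFC 4941 style privacy address
    ("srv-db", "2001:db8:1::10"),                           # statically / DHCPv6 assigned
    ("rtr-legacy", "2002:c000:204::1"),                     # 6to4, derived from 192.0.2.4
    ("laptop-vpn", "2001:0:4136:e378:8000:63bf:3fff:fdd2"), # Teredo client address
    ("host-isatap", "2001:db8:1::5efe:c000:201"),           # ISATAP endpoint for 192.0.2.1
]

if __name__ == "__main__":
    for host, addr, findings in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {addr:40} {'; '.join(findings)}")
```

Running the script lists four of the six sample hosts: the EUI-64 workstation (with its MAC recovered), the 6to4 router, the Teredo client and the ISATAP endpoint; the privacy address and the static DHCPv6 address produce no findings. Feeding it the output of your own neighbour tables or IPAM export gives a quick first pass at the "where is tunneling still in use, and which hosts leak their MAC" questions the guidance raises.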


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 1, Touché) by Anonymous Coward on Thursday January 26 2023, @09:19PM (1 child)

    by Anonymous Coward on Thursday January 26 2023, @09:19PM (#1288800)

    only use official NSA approved DNS

    • (Score: 2) by Freeman on Thursday January 26 2023, @11:26PM

      by Freeman (732) on Thursday January 26 2023, @11:26PM (#1288818) Journal

      Seems legit. Where's the gag order, though? Wrong topic?

      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by MostCynical on Thursday January 26 2023, @11:51PM (1 child)

    by MostCynical (2589) on Thursday January 26 2023, @11:51PM (#1288823) Journal

    some parts of any organisation will be bad, some good, and some maybe downright evil

    One part of the NSA may actually be trying to be helpful, here.

    The problem is that we can't trust any part.

    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 1, Funny) by Anonymous Coward on Friday January 27 2023, @01:45PM

      by Anonymous Coward on Friday January 27 2023, @01:45PM (#1288905)

      So . . . stay on IPv4 then?

  • (Score: 2) by dltaylor on Thursday January 26 2023, @11:59PM

    by dltaylor (4693) on Thursday January 26 2023, @11:59PM (#1288824)

    I cheated: I not only read the summary, but the PDF. The information is pretty basic, not including specific rule sets, but it made sense to me. The problem that I see is getting sysadmins, and supervisors, to read the thing. Getting the executive summary understood by executives, and getting them to pay for the implementation, including some strategic new network boxes and updating older ones, is going to be the difficult part. Proper PEN and other robustness testing is also not going to be free. I've spent too many person-years trying to get that message through, and sometimes had to finesse the time/materials budget of other projects to include bits and pieces of needed infrastructure.

  • (Score: 5, Funny) by driverless on Friday January 27 2023, @01:14AM (4 children)

    by driverless (4770) on Friday January 27 2023, @01:14AM (#1288829)

    World IPv6 Day was in 2011 and we all switched over from IPv4; after over a decade of universal adoption of IPv6 it's a bit late for them to start talking about how to secure it.

    • (Score: 0) by Anonymous Coward on Friday January 27 2023, @03:28AM (2 children)

      by Anonymous Coward on Friday January 27 2023, @03:28AM (#1288847)

      In terms of security it clearly was not ready in 2011. Things are better in 2023. I see a few more people with a clue and some useful things added.

      Most of the IPv6 proponents don't care or don't know that much about security.

      They'll say obviously wrong and stupid stuff like NAT doesn't add any security.

      Even within an organization we might not want everyone to know the IPv6 addresses of everything. And if someone somehow bypasses a layer of protection we don't want them to still be able to easily talk to the protected stuff behind it.

      When we think IPv6 is ready then sure more of us will switch over. Meanwhile the IPv6 stack for Windows etc doesn't look well tested enough. Still see too many vulnerabilities found over the years up to recent years.
      • (Score: 3, Interesting) by janrinok on Friday January 27 2023, @11:06AM

        by janrinok (52) on Friday January 27 2023, @11:06AM (#1288893) Journal

        When we think IPv6 is ready then sure more of us will switch over.

        If you think 'being ready' is the same as learning how to do it then you will be waiting for a long time.

        SoylentNews switched over in 2016. My own ISP switched in 2018. I am not aware of any security issues that can be attributed to IPv6 specifically which are not also issues with IPv4 - incorrect configuration being the main common problem. But there are just as many IPv4 mis-configurations as there are IPv6.

        This is because such networks will lack maturity in IPv6 configuration as well as likely lacking experience in IPv6 by the admins.

        Some people won't learn until they are forced to do so but they will eventually have to learn. They won't get any experience by waiting.

        I have 18 different devices on my internal network ranging from desktops, laptops and servers all the way to IoT devices. It is a mix of ethernet and WiFi. They are all IPv6 and they take no more administration than my previous IPv4 network. Every Linux distro that I have used has a perfectly good IPv6 stack.

        I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
      • (Score: 3, Interesting) by isostatic on Friday January 27 2023, @11:48AM

        by isostatic (365) on Friday January 27 2023, @11:48AM (#1288896) Journal

        ipv6 has some security benefits -- I can break into your computer and do a ping/tcp/udp/etc sweep of quite easily. Can't do that on a /48 ipv6 network. Sure I can listen for machines sending arp requests, but that's only on the local subnet.

        (security only through obscurity is not security, but obscurity can play a part in security)

        I'd be OK if I could just change to ipv6, but I don't like the requirement for dual stack. Double the workload for 5% gain?

        If ipv6 tooling had been built originally to be able to cope with ipv4 addresses natively it would be fine. I could have an ipv6 only device, I'd send a ping to, it would be translated by the tool or kernel to ::FFFF:, the message sent to wherever my route for ::ffff:/whatever goes to, and once it reaches a dual stack router it gets mapped via NAT to transmit to

        That way I can change an entire network to ipv6 only and still be able to reach ipv4 with no change to my user applications.

        But instead I have to make choices at the application layer, and that is far harder than just deploying an ipv6 network.

        (there's then all the ipv6 addons and changes from ipv4, meaning I can't simply keep using the same techniques, but I can't forget my ipv4 stuff, so I have to have more plates to spin to maintain both ipv4 and ipv6 architectures)

    • (Score: 2) by isostatic on Friday January 27 2023, @11:37AM

      by isostatic (365) on Friday January 27 2023, @11:37AM (#1288895) Journal

      Took more than 10 years before anyone talked about securing ipv4!

  • (Score: 3, Interesting) by VLM on Friday January 27 2023, @02:35PM

    by VLM (445) on Friday January 27 2023, @02:35PM (#1288913)

    It's interesting they suggest IPv6 training but don't provide any links.

    Hurricane Electric has run the "ipv6 sage" program since, I think, before the turn of the century and it's still online at: []

    "Back in the day" around the turn of the century they sent out pretty cool graphic tee shirts to the first "X" people who passed and I still have mine about two decades later. Still fits too, I'm pretty thin.

    "Back in the day" the ipv6 sage certification was a capture-the-flag type of experiment where you'd set up an AAAA record and ask them to check it, then move on to the next step type of project: show me a domain with a valid ipv6 accessible MX record and SMTP port, then move on to the next question, etc. It was pretty cool for turn of the century. It was not exactly a sought-after certification; pretty sure I never got a job or contract off that LOL, but "everyone knows" that in a couple years ipv6 will be a big deal just like electric cars and fusion reactors.

    The security implications of IPv6 tend to be higher level than mere protocol exploits or whatever. So... most ipv4 devices have "a" ip address, but most ipv6 devices have a couple. So... if you do autoconfiguration based on the /56 your ISP gave you, every time your "WAN" address changes then literally every address on your LAN will also change. If you do autoconfiguration based on the /56 your ISP gave you, you probably don't do NAT, and some ipv4 legacy admins TOTALLY freak out about the concept of stateful firewalls being separated from address translation and will argue like morons that it's theoretically impossible to have a stateful firewall that doesn't change addresses, so you'll get infini-FUD about how ipv6 makes firewalls and security "impossible", which is pretty ignorant. At a personal level humans can yell four small numbers at each other all day quite successfully; it's easier than phone numbers IMHO, so you can yell across a room "hey it's" so ipv4 is "human", however most humans can't deal with yelling "2001:db8:3abc:4def:5012:6123:7456:89ab" across a room, so humans can't "do" ipv6 in normal day to day life, making sysadmin / netadmin configuration exciting. For a while (as in a couple decades if you have the $$$$) you can buy ethernet switches with ipv4 filtering that will eat DHCP packets unless you permit it, which stops rando attackers from knocking out a LAN with a raspi on a bare ethernet port, bonus points if they knock out your ethernet management network so you can't even log into the switch to find it LOL; I don't know the state of the art WRT cheapass switches blocking ipv6 network configuration packets.