Making Sure IPv6 and IPv4 Co-exist Reliably and Securely


Last week's World IPv6 Day went as well as can be expected, as Google, Yahoo and other Internet giants kicked the tires on the relatively small number of existing IPv6 connections and found that they held up. (Our Carl Weinschenk has a great write-up on the event in his blog).


The test's primary goal was to establish that the expanded Internet addressing protocol can successfully co-exist with IPv4, which some experts say may run out of available addresses by the end of this year. Near-term stability concerns focus on ISPs and other large providers, but ultimately organizations will also need to roll out IPv6 internally. When they do, they will need to make sure that both versions of the Internet Protocol play nicely for a long time.


The National Institute of Standards and Technology (NIST) has provided a framework for organizations to strategically evaluate and implement IPv6 deployments. You can find an extensive discussion of the framework and tips for a secure IPv6 deployment in our IT Downloads library in the NIST special publication, "Guidelines for the Secure Deployment of IPv6."


We say "deployment" - not "transition" - since even the largest organizations will need to support both IPv4 and IPv6 for the foreseeable future, and making the ultimate transition as seamless as possible to users should be a primary goal. The report states:

"The use of a phased implementation will enable an organization to implement IPv6 with as little disruption to the current environment as possible. Existing users should be unaware of the new protocol until they require its use. The phased approach will minimize the effect on day-to-day operations."

The NIST report outlines two deployment models:


  • Pervasive, in which IPv6 equipment is rolled out in parallel to IPv4 equipment throughout the enterprise.
  • Sparse, in which "islands" of IPv6 equipment exist on an otherwise IPv4-dominated network.


Pervasive deployments have a shorter lifecycle; sparse deployments have longer lifecycles and require more tunneling mechanisms. The NIST paper suggests that the applications you run, more so than your hardware, should dictate the deployment approach you select.


The report also has several tips for securing your IPv6 deployment, including:


  • Apply different types of IPv6 addressing (privacy addressing, unique local addressing, sparse allocation, etc.) to limit access and knowledge of IPv6-addressed environments.
  • Develop a granular ICMPv6 filtering policy for the enterprise.
  • Use IPsec to authenticate and provide confidentiality to assets that can be tied to a scalable trust model (an example is access to Human Resources assets by internal employees that make use of an organization's Public Key Infrastructure (PKI) to establish trust).
  • On networks that are IPv4-only, block all IPv6 traffic.
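
Blocking IPv6 on an IPv4-only network only holds if tunneled IPv6 is covered along with native IPv6. The Python check below is an added example, not taken from the NIST publication or this article; it scans a constructed flow export (the column layout is an assumption) for native IPv6, IPv6-in-IPv4 encapsulation and Teredo.

```python
"""Flag IPv6 traffic, native or tunneled, seen on a segment declared IPv4-only."""
import csv
import io

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6_ENCAP = 41   # IPv6 carried inside IPv4: 6in4, 6to4, ISATAP
TEREDO_UDP_PORT = 3544    # Teredo servers listen on this UDP port (RFC 4380)

# Constructed sample flow export; the column layout is an assumption.
SAMPLE_FLOWS = """\
id,ethertype,ip_proto,src,sport,dst,dport
1,0x0800,6,10.1.4.20,51514,10.1.9.5,443
2,0x86dd,58,fe80::1c2a:5bff:fe01:22,0,ff02::1,0
3,0x0800,41,10.1.4.31,0,192.0.2.77,0
4,0x0800,17,10.1.4.44,49210,198.51.100.9,3544
5,0x0800,17,10.1.4.20,53011,10.1.0.53,53
"""

def classify(flow):
    """Return the reason a flow violates the IPv4-only policy, or None."""
    ethertype = int(flow["ethertype"], 16)
    proto = int(flow["ip_proto"])
    if ethertype == ETHERTYPE_IPV6:
        return "native IPv6"
    if ethertype != ETHERTYPE_IPV4:
        return None  # not IP at all (ARP, etc.)
    if proto == IPPROTO_IPV6_ENCAP:
        return "IPv6-in-IPv4 (protocol 41)"
    ports = {int(flow["sport"]), int(flow["dport"])}
    if proto == IPPROTO_UDP and TEREDO_UDP_PORT in ports:
        return "Teredo (UDP 3544)"
    return None

def find_violations(text):
    """Parse a CSV flow export and return (flow id, reason) for each violation."""
    hits = []
    for flow in csv.DictReader(io.StringIO(text)):
        reason = classify(flow)
        if reason:
            hits.append((int(flow["id"]), reason))
    return hits

if __name__ == "__main__":
    for flow_id, reason in find_violations(SAMPLE_FLOWS):
        print(f"flow {flow_id}: {reason}")
```

Any hit on a segment that is supposed to be IPv4-only means either the block rule is missing a tunnel type or a host has IPv6 enabled that nobody is managing.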


The extensive 175-page special publication includes technical breakdowns of the mechanics of the IPv6 address scheme, expanded header types and fields. You can see the level of detail evidenced in the following flowchart, which tracks routing based on header type.



Be sure to check out these additional IPv6 resources in the IT Downloads library:


  • A Profile for IPv6 in the U.S. Government - This document recommends a technology acquisition profile for common IPv6 devices to be procured and deployed in operational U.S. government IT systems. This standards profile is meant to define a simple taxonomy of common network devices; define their minimal mandatory IPv6 capabilities and identify significant configuration options; and provide the basis to further define the technical meaning of specific governmental policies.
  • Malware Tunneling in IPv6 - IPv6 can be misused to deliver malware in a way that eludes detection by firewalls and intrusion-detection systems (IDS). This guide addresses minimizing those malware-oriented risks.