Department of Defense
High Performance Computing Modernization Program

Even though you may have decided that your organization, network, or enclave does not need to deploy Internet Protocol version 6 (IPv6) at the present time, you cannot safely and securely ignore IPv6. IPv6 is quite likely already present on your network. As a case in point, if you have ever watched a YouTube video, you have used IPv6. If you used a cellphone to view this web page, IPv6 was used when connecting to the IPv6 Knowledge Base website, as this article explains.

Organizations that believe Internet Protocol version 6 (IPv6) is not in their future cannot simply ignore it, as this article explains with a touch of irony. This article goes even further, explaining why IPv4 will not be in their future. Organizations that believe the Internet of Things (IoT) is in their future should read this article. Even organizations that have abandoned efforts to transition to an IPv6-only network (such as Microsoft) will eventually need to make the transition.

The title of this 2020 article, "7 points your security team needs to know about IPv6 (but probably doesn't)", speaks for itself.

This 2014 presentation Security in an IPv6 World (Myth and Reality) and the detailed series of 10 IPv6 Security Myth articles:

#1 I'm Not Running IPv6 So I Don't Have to Worry
#2 IPv6 Has Security Designed In
#3 No IPv6 NAT Means Less Security
#4 IPv6 Networks are Too Big To Scan
#5 Privacy Addresses Fix Everything
#6 IPv6 is Too New to be Attacked
#7 96 More Bits, No Magic
#8 It Supports IPv6
#9 There Aren't Any IPv6 Security Resources, and
#10 Deploying IPv6 is Too Risky

discuss the risks of ignoring IPv6 and the benefits of taking action to minimize those risks.

This 2019 article Common Misconceptions about IPv6 Security (video available here) touches on some of the same myths and adds new ones:

IPv6 is more/less secure than IPv4
IPv6 is IPv4 with longer addresses
IPsec makes IPv6 more secure than IPv4
Address scanning is impossible in IPv6
No NAT makes IPv6 insecure.

These 2018 articles [It's fake news and It's fake news (cont)] provide yet another perspective on common misconceptions about IPv6.

This 2018 document from the Internet Society (ISOC) describes some of the global trends that are driving deployment of IPv6. This article describes tools and techniques that can detect the presence of IPv6 on your network. The presence of undetected IPv6 on networks has long been recognized as a concern, as shown by this Federal Information Notice and this warning about Malware Tunneling in IPv6, both issued by the United States Computer Emergency Readiness Team (US-CERT) in 2005.

The specific steps necessary to disable or uninstall IPv6 on many routers and operating systems are described in articles in the IP Transport section. As a minimum, the National Institute of Standards and Technology (NIST) recommends that organizations not yet deploying IPv6 should block all incoming and outgoing IPv6 traffic (native and tunneled) on the organization's perimeter border routers or firewalls. (See Section 6.9 of NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6, December 2010.) These tunneling mechanisms include 6over4, 6to4, IPv6-in-IPv4, ISATAP, and tunnel brokers (which all typically use IP protocol 41) and the Teredo tunneling mechanism (which typically uses UDP port 3544 to establish its tunnel). In addition, border routers or firewalls should block packets with a source or destination address prefix of 192.88.99.0/24 (the default prefix for public 6to4 anycast gateways).
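The perimeter policy above (native IPv6, protocol-41 tunnels, Teredo on UDP/3544, and the 6to4 anycast prefix 192.88.99.0/24) can be checked against flow records before the firewall rules are written, which is a cheap way to find out whether tunneled IPv6 is already crossing the border. The following is an added example, not code from the page, NIST, or any vendor; the flow-record layout and the sample flows are constructed for illustration.

```python
"""Classify IPv4/IPv6 flow records against the NIST SP 800-119 section 6.9
perimeter guidance: block native IPv6, protocol-41 tunnels (6to4, 6over4,
ISATAP, IPv6-in-IPv4, tunnel brokers), Teredo (UDP port 3544), and traffic
to or from the public 6to4 anycast prefix 192.88.99.0/24.
Added example; the Flow record format is an assumption, not a real export format."""
import ipaddress
from dataclasses import dataclass

SIXTO4_ANYCAST = ipaddress.ip_network("192.88.99.0/24")
PROTO_IPV6_ENCAP = 41      # IANA protocol number: IPv6 encapsulated in IPv4
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int          # IP protocol number of the outer header
    sport: int = 0
    dport: int = 0


def classify(flow: Flow) -> str:
    """Return a label naming why the flow violates the block policy, or 'allow'.

    Checks run in priority order: a protocol-41 packet to the 6to4 anycast
    prefix is reported as a tunnel, not as a prefix hit.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src.version == 6 or dst.version == 6:
        return "block:native-ipv6"
    if flow.proto == PROTO_IPV6_ENCAP:
        return "block:proto41-tunnel"
    if flow.proto == PROTO_UDP and TEREDO_UDP_PORT in (flow.sport, flow.dport):
        return "block:teredo"
    if src in SIXTO4_ANYCAST or dst in SIXTO4_ANYCAST:
        return "block:6to4-anycast-prefix"
    return "allow"


def audit(flows):
    """Return (verdicts, counts); the counts can drive an alert threshold."""
    verdicts = [(f, classify(f)) for f in flows]
    counts = {}
    for _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return verdicts, counts


# Constructed sample flows (not real traffic); documentation prefixes only.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 6, 51000, 443),     # ordinary TCP, allowed
    Flow("10.1.2.3", "192.88.99.1", 41),                 # 6to4 via a public anycast relay
    Flow("10.1.2.4", "198.51.100.5", 41),                # ISATAP / manual protocol-41 tunnel
    Flow("10.1.2.5", "198.51.100.6", 17, 60000, 3544),   # Teredo client contacting a Teredo server
    Flow("2001:db8::1", "2001:db8::2", 6, 40000, 80),    # native IPv6 seen at the border
    Flow("10.1.2.6", "198.51.100.7", 17, 53000, 53),     # plain DNS, allowed
]

if __name__ == "__main__":
    verdicts, counts = audit(SAMPLE_FLOWS)
    for flow, verdict in verdicts:
        print(f"{flow.src:>14} -> {flow.dst:<14} proto={flow.proto:<3} {verdict}")
    print(counts)
```

Teredo is matched on UDP port 3544 in either direction because the client side uses an ephemeral port; a stricter rule would also inspect the UDP payload for the Teredo header, which the flow record does not carry.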

Postscript: Sites running a Postfix version 2.2 (or later) mail transfer agent (MTA) must include the following in /etc/postfix/main.cf:

            inet_protocols = ipv4

Without this line, Postfix defaults to using IPv6 for mail delivery, and when that fails Postfix will stop trying. Postfix will not use IPv4 without it.
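A quick way to audit a fleet of mail hosts for the setting above is to parse main.cf the way Postfix reads it (last occurrence of a parameter wins, and an indented line continues the previous value) rather than grepping for the string. This is an added example, not code from the page or the Postfix project; the sample configurations are constructed.

```python
"""Check a Postfix main.cf for an explicit 'inet_protocols = ipv4'.
Added example; the sample main.cf texts are constructed."""
import re

_PARAM_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text: str) -> dict:
    """Parse main.cf syntax: 'name = value', '#' comment lines, continuation
    lines that start with whitespace, and later settings overriding earlier
    ones. Comments are treated as whole lines only (assumption that is
    sufficient for this check)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = _PARAM_LINE.match(raw)
        if not m:
            current = None          # malformed line; Postfix itself would reject it
            continue
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def inet_protocols_verdict(text: str) -> str:
    """'ok' when inet_protocols is explicitly ipv4 only, else describe the gap."""
    value = parse_main_cf(text).get("inet_protocols")
    if value is None:
        return "missing: inet_protocols not set, Postfix default applies"
    tokens = set(value.replace(",", " ").lower().split())
    if tokens == {"ipv4"}:
        return "ok"
    return f"not ipv4-only: inet_protocols = {value}"


# Constructed sample configurations.
SAMPLE_OK = """# constructed main.cf
myhostname = mail.example.test
inet_protocols = ipv4
"""
SAMPLE_BOTH = """inet_protocols = ipv4,
    ipv6
"""
SAMPLE_MISSING = "myhostname = mail.example.test\n"

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("both", SAMPLE_BOTH), ("missing", SAMPLE_MISSING)):
        print(f"{name:<8} {inet_protocols_verdict(cfg)}")
```

Run it against the output of `postconf -n` instead of the raw file if you want the value Postfix actually applies after defaults and overrides.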
