Department of Defense
High Performance Computing Modernization Program

Introduction

This article focuses on tools and techniques that can be used to detect, prevent, or monitor attempts to use networks in unauthorized ways. Its scope differs from that of the Network Management Recommendations article in the Network Management section, which covers the policies and practices recommended for network administrators and managers.

When changing the security infrastructure of a network that currently supports Internet Protocol version 4 (IPv4)-only to either dual-stack (IPv4 and IPv6 are both supported) or IPv6-only, there are no easy or quick solutions. Network security and network management in both environments have been the subject of numerous Internet Engineering Task Force (IETF) Request For Comments (RFC) documents, including:

  • RFC 4057, IPv6 Enterprise Network Scenarios
  • RFC 4942, IPv6 Transition/Coexistence Security Considerations
  • Operational Security Considerations for IPv6 Networks (an IETF draft at the time of writing, since published as RFC 9099), which complements RFC 4942
  • RFC 6418, Multiple Interfaces and Provisioning Domains Problem Statement
  • RFC 7381, Enterprise IPv6 Deployment Guidelines
  • RFC 7556, Multiple Provisioning Domain Architecture
  • RFC 8043, Source-Address-Dependent Routing and Source Address Selection for IPv6 Hosts
  • Recommendations on the Filtering of IPv6 Extension Headers (an IETF draft at the time of writing, since published as RFC 9288 under the title Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers)
  • Discovering Provisioning Domain Names and Data (an IETF draft at the time of writing, since published as RFC 8801)
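As an added worked example (not code from any of the documents listed above), the following Python parser walks an IPv6 extension-header chain and applies filtering checks that the listed RFCs motivate: Hop-by-Hop Options must directly follow the fixed header (RFC 8200), Routing Header Type 0 is deprecated (RFC 5095), the whole header chain must fit in the first fragment (RFC 7112), and Neighbor Discovery messages must not be fragmented (RFC 6980). The sample packets, the 2001:db8::/32 addresses, and the function names (`walk_chain`, `classify`) are constructed here for illustration and are not from any vendor or RFC.

```python
"""Walk an IPv6 extension-header chain and apply filtering checks drawn from
RFC 5095, 6980, 7112 and 8200. All packets below are constructed inline."""
import struct

IPV6_HDR_LEN = 40
EXT_HEADERS = {0: "HopByHop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "DestOpts"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6", 59: "NoNextHeader"}
ND_TYPES = range(133, 138)  # ICMPv6 RS, RA, NS, NA, Redirect


def walk_chain(pkt):
    """Return (chain, upper, findings) for a raw IPv6 packet.

    chain: extension-header names in wire order; upper: upper-layer protocol
    name, or None if the chain could not be followed to its end; findings:
    policy violations, each tagged with the RFC that motivates it.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, findings, fragmented = pkt[6], IPV6_HDR_LEN, [], [], False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):  # every extension header is at least 8 bytes
            findings.append("header chain does not fit in first fragment (RFC 7112)"
                            if fragmented else "extension-header chain truncated")
            return chain, None, findings
        chain.append(EXT_HEADERS[nh])
        next_nh = pkt[off]  # first byte of every extension header is Next Header
        if nh == 0 and off != IPV6_HDR_LEN:
            findings.append("Hop-by-Hop header not directly after fixed header (RFC 8200)")
        if nh == 43 and pkt[off + 2] == 0:
            findings.append("Routing Header Type 0 present (deprecated by RFC 5095)")
        if nh == 44:
            hlen, fragmented = 8, True
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return chain, None, findings  # non-first fragment: rest of chain not here
        elif nh == 51:
            hlen = (pkt[off + 1] + 2) * 4  # AH: length in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8  # HBH/DestOpts/Routing: 8-byte units, first excluded
        off, nh = off + hlen, next_nh
    upper = UPPER_LAYER.get(nh, "proto-%d" % nh)
    if fragmented and nh == 58 and off < len(pkt) and pkt[off] in ND_TYPES:
        findings.append("Neighbor Discovery message inside a fragment (RFC 6980)")
    return chain, upper, findings


def classify(pkt):
    """Transit-filter verdict: drop on any finding, otherwise accept."""
    chain, upper, findings = walk_chain(pkt)
    return ("drop" if findings else "accept"), chain, upper, findings


# Constructed sample data (documentation prefix 2001:db8::/32).
SRC = bytes.fromhex("20010db8000000010000000000000001")  # 2001:db8:0:1::1
DST = bytes.fromhex("20010db8000000020000000000000001")  # 2001:db8:0:2::1
PADN6 = bytes([1, 4, 0, 0, 0, 0])  # PadN option that pads an options header to 8 bytes
ICMP_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # Echo Request; checksum left zero
ICMP_NS = bytes([135, 0, 0, 0, 0, 0, 0, 0]) + DST  # Neighbor Solicitation for DST


def ipv6(nh, payload):
    """Fixed header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload


SAMPLES = {
    "plain_echo": ipv6(58, ICMP_ECHO),
    # RH0: next=58, ext len 2 (one 16-byte address), routing type 0, segments left 1
    "rh0": ipv6(43, bytes([58, 2, 0, 1, 0, 0, 0, 0]) + DST + ICMP_ECHO),
    # First fragment (offset 0, M=1) carrying a Neighbor Solicitation
    "fragmented_ns": ipv6(44, bytes([58, 0]) + struct.pack("!HI", 1, 0x1234) + ICMP_NS),
    # Destination Options first, Hop-by-Hop second: order forbidden by RFC 8200
    "hbh_after_dstopts": ipv6(60, bytes([0, 0]) + PADN6 + bytes([58, 0]) + PADN6 + ICMP_ECHO),
    # Non-first fragment (offset 8, M=0): the chain stops at the Fragment header
    "later_fragment": ipv6(44, bytes([58, 0]) + struct.pack("!HI", 8 << 3, 0x1234) + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, chain, upper, findings = classify(pkt)
        print("%-18s %-6s %-20s %s %s" % (name, verdict, "/".join(chain) or "-", upper, findings))
```

Note that a non-first fragment yields no finding on its own: the checks that need the full header chain can only be applied to the first fragment or after reassembly, which is why RFC 7112 requires the entire chain to be present there. A stateless transit filter that wants to enforce these rules per packet must therefore decide separately what to do with later fragments.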

While not limited to networks that support IPv6, this article provides a comprehensive overview of best practices for establishing and maintaining security across many risk management areas of Information Technology. For more in-depth information, several books on IPv6 security are listed in part 3 of the IPv6 Training and Learning Information file in the IPv6 Training and Learning article under the Deployment section.

Best Practices Resources

IPv6-specific network security examples, general recommendations, and product information to help deploy IPv6 in an existing network or transition to an IPv6-only network are provided by the following articles, reports, papers, seminars, tutorials, presentations, and websites:

  1. Guidelines for the Secure Deployment of IPv6 (Special Publication 800-119), published by the National Institute of Standards and Technology (NIST)
  2. The IETF RFC 4301, Security Architecture for the Internet Protocol, and the draft document Operational Security Considerations for IPv6 Networks (since published as RFC 9099)
  3. The ERNW Security and Privacy for Multi-Prefix and Provisioning Domains in IPv6 presentation and video
  4. The IPv6 Vulnerability Scanning and Penetration Testing article in the Security section
  5. A series of talks presented annually at various conferences by Cisco Systems, Inc. (for example at APNIC, APRICOT, and Cisco Live 365), entitled “IPv6 Security Threats and Mitigations”.
  6. The Canadian Internet Registration Authority (CIRA) internal IPv6 Policy document
  7. The Infoblox Best Practices for IPv6 Security webinar
  8. Although written for the home network, the recommendations in Best Practices for Keeping Your Home Network Secure also apply when administering user systems in the workplace
  9. IPv6 Deployments, a presentation to Réseaux IP Européens (RIPE)
  10. This 2013 Federal IPv6 Interagency Working Group presentation suggests mitigations for IPv6 security issues.
  11. IPv6 Security Best Practices by Cisco Systems, Inc.
  12. This Monolith Software blog entry provides best-practice tips for monitoring any network
  13. The GÉANT (Gigabit European Academic Network) project documented many network monitoring recommendations. An example is the Practical IPv6 Monitoring on Campus best practice document, which describes a way to monitor a dual-stack network using a combination of SNMP and NetFlow
  14. IPv6 Security (2008), IPv6 Security (2011), and IPv6 Attacks and Countermeasures (2013), presentations from the Rocky Mountain IPv6 Task Force (RMv6TF).
  15. Master’s thesis: IPv6 Security Test Laboratory, Johannes Weber (see the “Countermeasures” and “Firewall’s Best Practices” sections)
  16. TechTarget SearchNetworking articles describing mitigations for, and ways to avoid, Neighbor Discovery Protocol attacks:
    1. How to avoid IPv6 neighbor discovery threats
    2. How to protect your IPv6 address management
    3. Mitigating IPv6 neighbor discovery attacks
    4. IPv6 attack attempts and how to mitigate them
  17. A collection of guides, best practices, checklists, benchmarks, tools, and other resources describing the steps to harden numerous commercial and open source operating systems against a wide variety of attacks is available on this GitHub project page.

The following are older but still useful reports and papers:

  1. An IPv6 Security Guide for U.S. Government Agencies, published by Juniper Networks, Inc.
  2. IPv6 and IPv4 Threat Comparison and Best Practice paper from Cisco Systems, Inc.
  3. Secure IPv6 Operation: Lessons Learned from 6NET, a report from the European IPv6 deployment. (The 6NET project completed in June 2005 and was followed by the 6DISS project, which completed in September 2007, and then by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu), which completed in February 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6), which completed in May 2015; the Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material.) The current European IPv6 project is IPv6 Framework for European Governments.

The following websites contain articles discussing tools and techniques that can be used to detect, prevent, or monitor attempts to use networks in unauthorized ways:

  1. The United States Computer Emergency Readiness Team (US-CERT) issues a continuing series of security publications, with dissemination sometimes limited by a publication’s designated Traffic Light Protocol (TLP) color. Some of these publications are specific to IPv6, such as Fundamental Filtering of IPv6 Network Traffic and Malware Tunneling in IPv6, while others are protocol neutral.
  2. While specific to the Department of Defense (DoD), the publicly available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) include guidance for IPv6. They are available on the DISA website.
  3. The National Security Agency (NSA) Security Configuration Guides are available from the NSA website (under the Library heading, alongside other subject areas); older NSA Security Configuration Guides are archived separately.
