Special Publication 800-119
Guidelines for the Secure
Deployment of IPv6
Recommendations of the National Institute
of Standards and Technology
Sheila Frankel
Richard Graveman
John Pearce
Mark Rooks
Computer Security
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
December 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Dr. Patrick D. Gallagher, Director
GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-119
Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010)
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgments
The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), Richard
Graveman of RFG Security, John Pearce of Booz Allen Hamilton and Mark Rooks of L-1 Identity
Solutions (formerly of Booz Allen Hamilton) wish to thank their colleagues who reviewed drafts of this
document and contributed to its technical content.
The authors would like to acknowledge Tim Grance of NIST for his keen and insightful assistance and
encouragement throughout the development of the document. The authors particularly want to thank
Mark Carson, Doug Montgomery and Stephen Nightingale of NIST and Scott Hogg for their careful
review and valuable contributions to improving the quality of this publication.
The authors also appreciate the efforts of those individuals, agencies, and other organizations that
contributed input during the public comment period, including John Baird, DREN; Alistair de B
Clarkson, nCipher; Vint Cerf, Google; John Curran, ARIN; Terry Davis, Boeing; Francois Donze and
Michael Scott Pontillo, HP; Jeffrey Dunn, Chern Liou, and Jeffrey Finke, Mitre; Fernando Gont, the UK
Centre for the Protection of National Infrastructure (UK CPNI); Bob Grillo, US Army; Cecilia Hall, Don
Radeke and Joseph Bertrand, USMC; J. Holland, David Leach, Sam Nguyen, M. Roed, Beth Scruggs, D.
Wellington and Joe Williams, Aerospace Corp.; Ed Jankiewicz, SRI International; Ralph Kenyon, Caida;
Lovell King II, Dept. of State; Joe Klein, IPv6 Security Researcher; Dan Luu, VA; Trung Nguyen, FAA;
Carroll Perkins, Serco-NA; and Martin Radford, University of Bristol.
Table of Contents

Executive Summary ... 1

1. Introduction ... 1-1
1.1 Authority ... 1-1
1.2 Purpose and Scope ... 1-1
1.3 Audience ... 1-1
1.4 Document Structure ... 1-1

2. Introduction to IPv6 ... 2-1
2.1 Early History of IPv6 ... 2-1
2.2 Limitations of IPv4 ... 2-1
2.3 Major Features of the IPv6 Specification ... 2-2
2.3.1 Extended Address Space ... 2-3
2.3.2 Autoconfiguration ... 2-3
2.3.3 Header Structure ... 2-3
2.3.4 Extension Headers ... 2-4
2.3.5 Mandatory Internet Protocol Security (IPsec) Support ... 2-4
2.3.6 Mobility ... 2-4
2.3.7 Quality of Service (QoS) ... 2-5
2.3.8 Route Aggregation ... 2-5
2.3.9 Efficient Transmission ... 2-5
2.4 IPv4 and IPv6 Threat Comparison ... 2-5
2.5 Motivations for Deploying IPv6 ... 2-7

3. IPv6 Overview ... 3-1
3.1 IPv6 Addressing ... 3-2
3.1.1 Shorthand for Writing IPv6 Addresses ... 3-5
3.1.2 IPv6 Address Space Usage ... 3-6
3.1.3 IPv6 Address Types ... 3-7
3.1.4 IPv6 Address Scope ... 3-7
3.1.5 IPv4 Addressing ... 3-9
3.1.6 IPv4 Classless Inter-Domain Routing (CIDR) Addressing ... 3-10
3.1.7 Comparing IPv6 and IPv4 Addressing ... 3-11
3.2 IPv6 Address Allocations ... 3-12
3.2.1 IPv6 Address Assignments ... 3-12
3.2.2 Obtaining Globally Routable IPv6 Address Space ... 3-14
3.3 IPv6 Header Types, Formats, and Fields ... 3-16
3.4 IPv6 Extension Headers ... 3-18
3.5 Internet Control Message Protocol for IPv6 (ICMPv6) ... 3-22
3.5.1 ICMPv6 Specification Overview ... 3-22
3.5.2 Differences between IPv6 and IPv4 ICMP ... 3-25
3.5.3 Neighbor Discovery ... 3-26
3.5.4 Autoconfiguration ... 3-28
3.5.5 Path Maximum Transmission Unit (PMTU) Discovery ... 3-29
3.5.6 Security Ramifications ... 3-30
3.6 IPv6 and Routing ... 3-34
3.6.1 Specification Overview ... 3-34
3.6.2 Security for Routing Protocols ... 3-35
3.6.3 Unknown Aspects ... 3-36
3.7 IPv6 and the Domain Name System (DNS) ... 3-36
3.7.1 DNS Transport Protocol ... 3-37
3.7.2 DNS Specification Overview ... 3-37
3.7.3 Security Impact and Recommendations ... 3-39

4. IPv6 Advanced Topics ... 4-1
4.1 Multihoming ... 4-1
4.1.1 Differences between IPv4 and IPv6 Multihoming ... 4-1
4.1.2 Site Multihoming by IPv6 Intermediation (SHIM6) Specification Overview ... 4-2
4.1.3 Security Ramifications for Multihoming ... 4-4
4.2 IPv6 Multicast ... 4-5
4.2.1 IPv6 Multicast Specifications ... 4-6
4.2.2 Differences between IPv4 and IPv6 Multicast ... 4-8
4.2.3 Multicast Security Ramifications ... 4-9
4.2.4 Unresolved Aspects of IPv6 Multicast ... 4-9
4.3 IPv6 Quality of Service (QoS) ... 4-10
4.3.1 IPv6 QoS Specifications ... 4-10
4.3.2 Differences between IPv4 and IPv6 QoS ... 4-11
4.3.3 Security Ramifications ... 4-11
4.3.4 Unresolved Aspects of IPv6 QoS ... 4-12
4.4 Mobile IPv6 (MIPv6) ... 4-12
4.4.1 MIPv6 Specification Overview ... 4-12
4.4.2 Differences from IPv4 Standards ... 4-16
4.4.3 Security Ramifications ... 4-16
4.4.4 Unknown Aspects ... 4-26
4.5 Jumbograms ... 4-27
4.5.1 Specification Overview ... 4-27
4.5.2 Security Ramifications ... 4-27
4.6 Address Selection ... 4-28
4.6.1 Specification Overview ... 4-28
4.6.2 Differences from IPv4 Standards ... 4-30
4.6.3 Security Ramifications ... 4-30
4.6.4 Unknown Aspects ... 4-31
4.7 Dynamic Host Configuration Protocol (DHCP) for IPv6 ... 4-31
4.7.1 Specification Overview ... 4-32
4.7.2 Differences from IPv4 Standards ... 4-34
4.7.3 Security Ramifications ... 4-34
4.7.4 Unknown Aspects ... 4-35
4.8 IPv6 Prefix Renumbering ... 4-35
4.8.1 Specification Overview ... 4-36
4.8.2 Differences from IPv4 Standards ... 4-38
4.8.3 Security Ramifications ... 4-38
4.8.4 Unknown Aspects ... 4-39

5. IPv6 Security Advanced Topics ... 5-1
5.1 Privacy Addresses ... 5-1
5.2 Cryptographically Generated Addresses ... 5-3
5.3 IPsec in IPv6 ... 5-4
5.3.1 Specification Overview ... 5-5
5.3.2 Differences from IPv4 Standards ... 5-8
5.3.3 Support for Multicast ... 5-8
5.3.4 Status of IPsec and On-Going Work ... 5-9
5.3.5 Security Ramifications ... 5-15
5.3.6 Unknown Aspects ... 5-16
5.4 Secure Stateless Address Autoconfiguration and Neighbor Discovery ... 5-17
5.4.1 Using IPsec to Secure Autoconfiguration and ND ... 5-18
5.4.2 Using SEND to Secure Autoconfiguration and ND ... 5-19
5.4.3 Current Status and Unknown Aspects ... 5-19

6. IPv6 Deployment ... 6-1
6.1 Security Risks ... 6-1
6.1.1 Attacker Community ... 6-1
6.1.2 Unauthorized IPv6 Clients ... 6-2
6.1.3 Vulnerabilities in IPv6 ... 6-2
6.1.4 Dual Operations ... 6-4
6.1.5 Perceived Risk ... 6-4
6.1.6 Vendor Support ... 6-4
6.2 Addressing Security ... 6-5
6.2.1 Numbering Plan ... 6-5
6.2.2 Hierarchical Addressing to Support Security Segmentation ... 6-6
6.2.3 Problems with EUI-64 Addresses ... 6-7
6.2.4 Address Management ... 6-7
6.2.5 Privacy Extensions ... 6-8
6.3 Transition Mechanisms ... 6-8
6.4 Dual Stack IPv4/IPv6 Environments ... 6-9
6.4.1 Deployment of a Dual Stack Environment ... 6-9
6.4.2 Addressing in a Dual Stack Environment ... 6-10
6.4.3 Security Implications of a Dual Stack Environment ... 6-11
6.5 Tunneling ... 6-11
6.5.1 General Security Considerations for Tunneling ... 6-13
6.5.2 Configured Tunneling ... 6-15
6.5.3 Automatic Tunneling ... 6-16
6.5.4 6over4 Protocol ... 6-16
6.5.5 6to4 and 6rd Protocols ... 6-17
6.5.6 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) ... 6-19
6.5.7 Teredo Protocol ... 6-22
6.5.8 Tunnel Brokers ... 6-27
6.5.9 Automatic Tunneling of IPv4 over IPv6 (Dual Stack Transition Mechanism [DSTM]) ... 6-28
6.5.10 Carrier-Grade NAT and Dual-Stack Lite ... 6-30
6.6 Translation ... 6-32
6.6.1 SIIT ... 6-33
6.6.2 NAT-PT ... 6-33
6.6.3 Replacing NAT-PT ... 6-34
6.6.4 TRT ... 6-35
6.6.5 Application Layer Translation ... 6-36
6.7 Other Transition Mechanisms ... 6-37
6.8 The IPv6 Deployment Planning Process for Security ... 6-37
6.9 IPv6 Deployment ... 6-38
6.9.1 Initiation Phase ... 6-39
6.9.2 Acquisition / Development Phase ... 6-41
6.9.3 Implementation Phase ... 6-44
6.9.4 Operations / Maintenance Phase ... 6-46
6.9.5 Disposition Phase ... 6-46
6.10 Summary ... 6-47

List of Appendices
Appendix A: Acronyms and Abbreviations ... A-1
Appendix B: References and Other IPv6 Resources ... B-1

List of Figures
Figure 2-1. The IPv6 Packet Header Format (Field Sizes in Bits) ... 2-4
Figure 3-1. IPv6 Address Format ... 3-3
Figure 3-2. 32-Bit Network Prefix ... 3-4
Figure 3-3. 48-Bit Network Prefix ... 3-4
Figure 3-4. 64-Bit Network Prefix ... 3-5
Figure 3-5. A Comparison of IPv4 and IPv6 Addressing ... 3-11
Figure 3-6. The IPv6 Packet Header Format (Field Sizes in Bits) (RFC 2460) ... 3-16
Figure 3-7. Example IPv6 Packet Header ... 3-18
Figure 3-8. Next Header Fields in IPv6 and Extension Headers ... 3-18
Figure 3-9. IPv6 Extension Header Chaining ... 3-19
Figure 3-10. ICMPv6 Message Format ... 3-23
Figure 3-11. Example of Neighbor Discovery ... 3-27
Figure 3-12. Example of Stateless Address Autoconfiguration (SLAAC) ... 3-29
Figure 3-13. Significance of MTU under IPv6 ... 3-30
Figure 4-1. SHIM6 Protocol Stack ... 4-4
Figure 4-2. The Main MIPv6 Components ... 4-14
Figure 4-3. IKEv1 Identifiers used between a MN and its HA ... 4-20
Figure 4-4. IKEv2 Identifiers used between a MN and its HA ... 4-20
Figure 4-5. Return Routability: Init Messages ... 4-22
Figure 4-6. Return Routability: Keygen Replies ... 4-23
Figure 4-7. Reverse Routability: BU and BUA Protected with Kbm ... 4-24
Figure 5-1. Example of IPv6 Privacy Addressing ... 5-2
Figure 5-2. Generating Cryptographic Addresses from Public-Private Key Pairs ... 5-3
Figure 5-3. IPsec in the TCP/IP Protocol Stack ... 5-5
Figure 5-4. Encryption and Authentication Algorithms for the IPsec Protocol ... 5-9
Figure 5-5. Cryptographic Algorithms for Use in IKEv2 ... 5-10
Figure 6-1. Example of Tunneling IPv6 over IPv4 Networks ... 6-12
Figure 6-2. IPv6 over IPv4 Tunnels Transparent to the IPv4 Infrastructure ... 6-14
Figure 6-3. Example: Tunneling IPv6 over IPv4 Networks with ISATAP ... 6-21
Figure 6-4. Example: Tunneling IPv6 over IPv4 Networks with Teredo ... 6-23
Figure 6-5. Teredo Address ... 6-24

List of Tables
Table 3-1. Differences between IPv4 and IPv6 ... 3-1
Table 3-2. IPv6 Address Types ... 3-6
Table 3-3. Assignment of Leftmost, Centermost, and Rightmost Bits ... 3-13
Table 3-4. IPv6 Extension Headers and Upper Layer Protocols ... 3-21
Table 3-5. ICMPv6 Error Messages and Code Type ... 3-24
Table 3-6. ICMPv6 Informational Messages ... 3-24
Table 3-7. ICMPv6 Recommended Filtering Actions: Must Not Drop and Should Not Drop ... 3-33
Table 4-1. IPv6 Scoped Multicast Values (from RFC 4291) ... 4-7
Executive Summary
Due to the exhaustion of IPv4 (Internet Protocol version 4) address space, and the Office of Management
and Budget (OMB)[1] mandate that U.S. federal agencies begin to use the IPv6 (Internet Protocol version 6)
protocol, NIST undertook the development of a guide to help educate federal agencies about the possible
security risks during their initial IPv6 deployment. This document provides guidelines for organizations
to aid in securely deploying IPv6. Since the majority of organizations will most likely run both IPv6 and
IPv4 on their networks for the foreseeable future, this document speaks about the deployment of IPv6
rather than the transition to IPv6.[2]

The deployment of IPv6 can lead to new challenges and types of threats facing an organization. The goals
of this document are:

- To educate the reader about IPv6 features and the security impacts of those features
- To provide a comprehensive survey of mechanisms that can be used for the deployment of IPv6
- To provide a suggested deployment strategy for moving to an IPv6 environment
The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted. IPv6 is not
backwards compatible with IPv4, which means organizations will have to change their network
infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of
deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization
to navigate the process smoothly and securely.
Federal agencies will most likely face security challenges throughout the deployment process, including:

- An attacker community that most likely has more experience and comfort with IPv6 than an
  organization in the early stages of deployment
- Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks
- Added complexity while operating IPv4 and IPv6 in parallel
- Lack of IPv6 maturity in security products when compared to IPv4 capabilities
- Proliferation of transition-driven IPv6 (or IPv4) tunnels, which complicate defenses at network
  boundaries even if properly authorized, and can completely circumvent those defenses if unauthorized
  (e.g. host-based tunnels initiated by end users)

Organizations planning the deployment of IPv6 should consider the following during the planning
process:

- IPv6 is a new protocol that is not backward compatible with IPv4
- In most cases IPv4 will still be a component of IT (Information Technology) infrastructure.
  As such, even after the deployment of IPv6, organizations will require mechanisms for IPv6
  and IPv4 co-existence.
- IPv6 can be deployed just as securely as IPv4, although it should be expected that
  vulnerabilities within the protocol, as well as with implementation errors, will lead to an initial
  increase in IPv6-based vulnerabilities. As a successor to IPv4, IPv6 does incorporate many of
  the lessons learned by the Internet Engineering Task Force (IETF) for IPv4.
- IPv6 has already been deployed and is currently in operation in large networks globally.

[1] OMB Memo M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), August 2005; OMB Memo, Transition
to IPv6, September 2010
[2] Since many of the IPv6-related protocols, tools and mechanisms are typically referred to as transition mechanisms, this
document does use the word transition in that context.
To overcome possible obstacles associated with deploying IPv6, organizations should consider the
following recommendations:

- Encourage staff to increase their knowledge of IPv6 to a level comparable with their current
  understanding of IPv4
- Plan a phased IPv6 deployment utilizing appropriate transition mechanisms to support
  business needs; don’t deploy more transition mechanisms than necessary
- Plan for a long transition period with dual IPv4/IPv6 co-existence
Organizations that are not yet deploying IPv6 globally should implement the following recommendations:

- Block all IPv6 traffic, native and tunneled, at the organization's firewall. Both incoming and
  outgoing traffic should be blocked.
- Disable all IPv6-compatible ports, protocols and services on all software and hardware.
- Begin to acquire familiarity and expertise with IPv6, through laboratory experimentation
  and/or limited pilot deployments.
- Make organization web servers, located outside of the organizational firewall, accessible via
  IPv6 connections. This will enable IPv6-only users to access the servers and aid the
  organization in acquiring familiarity with some aspects of IPv6 deployment.
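Blocking native and tunneled IPv6 at the boundary presupposes that the organization can recognize such traffic on an IPv4-only network. The following is an added example, not code from NIST SP 800-119, showing how a boundary audit can classify raw Ethernet frames as native IPv6 (EtherType 0x86DD), IPv6-in-IPv4 (IP protocol 41, the carrier for configured tunnels, 6to4, 6rd and ISATAP) or Teredo (IPv6 inside UDP, port 3544); those constants are the standard ones, the sample frames are constructed inside the block, and the classifier is an assumed design rather than a tool the document names.

```python
"""Classify Ethernet frames as native IPv6, tunneled IPv6 or plain IPv4.

Added example (not from NIST SP 800-119). Assumes raw Ethernet II frames,
such as a sniffer or pcap reader would return. Sample frames are constructed.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41    # IPv6 carried directly in IPv4: configured tunnels, 6to4, 6rd, ISATAP
TEREDO_PORT = 3544   # UDP port used by Teredo servers and relays


def _looks_like_ipv6(data: bytes) -> bool:
    """True if data begins with a plausible IPv6 fixed header (version nibble 6)."""
    return len(data) >= 40 and data[0] >> 4 == 6


def _teredo_carries_ipv6(udp_payload: bytes) -> bool:
    """Teredo may prefix the IPv6 packet with an authentication (0x0001) or
    origin (0x0000) indication; accept either, or a bare IPv6 header."""
    if len(udp_payload) >= 2 and udp_payload[:2] in (b"\x00\x00", b"\x00\x01"):
        return True
    return _looks_like_ipv6(udp_payload)


def classify_frame(frame: bytes) -> str:
    """Label a frame: 'native-ipv6', 'ipv6-in-ipv4', 'teredo', 'ipv4' or 'other'."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return "native-ipv6"
    if ethertype != ETHERTYPE_IPV4:
        return "other"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "other"
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes, options included
    proto = ip[9]
    payload = ip[ihl:]
    if proto == IPPROTO_IPV6 and _looks_like_ipv6(payload):
        return "ipv6-in-ipv4"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport) and _teredo_carries_ipv6(payload[8:]):
            return "teredo"
    return "ipv4"


def audit(frames) -> dict:
    """Count frames per label. On a network that has not yet deployed IPv6,
    every label other than 'ipv4' and 'other' is traffic the boundary should
    be blocking, or at least logging for follow-up."""
    counts = {}
    for frame in frames:
        label = classify_frame(frame)
        counts[label] = counts.get(label, 0) + 1
    return counts


# --- constructed sample frames (addresses from documentation ranges) ---------

def _frame(ethertype: int, payload: bytes) -> bytes:
    return bytes(12) + struct.pack("!H", ethertype) + payload   # zeroed MAC addresses


def _ipv4(proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte header; checksum left at zero since nothing verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ipv6(payload: bytes = b"") -> bytes:
    # Fixed header only; next header 59 means "no next header".
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64, src, dst) + payload


SAMPLE_FRAMES = {
    "native": _frame(ETHERTYPE_IPV6, _ipv6()),
    "6in4": _frame(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6, _ipv6())),
    "teredo": _frame(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(51000, TEREDO_PORT, _ipv6()))),
    "dns": _frame(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(51001, 53, bytes(12)))),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:8s} -> {classify_frame(frame)}")
    print(audit(SAMPLE_FRAMES.values()))
```

The classifier only recognizes the carriers named in this document; 6over4 (IPv6 over IPv4 multicast) and tunnel-broker setups that use the same protocol 41 encapsulation are covered, but anything wrapped in TLS or a VPN is not.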
Organizations that are deploying IPv6 should implement the following recommendations to mitigate IPv6
threats:

- Apply an appropriate mix of different types of IPv6 addressing (privacy addressing, unique
  local addressing, sparse allocation, etc.) to limit access and knowledge of IPv6-addressed
  environments.
- Use automated address management tools to avoid manual entry of IPv6 addresses, which is
  prone to error because of their length.
- Develop a granular ICMPv6 (Internet Control Message Protocol for IPv6) filtering policy for the
  enterprise. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but
  others are blocked.[3]
- Use IPsec (Internet Protocol Security) to authenticate and provide confidentiality to assets that
  can be tied to a scalable trust model (an example is access to Human Resources assets by
  internal employees that make use of an organization’s Public Key Infrastructure (PKI) to
  establish trust).
- Identify capabilities and weaknesses of network protection devices in an IPv6 environment.
- Enable controls that might not have been used in IPv4 due to a lower threat level during initial
  deployment (implementing default deny access control policies, implementing routing
  protocol security, etc.).
- Pay close attention to the security aspects of transition mechanisms such as tunneling
  protocols.
- Ensure that IPv6 routers, packet filters, firewalls, and tunnel endpoints enforce multicast scope
  boundaries and make sure that Multicast Listener Discovery (MLD) packets are not
  inappropriately routable.
- Be aware that switching from an environment in which NAT (Network Address Translation)
  provides IP (Internet Protocol) addresses to unique global IPv6 addresses could trigger a
  change in the FISMA (Federal Information Security Management Act) system boundaries.

[3] NIST SP 500-267, A Profile for IPv6 in the US Government, specifies the capability to perform selective ICMPv6 filtering
as a mandatory function. However, currently, that capability is not available in all products.
After reviewing this document, the reader should have a reasonable understanding of IPv6 and how it
compares to IPv4, as well as security impacts of IPv6 features and capabilities, and increased knowledge
and awareness about the range of IPv4 to IPv6 transition mechanisms.
ES-3
GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6
1. Introduction
1.1 Authority
The National Institute of Standards and Technology (NIST) developed this document in furtherance of its
statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002,
Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for
providing adequate information security for all agency operations and assets; but such standards and
guidelines shall not apply to national security systems. This guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency
Information Systems,” as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental
information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright, though attribution is desired.
Nothing in this document should be taken to contradict standards and guidelines made mandatory and
binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other Federal official.
1.2 Purpose and Scope
The purpose of Guidelines for the Secure Deployment of IPv6 is to provide information security guidance
to organizations that are planning to deploy IPv6 technologies or are simply seeking a better
understanding of IPv6. The scope of this document encompasses the IPv6 protocol and related protocol
specifications. IPv6-related security considerations are discussed with emphasis on deployment-related
security concerns. The document also includes general guidance on secure IPv6 deployment and
integration planning.
1.3 Audience
This document is intended primarily for network engineers and administrators who are responsible for
planning, building, and operating IP networks, as well as security engineers and administrators who are
responsible for providing Information Assurance support. Anyone interested in deploying IPv6
technologies and related security implications may also find the document useful. It includes a discussion
of the major features and protocols that constitute IPv6. For each of these, the description is comprised of
an introductory section, a more in-depth description, and three analytical sections: differences between
the IPv4 and the IPv6 versions, security ramifications and unknown aspects. Managers or users who are
trying to understand IPv6 might want to skip the in-depth descriptions but read the other sections
(Introduction, Differences, Security Ramifications and Unknown Aspects). They should also read Section
1 (Introduction) and Sections 6.8-6.9 (IPv6 Deployment). It is assumed that readers are already familiar
with basic IPv4, data networking, and network security concepts.
1.4 Document Structure
The remainder of this document is composed of the following sections and appendices:
Section 2 provides an introduction to IPv6, including its history, features, and comparisons
with IPv4.
Section 3 discusses in more detail IPv6 addressing, allocation, packet organization, and
ICMPv6.
Section 4 examines some of the more advanced features of IPv6 and their security
implications, including multihoming, multicast, QoS (Quality of Service), Mobile IPv6,
Jumbograms and address selection.
Section 5 provides an introduction to some of the advanced security features included in IPv6,
including privacy addresses; IPsec; and secure stateless address autoconfiguration and
neighbor discovery.
Section 6 covers the process of securely deploying IPv6 and discusses the risks, addressing
security, various transition mechanisms and the deployment process.
Appendix A provides a list of acronyms and abbreviations used in this document.
Appendix B lists references and other resources related to IPv6.
2. Introduction to IPv6
Internet Protocol version 6 (IPv6) is a new network layer protocol. It is an enhancement to Internet
Protocol version 4 (IPv4), the protocol in use since the 1980s. There are numerous upgrades in IPv6.
Most significantly, in comparison with IPv4, IPv6 has increased its network address size from 32 bits to
128. This provides more than enough addresses to satisfy the global demand for unique IP addresses.
This chapter provides an overview of IPv6 as a foundation for later sections. The section starts with the
early history of IPv6 and the limitations of IPv4, followed by descriptions of the major features of the
IPv6 specifications. This is followed by a threat comparison between IPv4 and IPv6 and concludes with
motivations for deploying to IPv6.
2.1 Early History of IPv6
IPv4 was developed in the 1970s and early 1980s for use in government and academic communities in the
United States to facilitate communication and information sharing. Today’s networking demand, in
particular web pages, email, peer-to-peer services, and the use of mobile devices, has grown well beyond
its originators’ expectations. Widespread deployment and growth of networking technologies and mobile
communications have surpassed IPv4’s ability to provide adequate globally unique address space.[4]
Efforts to develop a successor to IPv4 started in the early 1990s within the Internet Engineering Task
Force (IETF).[5] The objective was to solve the address space limitations as well as provide additional
functionality. The IETF started the Internet Protocol Next Generation (IPng) work in 1993 to investigate
different proposals and to make recommendations for further actions. The IETF recommended IPv6 in
1994. (The name IPv5 had previously been allocated to an experimental stream protocol.) Their
recommendation is specified in RFC 1752, The Recommendation for IP Next Generation Protocol.
Several proposals followed; the Internet Engineering Steering Group approved the IPv6 recommendation
and drafted a Proposed Standard on November 17, 1994. RFC 1883, Internet Protocol, Version 6 (IPv6)
Specification, was published in 1995. The core set of IPv6[6] protocols became an IETF Draft Standard on
August 10, 1998. This included RFC 2460, which replaced RFC 1883.
IPv6 is a protocol designed to handle the growth rate of the Internet and to cope with the demanding
requirements of services, mobility, and end-to-end security. The following sections describe the
limitations of IPv4, the major features of IPv6, and motivations for deploying IPv6.
2.2 Limitations of IPv4
IPv4 (RFC 791) was designed over 30 years ago for a relatively small number of users. At that time, it
seemed unlikely that personal computing technology would become as widespread as it is today in the
United States and worldwide. The rapid, universal adoption and growth of personal computing
technologies, including IP networking, were unforeseen in 1981. At that time, the Internet was used
almost exclusively by scholars and researchers, and IPv4’s 4.3 billion theoretically available addresses
were considered to be more than sufficient.
[4] Hagen, IPv6 Essentials 2nd Edition.
[5] The IETF is an open international community charged with the evolution of the Internet architectures and standards. An
Internet standard begins as an Internet Draft, which generally evolves during the publication of successive versions. It may
then be published as a Request for Comments (RFC) document. Some RFCs define IETF standards; others are informational
documents or describe experimental protocols.
[6] Two current IETF working groups that concentrate on IPv6 operations and protocols are the IPv6 Operations (v6ops)
Working Group and the IPv6 Maintenance (6man) Working Group.
As a result of growing Internet use, IPv4’s address capacity could not meet the demand. In practice, the
supply of available IPv4 addresses has been limited since the early 1990s. Previously, an organization
could apply for and receive an order of magnitude more IPv4 addresses than it could actually justify.
However, as a result of regulatory advances, IP address allocations are now bound by strict policies that
include formal justification to a Regional Internet Registry (RIR). During the 1990s, address allocation
policies, along with address reuse and restriction technologies, were put into place to conserve IPv4
addresses.
Technologies widely adopted in response to the constrained supply of IPv4 addresses are network address
translation (NAT [RFC 3022]) and classless inter-domain routing (CIDR [RFC 4632]); both are discussed
in detail in Chapter 3. NAT essentially makes private IPv4 addresses (also known as non-routable
addresses) at least partially functional on the global Internet. Despite their adaptation to other uses,
private IPv4 addresses were designed for testing and other non-production purposes and never intended to
be usable on the Internet. Nevertheless, a NAT-capable router positioned at an organization’s boundary
has the ability to connect an entire network of privately addressed nodes within the organization to the
Internet via a single routable IP address.
This technology saves IPv4 address space because nodes bearing private addresses are essentially “on”
the Internet but do not have globally unique IP addresses. Nevertheless, this address conservation
technology can actually defeat certain aspects of the design intent of IPv4: network layer end-to-end
security, peer-to-peer (host-to-host connectivity), and interoperability. A host using private addressing
behind a NAT device cannot have a full peer-to-peer relationship with another host via the Internet or
backbone enterprise network using globally unique addressing. This is because NAT does not allow
communication sessions to be initiated from globally addressed nodes to the privately addressed nodes.
NAT traversal technologies are available to work around some of these barriers. They typically work in
one of two ways: (1) by maintaining stateful address lookup tables and redirecting inbound traffic to
appropriate private addresses; (2) by employing application layer gateways that listen for specific port
numbers and redirect traffic according to pre-configured parameters. Neither of these approaches to NAT
traversal lends itself to scalability or guarantees compatibility with all forms of NAT, not to mention the
efforts put into each of these work-arounds. In addition, neither approach lends itself to dynamic
configuration when, for example, hosts move or networks are renumbered.
Another limitation of IPv4 is that its design favored interoperability over security and did not contain
features that protected the confidentiality, integrity, or availability of communications. For example, IPv4
could not cryptographically protect data from eavesdropping or manipulation, and IPv4 did not provide a
method for endpoints to authenticate each other. Over time, the open nature of IPv4 was increasingly a
target of exploitation. The multi-path nature of the Internet, which was designed for high availability,
also allows multiple attack vectors for a variety of threats. As a response, new technologies were added
to IPv4 to provide needed security functionality. With IPv6, these features were designed into the new
protocol as mandatory components.
2.3 Major Features of the IPv6 Specification
IPv6 has many new or improved features that make it significantly different from its predecessor. These
features include extended address space, autoconfiguration, header structure, extension headers, IPsec,
mobility, quality of service, route aggregation, and efficient transmission. This section discusses these
features and compares specific aspects of IPv4 and IPv6 to help establish an understanding of the
protocols’ similarities and differences.
2.3.1 Extended Address Space
Each IPv4 address is typically 32 bits long and is written as four decimal numbers representing 8-bit
octets and separated by decimal points or periods. An example address is 172.30.128.97. Each IPv6
address is 128 bits long (as defined in RFC 4291) and is written as eight 16-bit fields in colon-delimited
hexadecimal notation (an example is fe80:43e3:9095:02e5:0216:cbff:feb2:7474). This new 128-bit
address space provides an enormous number of unique addresses, 2^128 (or 3.4 x 10^38) addresses, compared
with IPv4’s 2^32 (or 4.3 x 10^9) addresses. That is enough for many trillions of addresses to be assigned to
every human being on the planet. Moreover, these address bits are divided between the network prefix
and the host identifier portions of the address. The network prefix designates the network upon which the
host bearing the address resides. The host identifier identifies the node or interface within the network
upon which it resides. The network prefix may change while the host identifier can remain static. The
static host identifier allows a device to maintain a consistent identity despite its location in a network.
This enormous number of addresses allows for end-to-end communication between devices with globally
unique IP addresses and can better support the delivery of peer-to-peer services with data-rich content
such as voice and video. Chapter 3 describes IPv6 addressing in detail.
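The prefix/host-identifier split described above has a security side: the common "modified EUI-64" way of forming the host identifier embeds the interface's MAC address in the low 64 bits, which is exactly what the privacy-addressing and random-identifier recommendations elsewhere in this document are meant to avoid. The following is an added example (not code from NIST or this publication) that splits an address at the /64 boundary, recovers a MAC from an EUI-64-shaped identifier (the sample address from the text encodes one), and generates a random identifier for the same prefix in the manner of RFC 4941. The inventory list is constructed for the example.

```python
import ipaddress
import secrets

# Sample address taken from the text above; the "ff:fe" in the middle of its
# low 64 bits is the signature of a modified EUI-64 interface identifier,
# i.e. one derived from the interface's hardware (MAC) address.
SAMPLE_ADDRESS = "fe80:43e3:9095:02e5:0216:cbff:feb2:7474"

# Constructed inventory for the audit below (not from the document).
SAMPLE_INVENTORY = [
    SAMPLE_ADDRESS,
    "2001:db8:1:2::10",                     # manually assigned, short IID
    "2001:db8:1:2:7c3a:91f0:0d4e:66b1",     # random-looking IID
]


def split_address(text):
    """Split an IPv6 address at the /64 boundary into (prefix_hex, iid_hex)."""
    raw = ipaddress.IPv6Address(text).packed
    return raw[:8].hex(), raw[8:].hex()


def embedded_mac(text):
    """Return the MAC address encoded in a modified EUI-64 interface
    identifier (RFC 4291, Appendix A), or None if the IID is not EUI-64 shaped.

    EUI-64 inserts 0xfffe between the two halves of the 48-bit MAC and
    inverts the universal/local bit (0x02) of the first octet.
    """
    iid = ipaddress.IPv6Address(text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                   # undo the U/L bit inversion
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def random_iid_address(prefix):
    """Build an address with a random 64-bit interface identifier under the
    given /64 prefix, in the manner of RFC 4941 temporary addresses. The
    universal/local bit is cleared so the identifier cannot be mistaken for
    a globally unique EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    iid = secrets.randbits(64) & ~(1 << 57)  # bit 57 of the IID is the U/L bit
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def audit_inventory(addresses):
    """Report, per address, whether its interface identifier leaks a MAC.
    Returns a list of (address, prefix_hex, embedded_mac_or_None)."""
    report = []
    for text in addresses:
        prefix, _ = split_address(text)
        report.append((text, prefix, embedded_mac(text)))
    return report


if __name__ == "__main__":
    for addr, prefix, mac in audit_inventory(SAMPLE_INVENTORY):
        status = f"MAC-derived IID (MAC {mac})" if mac else "no embedded MAC"
        print(f"{addr:40} prefix {prefix}  {status}")
    print("random IID example:", random_iid_address("2001:db8:1:2::/64"))
```

Run against a real address inventory, `audit_inventory` shows which hosts still advertise a hardware-derived identifier across every prefix they ever attach to; `random_iid_address` shows the shape of the alternative the privacy-addressing recommendation calls for.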
2.3.2 Autoconfiguration
Essentially plug-and-play networking, autoconfiguration, defined in RFC 4862, IPv6 Stateless Address
Autoconfiguration, is one of the most interesting and potentially valuable addressing features in IPv6.
This feature allows devices on an IPv6 network to configure themselves independently using a stateless
protocol. In IPv4, hosts are configured manually or with host configuration protocols like Dynamic Host
Configuration Protocol (DHCP); with IPv6, autoconfiguration takes this a step further by defining a
method for some devices to configure their IP addresses and other parameters without the need for a
server. Moreover, it also defines a method, renumbering, whereby the time and effort required to
renumber a network by replacing an old prefix with a new prefix are vastly reduced. Section 3.5.4
describes autoconfiguration in detail.
2.3.3 Header Structure
The IPv6 header is much simpler than the IPv4 header and has a fixed length of 40 bytes (as defined in
RFC 2460).
Even though this header is almost twice as long as the minimum IPv4 header, much of the header is taken
up by two 16-byte IPv6 addresses, leaving only 8 bytes for other header information. This allows for
improved fast processing of packets and protocol flexibility. IPv6 datagrams use a structure that always
includes a 40-byte base header and, optionally, one or more extension headers. This base header is like
the header of IPv4 datagrams, though it has a different format. Five IPv4 header fields have been
removed: IP header length, identification, flags, fragment offset, and header checksum. The IPv6 header
fields are as follows: version (IP version 6), traffic class (replacing IPv4’s type of service field), flow
label (a new field for Quality of Service (QoS) management), payload length (length of data following the
fixed part of the IPv6 header), next header (replacing IPv4’s protocol field), hop limit (number of hops,
replacing IPv4’s time to live field), and source and destination addresses. The IPv6 header format is
illustrated in Figure 2-1. The payload can be up to 64KB in size in standard mode, or larger with a jumbo
payload option. Section 3.3 describes these headers in detail.
Version (4) | Traffic Class (8) | Flow Label (20)
Payload Length (16) | Next Header (8) | Hop Limit (8)
Source Address (128)
Destination Address (128)
Figure 2-1. The IPv6 Packet Header Format (Field Sizes in Bits)[7]
2.3.4 Extension Headers
An IPv4 header can be extended from 20 bytes to a maximum of 60 bytes, but this option is rarely used
because it impedes performance and is often administratively prohibited for security reasons. IPv6 has a
new method to handle options, which allows substantially improved processing and avoids some of the
security problems that IPv4 options generated. IPv6 RFC 2460 defines six extension headers: hop-by-hop
option header, routing header, fragment header, destination options header, authentication header
(AH), and encapsulating security payload (ESP) header. Each extension header is identified by the Next
Header field in the preceding header. Section 3.4 describes extension headers in detail.
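The fixed 40-byte base header and the Next Header chain described in Sections 2.3.3 and 2.3.4 are what every IPv6-aware filter has to decode before it can see the transport layer. The following is an added example, not code from this publication, of a small decoder in Python: it unpacks the base header fields shown in Figure 2-1, then follows the extension-header chain using the length rules from RFC 2460 (8-octet units for most headers, a fixed 8 octets for Fragment, 32-bit words minus 2 for AH) and refuses any header whose declared length runs past the declared payload. The sample packet is constructed for the example.

```python
import ipaddress
import struct

# Next Header values from RFC 2460 and the IANA protocol number registry.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 50, 51, 60, 58
EXT_NAMES = {
    HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
    ESP: "esp", AH: "ah", DEST_OPTS: "destination-options",
}


def parse_fixed_header(pkt):
    """Decode the 40-byte IPv6 base header (RFC 2460, section 3)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {
        "version": word0 >> 28,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_extension_headers(pkt):
    """Follow the Next Header chain that starts in the base header.

    Returns (chain, upper_layer_protocol, payload_offset). Each extension
    header except Fragment and AH carries its length in 8-octet units, not
    counting the first 8 octets; Fragment is a fixed 8 octets; AH counts
    32-bit words minus 2. ESP ends the walk because everything after its
    header is encrypted. Every length is checked against the declared
    payload so a filter built on this cannot be walked off the packet.
    """
    hdr = parse_fixed_header(pkt)
    if hdr["version"] != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, chain = hdr["next_header"], 40, []
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == ESP:
            return chain, nh, off
        if off + 8 > end:
            raise ValueError("truncated extension header")
        nxt, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8
        elif nh == AH:
            size = (ext_len + 2) * 4
        else:
            size = (ext_len + 1) * 8
        if off + size > end:
            raise ValueError("extension header runs past the payload")
        nh, off = nxt, off + size
    return chain, nh, off


def build_sample_packet():
    """Constructed packet (not from the document): base header, a Hop-by-Hop
    header holding one PadN option, a Fragment header, then an ICMPv6 Echo
    Request. The checksum is left zero; this is for parsing, not sending."""
    icmp = bytes([128, 0, 0, 0]) + struct.pack("!HH", 1, 1) + b"ping"
    frag = struct.pack("!BBHI", ICMPV6, 0, 0, 0x1234ABCD)  # offset 0, M=0
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])          # NH=44, len=0, PadN(4)
    payload = hbh + frag + icmp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)
    base += ipaddress.IPv6Address("fe80::1").packed
    base += ipaddress.IPv6Address("fe80::2").packed
    return base + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_fixed_header(pkt))
    print(walk_extension_headers(pkt))
```

The length checks are the point of the exercise: a filter that trusts the Hdr Ext Len field without comparing it to the payload length can be made to read past the packet, and a filter that stops at the first extension header never learns which upper-layer protocol it is actually passing.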
2.3.5 Mandatory Internet Protocol Security (IPsec) Support
IP security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by
authenticating the sender and providing integrity protection plus optionally confidentiality for the
transmitted data. This is accomplished through the use of two extension headers: the Encapsulating
Security Payload (ESP) and the Authentication Header (AH). The negotiation and management of IPsec
security protections and the associated secret keys is handled by the Internet Key Exchange (IKE)
protocol. IPsec is a mandatory part of an IPv6 implementation; however, its use is not required. IPsec is
also specified for securing particular IPv6 protocols (e.g., Mobile IPv6 and OSPFv3 [Open Shortest Path
First version 3]). Section 5.3 describes IPsec in detail.
2.3.6 Mobility
Mobile IPv6 (MIPv6) is an enhanced protocol supporting roaming for a mobile node, so that it can move
from one network to another without losing IP-layer connectivity (as defined in RFC 3775). RFC 3344,
IP Mobility Support for IPv4, describes Mobile IP concepts and specifications for IPv4. Nevertheless,
using Mobile IP with IPv4 has various limitations, such as limited address space, dependence on address
resolution protocol (ARP), and challenges with handover when a device moves from one access point to
another. Mobile IPv6 uses IPv6’s vast address space and Neighbor Discovery (RFC 4861) to solve the
handover problem at the network layer and maintain connections to applications and services if a device
changes its temporary IP address. Mobile IPv6 also introduces new security concerns such as route
optimization (RFC 4449) where data flow between the home agent and mobile node will need to be
appropriately secured.
Section 4.4 describes Mobile IPv6 in detail.
[7] Additional illustration and explanation of the major differences between the IPv6 and IPv4 headers can be found in the GAO
report, Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks.
2.3.7 Quality of Service (QoS)
IP (for the most part) treats all packets alike, as they are forwarded with best effort treatment and no
guarantee for delivery through the network. TCP (Transmission Control Protocol) adds delivery
confirmations but has no options to control parameters such as delay or bandwidth allocation. QoS offers
enhanced policy-based networking options to prioritize the delivery of information. Existing IPv4 and
IPv6 implementations use similar QoS capabilities, such as Differentiated Services and Integrated
Services, to identify and prioritize IP-based communications during periods of network congestion.
Within the IPv6 header two fields can be used for QoS, the Traffic Class and Flow Label fields. The new
Flow Label field and enlarged Traffic Class field in the main IPv6 header allow more efficient and finer
grained differentiation of various types of traffic. The new Flow Label field can contain a label
identifying or prioritizing a certain packet flow such as voice over IP (VoIP) or videoconferencing, both
of which are sensitive to timely delivery. IPv6 QoS is still a work in progress and security should be
given increased consideration in this stage of development. Section 4.3 describes QoS in detail.
2.3.8 Route Aggregation
IPv6 incorporates a hierarchal addressing structure and has a simplified header allowing for improved
routing of information from a source to a destination. The large amount of address space allows
organizations with large numbers of connections to obtain blocks of contiguous address space.
Contiguous address space allows organizations to aggregate addresses under one prefix for identification
on the Internet. This structured approach to addressing reduces the amount of information Internet
routers must maintain and store and promotes faster routing of data. Additionally, it is envisioned that
IPv6 addresses will primarily be allocated only from Internet Service Providers (ISPs) to customers. This
will allow for ISPs to summarize route advertisements to minimize the size of the IPv6 Internet routing
tables. This is covered in more detail in Section 3.2.
2.3.9 Efficient Transmission
IPv6 packet fragmentation control occurs at the IPv6 source host, not at an intermediate IPv6 router.
With IPv4, a router can fragment a packet when the Maximum Transmission Unit (MTU) of the next link
is smaller than the packet it has to send. The router does this by slicing a packet to fit into the smaller
MTU and sends it out as a set of fragments. The destination host collects the fragments and reassembles
them. All fragments must arrive for the higher level protocol to get the packet. Therefore, when one
fragment is missing or an error occurs, the entire transmission has to be redone. In IPv6, a host uses a
procedure called Path Maximum Transmission Unit (PMTU) Discovery to learn the path MTU size and
eliminate the need for routers to perform fragmentation. The IPv6 Fragment Extension Header is used
when an IPv6 host wants to fragment a packet, so fragmentation occurs at the source host, not the router,
which allows efficient transmission. PMTU is discussed in Section 3.5.5, and Section 4.5 describes
efficient transmission in detail.
2.4 IPv4 and IPv6 Threat Comparison
The deployment of IPv6 can lead to new challenges with respect to the types of threats facing an
organization. This section provides a high-level overview as to how threats differ from an IPv4
environment to an IPv6 environment and combined IPv4-IPv6 environment. The following chapters
provide additional details to these threats as required. It should be noted that many IPv6 threat
discussions rely on IPsec to provide protection against attack. Due to issues with key management and
overall configuration complexity (including applications), it is possible that IPsec will not be deployed
much more than it is with IPv4 today for initial IPv6 use. IPsec is covered in detail in Section 5.3.
Network reconnaissance is typically the first step taken by an attacker to identify assets for exploitation
(RFC 5157).[8] Reconnaissance attacks in an IPv6 environment differ dramatically from current IPv4
environments. Due to the size of IPv6 subnets (2^64 in a typical IPv6 environment compared to 2^8 in a
typical IPv4 environment), traditional IPv4 scanning techniques that would normally take seconds could
take years on a properly designed IPv6 network. This does not mean that reconnaissance attacks will go
away in an IPv6 environment; it is more likely that the tactics used for network reconnaissance will be
modified. Attackers will still be able to use passive techniques, such as Domain Name System (DNS)
name server resolution, to identify victim networks for more targeted exploitation. Additionally, if an
attacker is able to obtain access to one system on an IPv6 subnet, the attacker will be able to leverage
IPv6 neighbor discovery to identify hosts on the local subnet for exploitation. Neighbor discovery-based
attacks will also replace counterparts on IPv4 such as ARP spoofing.
Prevention of unauthorized access to IPv6 networks will likely be more difficult in the early years of IPv6
deployments. IPv6 adds more components to be filtered than IPv4, such as extension headers, multicast
addressing, and increased use of ICMP. These extended capabilities of IPv6, as well as the possibility of
an IPv6 host having a number of global IPv6 addresses, potentially provide an environment that will
make network-level access easier for attackers if IPv6 access controls are deployed improperly.
Moreover, security related tools and accepted best practices have been slow to accommodate IPv6. Either
these items do not exist or have not been stress tested in an IPv6 environment. Nevertheless, global
aggregation of IPv6 addresses by ISPs should allow enhanced anti-spoofing filtering across the Internet
where implemented.
Attacks that focus on exploitation above the IP layer, such as application-based attacks and viruses, will
not see a difference in the types of threats faced in an IPv6 environment. Most likely, some worms will
use modified IPv6 reconnaissance techniques for exploitation. Additionally, because many IPv4
broadcast capabilities have been replaced with IPv6 multicast functionality, broadcast amplification
attacks will no longer exist in an IPv6 environment.
From this comparison of IPv4 and IPv6 threats, one can surmise that IPv6 will not inherently be either
more or less secure than IPv4. While organizations are in the process of deploying IPv6, the lack of
robust IPv6 security controls (described in Section 6) and a lack of overall understanding of IPv6 by
security staff may allow attackers to exploit IPv6 assets or leverage IPv6 access to further exploit IPv4
assets. There is a very likely possibility that many IPv6 services will rely on tunneling IPv6 traffic in
IPv4 for infrastructures that do support the protocol, which will also increase the complexity for security
staff. Additionally, since IPv6 systems and capabilities are not yet widely used in production
environments, there is a distinct possibility that the number of vulnerabilities in software from
implementing IPv6 capabilities could rise, as IPv6 networks are increasingly deployed.
Based on the threat comparison between IPv4 and IPv6, the following actions are recommended to
mitigate IPv6 threats during the deployment process:
Apply different types of IPv6 addressing (privacy addressing, unique local addressing, sparse
allocation, etc.) to limit access and knowledge of IPv6-addressed environments.
Assign subnet and interface identifiers randomly to increase the difficulty of network scanning.
Develop a granular ICMPv6 filtering policy for the enterprise. Ensure that ICMPv6 messages that are
essential to IPv6 operation are allowed, but others are blocked.
Use IPsec to authenticate and provide confidentiality to assets that can be tied to a scalable trust
model (an example is access to Human Resources assets by internal employees that make use of an
organization’s Public Key Infrastructure (PKI) to establish trust).
Identify capabilities and weaknesses of network protection devices in an IPv6 environment.
Enable controls that might not have been used in IPv4 due to a lower threat level during initial
deployment (implementing default deny access control policies, implementing routing protocol
security, etc.).
Pay close attention to the security aspects of transition mechanisms such as tunneling protocols.
On networks that are IPv4-only, block all IPv6 traffic.
[8] Bellovin, Cheswick and Keromytis, Worm propagation strategies in an IPv6 Internet.
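The "granular ICMPv6 filtering policy" recommended above (and in the Executive Summary) is harder to get right than its IPv4 counterpart because several ICMPv6 types are load-bearing: dropping Packet Too Big breaks Path MTU Discovery, and dropping Neighbor Discovery on a link breaks address resolution entirely, while the same Neighbor Discovery messages must never be accepted from across a router. The following is an added example, not from this publication, of such a policy expressed as code: a default-deny evaluator that allows the error messages and echo, allows Neighbor Discovery and MLD only on internal links and only with the Hop Limit of 255 that RFC 4861 requires of link-originated messages, and drops everything else. The type grouping follows RFC 4890 (an assumption on my part; the document does not cite it), and the message batch is constructed for the example.

```python
import ipaddress

# Message-type classes. The grouping follows RFC 4890's filtering
# recommendations (an assumption: the document itself does not cite it).
ERROR_MESSAGES = {1: "Destination Unreachable", 2: "Packet Too Big",
                  3: "Time Exceeded", 4: "Parameter Problem"}
ECHO = {128: "Echo Request", 129: "Echo Reply"}
# Neighbor Discovery (RFC 4861) and MLD messages are link-scoped by design;
# RFC 4861 requires Hop Limit 255 so a router-forwarded copy is detectable.
LINK_SCOPED = {130: "MLD Query", 131: "MLD Report", 132: "MLD Done",
               133: "Router Solicitation", 134: "Router Advertisement",
               135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
               137: "Redirect"}

# Constructed messages (type, hop limit, source) for the evaluation below.
SAMPLE_MESSAGES = [
    {"type": 2,   "hop_limit": 60,  "src": "2001:db8:ffff::1"},  # Packet Too Big from a transit router
    {"type": 135, "hop_limit": 255, "src": "fe80::1"},           # NS from an on-link host
    {"type": 135, "hop_limit": 64,  "src": "2001:db8:1::5"},     # NS that has crossed a router
    {"type": 134, "hop_limit": 255, "src": "2001:db8:1::1"},     # RA with a non-link-local source
    {"type": 128, "hop_limit": 64,  "src": "2001:db8:2::9"},     # Echo Request
    {"type": 139, "hop_limit": 64,  "src": "2001:db8:2::9"},     # Node Information Query
]


def evaluate(msg, at_border):
    """Decide one ICMPv6 message: returns ("accept" | "drop", reason).

    msg has "type", "hop_limit" and "src"; at_border is True for a filter
    between the enterprise and the Internet, False on an internal link.
    Anything not explicitly allowed is dropped (default deny)."""
    t = msg["type"]
    if t in ERROR_MESSAGES:
        return "accept", f"{ERROR_MESSAGES[t]}: required for IPv6 operation"
    if t in ECHO:
        return "accept", f"{ECHO[t]}: diagnostics, rate limiting advisable"
    if t in LINK_SCOPED:
        name = LINK_SCOPED[t]
        if at_border:
            return "drop", f"{name}: must not cross the enterprise boundary"
        if msg["hop_limit"] != 255:
            return "drop", f"{name}: hop limit {msg['hop_limit']} means it was forwarded"
        if t == 134 and not ipaddress.IPv6Address(msg["src"]).is_link_local:
            return "drop", "Router Advertisement source must be link-local (RFC 4861)"
        return "accept", f"{name}: on-link neighbor discovery"
    return "drop", f"type {t}: not on the allow list"


def apply_policy(messages, at_border):
    """Return [(type, decision, reason), ...] for a batch of messages."""
    return [(m["type"],) + evaluate(m, at_border) for m in messages]


if __name__ == "__main__":
    for where, border in (("border", True), ("internal link", False)):
        print(f"--- {where} ---")
        for t, decision, reason in apply_policy(SAMPLE_MESSAGES, border):
            print(f"type {t:3} {decision:6} {reason}")
```

The two placements matter: the same Neighbor Solicitation is accepted on the internal link and dropped at the border, and a Neighbor Solicitation whose Hop Limit has been decremented is dropped even internally, because a genuine on-link neighbor could not have produced it.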
2.5 Motivations for Deploying IPv6
IP technologies were invented in the United States, and the early adoption of those technologies occurred
predominantly in the United States. As mentioned in Section 2.2, early address allocation policies were
relatively relaxed and large quantities of IPv4 addresses were assigned upon request, even when those
allocations were not thoroughly justified. This resulted in a high concentration of IPv4 address
allocations in the United States, with more than half of all routable IPv4 addresses assigned to U.S.-based
organizations. Some large U.S.-based Internet backbone service providers have more IPv4 addresses than
all of the nations that comprise the Asian region of the world.
These circumstances have left most of the world, especially Asia, with little choice other than to adopt the
IPv6 specification if they are to become pervasive participants in IP technologies or the global Internet at
large. Nations such as Japan have built IPv6-capable Internet infrastructures to support their growing
demand for Internet connectivity. Further, the advanced state of wireless telecommunications in Asia
produced an environment where globally unique IP addresses are required to enable the features of Third
Generation (3G) wireless technologies. In essence, every mobile 3G device becomes a mobile personal
computing platform, and each of those devices requires true end-to-end connectivity to realize its full
potential.
All organizations making use of IP networking should study and consider IPv6’s feature set when
designing and managing their networks. Even with no intent to replace IPv4, the IPv6 security controls
discussed later in this document should be planned and deployed to detect unauthorized use of IPv6.
Fundamental knowledge of IPv6—what it is, what its attributes are, and how it operates—is critical to
any organization.
As the IPv6 protocol becomes increasingly ubiquitous, all enterprise and Internet-connected networks
need to be prepared for specific threats and vulnerabilities that the new protocol will bring. For example,
an IPv4-only network segment may contain several newly installed hosts that are both IPv4 and IPv6-capable,
as well as hosts that have IPv6 enabled by default. This circumstance can come about simply as
a result of the normal systems life cycles. Additionally, IPv6 could be enabled on a host by an attacker to
circumvent security controls that may not be IPv6-aware; these hosts can then be leveraged to create
covert or backdoor channels. Taken further, IPv6 traffic could be encapsulated within IPv4 packets using
readily available tools and services and exchanged with malicious hosts via the Internet.
Interoperability of geographically dispersed Internet-connected nodes may become a profit motivation for
some organizations to deploy IPv6. For instance, content providers are making more multimedia features
available via a diverse set of customer platforms. Mobile phones, handheld personal computers, notebook
computers, desktop PCs, and home multimedia and gaming centers are all IPv4-capable today.
Delivering multimedia content to those platforms is increasingly viable given the broadband network
bandwidths available. Nevertheless, IPv4 clearly cannot address all of these devices without using an
address conservation technology like NAT, and NAT by its nature denies true end-to-end IP connectivity.
Multimedia service offerings and ultimately the market for those offerings are likely always to be
constrained by IPv4, while IPv6 may prove to be an enabling technology.
If an organization is not constrained by IPv4 address availability or the disruption that NAT causes to true
end-to-end connectivity between nodes, it should still plan for a world in which IPv6 will eventually be
ubiquitous. All major vendors of IT products are shipping IPv6-capable products. Wholesale
replacement of computing platforms and network infrastructure as a deployment requirement is less likely
now than only five years ago, since many operating systems and networking products contain a native
IPv6 protocol stack. Also, tunneling IPv6 over the existing IPv4 Internet is possible today by using free,
readily available tunnel clients. An end user may download client software, obtain a routable IPv6
address, and begin tunneling IPv6 over IPv4 networks with few technical or administrative barriers.
Many open source IP networking tools are IPv6-capable, as are many consumer-oriented wireless access
points. Much consumer personal computing and home networking equipment is IPv6-capable, even
if its owners do not use the feature.
Because of the increasing availability and use of IPv6, and because IPv6 and IPv4 will coexist for many
years, management and technical experts within any organization should understand IPv6
technology (its background, basis, and capabilities) and how they can mitigate the risks of
running dual stack IPv4 and IPv6 networks. In the context of this document, dual stack means that nodes
run both IPv4 and IPv6 protocols concurrently. The remainder of this document examines certain
aspects of the IPv6 specification in detail and discusses threats, vulnerabilities, and the mitigation of
risks.
3.
IPv6 Overview
From the standpoint of header design, IPv6 is both more powerful and more flexible than its IPv4
predecessor. Section 2.3 introduced a number of enhancements and features in IPv6. Most significant is
the vast amount of address space, along with support for orderly address assignment and efficient network
address aggregation on the Internet. Illustrated in Table 3-1 are some of the major differences between
IPv4 and IPv6 followed by basic IPv6 terminology used later in this guide. These differences can have
implications for IPv6 security and are discussed throughout this and subsequent sections.
Table 3-1. Differences between IPv4 and IPv6 [9]

Property                      | IPv4                                                  | IPv6
Address size and network size | 32 bits; network size 8-30 bits                       | 128 bits; network size 64 bits
Packet header size            | 20-60 bytes                                           | 40 bytes
Header-level extension        | limited number of small IP options                    | unlimited number of IPv6 extension headers
Fragmentation                 | sender or any intermediate router allowed to fragment | only sender may fragment
Control protocols             | mixture of non-IP (ARP), ICMP, and other protocols    | all control protocols based on ICMPv6
Minimum allowed MTU           | 576 bytes                                             | 1280 bytes
Path MTU discovery            | optional, not widely used                             | strongly recommended
Address assignment            | usually one address per host                          | usually multiple addresses per interface
Address types                 | unicast, multicast, and broadcast address types       | unicast, multicast, and anycast address types; broadcast addressing no longer used
Address configuration         | devices configured manually or with host configuration protocols like DHCP | devices configure themselves independently using stateless address autoconfiguration (SLAAC) or use DHCP
Basic Terms (RFC 2460, RFC 4862)
The following basic IPv6 definitions are important for any IPv6 discussion.
Address. An IPv6-layer identifier for an interface or a set of interfaces.
Node. A device on the network that sends and receives IPv6 packets.
Deprecated address. An address, assigned to an interface, whose use is discouraged but not
forbidden (e.g., site-local addresses in FEC0::/10). A deprecated address should no
longer be used as a source address in new communications, but packets sent from or to
deprecated addresses are delivered as expected.
[9] NSA Report, Router Security Configuration Guide Supplement – Security for IPv6 Routers.
Router. A node that sends and receives packets, and also accepts packets and forwards them
on behalf of other nodes.
Host. A node that may send and receive packets but does not forward packets for other nodes.
Link. A communication facility or medium over which nodes can communicate at the link
layer, i.e., the layer immediately below IPv6. Examples are Ethernets (simple or bridged);
Point-to-Point Protocol (PPP); X.25, Frame Relay, or Asynchronous Transfer Mode (ATM)
networks; and layer three (or higher) tunnels, such as tunnels over IPv4 or IPv6 itself.
Link MTU. The maximum transmission unit (MTU), i.e., maximum packet size in octets,
which can be conveyed over a link.
Path MTU. The minimum link MTU of all the links in a path between a source node and a
destination node.
Upper Layer. A protocol layer immediately above IPv6. Examples are transport protocols
such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), control
protocols such as Internet Control Message Protocol (ICMP), routing protocols such as Open
Shortest Path First (OSPF), and internet or lower-layer protocols being tunneled over (i.e.,
encapsulated in) IPv6 such as Internetwork Packet Exchange (IPX), AppleTalk, or IPv6 itself.
Interface. The point at which a node connects to a link. Unicast IPv6 addresses are always
associated with interfaces.
Packet. An IPv6 header plus payload.
Neighbors. Nodes attached to the same link.
This section provides general information about IPv6 as a foundation for later sections. The rest of this
section is a resource for understanding the similarities and differences between IPv4 and IPv6, with a
focus on addressing (RFC 4291). Section 3.1 discusses IPv6 addresses, how the IPv6 address space is
used, and IPv6 address types and scope. This is followed by a review of IPv4 addressing and IPv4
Classless Inter-Domain Routing (CIDR) addressing. Then IPv4 and IPv6 addressing are summarized and
compared. Section 3.2 covers IPv6 address allocation. IPv6 headers, their formats, and fields are
discussed in Section 3.3. Sections 3.4 through 3.7 cover extension headers, ICMPv6, IPv6 routing, and
IPv6 Domain Name System (DNS) respectively.
3.1
IPv6 Addressing
IPv6 addresses, described in RFC 4291, are 128 bits long and are written in what is called colon-delimited
hexadecimal notation. An IPv6 address consists of eight distinct numbers representing 16 bits each,
written in base-16 (hexadecimal or hex) notation. The valid hex digits are 0 through 9 and A through
F; together with the colon separator, they are the only characters that can be used for writing an IPv6
address. A comparison of IPv4 and IPv6 addressing conventions is illustrated in Figure 3-5 and discussed
in more detail in Section 3.1.7.
An example of an IPv6 address is:
2001:0db8:9095:02e5:0216:cbff:feb2:7474
Note that the address contains eight distinct four-place hex values, separated by colons. Each of these
values represents 16 bits, for a total of 128 bits in the entire address.
IPv6 addresses are divided into the network prefix, the subnet identifier and the host identifier portions
of the address. The network prefix is the high-order bits of the address, used to identify a specific
network and, in some cases, a specific type of address (see Table 3-2). The subnet identifier (ID)
identifies a link within a site. It is assigned by the local administrator of the site, and a single site
can have multiple subnet IDs; the subnet ID designates the network on which the host bearing
the address resides. The host identifier (host ID) uniquely identifies the node within that network
and is associated with a specific interface of the host. Figure 3-1
depicts the IPv6 address format with the network prefix, subnet identifier and host identifier.
Figure 3-1. IPv6 Address Format (128 bits)
  Network Prefix (n bits): identifies the address range assigned to a site
  Subnet ID (64 - n bits): identifies a link within a site
  Host ID (64 bits): the interface ID
RFC 4291 also describes the notation for prefixes. The network prefix is analogous, but not equivalent,
to the subnet mask in IPv4. IPv4 addresses are written in Classless Inter-domain Routing (CIDR)
notation, with a subnet mask that contains "1"s in the bit positions that identify the network ID (see
Section 3.1.6). There is no subnet mask in IPv6, although the slash notation used to identify the network
address bits is similar to IPv4's subnet mask notation. The IPv6 notation appends the prefix length,
written as a number of bits after a slash, which leads to the following format:
IPv6 address/prefix length
The prefix length specifies how many of the address’s left-most bits comprise the network prefix. An
example address with a 32-bit network prefix is:
2001:0db8:9095:02e5:0216:cbff:feb2:7474/32
Quantities of IPv6 addresses are assigned by the international registry services and Internet service
providers (ISP) (see Section 3.2.2) based in part upon the size of the entity receiving the addresses.
Large, top-tier networks may receive address allocations with a network prefix of 32 bits as long as the
need is justified. In this case, the first two groupings of hex values, separated by colons, comprise the
network prefix for the assignee of the addresses. The remaining 96 bits are available to the local
administrator primarily for reallocation of the subnet ID and the host ID. The subnet ID identifies a link
within a site, which can have multiple subnet IDs. The host ID within a network must be unique and
identifies an interface on a subnet for the organization, similar to an assigned IPv4 address. Figure 3-2
depicts an IPv6 address with 32 bits allocated to the network prefix.
Figure 3-2. 32-Bit Network Prefix
  Network Prefix (32 bits): 2001:0db8
  Remaining 96 bits: 9095:02e5 (subnet ID) and 0216:cbff:feb2:7474 (host ID)
Government, educational, commercial, and other networks typically receive address allocations from top-tier providers (ISPs) with a network prefix of 48 bits (/48), leaving 80 bits for the subnet identifier and
host identifier. Figure 3-3 depicts an IPv6 address with 48 bits allocated to the network prefix.
Figure 3-3. 48-Bit Network Prefix
  Network Prefix (48 bits): 2001:0db8:9095
  Remaining 80 bits: 02e5 (subnet ID) and 0216:cbff:feb2:7474 (host ID)
Subnets within an organization often have network prefixes of 64 bits (/64), leaving 64 bits for allocation
to hosts' interfaces. RFC 4291 requires that, for all unicast addresses except those beginning with
binary 000, the interface identifier be 64 bits long and constructed in Modified EUI-64 (Extended
Unique Identifier) format [10]; multicast addresses (prefix 1111 1111) have a different structure. An
interface identifier derived this way embeds the interface's MAC address, so it is stable across networks
and reveals the hardware address; the privacy extensions of RFC 4941 generate random, temporary
interface identifiers instead. Figure 3-4 depicts an IPv6 address with 64 bits allocated to
the network prefix.
[10] IEEE EUI-64, Guidelines for 64-Bit Global Identifier (EUI-64) Registration Authority.
Figure 3-4. 64-Bit Network Prefix
  Network Prefix (64 bits): 2001:0db8:9095:02e5 (site prefix 2001:0db8:9095 plus subnet ID 02e5)
  Host ID (64 bits): 0216:cbff:feb2:7474
3.1.1
Shorthand for Writing IPv6 Addresses
Due to their length, IPv6 addresses do not lend themselves to human memorization. Administrators of
IPv4 networks typically can recall multiple IPv4 network and host addresses; remembering multiple IPv6
network and host addresses is more challenging. The notation for IPv6 addresses may be compressed and
simplified under specific circumstances.
One to three zeroes that appear as the leading digits in any colon-delimited hexadecimal grouping may be
dropped. This simplifies the address and makes it easier to read and to write. For example:
2001:0db8:0aba:02e5:0000:0ee9:0000:0444/48 becomes
2001:db8:aba:2e5:0:ee9:0:444/48
It is important to note that trailing zeroes may not be dropped, because they have intrinsic place value in
the address format.
Further efficiency is gained by combining all-zero portions of the address. Any colon-delimited portion
of an address containing all zeros may be compressed so that nothing appears between the leading and
trailing colons. For example:
2001:0db8:0055:0000:cd23:0000:0000:0205/48 becomes
2001:db8:55:0:cd23::205/48
In this example, the sixth and seventh 16-bit groupings contain all zeroes; they were compressed by
eliminating the zeroes completely, as well as the colon that divided the two groupings. Nevertheless,
compressing an address by removing one or more consecutive groups of zeroes may only
be done once per address. The fourth 16-bit grouping in the example also contains all zeroes, but in the
condensed form of the address it is represented with a single zero. A choice had to be made as to which
group of zeroes was to be compressed. The example address could be written
2001:db8:55::cd23:0:0:205/48, but this is not as efficient as 2001:db8:55:0:cd23::205/48.
It is important to note that both of the addresses in the preceding paragraph are properly formatted, but the
latter address is shorter. Compression is just a convention for writing addresses, it does not affect how an
address is used, and it makes no difference whether compression falls within the network prefix, host
identifier, or across both portions of the address.
3.1.2
IPv6 Address Space Usage
This section introduces the different types of IPv6 addresses, their scope, and use. It introduces IPv6
addressing as basic information needed for secure adoption and deployment of the protocol. RFC 4291,
IP Version 6 Addressing Architecture, is the authoritative source for information on IPv6 addressing, and
it should be referenced for comprehensive details. Mechanisms for generating and assigning IPv6
addresses are discussed in detail in subsequent sections of this document.
Table 3-2. IPv6 Address Types

Address type           | Binary prefix                              | IPv6 notation             | Uses
Embedded IPv4 address  | 00...0 1111 1111 1111 1111 (96 bits)       | ::FFFF:0:0/96             | Prefix for embedding an IPv4 address in an IPv6 address (IPv4-mapped; see Section 3.1.4)
Loopback               | 00...0 1 (128 bits)                        | ::1/128                   | Loopback address on every interface [RFC 2460]
Global unicast         | 001                                        | 2000::/3                  | Global unicast and anycast (allocated) [RFC 4291]
Global unicast         | 01 through 1111 1100 0                     | 4000::/2 through FC00::/9 | Global unicast and anycast (unallocated)
Teredo                 | 0010 0000 0000 0001 0000 0000 0000 0000    | 2001:0000::/32            | Teredo [RFC 4380]
Nonroutable            | 0010 0000 0000 0001 0000 1101 1011 1000    | 2001:DB8::/32             | Nonroutable; documentation purposes only [RFC 3849]
6to4                   | 0010 0000 0000 0010                        | 2002::/16                 | 6to4 [RFC 3056]
6Bone                  | 0011 1111 1111 1110                        | 3FFE::/16                 | Deprecated; 6Bone testing assignment, 1996 through mid-2006 [RFC 3701]
Link-local unicast     | 1111 1110 10                               | FE80::/10                 | Link-local unicast
Reserved               | 1111 1110 11                               | FEC0::/10                 | Deprecated; formerly site-local address space, unicast and anycast [RFC 3879]
Local IPv6 address     | 1111 110                                   | FC00::/7                  | Unique local address space, unicast and anycast [RFC 4193]
Multicast              | 1111 1111                                  | FF00::/8                  | Multicast address space [RFC 4291]
IPv6 addressing differs from IPv4 in several ways aside from the address size. In both IPv4 and IPv6,
addresses specifically belong to interfaces, not to nodes. However, because IPv6 addresses are not in
short supply, interfaces often have multiple addresses. As discussed in 3.1, IPv6 addresses consist of a
network prefix in the higher order bits and an interface identifier in the lower order bits. Moreover, the
prefix indicates a subnet or link within a site, and a link can be assigned multiple subnet IDs.
Many IPv6 address ranges are reserved or defined for special purposes by the IETF’s IPv6 standards and
by the Internet Assigned Number Authority (IANA). Table 3-2 lists the major assignments and how to
identify the different types of IPv6 address from the high-order bits.
All address ranges not listed in Table 3-2 are reserved or unassigned. IANA currently assigns only out of
the binary range starting with 001 [11].
3.1.3
IPv6 Address Types
IPv6 uses the notion of address types for different situations. These different address types are defined
below:
Unicast Addresses. Addresses that identify one interface on a single node; a packet with a
unicast destination address is delivered to that interface.
Multicast Addresses. RFC 4291 defines a multicast address as "An identifier for a set of
interfaces (typically belonging to different nodes). A packet sent to a multicast address is
delivered to all interfaces identified by that address." Although multicast addresses are
common in both IPv4 and IPv6, in IPv6 multicasting has new applications. The single most
important aspect of multicast addressing under IPv6 is that it enables fundamental IPv6
functionality, including neighbor discovery (ND) and router discovery. Multicast addresses
begin with FF00::/8. They are intended for efficient one-to-many and many-to-many
communication. The IPv6 standards prohibit sending packets from a multicast address;
multicast addresses are valid only as destinations. Multicast addressing is discussed in
Section 4.2.
Anycast Addresses. Addresses that can identify several interfaces on one or more nodes; a
packet with an anycast destination address is delivered to one of the interfaces bearing the
address, usually the closest one as determined by routing protocols. Anycast addressing was
introduced as an add-on for IPv4, but it was designed as a basic component of IPv6.
The format of anycast addresses is indistinguishable from that of unicast addresses. The
Subnet-Router anycast address, for example, is the subnet prefix followed by an all-zero
interface identifier:
Subnet-Router anycast address format: subnet prefix (n bits) | 0000...0000 (128 - n bits)
The subnet prefix in an anycast address is the prefix that identifies a specific link. Anycast addresses
are intended for efficiently providing services that any one of a number of nodes can perform (e.g., a
Home Agent for a Mobile IP node). Anycast addresses may not be used as source addresses and, as
of the writing of this guide, may only be assigned to routers. It should be noted that there are no
defined mechanisms for security or registration for anycast, nor is there a way to verify that a
response to a packet sent to an anycast address was sent by an interface authorized to do so. This
leaves open the possibility of impersonating anycast servers.
Broadcast Addresses. Broadcast addressing is a common attribute of IPv4, but is not defined
or implemented in IPv6. Multicast addressing in IPv6 meets the requirements that broadcast
addressing formerly fulfilled.
3.1.4
IPv6 Address Scope
The shortage of IPv4 addresses led to the designation of private, non-routable addresses in RFC 1918 and the
widespread use of Network Address Translation (NAT) to share globally routable addresses (with certain
limits placed on the hosts using so-called RFC 1918 addresses). IPv6 has no such shortage, so the use of
NAT is unnecessary; nevertheless, the usefulness of addresses with limited scope was recognized and
retained in IPv6, and addresses with different scopes were defined. The original IPv6 design defined
link-local, site-local, and global addresses; later, it was realized that site-local addresses were
not well enough defined to be useful. Site-local addresses were abandoned and replaced with unique local
addresses. Older implementations of IPv6 may still use site-local addresses, so IPv6 firewalls need to
recognize and handle site-local addresses correctly.
[11] IANA, Internet Protocol Version 6 Address Space.
The IPv6 standards define several scopes for meaningful IPv6 addresses:
Interface-local. This applies only to a single interface; the loopback address has this scope.
Link-local. This applies to a particular LAN (Local Area Network) or network link; every
IPv6 interface on a LAN must have an address with this scope. Link-local addresses start with
FE80::/10. Packets with link-local destination addresses are not routable and must not be
forwarded off the local link.
Link-local address format: 1111 1110 10 (10 bits, FE80::/10) | 0000...0000 (54 bits) | Interface ID (64 bits)
Link-local addresses are used for administrative purposes such as neighbor and router discovery.
Site-local. This scope was intended to apply to all IPv6 networks or a single logical entity
such as the network within an organization. Addresses with this scope start with FEC0::/10.
They were intended not to be globally routable but potentially routed between subnets within
an organization. Site local addresses have been deprecated and replaced with unique local
addresses.
Unique local unicast. This scope is meant for a site, campus, or enterprise’s internal
addressing. It replaces the deprecated site-local concept. Unique local addresses (ULAs) may
be routable within an enterprise. Use of unique local addresses is not yet widespread; see RFC
4193, Unique Local IPv6 Unicast Addresses, for more information.
Global. The global scope applies to the entire Internet. These are globally unique addresses
that are routable across all publicly connected networks.
Embedded IPv4 Unicast. The IPv6 specification has the ability to leverage existing IPv4
addressing schemes. The transition to IPv6 will be gradual, so two special types of addresses
have been defined for backward compatibility with IPv4: IPv4-compatible IPv6 addresses
(rarely used and deprecated in RFC 4291) and IPv4-mapped IPv6 addresses. Both allow the
protocol to derive addresses by embedding IPv4 addresses in the body of an IPv6 address. An
IPv4-mapped IPv6 address is used to represent the addresses of IPv4-only nodes as an IPv6
address, which allows an IPv6 node to use this address to send a packet to an IPv4-only node.
IPv4-compatible IPv6 address: 0000...0000 (80 bits) | 0000 (16 bits) | IPv4 address (32 bits)
IPv4-mapped IPv6 address: 0000...0000 (80 bits) | FFFF (16 bits) | IPv4 address (32 bits)
The two IPv4-embedded address types are similar. The only difference is the sixth group of 16 bits:
IPv4-compatible addresses set it to all zeros (0000); IPv4-mapped addresses set it to all ones (FFFF).
For example, the IPv4 address 192.0.2.1 becomes ::FFFF:192.0.2.1 (equivalently ::FFFF:C000:0201) as
an IPv4-mapped address.
A more generalized form of IPv4-embedded IPv6 addresses has been defined (RFC 6052), to aid the
process of automated translation from one type of address to the other. Two new variants of IPv4-embedded IPv6 addresses are:
IPv4-converted IPv6 addresses: "IPv6 addresses used to represent IPv4 nodes in an
IPv6 network"
IPv4-translatable IPv6 addresses: "IPv6 addresses assigned to IPv6 nodes for use with
stateless transition"
It is quite likely that additional special-use variants will be defined in the future.
Other address or Special Address types. IPv6 makes use of addresses other than those
shown above. The unspecified address consists of all zeros (0:0:0:0:0:0:0:0 or simply ::) and
may be the source address of a node soliciting its own IP address from an address assignment
authority (such as a DHCPv6 [DHCP for IPv6] server). IPv6-compliant routers never forward
a packet with an unspecified address. The loopback address is used by a node to send a packet
to itself. The loopback address, 0:0:0:0:0:0:0:1 (or simply ::1), is defined as being interface-local. IPv6-compliant hosts and routers never forward packets with a loopback destination.
An essential design consideration for IPv6 is to simplify routing in enterprise and global networks. One
of the intents of the IPv6 address schema is to facilitate hierarchical routing. Hierarchical routing in turn
accelerates the end-to-end routing function, and routing table convergence and maintenance are vastly
simplified.
A typical IPv6 interface is configured to receive packets sent to several addresses. In addition to its link
local and global unicast addresses, it may have a unique local address. It can also receive multicast
messages sent to the all hosts and solicited node multicast addresses, as well as possibly to other multicast
addresses. Finally, because of renumbering, multiple instances of some of these addresses may be active
at once. How these addresses are selected is covered in the Sections 4.6, Address Selection, and 4.2,
Multicast.
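The address types of Table 3-2 and the scope rules of Sections 3.1.3 and 3.1.4 are easy to get wrong in a filter, so the following added Python example (not code from SP 800-119) transcribes the table into a longest-prefix classifier and encodes the forwarding rules the text states: multicast addresses are valid only as destinations, packets carrying the unspecified or loopback address are never forwarded, link-local packets must not leave the link, and deprecated site-local and documentation prefixes are rejected explicitly. The "unallocated" 4000::/2 through FC00::/9 row is omitted, so such addresses fall through as reserved/unassigned. The forwarding policy is this example's; a real filter would add site policy on top of it.

```python
"""Classify IPv6 addresses by their high-order bits (Table 3-2, Section 3.1.4).

Added example for SP 800-119; not code from the document.  Rows are
transcribed from Table 3-2; the forwarding checks encode the rules stated in
Sections 3.1.3 and 3.1.4.
"""
import ipaddress

# (prefix, label): the longest matching prefix decides the type.
ADDRESS_TYPES = [
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped (embedded IPv4)"),
    ("2000::/3", "global unicast"),
    ("2001::/32", "Teredo"),
    ("2001:db8::/32", "documentation only (nonroutable)"),
    ("2002::/16", "6to4"),
    ("3ffe::/16", "6Bone (deprecated)"),
    ("fe80::/10", "link-local unicast"),
    ("fec0::/10", "site-local (deprecated)"),
    ("fc00::/7", "unique local unicast"),
    ("ff00::/8", "multicast"),
]
_NETWORKS = [(ipaddress.IPv6Network(p), label) for p, label in ADDRESS_TYPES]


def classify(text):
    """Return the Table 3-2 label for an address, or 'reserved/unassigned'."""
    addr = ipaddress.IPv6Address(text.partition("/")[0])
    matches = [(net.prefixlen, label) for net, label in _NETWORKS if addr in net]
    return max(matches)[1] if matches else "reserved/unassigned"


def embedded_ipv4(text):
    """For an IPv4-mapped address, return the embedded IPv4 address as text."""
    mapped = ipaddress.IPv6Address(text).ipv4_mapped
    return str(mapped) if mapped is not None else None


def forwardable(src, dst):
    """Decide whether a router may forward a packet from src to dst off-link.

    Returns (True, 'ok') or (False, reason).  Only the scope and address-type
    rules of the text are applied; site policy is out of scope here.
    """
    s, d = classify(src), classify(dst)
    if s == "multicast":
        return False, "multicast address is valid only as a destination"
    if "unspecified" in (s, d):
        return False, "packets carrying the unspecified address are never forwarded"
    if "loopback" in (s, d):
        return False, "loopback packets are never forwarded"
    if "link-local unicast" in (s, d):
        return False, "link-local packets must not leave the local link"
    if "site-local (deprecated)" in (s, d):
        return False, "site-local (FEC0::/10) is deprecated; reject explicitly"
    if "documentation only (nonroutable)" in (s, d):
        return False, "2001:db8::/32 is nonroutable"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("2001:0db8:9095:02e5:0216:cbff:feb2:7474", "fe80::1",
                   "fec0::1", "::ffff:192.0.2.1", "ff02::1", "::1"):
        print("%-40s %s" % (sample, classify(sample)))
    print(forwardable("fe80::1", "2001:db8::1"))
```

Note that the document's own sample address classifies as documentation-only even though it also lies inside 2000::/3: the /32 match is longer than the /3 match and wins.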
3.1.5
IPv4 Addressing
Each IPv4 address is 32 bits long and is typically written as four decimal numbers (0-255) representing
eight bits each and separated by decimal points or periods. This is called dotted decimal. An example of
an IPv4 address is 172.30.128.97. Each IPv4 address is associated with an additional component called a
subnet mask, which denotes how many high-order bits of the address are assigned to the network address
(RFC 950). The remaining lower-order bits are used to identify the node.
Three primary subnet types or network classifications were designed for IPv4: Class A, Class B, and
Class C (RFC 791). Typically, Class A networks were assigned to the early pioneers of the Internet.
Class B networks typically were assigned to larger enterprises and service providers, and Class C network
addresses usually were allocated to smaller organizations and treated as subnets of larger networks. The
following are examples of IPv4 network addresses and their related subnet masks:
Class A: 10.0.0.0 netmask 255.0.0.0 The first octet denotes the network and the remaining
three octets (24 bits) are available to identify a node on that network. This means that over 16
million host addresses are available on this single Class A network. Class A allocations were
often made to organizations that could never put 16 million distinct host addresses to use.
Class B: 172.30.0.0 netmask 255.255.0.0 The first two octets denote the network and the
remaining two octets (16 bits) are available to identify a node on that network. More than
65,000 distinct addresses are available to network nodes in each Class B network. As with
Class A allocations, this also produced a wasteful situation, because many recipients of Class
B address allocations did not need to employ more than a small fraction of the addresses.
Class C: 192.168.1.0 netmask 255.255.255.0 The first three octets denote the network and
the final octet (8 bits) is available to identify a node on that network. This provides 254
addresses for allocation to network nodes (the all ones and all zeros addresses are reserved for
other uses). More than two million Class C networks were available. Class C was the
smallest, most granular network and host address allocation possible until the introduction of
CIDR in 1993.
3.1.6
IPv4 Classless Inter-Domain Routing (CIDR) Addressing
CIDR addresses do not follow the Class A/B/C model. Netmasks in CIDR addresses are not confined to
the octet boundaries of an IPv4 address. For example, the CIDR address 192.168.1.1/27 indicates that the
IP address is 192.168.1.1 and the netmask splits the address after the 27th bit [12]. The first 27 bits are
designated for the network address, and the final five bits are available to provide 30 node or host
addresses within that network. This allows for a much more granular approach to address allocation
because ranges of addresses can be sized appropriately to the organization receiving them. Of equal
importance to address conservation is the related mechanism for routing efficiency that CIDR brings.
CIDR addressing allows multiple subnets, defined by common netmasks and having adjacent addresses,
to be supernetted together. This means that multiple networks are aggregated and reachable under one
routing table entry.
The Internet and many large enterprise networks are comprised of core routers (also known as backbone
routers) that move vast amounts of data between networks. These routers connect disparate networks and
thus make the Internet what it truly is: a network of networks. This same concept applies to large,
geographically dispersed enterprise networks. Core routers maintain large, complex routing tables that
contain accurate and timely information about how to reach nearly every network that is a part of the
global Internet.
The number of entries in these backbone routing tables has increased dramatically since CIDR addressing
was introduced in 1993 (RFC 4632), despite the best intentions of supernetting CIDR address space
together. As a result, core routers are burdened with ever increasing demands on their memory and
processing capacities. In short, IPv4 does not lend itself to a highly scalable and efficient Internet
backbone infrastructure.
[12] If written in the classful notation described previously, it would be represented as 192.168.1.1 netmask 255.255.255.224.
Routing prefix aggregation allows contiguous groupings of CIDR addresses to be advertised to the global
Internet as a single network rather than as multiple, distinct networks. Separate routing table entries no
longer need to be made for each allocation of address space. Much like the concept of supernetting, this
means that two distinct organizations sharing only one common attribute, their Internet Service Provider
(ISP), can be attached to the Internet with unique IP addresses from an appropriately sized allocation. Yet
those two distinct entities are reachable through the global Internet using only one globally unique
network route. The two concepts discussed here, scalability of address allocations and routing efficiency
through prefix aggregation, are integral aspects of the design of IPv6.
3.1.7
Comparing IPv6 and IPv4 Addressing
IPv6 was designed to provide sufficient numbers of globally unique IP addresses to enable true peer-to-peer communication between nodes on interconnected networks. It was also designed to provide a
simplified hierarchical routing architecture across the Internet backbone, one that does not suffer from
inefficiencies and increasing demands for memory and processing capacities on backbone Internet
routers. Several accommodations have been made to retrofit these concepts onto IPv4, while these same
concepts are native to the IPv6 specification.
IPv6 provides an enormous number of unique addresses, about 3.4 x 10^38 (2^128), compared with IPv4's
roughly 4.3 x 10^9 (2^32). The number of possible IPv6 addresses is so large that many analogies and
metaphors have been created that attempt to convey its magnitude. For example, if each IPv6 address
weighed one gram, all IPv6 addresses together would weigh about 3.4 x 10^35 kilograms, more than
50 billion times the mass of the Earth (roughly 6 x 10^24 kilograms). The available address space under
IPv6 is generally considered to be sufficient for the foreseeable future, even considering the historical
growth of the Internet and the devices expected to connect to it in the future. See Figure 3-5 for a
comparison of IPv4 and IPv6 addressing conventions.
Figure 3-5. A Comparison of IPv4 and IPv6 Addressing [7]
The constraints of IPv4 addressing were major considerations when IPv6 addressing was designed. The
IPv6 addressing architecture is different not only in terms of address length, but also in terms of address
types, address notation, and address aggregation. As discussed in Section 2, as well as later in Sections 3
and 4, each of these differences enables new features in IPv6.
In both IPv4 and IPv6, Dynamic Host Configuration Protocol (DHCP) and the Domain Name System
(DNS) can be used to assign, monitor, administer, and change IP addresses. IPv6 also includes an
autoconfiguration capability for assigning IP addresses to hosts. Due to the smaller amount of address
space available with IPv4, address management was often not complex, with some organizations
manually tracking address assignments. The longer, more complex IPv6 addresses, as well as the much
larger amount of address space, will most likely require the use of address management tools to avoid
errors. In IPv4, it is customary to allocate addresses sequentially, whether they are allocated manually or
using DHCP. In IPv6, with an address space large enough to defeat attackers’ scanning attempts,
addresses should be allocated non-sequentially (e.g., randomly), to preserve that advantage.
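The two ways of filling the 64-bit host ID discussed in Section 3.1 (the EUI-64 interface identifier) and here (non-sequential, random allocation) are shown side by side in the following added Python example, which is not code from SP 800-119. It derives the Modified EUI-64 identifier from a MAC address as RFC 4291 Appendix A describes, shows that the MAC is recoverable from such an address, and draws random interface identifiers that avoid the reserved identifiers of RFC 5453. The sample MAC 00:16:cb:b2:74:74 is constructed so that it reproduces the document's example address; the decisions to clear the universal/local bit (as RFC 4941 does) and to reject random identifiers that would look like EUI-64 are this example's, not the document's.

```python
"""Interface identifiers: Modified EUI-64 (from a MAC) versus random allocation.

Added example for Sections 3.1 and 3.1.7 of SP 800-119; not code from the
document.  The MAC address in the demo is constructed to reproduce the
document's sample address 2001:0db8:9095:02e5:0216:cbff:feb2:7474.
"""
import secrets

_SITE_PREFIX_64 = "2001:0db8:9095:02e5"   # the document's example /64


def modified_eui64(mac):
    """Build the 64-bit interface ID from a 48-bit MAC (RFC 4291, Appendix A).

    The universal/local bit (0x02 of the first octet) is inverted and the two
    octets FF:FE are inserted between the OUI and the device-specific part.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits: %s" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_from_eui64(iid):
    """Recover the MAC from an EUI-64 interface ID, or None if it is not one.

    This is the privacy cost of EUI-64 identifiers: the hardware address is
    readable from the IPv6 address and follows the host between networks.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def is_reserved_iid(iid):
    """True for interface IDs that must not be assigned to a host (RFC 5453).

    Reserved: the Subnet-Router anycast ID (all zeros), the IANA Ethernet
    block 0200:5EFF:FE00:0000 - 0200:5EFF:FEFF:FFFF, and the reserved subnet
    anycast IDs FDFF:FFFF:FFFF:FF80 - FDFF:FFFF:FFFF:FFFF (RFC 2526).
    """
    value = int.from_bytes(iid, "big")
    return (value == 0
            or 0x02005EFFFE000000 <= value <= 0x02005EFFFEFFFFFF
            or 0xFDFFFFFFFFFFFF80 <= value <= 0xFDFFFFFFFFFFFFFF)


def random_iid():
    """Draw an unpredictable 64-bit interface ID for non-sequential allocation.

    Example design choices: the u/l bit is cleared (as RFC 4941 does for
    temporary addresses), identifiers with FF:FE in the middle are rejected so
    the result can never be mistaken for a MAC, and reserved IDs are skipped.
    """
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD                      # clear the universal/local bit
        iid = bytes(iid)
        if iid[3:5] != b"\xff\xfe" and not is_reserved_iid(iid):
            return iid


def iid_text(iid):
    """Render an 8-byte interface ID as four colon-separated hex groups."""
    return ":".join("%04x" % int.from_bytes(iid[i:i + 2], "big")
                    for i in range(0, 8, 2))


def full_address(prefix64, iid):
    """Join a /64 prefix (four groups) and an interface ID into an address."""
    return prefix64 + ":" + iid_text(iid)


if __name__ == "__main__":
    eui = modified_eui64("00:16:cb:b2:74:74")          # constructed sample MAC
    print("EUI-64 address :", full_address(_SITE_PREFIX_64, eui))
    print("  reveals MAC  :", mac_from_eui64(eui))
    print("random address :", full_address(_SITE_PREFIX_64, random_iid()))
```

Run against the document's sample address, mac_from_eui64() returns 00:16:cb:b2:74:74, which is exactly the information an EUI-64 host ID gives away; a random identifier carries nothing recoverable and cannot be predicted by a scanner that has seen its neighbours.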
3.2 IPv6 Address Allocations
IPv6 addresses have a flexible structure for address assignments. This enables registries, ISPs, network
designers, and others to assign address ranges to organizations and networks based on different criteria,
such as size of networks and estimated growth rate. An initial assignment often does not scale well if a
small network grows larger than expected and needs more addresses: the assignment authority may be
unable to extend it with contiguous addresses if the adjacent space was already assigned to another
network. Section 3.2.1 describes address assignment using the leftmost, rightmost, and centermost
strategies; with these methods, organizations can aggregate their IPv6 address allocations efficiently.
Section 3.2.2 explains how organizations can obtain IPv6 address allocations globally through the
regional registry services.
3.2.1 IPv6 Address Assignments
IPv6 network prefix assignment is the first step in network deployment. Understanding the leftmost,
rightmost, and centermost methods described in RFC 3531, A Flexible Method for Managing the
Assignment of Bits of an IPv6 Address Block, helps provide flexibility and efficient aggregation of an
assigned IPv6 block. If assignment is done without foresight, the boundaries between sub-allocations
become difficult to move, and future growth in address use cannot be kept contiguous.
The easiest but least flexible solution is to assign blocks in order from the beginning of the
organization's allocated IPv6 block. For example, if an organization is assigned the prefix
2001:0db8:9095::/48, /64 prefixes can be distributed in simple sequential order:
2001:0db8:9095:0001::/64
2001:0db8:9095:0002::/64
2001:0db8:9095:0003::/64
This is the simplest way to distribute address assignments, but it takes no account of future needs and
does not group networks by site for clean routing aggregation. Additionally, this method makes it
impossible to enlarge an existing network assignment while keeping its address space contiguous: the
next block is already in use by the neighbour.
RFC 3531 proposes a method for managing the assignment of bits of an IPv6 address block or range.
The scheme divides the address into parts p1, p2, p3, ..., pN, in order, so that an address is the
concatenation of these parts. The boundary between each pair of parts is set by the prefix assigned by
the next-level authority. Part p1, the leftmost, is typically held by a registry; p2 might be allocated to
a large ISP or national registry; p3 to a large customer or a smaller provider; and so on. The parts
can be of different lengths.
p1 | p2 | p3 | p4 | ... | pN    (the parts, left to right, make up the IPv6 address)
The algorithm for allocating addresses is as follows: for the leftmost part (p1), assign addresses using
the leftmost bits first; for the rightmost part (pN), assign addresses using the rightmost bits first; and
for all other (center) parts, predefine an arbitrary boundary (prefix) and then assign addresses using
the center bits of that part first.
This algorithm grows the set of assigned bits in such a way that the unassigned bits stay near the
boundaries between parts. This means that the boundary between any two parts can later be moved
forward or backward, up to the bits already assigned. ...
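The three bit-assignment orders described above, applied to the 16-bit subnet-ID field that separates a /48 from its /64 subnets, as an added example that is not code from NIST SP 800-119 or from RFC 3531 (the "rightmost" order reproduces the sequential assignment shown earlier for 2001:0db8:9095::/48). The function and parameter names are this example's own. One assumption is labelled in the code: for an even-width field, "centermost" here starts with the bit just right of centre and alternates outward; RFC 3531's own example should be consulted for the exact order it prescribes.

```python
# Added example, not code from NIST SP 800-119 or RFC 3531: the leftmost,
# rightmost and centermost bit-assignment orders applied to the 16-bit
# subnet-ID field between a /48 and its /64 subnets.
# Assumption: for an even-width field the "centermost" order starts with the
# bit just right of centre and then alternates outward; check RFC 3531's own
# example for the exact order it prescribes.
import ipaddress


def bit_order(width: int, method: str) -> list[int]:
    """Bit positions of a `width`-bit field (0 = leftmost, most significant)
    in the order in which the method consumes them."""
    if method == "leftmost":
        return list(range(width))
    if method == "rightmost":
        return list(range(width - 1, -1, -1))
    if method == "centermost":
        right, left, order = width // 2, width // 2 - 1, []
        for i in range(width):
            if i % 2 == 0:          # even steps walk rightward from the centre
                order.append(right)
                right += 1
            else:                   # odd steps walk leftward from the centre
                order.append(left)
                left -= 1
        return order
    raise ValueError(f"unknown method {method!r}")


def nth_value(n: int, width: int, method: str) -> int:
    """Field value of the n-th allocation (n = 0, 1, 2, ...). The bits of n,
    least significant first, are placed on successive positions taken from
    bit_order(), so the first position in that order toggles fastest."""
    if not 0 <= n < (1 << width):
        raise ValueError("allocation index outside the field")
    value = 0
    for k, pos in enumerate(bit_order(width, method)):
        if (n >> k) & 1:
            value |= 1 << (width - 1 - pos)
    return value


def allocate(prefix: str, field_bits: int, method: str, count: int) -> list[str]:
    """First `count` sub-prefixes carved out of `prefix` with a
    `field_bits`-wide field, e.g. /48 -> /64 for field_bits=16."""
    net = ipaddress.IPv6Network(prefix)
    new_len = net.prefixlen + field_bits
    shift = 128 - new_len               # field sits just below the new prefix length
    base = int(net.network_address)
    return [
        str(ipaddress.IPv6Network((base | (nth_value(n, field_bits, method) << shift), new_len)))
        for n in range(count)
    ]


def free_bits_at_edges(field_bits: int, method: str, count: int) -> tuple[int, int]:
    """(free bits at the left edge, free bits at the right edge) after `count`
    allocations: the distance by which each boundary of the part can still be
    moved without renumbering anything already assigned."""
    needed = (count - 1).bit_length() if count > 0 else 0
    used = bit_order(field_bits, method)[:needed]
    if not used:                        # nothing assigned: every bit is free
        return field_bits, field_bits
    return min(used), field_bits - 1 - max(used)


if __name__ == "__main__":
    for method in ("rightmost", "leftmost", "centermost"):
        print(method)
        for sub in allocate("2001:db8:9095::/48", 16, method, 4):
            print("   ", sub)
        print("    free edge bits after 8 allocations:",
              free_bits_at_edges(16, method, 8))
```

Running it shows the property the text describes: after eight /64 assignments the rightmost order has used bits 13 to 15 of the field (the boundary with the part to the left can still move 13 bits, the one to the right cannot move at all), the leftmost order the mirror image, and the centermost order only bits 7 to 9, leaving 7 free bits on the left edge and 6 on the right so that either neighbouring boundary can still shift.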