How Do I Secure My IPv6 Network?

Overview

Securing an IPv6 network requires a comprehensive approach that addresses both traditional networking security concerns and IPv6-specific vulnerabilities. While IPv6 was designed with security improvements like mandatory IPsec support (though rarely used in practice), it also introduces new attack vectors through features like Neighbor Discovery Protocol (NDP), Router Advertisements (RA), and the massive address space that can complicate monitoring.

The Golden Rule: Your IPv6 security policies must achieve parity with your IPv4 security mechanisms—or better. Attackers will exploit whichever protocol has weaker defenses, making dual-stack networks particularly vulnerable if IPv6 security is neglected.

Before implementing security measures, verify your current IPv6 connectivity status using test-ipv6.run to understand your network's baseline configuration.

1. Firewall Configuration for IPv6

Core Principles

IPv6 firewalls must enforce the same security policies as IPv4 while accounting for protocol-specific differences. Many organizations make the critical mistake of implementing robust IPv4 firewalls while leaving IPv6 traffic unfiltered.

Essential Firewall Rules

Default Deny Policy

• Start with an implicit deny-all stance
• Explicitly permit only required IP:port combinations
• Apply rules to both ingress and egress traffic
• Ensure parity between IPv4 and IPv6 rulesets

ICMPv6 Special Handling Unlike IPv4, ICMPv6 is essential for network operations. According to RFC 4890, specific ICMPv6 message types must be permitted:

# Essential ICMPv6 Types (RFC 4890)
Type 1   - Destination Unreachable (allow inbound/outbound)
Type 2   - Packet Too Big (allow inbound/outbound)
Type 3   - Time Exceeded (allow inbound/outbound)
Type 4   - Parameter Problem (allow inbound/outbound)
Type 128 - Echo Request (allow as needed)
Type 129 - Echo Reply (allow as needed)
Type 133 - Router Solicitation (allow on internal networks)
Type 134 - Router Advertisement (filter carefully)
Type 135 - Neighbor Solicitation (allow on local segments)
Type 136 - Neighbor Advertisement (allow on local segments)

Example IPv6 ACL Configuration (Cisco)

ipv6 access-list EDGE-INBOUND
 ! Permit established connections
 permit tcp any any established

 ! Permit essential ICMPv6
 permit icmp any any destination-unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem

 ! Permit specific services
 permit tcp any host 2001:db8::100 eq 443
 permit tcp any host 2001:db8::101 eq 80

 ! Deny Router Advertisements from external sources
 deny icmp any any router-advertisement

 ! Log and deny everything else
 deny ipv6 any any log

! Apply to interface
interface GigabitEthernet0/0
 ipv6 traffic-filter EDGE-INBOUND in

Extension Header Filtering

IPv6 extension headers can be exploited for evasion and DoS attacks. Your edge devices should:

• Enforce recommended extension header order (RFC 8200)
• Limit maximum occurrences of each header type
• Drop packets with excessive or malformed headers
• Log anomalous extension header usage

Border Protection Checklist

• Block all IPv6 traffic at the border if IPv6 is not deployed
• Block IPv6-in-IPv4 tunnels (protocol 41) unless explicitly required
• Filter bogon IPv6 addresses (documentation ranges, reserved space)
• Drop packets with unspecified source addresses (::)
• Block multicast traffic from crossing security boundaries
• Implement ingress/egress filtering (BCP 38/RFC 2827 for IPv6)

2. [Router Advertisement (RA) Guard](ra-guard-explained) Implementation

The Threat

Router Advertisements are the Achilles' heel of IPv6 networks. Because they're unsecured by default, any device can broadcast RAs and:

• Redirect traffic through malicious gateways
• Perform man-in-the-middle attacks
• Cause denial of service by advertising invalid configurations
• Inject malicious DNS servers

RA Guard Deployment

RA Guard operates at Layer 2 on switches to block unauthorized router advertisements from reaching end hosts.

Stateless Mode Configuration (Cisco)

ipv6 nd raguard policy HOST-POLICY
 device-role host

ipv6 nd raguard policy ROUTER-POLICY
 device-role router
 trusted-port

interface range GigabitEthernet1/0/1 - 48
 description Access Ports - End Users
 ipv6 nd raguard attach-policy HOST-POLICY

interface GigabitEthernet1/0/49
 description Uplink to Core Router
 ipv6 nd raguard attach-policy ROUTER-POLICY

Key Implementation Points:

• Deploy RA Guard on all access switches
• Configure ports as either host-facing or router-facing
• Use stateful mode for dynamic learning during initial deployment
• Monitor logs for dropped RAs indicating attack attempts or misconfigurations

Advanced RA Security

For enterprise environments, consider:

• SEcure Neighbor Discovery (SEND) - Uses cryptographic signatures to authenticate RAs (RFC 3971)
• DHCPv6 Guard - Similar protection for DHCPv6 servers
• IPv6 Snooping - Builds a binding table of IPv6 addresses to MAC addresses

3. Neighbor Discovery Protocol (NDP) Security

NDP Vulnerabilities

NDP replaces ARP in IPv6 but inherits similar security weaknesses:

• NDP spoofing - Fake neighbor advertisements redirect traffic
• DAD DoS - Attackers respond to Duplicate Address Detection, preventing legitimate address assignment
• Neighbor table exhaustion - Flooding attacks fill the NDP table

NDP Security Measures

IPv6 Device Tracking

ipv6 neighbor binding vlan 100
ipv6 neighbor binding max-entries 1000
ipv6 neighbor tracking

IPv6 Snooping Configuration

ipv6 snooping policy SNOOPING-POLICY
 security-level guard
 device-role node
 trusted-port

interface range GigabitEthernet1/0/1 - 48
 ipv6 snooping attach-policy SNOOPING-POLICY

Neighbor Advertisement Validation:

• Enable ND inspection to validate source MAC addresses
• Implement binding table limits to prevent exhaustion
• Use gleaning to learn legitimate IPv6-to-MAC mappings
• Monitor for anomalous NDP traffic patterns

Layer 2 Security Best Practices

• Enable IPv6 First-Hop Security (FHS) features
• Implement port security to limit MAC addresses per port
• Use IPv6 RA Guard on all access layer switches
• Deploy IPv6 DHCP Guard on switch ports
• Enable IPv6 Source Guard to prevent address spoofing
• Configure NDP inspection with binding table tracking

4. IPv6 Access Control Lists (ACLs)

ACL Architecture

Unlike IPv4, IPv6 has a unified ACL model—no distinction between standard and extended ACLs. All IPv6 ACLs are named and can match on any combination of headers.

Strategic ACL Placement

Infrastructure Protection ACL

ipv6 access-list INFRASTRUCTURE-PROTECT
 ! Permit BGP from known peers
 permit tcp host 2001:db8:100::1 host 2001:db8:200::1 eq bgp
 permit tcp host 2001:db8:100::1 eq bgp host 2001:db8:200::1

 ! Permit SSH from management network
 permit tcp 2001:db8:mgmt::/48 any eq 22

 ! Permit essential ICMPv6
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any packet-too-big

 ! Deny and log everything else
 deny ipv6 any any log

Anti-Spoofing ACL

ipv6 access-list ANTI-SPOOF
 ! Deny traffic with source from your own prefixes
 deny ipv6 2001:db8::/32 any log

 ! Deny special-use addresses
 deny ipv6 ::/128 any
 deny ipv6 ::1/128 any
 deny ipv6 ::/96 any
 deny ipv6 ::ffff:0.0.0.0/96 any
 deny ipv6 fe80::/10 any

 ! Permit everything else
 permit ipv6 any any

ACL Best Practices

• Use descriptive ACL names that indicate purpose
• Document each ACL entry with inline comments
• Implement ACLs closest to the traffic source
• Review and audit ACLs quarterly
• Use object groups for easier management at scale
• Test ACL changes in lab environment first

5. Monitoring and Logging

What to Log

IPv6 introduces monitoring complexity due to multiple addresses per interface and varying address formats. Comprehensive logging must capture:

Flow Data:

• Source and destination IPv6 addresses (use pkt-srcaddr/pkt-dstaddr fields)
• Protocol and port information
• Packet and byte counts
• Timestamps with microsecond precision

Security Events:

• Dropped packets with deny log entries
• Failed authentication attempts
• Unauthorized RA/DHCP messages
• NDP anomalies and spoofing attempts
• Extension header violations

Logging Infrastructure

NetFlow/IPFIX for IPv6

flow exporter NETFLOW-COLLECTOR
 destination 2001:db8:monitor::10
 transport udp 2055

flow record IPv6-RECORD
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets

interface GigabitEthernet0/0
 ipv6 flow monitor IPv6-FLOW input

Centralized Syslog

logging host ipv6 2001:db8:syslog::1
logging trap informational
logging facility local6
logging source-interface Loopback0

Monitoring Best Practices

• Enable VPC Flow Logs or equivalent for all IPv6 traffic
• Collect IPv6 neighbor table snapshots periodically
• Correlate multiple IPv6 addresses to MAC/user identity
• Monitor for IPv6 tunnel traffic (6to4, Teredo, ISATAP)
• Track prefix delegation and address assignment events
• Alert on ICMPv6 rate anomalies
• Dashboard dual-stack traffic ratios to detect imbalances
• Use SIEM with IPv6-aware correlation rules

Forensic Readiness

IPv6's complexity requires enhanced forensic capabilities:

• Maintain historical IPv6-to-MAC-to-user binding tables
• Normalize IPv6 addresses in logs (expand to full notation)
• Index logs with both compressed and expanded formats
• Retain neighbor discovery cache snapshots
• Document temporary address rotation patterns

6. Security Policy Development

IPv6 Security Framework

Phase 1: Discovery and Assessment

1. Inventory all IPv6-capable devices and systems
2. Identify IPv6 traffic flows (intended and unintended)
3. Audit existing IPv4 security controls for IPv6 gaps
4. Test connectivity at test-ipv6.run

Phase 2: Policy Definition

1. Establish IPv6 security parity with IPv4 as minimum baseline
2. Define acceptable use for IPv6 addresses and protocols
3. Specify transition mechanism policies (tunnels, NAT64, etc.)
4. Document ICMPv6 filtering requirements
5. Create incident response procedures for IPv6 attacks

Phase 3: Implementation

1. Deploy firewall rules and ACLs in audit mode first
2. Enable RA Guard and NDP security on access layer
3. Configure logging and monitoring infrastructure
4. Implement security controls in production
5. Validate with security scanning and penetration testing

Phase 4: Maintenance

1. Review security logs weekly
2. Update threat intelligence for IPv6-specific attacks
3. Audit ACLs and firewall rules quarterly
4. Test incident response procedures semi-annually
5. Reassess security posture annually

Policy Template Checklist

• IPv6 address allocation and assignment policy
• Firewall rule parity between IPv4 and IPv6
• Transition mechanism usage guidelines
• ICMPv6 filtering standards
• Router Advertisement security requirements
• NDP security controls and monitoring
• IPv6 logging and retention requirements
• Incident detection and response procedures
• Vulnerability management for IPv6 stacks
• Compliance mapping (NIST, ISO 27001, etc.)

7. Layer 2 vs Layer 3 Security

Layer 2 Security (Access Layer)

Primary Focus: First-Hop Security

Layer 2 attacks in IPv6 primarily target the Neighbor Discovery Protocol and Router Advertisements. These occur within the same broadcast domain and can compromise entire network segments.

Critical Layer 2 Controls:

• RA Guard to prevent rogue router advertisements
• IPv6 Snooping to build trusted binding tables
• DHCPv6 Guard to protect against rogue DHCP servers
• NDP Inspection to validate address resolution
• Port Security to limit addresses per physical port
• DAD (Duplicate Address Detection) protection

Layer 2 Implementation Priority: Deploy these controls on access switches where end-user devices connect. This is your first and most critical line of defense against local attacks.

Layer 3 Security (Network/Border)

Primary Focus: Traffic Filtering and Segmentation

Layer 3 security controls traffic between subnets, VLANs, and across network boundaries. This is where traditional firewall and ACL policies are enforced.

Critical Layer 3 Controls:

• Stateful firewalls with IPv6 awareness
• Access Control Lists (ACLs) on routers and L3 switches
• Route filtering to prevent prefix hijacking
• Anti-spoofing with uRPF (Unicast Reverse Path Forwarding)
• Border gateway filtering
• Extension header validation

Defense-in-Depth Strategy:

Internet Border
├─ Layer 3: Border firewall with strict ingress/egress filtering
│
Campus Core
├─ Layer 3: ACLs between security zones
│
Distribution Layer
├─ Layer 3: Inter-VLAN routing with filtering
├─ Layer 2: RA Guard enabled
│
Access Layer (Critical)
└─ Layer 2: Full FHS suite (RA Guard, Snooping, NDP Inspection)

The most effective IPv6 security posture combines both layers—Layer 2 controls prevent local attacks within segments, while Layer 3 controls manage traffic between segments and to external networks.

Testing and Validation

Connectivity Verification

After implementing IPv6 security controls:

1. Test basic connectivity: Visit test-ipv6.run from different network segments to verify dual-stack operation
2. Verify dual-stack operation: Ensure both IPv4 and IPv6 work correctly
3. Validate DNS resolution: Test AAAA record lookups
4. Check latency: Compare IPv4 vs IPv6 performance

Security Testing

• Attempt to send rogue RAs from unauthorized ports
• Test NDP spoofing detection mechanisms
• Validate firewall rule effectiveness with security scanners
• Conduct IPv6-specific penetration testing
• Verify logging captures security events correctly

Common Pitfalls to Avoid

1. Forgetting IPv6 exists - The most common vulnerability is simply ignoring IPv6 while focusing only on IPv4
2. Blocking all ICMPv6 - This breaks path MTU discovery and neighbor discovery
3. Not deploying RA Guard - Leaves networks vulnerable to trivial local attacks
4. Inconsistent dual-stack policies - Attackers exploit the weaker protocol
5. Neglecting logging - IPv6 incidents can't be investigated without proper logs
6. Trusting IPv6 privacy extensions for security - They provide privacy, not security

Conclusion

Securing an IPv6 network requires diligent implementation of controls at both Layer 2 and Layer 3, comprehensive monitoring, and policies that achieve parity with existing IPv4 security measures. The expanded address space and new protocols like NDP introduce novel attack vectors that demand IPv6-specific defenses.

Start with the fundamentals: deploy RA Guard on access switches, implement firewall rules with proper ICMPv6 handling, and establish comprehensive logging and monitoring. Build from there with NDP security, ACLs, and continuous monitoring.

Remember that IPv6 security is not optional—dual-stack networks are only as secure as their weakest protocol. Attackers will find and exploit IPv6 if it's left unprotected.

Next Steps:

1. Assess your current IPv6 security risks
2. Test your connectivity at test-ipv6.run
3. Implement Layer 2 First-Hop Security on access switches
4. Establish firewall rule parity between IPv4 and IPv6
5. Deploy comprehensive logging and monitoring
6. Create incident response procedures for IPv6-specific attacks

---

References:

• RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls
• RFC 6105 - IPv6 Router Advertisement Guard
• RFC 7113 - Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
• RFC 9099 - Operational Security Considerations for IPv6 Networks
• NIST SP 800-119 - Guidelines for the Secure Deployment of IPv6
• DoD IPv6 Security Guidance (2023)