We are approaching the end of this 10 part series on the most common IPv6 security myths. Now it’s time to turn our eyes away from security risks to focus a bit more on security resources. Today’s myth is actually one of the most harmful to those who hold it. If you believe that there is no good information out there, it’s nearly impossible to find that information. So let’s get down to it and dispel our 9th myth. We’ll start by looking at a few of the high level principles and then look at a selection of resources, which contain much more detail.
Myth: There are no IPv6 Security BCPs yet
Reality: There are!
Many security standards don’t discuss IPv6 specifically. However, any general guideline related to IP likely applies to both versions – many security policies are (and should be) higher level. We saw this in Myth’s #2 and #7 to some extent and it’s also evident below, as many of these security practices apply to both IPv6 and IPv4.
Here are a few of the key principles to keep your IPv6 network secure:
- Perform IPv6 filtering at the perimeter
- Use RFC2827 (BCP38) and RFC3704 (BCP84) ingress filtering throughout the network
- Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used
- Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec)
- Strive to achieve equivalent protections for IPv6 as with IPv4
- Continue to let vendors know what you expect in terms of IPv6 security features
Myth: There are no IPv6 Security Resources available
Reality: There are!
The BCPs above are really just the tip of the iceberg when it comes to all the things you need to know to securely deploy IPv6. For a deeper dive on how to actually execute on these high level policies you’ll want to do some more reading. Here are a couple of the best IPv6 security resources I’m aware of. Read them and you’re well on your way to being a true IPv6 security expert!
- IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009
- CPNI Viewpoint: Security Implications of IPv6
- Operational Security Considerations for IPv6 Networks
- IPv6 Hackers is a forum for IPv6 security researchers and networking pros
- Deploy360 has a section specifically on IPv6 Security
- Search engines are your friends! There’s lots more info out there!
What are your favorite IPv6 security resources? Leave a comment!