Score:1

Server

Are there any additional security considerations to be taken into account when activating IPv6 as opposed to IPv4?

Heinzi

10/6/23, 9:24 AM

As a sysadmin, I'm fairly experienced with IPv4. As such, I feel comfortable configuring firewalls to expose servers/services to the Internet with public IPv4 addresses.

I have a basic understanding of IPv6 addresses and name resolution in IPv6. Also, I understand that I can use TCP, UDP and ICMP in the same way as with IPv4, just with "a longer address", and that, due to the abundance of addresses, NAT is no longer necessary nor recommended (making properly configured firewall rules even more important).

So far, I have not enabled IPv6 for our public web services, since (a) it was not necessary (and, to be honest, it still isn't) and (b) I lack the years of experience I have with IPv4, which makes me less confident to be able to do this without opening some gaping security hole. However, it's 2022, not being available on IPv6 feels a bit embarrassing, and I won't get years of experience if I don't ever start.

In a nutshell, my question is: Can I use my IPv4 knowledge (and the basics mentioned above) to securely make an Internet service available to the public via IPv6, or are there some additional topics that I really should learn about first before "flipping the switch"?

2 + 1

security

tcpip

ipv6

Ron Maupin

10/13/23, 9:29 PM

"_I understand that I can use TCP, UDP and ICMP in the same way as with IPv4, just with 'a longer address'_." You can also use other existing or future protocols that you cannot with IPv4 on the public Internet because IPv4 NAPT only supports TCP, UDP, and ICMP. Many people would love to use SCTP, but NAPT has stifled innovation. QUIC had to be developed on top of UDP because of that, but a future version of QUIC on IPv6 could be its own transport protocol.

Score:2

Server

drookie

10/6/23, 9:33 AM

Can I use my IPv4 knowledge (and the basics mentioned above) to securely make an Internet service available to the public via IPv6

Yup, definitely.

There is, however, one major security consideration when flipping the switch for IPv6 address family: by default IPv6 operates public address prefixes, so you may consider using unique-local (RFC 4193) prefixes for any private LANs (if you have any) behind your routers.

As for public-WAN-connected servers - well, same security/packet filter measures apply.

+ 4

A.B

10/7/23, 3:30 PM

I'd add an often overlooked problem: firewalling all ICMPv6. In IPv4 it's already not great to firewall any ICMP (can at least cause PMTUD problems), but in IPv6 it's fatal since NDP which replaces IPv4's ARP is ICMPv6-based.

drookie

10/7/23, 5:18 PM

Just don’t filter any icmp: filtering icmp is an urban legend, taking its source in the fact that Windows 95 non-OSR2 was known to trap when receiving fragmented icmp frame.

Ron Maupin

10/9/23, 4:00 AM

_[RFC 4890, Recommendations for Filtering ICMPv6 Messages in Firewalls](https://www.rfc-editor.org/rfc/rfc4890)_ explains which ICMPv6 messages should or should not be filtered.

Lasse Michael Mølgaard

10/13/23, 9:07 PM

I wouldn't use unique-local for LAN. It is easier just to configure default deny rule when going from WAN to LAN. I will however enable SLAAC since it makes all hosts with non-static ip address practically immune against discovery through ip address scanning.

Score:1

Server

Dubu

10/13/23, 8:59 PM

One of the most prolific authors in the IPv6 security domain is Fernando Gont. He (co-)authored several RFCs, Internet Drafts and other documents and gives talks on IPv6 in general and IPv6 security. Among his technical reports you have "IPv6 Security for IPv4 Engineers" (PDF) and an "IPv6 Security FAQ" (PDF), both from 2019, that you may find useful.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Are there any additional security considerations to be taken into account when activating IPv6 as opposed to IPv4?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.