As our members roll out IPv6 on our Cloud Platform, I thought it would be a good idea to share some of our findings that will help make jumping into the IPv6 universe easier for you. Hopefully, this saves you some time and effort in your IPv6 deployment.
Most people deploying IPv6 are using dual-stack implementations – meaning they have IPv4 and IPv6 running and allowing traffic on both types of network addresses. We assume you’re already familiar with IPv4 and are now looking to start using IPv6.
The goal of this article is to educate you about some potential pitfalls before you enable IPv6. Please take the following into account before enabling IPv6:
- Enabling IPv6 could bypass your security posture entirely. IPv6 is an entirely different network with different addresses, so rules and security products that only inspect IPv4 traffic may never see IPv6 traffic at all. For example, in Linux typical port filtering is done using iptables, which is only for IPv4; to secure IPv6 you need to use ip6tables. In addition, you have to be careful how you route traffic, as it may go across an unintended interface. Make sure you have a well-thought-out plan involving all your devices and security products before enabling IPv6.
- IPv6 has no broadcast capability like IPv4! Don’t block multicast or you may run into weird, intermittent issues that can be confusing to debug. IPv6 only supports multicast, unicast, and anycast. It’s important to understand a lot of broadcast type traffic has been reimagined into IPv6 multicast.
- ICMP in IPv6 (ICMPv6) is reimagined as well. It’s totally different than the prior version with lots of new features, functionality, and capabilities. It is a good idea to get up-to-speed on the changes or at least understand that ICMP is different under IPv6.
- IPv6 is not necessarily more secure than IPv4. This myth probably persists because IPsec is built into IPv6, versus a bolt-on for IPv4 (meaning not universal to IPv4). Just because IPsec is supported, doesn’t mean that it’s in use. Plus, it doesn’t stop other types of attacks (like application layer). So just because you’re using IPv6 doesn’t mean you’re “more secure”, or that you don’t need to worry about security because you’re using IPv6.
- Conversely, because of the large amount of address space in IPv6, NAT (network address translation) isn’t needed. This doesn’t mean that IPv6 is less secure because you’re not sitting behind a NAT device, as purely relying on a NAT device for security is problematic. IPv6 probably makes it more evident that relying on NAT devices for security (which were created to deal with the limited address space of IPv4) is not a good idea.
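To make the iptables/ip6tables point from the first bullet concrete, here is an added example (not part of the original article) that compares `iptables-save` and `ip6tables-save` output. It goes slightly beyond the bullets by also checking that a default-deny IPv6 policy still accepts ICMPv6 neighbor discovery (types 135 and 136); the rulesets and function names are constructed for illustration.

```python
import re

# Constructed samples in `iptables-save` / `ip6tables-save` format (not from a real host).
V4_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
V6_OPEN = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
V6_NO_ND = V6_OPEN.replace(":INPUT ACCEPT", ":INPUT DROP").replace(":FORWARD ACCEPT", ":FORWARD DROP")

ND_TYPES = {135, 136}  # neighbor solicitation / advertisement (IPv6's replacement for ARP)

def filter_policies(save_text):
    """Return {built-in chain: default policy} from the filter table of a *-save dump."""
    table = re.search(r"^\*filter\n(.*?)^COMMIT", save_text, re.S | re.M)
    return dict(re.findall(r"^:(\S+) (ACCEPT|DROP) ", table.group(1), re.M)) if table else {}

def accepted_icmpv6_types(save_text):
    """ICMPv6 types accepted on INPUT; numeric types only, other match options are ignored."""
    types = set()
    for line in save_text.splitlines():
        if line.startswith("-A INPUT ") and line.endswith("-j ACCEPT") \
                and re.search(r"-p (ipv6-icmp|icmpv6)\b", line):
            m = re.search(r"--icmpv6-type (\d+)", line)
            types |= {int(m.group(1))} if m else ND_TYPES  # no type given: all ICMPv6 accepted
    return types

def audit(v4_text, v6_text):
    """List places where the IPv6 ruleset is weaker than IPv4 or breaks neighbor discovery."""
    v4, v6 = filter_policies(v4_text), filter_policies(v6_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if v4.get(chain) == "DROP" and v6.get(chain) != "DROP":
            findings.append(f"{chain}: IPv4 policy DROP, IPv6 policy {v6.get(chain, 'missing')}")
    missing = sorted(ND_TYPES - accepted_icmpv6_types(v6_text))
    if v6.get("INPUT") == "DROP" and missing:
        findings.append(f"INPUT: IPv6 policy DROP but ICMPv6 types {missing} not accepted")
    return findings

if __name__ == "__main__":
    for name, v6 in (("open", V6_OPEN), ("no-nd", V6_NO_ND)):
        print(name, audit(V4_RULES, v6))
```

On a real host, pass the captured output of `iptables-save` and `ip6tables-save` to `audit()` in place of the sample strings.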
Hopefully, this article has inspired you to become more familiar with IPv6 and the promise it has. As IPv6 adoption grows due to a dwindling supply of IPv4 address space, we expect IPv6 will become the de facto standard when deploying new devices, especially in the era of the Internet of Things.
Below are a few links that you might find useful to check out next:
How To Enable And Configure IPv6 For A Cloud Server:
Differences between IPv4 and IPv6:
IPv6 Security FAQ: