IPv6 Security Considerations and Recommendations

Published: February 27, 2006 | Updated: August 31, 2011

Writer: Joe Davies


Internet Protocol version 6 (IPv6) provides many benefits over Internet Protocol version 4 (IPv4). However, before deploying IPv6 you should be aware of additional security considerations. This article describes each of these security considerations in detail and provides Microsoft® recommendations and best practices for mitigating the potential risks associated with IPv6 traffic.

IPv6 Security Considerations

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits, as described in Development and Deployment of IPv6: Good for Internet, Technology. However, deploying IPv6 can introduce the following security considerations to your network:

  • Authorization for automatically assigned addresses and configurations

  • Protection of IP packets

  • Control of what traffic is exchanged with the Internet

This article describes each of these security considerations in detail and provides Microsoft recommendations and best practices for computers running Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.

Authorization for Automatically Assigned Addresses and Configurations

After gaining access to the network, any computer can obtain a valid IPv6 address configuration and begin communicating on the network. IPv6 hosts can use the following methods to obtain an IP address configuration:

  • An exchange of Router Solicitation and Router Advertisement messages as defined in RFC 4861

    For Neighbor Discovery-based IPv6 configuration, SEcure Neighbor Discovery (SEND) (described in RFC 3971) can provide protection for Router Solicitation and Router Advertisement messages. SEND can also be used to provide protection for Neighbor Solicitation and Neighbor Advertisement message exchanges for address resolution or neighbor unreachability detection, providing protection against Neighbor Discovery-based denial of service (DoS) attacks by nodes with statically configured IPv6 addresses. In contrast, there is no mitigation against Address Resolution Protocol (ARP) DoS attacks for IPv4. However, Microsoft does not support SEND in any version of Windows.

  • Dynamic Host Configuration Protocol for IPv6 (DHCPv6) defined in RFC 3315

    RFC 3118 defines a method to provide authentication for DHCP message exchanges for IPv6 or IPv4 DHCP-based configuration. Windows XP and Windows Server 2003 do not support DHCPv6-based IPv6 address configuration. Microsoft supports DHCPv6 in Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008. However, Microsoft does not support RFC 3118.

Another configuration consideration is that IPv6 nodes will configure additional routes and addresses based on received Router Advertisement messages. A malicious node could configure local hosts with improper addresses and routes and disrupt IPv6-based network connectivity. However, IPv6 nodes that support RFC 4191 can detect unreachable routes and prevent them from being added to the IPv6 routing table. IPv6 in Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP supports RFC 4191.

Microsoft Recommendations and Best Practices

To prevent unauthorized computers from communicating on private networks, Microsoft recommends that you use IEEE 802.1X authentication to authenticate all computers that are connecting to your network with wired or wireless connections. With IEEE 802.1X-based authentication at the link layer, computers cannot send any network traffic until they have authenticated themselves to a switch or wireless access point. Only after a successful IEEE 802.1X authentication can an IPv6-based computer use address autoconfiguration protocols such as Neighbor Discovery or DHCPv6 to obtain an automatically assigned IPv6 address configuration.

For information about configuring 802.1X authentication for wired or wireless connections, see the following resources:

In Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, and Windows XP with Service Pack 3, Network Access Protection (NAP) provides additional protection for 802.1X-authenticated connections by requiring that computers meet system health requirements before obtaining a connection that allows unlimited access to the intranet.

For more information about NAP, see the Network Access Protection Web site.

Protection of IP Packets

To help protect IP packets from tampering (data modification) and interpretation (passive capturing) by intermediate or neighboring nodes, IP packets can be protected with Internet Protocol security (IPsec). IPsec uses cryptographic security services to provide tampering protection, spoofing protection, and optional encryption for IP packets. IPsec is defined in RFCs 4301-4303 for both IPv4 and IPv6 traffic.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 provide full support for IPsec for both IPv4 and IPv6 with negotiation of security associations using Internet Key Exchange (IKE) and Authenticated IP (AuthIP), automatic determination of cryptographic keys, and a graphical user interface to configure IPsec policy settings. You can configure IPsec policy settings for IPv4 or IPv6 as part of Computer Configuration Group Policy and easily propagate common IPsec policy settings throughout an organization that uses the Active Directory® directory service.

Windows Server 2003 and Windows XP provide only limited support for IPsec for IPv6 using a command-line tool to manually configure IPsec security policies, security associations, and keys. Unlike IPsec for IPv4, IPsec for IPv6 in Windows XP and Windows Server 2003 is not centrally configurable and deployable.

Microsoft Recommendations and Best Practices

Use the IPsec support in Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 to protect your IPv6 traffic. Additionally, the NAP platform supports IPsec-protected IPv4 or IPv6 communications between computers that can prove their system health.

Although IPsec for IPv6 support is limited in Windows XP and Windows Server 2003, you can leverage IPsec for IPv4 in Windows to protect tunneled IPv6 private network traffic. To aid in the transition from IPv4 to IPv6, IPv6 transition technologies such as Intrasite Automatic Tunnel Addressing Protocol (ISATAP) and Teredo provide IPv6 connectivity between IPv6/IPv4 hosts that are separated by an IPv4 infrastructure through tunneling. For more information, see IPv6 Transition Technologies. Tunneled IPv6 traffic can be encapsulated in the following ways:

  • Using an IPv4 header

    ISATAP traffic is IPv6 traffic tunneled using an IPv4 header that has the IP Protocol field set to 41. To protect ISATAP traffic, configure IPsec for IPv4 policy settings to protect all traffic with the IP protocol set to 41.

  • Using an IPv4 header and a UDP header

    Teredo traffic is IPv6 traffic tunneled using an IPv4 header and UDP port 3544. To protect Teredo traffic, configure IPsec for IPv4 policy settings to protect all traffic with the source or destination UDP port set to 3544.

For more information about IPsec support in Windows, see the Microsoft IPsec Web site.

Control of What Traffic is Exchanged with the Internet

To prevent unwanted traffic from the Internet, organizations typically deploy edge firewalls or proxies and intrusion detection systems (IDSs). These security devices attempt to ensure that an attacker's traffic from the Internet cannot penetrate to the private network, such as when a host on the private network is compromised by malware and becomes reachable by malicious users on the Internet. Because not all of these security devices are currently IPv6-capable, there are additional security risks for IPv6 traffic.

For example, an edge firewall or proxy device that is not aware of IPv6 or IPv6 tunneled traffic could pass that traffic to and from the Internet, creating a conduit for attacks from the Internet. However, the following behaviors mitigate this threat:

  • To exchange tunneled packets with hosts on the IPv4 Internet, the edge device must forward outbound IPv4-based UDP traffic or IPv4 protocol 41 packets to the Internet. Otherwise, the traffic for current IPv6 tunneling mechanisms (such as ISATAP or Teredo) will not be able to traverse IPv4 edge firewalls to the Internet. However, most modern IPv4-based firewall products for large organizations drop all outbound IPv4-based UDP traffic and IPv4 protocol 41 packets by default.

  • The application or service that is being attacked must be IPv6-capable. In Windows XP and Windows Server 2003, many network applications and services are not IPv6-capable and only work over IPv4. In Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008, almost all network applications and services are IPv6-capable. IPv6 support for Windows applications and services will change over time, but IPv6 awareness in edge devices will also change to keep pace.

As another example, an IDS that has been configured to detect the traffic associated with common attacks and malicious behavior for IPv4 might not be able to detect similar traffic when it is sent over IPv6.

Microsoft Recommendations and Best Practices

To prevent unwanted and unauthorized IPv6 traffic from the Internet, you can do the following:

  • To prevent intranet hosts from using any IPv6-over-IPv4 tunneled traffic to reach the Internet, configure your IPv4-based edge firewall to drop all outbound IPv4 protocol 41 packets. To prevent Internet hosts from using any IPv6-over-IPv4 tunneled traffic to reach intranet hosts, configure your IPv4-based edge firewall to drop all inbound IPv4 protocol 41 packets.

  • Upgrade your edge firewall, proxy, and IDS to include IPv6 and tunneled IPv6 functionality.

  • If your private network computers must communicate with hosts on the IPv6 portion of the Internet, upgrade your edge firewall between your private network and the IPv6 portion of the Internet to support stateful IPv6 firewalling.

  • Deploy ISATAP correctly on your private network so that default route traffic is never forwarded to the IPv4 Internet. Default route traffic from ISATAP hosts on the IPv4 portion of your network should be forwarded to an ISATAP router, which is connected to both the IPv4 and IPv6 portions of your private network. The default route on the ISATAP router should point to the IPv6-capable portion of your private network.

  • If your ISATAP router and edge firewall are the same device, ensure that the device's default route for IPv6 traffic points to the IPv6 portion of your network, not to the IPv4 Internet.

  • If your ISATAP router and edge firewall are different devices, configure your IPv4-based edge firewall to silently discard all IPv4 traffic with the IP Protocol field set to 41 on the interface attached to the private network. This will prevent IPv4 Internet connectivity to ISATAP hosts on the private network.

  • If the ISATAP hosts on your private network must communicate with hosts on the IPv6 portion of the Internet, upgrade your edge firewall between your private network and the IPv6 portion of the Internet to support stateful IPv6 firewalling.

  • To prevent private network hosts from using Teredo traffic to reach locations on the Internet, configure your IPv4-based edge firewall to silently discard all IPv4 traffic with the source or destination UDP port of 3544 on the interface attached to the private network. This will prevent Internet connectivity to Teredo hosts on the private network.
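The firewall recommendations above and the IPsec guidance under Protection of IP Packets rely on the same two match conditions: the IPv4 Protocol field set to 41 (ISATAP) and a source or destination UDP port of 3544 (Teredo). The following added example, which is not code from the original article or from Microsoft, applies those conditions to raw IPv4 packets; the function names, sample packets and documentation addresses are constructed for illustration.

```python
import struct

PROTO_IPV6_IN_IPV4 = 41   # IP Protocol value the article gives for ISATAP
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544    # UDP port the article gives for Teredo

def classify_ipv4_packet(pkt: bytes):
    """Return 'protocol-41', 'teredo' or None for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                # header length, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    if pkt[9] == PROTO_IPV6_IN_IPV4:
        return "protocol-41"                 # field is present on every fragment
    if pkt[9] == PROTO_UDP:
        frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        if frag_offset or len(pkt) < ihl + 4:
            return None                      # later fragments carry no UDP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_UDP_PORT in (sport, dport):
            return "teredo"
    return None

def edge_action(pkt: bytes) -> str:
    """Decision of an edge filter that follows the recommendations above."""
    return "drop" if classify_ipv4_packet(pkt) else "allow"

# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv4(proto, payload, options=b"", frag_offset=0):
    ver_ihl = (4 << 4) | (5 + len(options) // 4)
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total, 0, frag_offset,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + options + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = {
    "isatap": ipv4(PROTO_IPV6_IN_IPV4, b"\x60" + bytes(39)),
    "teredo_out": ipv4(PROTO_UDP, udp(51000, 3544)),
    "teredo_in_with_options": ipv4(PROTO_UDP, udp(3544, 51000), options=b"\x01" * 4),
    "dns": ipv4(PROTO_UDP, udp(51000, 53)),
    "udp_later_fragment": ipv4(PROTO_UDP, udp(51000, 3544), frag_offset=1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {classify_ipv4_packet(pkt)!s:12} {edge_action(pkt)}")
```

The sample with IPv4 options shows why the UDP ports must be read at the offset given by the header length field rather than at a fixed byte 20.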

Summary

When deploying IPv6 on your network, you should be aware of the following security considerations: authorization for automatically assigned addresses and configurations, protection of IP packets, and control of what traffic is exchanged with the Internet. In many cases, these security considerations also exist for IPv4 traffic. For most of these security considerations, there are mitigation technologies or best practices to minimize the potential risks of IPv6 traffic in current versions of Windows.

For More Information

See the following resources for more information: