Home / Blogs

Best Practices for Implementing IPv6 and Avoiding Traffic Exposures

There has been a lot of discussion lately about the potential for IPv6 to create security issues. While there are definitely some security risks of IPv6 deployment, a carefully considered implementation plan can help mitigate against security risks.

As we approach World IPv6 Launch tomorrow, I thought it prudent to share the below described incident that iDefense recently observed. This incident illustrates the disruptive capability of IPv6 in action and also prompted me to think about what IT professionals need to do to help make sure their network infrastructure is ready for the impending launch of IPv6.

During a recent incident, attackers compromised an organization’s network and were able to activate the IPv6 protocol on the organization’s routers. In this case, as in many enterprises, network and security engineers were not fully monitoring IPv6 traffic within their networks. By using IPv6, the attackers that caused this incident flew completely under the radar and were able to transmit their stolen data unnoticed.

Cases such as these present one of the greatest risks to organizations, but have gone mostly unreported. They also call to light how important it is for administrators to actively monitor IPv6 traffic in their networks just as robustly as IPv4 traffic to better understand specific IPv6 attack vectors and traffic characteristics.

Even if an organization is not planning to implement IPv6, it is in their best interest to deal with IPv6 traffic exposures as soon as possible, as they may already have devices, operating systems and transitional configurations in place on their networks that can make them susceptible to cyber criminals.

The following are some best practices for handling the transition to IPv6 no matter what your migration plan is:

  1. Begin monitoring networks for IPv6 traffic now.
  2. If you’re not monitoring for IPv6, turn off IPv6 everywhere to ensure that there are not any unknown paths through an organization’s network. This includes turning off IPv6 interfaces and tunneling protocols.
  3. Begin thinking about what is required to build the security that organizations need to use IPv6 within the application layer.
  4. Do an IPv6 pilot on a small portion of the network, potentially using a transitional technology.
  5. Develop a plan to transition an entire network to IPv6 incrementally.
  6. Execute the plan once it’s ready but execute quickly once committed to avoid vulnerabilities.
  7. Acquire and test IPv6-aware monitoring and assessment tools.

Has your organization started actively planning for the launch of IPv6?

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign