Operational Security Considerations for IPv6 Networks

IPv6 address allocations and overall architecture are an important part of securing IPv6. Initial designs, even if intended to be temporary, tend to last much longer than expected. Although initially IPv6 was thought to make renumbering easy, in practice it may be extremely difficult to renumber without a proper IP Address Management (IPAM) system. introduces the mechanisms that could be utilized for IPv6 site renumbering and tries to cover most of the explicit issues and requirements associated with IPv6 renumbering. A key task for a successful IPv6 deployment is to prepare an addressing plan. Because an abundance of address space is available, structuring an address plan around both services and geographic locations allow address space to become a basis for more structured security policies to permit or deny services between geographic regions. documents some operational considerations of using different prefix size for address assignments to end sites. A common question is whether companies should use Provider Independent (PI) vs Provider Allocated (PA) space , but from a security perspective there is little difference. However, one aspect to keep in mind is who has administrative ownership of the address space and who is technically responsible if/when there is a need to enforce restrictions on routability of the space, e.g., due to malicious criminal activity originating from it. Relying on PA address may also force the use of NPTv6 and therefore augmenting the complexity of the operations including the security operations. In , it is recommended that IPv6 network deployments provide multiple IPv6 addresses from each prefix to general-purpose hosts and it specifically does not recommend limiting a host to only one IPv6 address per prefix. It also recommends that the network give the host the ability to use new addresses without requiring explicit requests (for example by using SLAAC). Having by default multiple IPv6 addresses per interface is a major change compared to the unique IPv4 address per interface for hosts (secondary IPv4 addresses are not common); especially for audits (see section ).

Unique Local Addresses (ULAs) are intended for scenarios where interfaces are not globally reachable, despite being routed within a domain. They formally have global scope, but specifies that they must be filtered at domain boundaries. ULAs are different from addresses and have different use cases. One use of ULA is described in , another one is for internal communication stability in networks where external connectivity may came and go (e.g., some ISPs provide ULAs in home networks connected via a cable modem).

in section 5.1 specifies the rationale of using /127 for inter-router point-to-point links; a /127 prevents the ping-pong attack between routers not correctly implementing and also prevents a DoS attack on the neighbor cache. The previous recommendation of has been obsoleted and marked Historic by ). Some environments are also using link-local addressing for point-to-point links. While this practice could further reduce the attack surface of infrastructure devices, the operational disadvantages also need to be carefully considered; see also .

Many operators reserve a /64 block for all loopback addresses in their infrastructure and allocate a /128 out of this reserved /64 prefix for each loopback interface. This practice facilitates configuration of Access Control List (ACL) rules to enforce a security policy for those loopback addresses

When considering how to assign stable addresses (either by static configuration or by pre-provisioned DHCPv6 lease ), it is necessary to take into consideration the effectiveness of perimeter security in a given environment. There is a trade-off between ease of operation (where some portions of the IPv6 address could be easily recognizable for operational debugging and troubleshooting) versus the risk of trivial scanning used for reconnaissance. shows that there are scientifically based mechanisms that make scanning for IPv6 reachable nodes more feasible than expected; see also . Stable addresses also allow easy enforcement of a security policy at the perimeter based on IPv6 addresses. is a mechanism where the perimeter defense can retrieve security policy template based on the type of internal device. The use of well-known IPv6 addresses (such as ff02::1 for all link-local nodes) or the use of commonly repeated addresses could make it easy to figure out which devices are name servers, routers, or other critical devices; even a simple traceroute will expose most of the routers on a path. There are many scanning techniques possible and operators should not rely on the 'impossible to find because my address is random' paradigm (a.k.a. "security by obscurity"), even if it is common practice to have the stable addresses randomly distributed across /64 subnets and to always use DNS (as IPv6 addresses are hard to remember for the human brains). While in some environments obfuscating addresses could be considered an added benefit, it does not preclude enforcement of perimeter rules and that stable addresses follow some logical allocation scheme for ease of operation (as simplicity always helps security). Typical deployments will have a mix of stable and non-stable addresses; the stable addresses being either predicatable (e.g., ::25 for a mail server) or obfuscated (i.e., appearing as a random 64-bit number).

Historically, stateless address autoconfiguration (SLAAC) makes up the globally unique IPv6 address based on an automatically generated 64-bit interface identifier (IID) based on the EUI-64 MAC address combined with the /64 prefix (received in the Prefix Information Option (PIO) of the Router Advertisement (RA)). The EUI-64 address is generated from the stable 48-bit MAC address and does not change even if the host moves to another network; this is of course bad for privacy as a host (and its associated user) can be traced from network (home) to network (office or Wi-Fi in hotels)... recommends against the use of EUI-64 addresses and it must be noted that most host operating systems do not use EUI-64 addresses anymore and rely on either or . Randomly generating an interface ID, as described in , is part of SLAAC with so-called privacy extension addresses and is used to address some privacy concerns. Privacy extension addresses, a.k.a., temporary addresses may help to mitigate the correlation of activities of a node within the same network and may also reduce the attack exposure window. But using privacy extension addresses might prevent the operator from building host specific access control lists (ACLs). The privacy extension addresses could also be used to obfuscate some malevolent activities and specific user attribution/accountability procedures should be put in place as described in . combined with the address generation mechanism of specifies another way to generate an address while still keeping the same IID for each network prefix; this allows SLAAC nodes to always have the same stable IPv6 address on a specific network while having different IPv6 addresses on different networks. In some specific use cases where user accountability is more important than user privacy, network operators may consider disabling SLAAC and relying only on DHCPv6; but not all operating systems support DHCPv6 so some hosts will not get any IPv6 connectivity. Disabling SLAAC and privacy extension addresses can be done for most operating systems by sending RA messages with a hint to get addresses via DHCPv6 by setting the M-bit but also disabling SLAAC by resetting all A-bits in all prefix information options. However, attackers could still find ways to bypass this mechanism if not enforced at the switch/router level. However, in scenarios where anonymity is a strong desire (protecting user privacy is more important than user attribution), privacy extension addresses should be used. When is available, the stable privacy address is probably a good balance between privacy (among different networks) and security/user attribution (within a network).

Even if the use of DHCP is not mandated by , some environments use DHCPv6 to provision addresses and other parameters in order to ensure auditability and traceability (see ) for the limitations of DHCPv6 for auditability. A main security concern is the ability to detect and counteract rogue DHCP servers (). It must be noted that as opposed to DHCPv4, DHCPv6 can lease several IPv6 addresses per client. For DHCPv4, the lease is bond to the 'client identifier', which may contain a hardware address, or it may contain another type of identifier, such as a DNS name. For DHCPv6, the lease is bound to the client DHCP Unique ID (DUID) which is also not always bound to the client link-layer address. describes the privacy issues associated with the use of DHCPv6 by Internet users. The anonymity profiles are designed for clients that wish to remain anonymous to the visited network. recommends that DHCPv6 servers issue addresses randomly from a large pool. While there are no fundamental differences with IPv4 and IPv6 DNS security concerns, there are specific considerations in DNS64 environments that need to be understood. Specifically, the interactions and the potential of interference with DNSSEC () implementation need to be understood - these are pointed out in more detail in .

An interesting approach is using a /64 per host as proposed in especially in a shared environment. This allows for easier user attribution (typically based on the host MAC address) as its /64 prefix is stable even if applications within the host can change their IPv6 address within this /64 prefix.

Beside the security aspects of IPv6 addresses, there are also privacy considerations: mainly because they are of global scope and visible globally. goes into more detail on the privacy considerations for IPv6 addresses by comparing the manually configured IPv6 address, DHCPv6 or SLAAC.

Extension headers are an important difference between IPv4 and IPv6. In IPv4-based packets, it's trivial to find the upper layer protocol type and protocol header, while in IPv6 it is more complex since the extension header chain must be parsed completely (even if not processed) in order to find the upper layer protocol header. IANA has closed the existing empty "Next Header Types" registry to new entries and is redirecting its users to a new "IPv6 Extension Header Types" registry per . Extension headers have also become a very controversial topic since forwarding nodes that discard packets containing extension headers are known to cause connectivity failures and deployment problems . Understanding the role of varying extension headers is important and this section enumerates the ones that need careful consideration. A clarification on how intermediate nodes should handle packets with existing or future extension headers is found in . The uniform TLV format to be used for defining future extension headers is described in . Sections 5.2 and 5.3 of provide more information on the processing of extension headers by IPv6 nodes. It must also be noted that there is no indication in the IPv6 packet as to whether the Next Protocol field points to an extension header or to a transport header. This may confuse some filtering rules. There is IETF work in progress regarding filtering rules for those extension headers: for transit routers.

While recommends the order and the maximum repetition of extension headers, there are still IPv6 implementations, at the time of writing, which support a non-recommended order of headers (such as ESP before routing) or an illegal repetition of headers (such as multiple routing headers). The same applies for options contained in the extension headers (see ). In some cases, it has led to nodes crashing when receiving or forwarding wrongly formatted packets. A firewall or edge device should be used to enforce the recommended order and the maximum of occurrences of extension headers.

In the previous IPv6 specification , the hop-by-hop options header, when present in an IPv6 packet, forced all nodes to inspect and possibly process this header. This enabled denial-of-service attacks as most, if not all, routers can not process this kind of packet in hardware but have to process this packet in software hence competing with other software tasks such as handling the control and management planes. Section 4.3 of the current Internet Standard for IPv6, , has taken this attack vector into account and made the processing of hop-by-hop options header by intermediate routers explicitly configurable.

The fragment header is used by the source (and only the source) when it has to fragment packets. and section 4.5 of explain why it is important that: Firewall and security devices should drop first fragments that do not contain the entire ipv6 header chain (including the transport-layer header); Destination nodes should discard first fragments that do not contain the entire ipv6 header chain (including the transport-layer header). If those requirements are not met, stateless filtering could be bypassed by a hostile party. applies a stricter rule to Neighbor Discovery Protocol (NDP) by enforcing the drop of fragmented NDP packets. describes how the RA-guard function described in should behave in the presence of fragmented RA packets.

The IPsec [RFC4301] extension headers (AH and ESP) are required if IPsec is to be utilized for network level security. But IPsec is no more required for normal IPv6 nodes: in the updated IPv6 Nodes Requirement standard <xref target="RFC8504"/> IPsec is a 'SHOULD' and not a 'MUST' implement.

IPv6 relies heavily on NDP to perform a variety of link operations such as discovering other nodes on the link, resolving their link-layer addresses, and finding routers on the link. If not secured, NDP is vulnerable to various attacks such as router/neighbor message spoofing, redirect attacks, Duplicate Address Detection (DAD) DoS attacks, etc. Many of these security threats to NDP have been documented in IPv6 ND Trust Models and Threats and in . NDP has even issues when the attacker is off-link see the section below ; but, most of the issues are only when the attacker is on the same link.

Neighbor Discovery Protocol (NDP) can be vulnerable to remote denial of service (DoS) attacks; for example, when a router is forced to perform address resolution for a large number of unassigned addresses, i.e., a neighbor cache exhaustion attack. This can keep new devices from joining the network or render the last hop router ineffective due to high CPU usage. Easy mitigative steps include rate limiting Neighbor Solicitations, restricting the amount of state reserved for unresolved solicitations, and clever cache/timer management. discusses the potential for off-link DoS in detail and suggests implementation improvements and operational mitigation techniques that may be used to mitigate or alleviate the impact of such attacks. Here are some feasible mitigation options that can be employed by network operators today: Ingress filtering of unused addresses by ACL. These require stable configuration of the addresses; for example, allocating the addresses out of a /120 and using a specific ACL to only allow traffic to this /120 (of course, the actual hosts are configured with a /64 prefix for the link). Tuning of NDP process (where supported). Using /127 on point-to-point link per . Using link-local addresses only on links where there are only routers see

Router Advertisement spoofing is a well-known on-link attack vector and has been extensively documented. The presence of rogue RAs, either unintentional or malicious, can cause partial or complete failure of operation of hosts on an IPv6 link. For example, a host can select an incorrect router address which can be used as on-path attack or can assume wrong prefixes to be used for SLAAC. summarizes the scenarios in which rogue RAs may be observed and presents a list of possible solutions to the problem. (RA-Guard) describes a solution framework for the rogue RA problem where network segments are designed around switching devices that are capable of identifying invalid RAs and blocking them before the attack packets actually reach the target nodes. However, several evasion techniques that circumvent the protection provided by RA-Guard have surfaced. A key challenge to this mitigation technique is introduced by IPv6 fragmentation. Attacker can conceal their attack by fragmenting their packets into multiple fragments such that the switching device that is responsible for blocking invalid RAs cannot find all the necessary information to perform packet filtering of the same packet. describes such evasion techniques and provides advice to RA-Guard implementers such that the aforementioned evasion vectors can be eliminated. Given that the IPv6 Fragmentation Header can be leveraged to circumvent current implementations of RA-Guard, updates such that use of the IPv6 Fragmentation Header is forbidden in all Neighbor Discovery messages except "Certification Path Advertisement", thus allowing for simple and effective measures to counter fragmented NDP attacks.

The Source Address Validation Improvements (SAVI) working group has worked on other ways to mitigate the effects of such attacks. helps in creating bindings between a DHCPv4 /DHCPv6 assigned source IP address and a binding anchor on a SAVI device. Also, describes how to glean similar bindings when DHCP is not used. The bindings can be used to filter packets generated on the local link with forged source IP addresses.

Isolating hosts for the NDP traffic canbe done by using a /64 per host as NDP is only relevant within a /64 on-link prefix; 3GPP uses a similar mechanism. A more drastic technique to prevent all NDP attacks is based on isolation of all hosts with specific configurations. Hosts (i.e., all nodes that are not routers) are unable to send data-link layer frames to other hosts, therefore, no host-to-host attacks can happen. This specific setup can be established on some switches or Wi-Fi access points. Of course, this is not always feasible when hosts need to communicate with other hosts.

It is still recommended that RA-Guard and SAVI be employed as a first line of defense against common attack vectors including misconfigured hosts. This recommendation also applies when DHCPv6 is used as RA are used to discover the default router(s) and for on-link prefix determination. This line of defense is most effective when incomplete fragments are dropped by routers and switches as described in . The generated log should also be analyzed to identify and act on violations. Network operators should be aware that RA-Guard and SAVI do not work or could even be harmful in specific network configurations (notably when there could be multiple routers). Only trivial cases (e.g., a Wi-Fi network having the routers on the uplink interfaces of the As) should have RA-guard and SAVI enabled by default.

Dynamic Host Configuration Protocol for IPv6 (DHCPv6), as described in , enables DHCP servers to pass configuration parameters such as IPv6 network addresses and other configuration information to IPv6 nodes such as an hostile recursive DNS server. DHCP plays an important role in most large networks by providing robust stateful configuration in the context of automated system provisioning. The two most common threats to DHCP clients come from malicious (a.k.a., rogue) or unintentionally misconfigured DHCP servers. A malicious DHCP server is established with the intent of providing incorrect configuration information to the clients to cause a denial of service attack or to mount on path attack. While unintentional, a misconfigured DHCP server can have the same impact. Additional threats against DHCP are discussed in the security considerations section of . DHCPv6-Shield, , specifies a mechanism for protecting connected DHCPv6 clients against rogue DHCPv6 servers. This mechanism is based on DHCPv6 packet-filtering at the layer-2 device; i.e., the administrator specifies the interfaces connected to DHCPv6 servers. However, extension headers could be leveraged to bypass DHCPv6-Shield unless is enforced. It is recommended to use DHCPv6-Shield and to analyze the corresponding log messages.

The 3GPP link is a point-to-point like link that has no link-layer address. This implies there can only be an end host (the mobile hand-set) and the first-hop router (i.e., a GPRS Gateway Support Node (GGSN) or a Packet Gateway (PGW)) on that link. The GGSN/PGW never configures a non link-local address on the link using the advertised /64 prefix on it; see . The advertised prefix must not be used for on-link determination. There is no need for address resolution on the 3GPP link, since there are no link-layer addresses. Furthermore, the GGSN/PGW assigns a prefix that is unique within each 3GPP link that uses IPv6 stateless address autoconfiguration. This avoids the necessity to perform DAD at the network level for every address built by the mobile host. The GGSN/PGW always provides an IID to the cellular host for the purpose of configuring the link-local address and ensures the uniqueness of the IID on the link (i.e., no collisions between its own link-local address and the mobile host's address). The 3GPP link model itself mitigates most of the known NDP-related Denial-of-Service attacks. In practice, the GGSN/PGW only needs to route all traffic to the mobile host that falls under the prefix assigned to it. As there is also a single host on the 3GPP link, there is no need to defend that IPv6 address. See Section 5 of for a more detailed discussion on the 3GPP link model, NDP on it and the address configuration details. In some mobile network, DHCPv6 and DHCP-PD are also used.

IPv6 uses multicast extensively for signaling messages on the local link to avoid broadcast messages for on-the-wire efficiency. The use of multicast has some side effects on wireless networks, such as a negative impact on battery life of smartphones and other battery-operated devices that are connected to such networks. , (for specific wireless networks) are discussing methods to rate limit RAs and other ND messages on wireless networks in order to address this issue. The use of link-layer multicast addresses (e.g., ff02::1 for the all nodes link-local multicast address) could also be mis-used for an amplification attack. Image, a hostile node sending an ICMPv6 ECHO_REQUEST to ff02::1 with a spoofed source address, then, all link-local nodes will reply with ICMPv6 ECHO_REPLY packets to the source address. This could be a DoS for the victim. This attack is purely local to the layer-2 network as packets with a link-local destination are never forwarded by an IPv6 router. This is the reason why large Wi-Fi network deployments limit the use of link-layer multicast either from or to the uplink of the Wi-Fi access point; i.e., Wi-Fi stations cannot send link-local multicast to their direct neighboring Wi-Fi stations.

SEcure Neighbor Discovery (SeND), as described in , is a mechanism that was designed to secure ND messages. This approach involves the use of new NDP options to carry public key-based signatures. Cryptographically Generated Addresses (CGA), as described in , are used to ensure that the sender of a Neighbor Discovery message is the actual "owner" of the claimed IPv6 address. A new NDP option, the CGA option, was introduced and is used to carry the public key and associated parameters. Another NDP option, the RSA Signature option, is used to protect all messages relating to neighbor and Router discovery. SeND protects against: Neighbor Solicitation/Advertisement Spoofing Neighbor Unreachability Detection Failure Duplicate Address Detection DoS Attack Router Solicitation and Advertisement Attacks Replay Attacks Neighbor Discovery DoS Attacks SeND does NOT: Protect statically configured addresses Protect addresses configured using fixed identifiers (i.e., EUI-64) Provide confidentiality for NDP communications Compensate for an unsecured link - SEND does not require that the addresses on the link and Neighbor Advertisements correspond. However, at this time and over a decade since their original specifications, CGA and SeND do not have wide support from widely used end points; hence, their usefulness is limited and should not be relied upon.

defines the router control plane and provides detailed guidance to secure it for IPv4 and IPv6 networks. This definition is repeated here for the reader's convenience. Please note that the definition is completely protocol-version agnostic (most of this section applies to IPv6 in the same way as to IPv4). Preamble: IPv6 control plane security is vastly congruent with its IPv4 equivalent with the exception of OSPFv3 authentication () and some packet exceptions (see ) that are specific to IPv6. Modern router architecture design maintains a strict separation of forwarding and router control plane hardware and software. The router control plane supports routing and management functions. It is generally described as the router architecture hardware and software components for handling packets destined to the device itself, as well as, building and sending packets originated locally on the device. The forwarding plane is typically described as the router architecture hardware and software components responsible for receiving a packet on an incoming interface, performing a lookup to identify the packet's IP next hop and best outgoing interface towards the destination, and forwarding the packet through the appropriate outgoing interface. While the forwarding plane is usually implemented in high-speed hardware, the control plane is implemented by a generic processor (referred to as the router processor (RP)) and cannot process packets at a high rate. Hence, this processor can be attacked by flooding its input queue with more packets than it can process. The control plane processor is then unable to process valid control packets and the router can lose OSPF or BGP adjacencies which can cause a severe network disruption. provides detailed guidance to protect the router control plane in IPv6 networks. The rest of this section contains simplified guidance. The mitigation techniques are: To drop non-legit control packet before they are queued to the RP (this can be done by a forwarding plane ACL) and To rate limit the remaining packets to a rate that the RP can sustain. Protocol specific protection should also be done (for example, a spoofed OSPFv3 packet could trigger the execution of the Dijkstra algorithm, therefore, the frequency of Dijsktra calculations should be also rate limited). This section will consider several classes of control packets: Control protocols: routing protocols: such as OSPFv3, BGP and by extension Neighbor Discovery and ICMP Management protocols: SSH, SNMP, NETCONF, RESTCONF, IPFIX, etc Packet exceptions: normal data packets which requires a specific processing such as generating a packet-too-big ICMP message or processing the hop-by-hop options header.

This class includes OSPFv3, BGP, NDP, ICMP. An ingress ACL to be applied on all the router interfaces for packets to be processed by the RP should be configured so as to: drop OSPFv3 (identified by Next-Header being 89) and RIPng (identified by UDP port 521) packets from a non link-local address (except for OSPFv3 virtual links) allow BGP (identified by TCP port 179) packets from all BGP neighbors and drop the others allow all ICMP packets (transit and to the router interfaces) Note: dropping OSPFv3 packets which are authenticated by IPsec could be impossible on some routers whose ACL are unable to parse the IPsec ESP or AH extension headers. Rate limiting of the valid packets should be done. The exact configuration will depend on the available resources of the router (CPU, TCAM, ...).

This class includes: SSH, SNMP, RESTCONF, NETCONF, gRPC, syslog, NTP, etc. An ingress ACL to be applied on all the router interfaces (or at ingress interfaces of the security perimeter or by using specific features of the platform) should be configured for packets destined to the RP such as: Drop packets destined to the routers except those belonging to protocols which are used (for example, permit TCP 22 and drop all when only SSH is used); Drop packets where the source does not match the security policy, for example if SSH connections should only be originated from the NOC, then the ACL should permit TCP port 22 packets only from the NOC prefix. Rate limiting of the valid packets should be done. The exact configuration will depend on the available resources of the router.

This class covers multiple cases where a data plane packet is punted to the route processor because it requires specific processing: generation of an ICMP packet-too-big message when a data plane packet cannot be forwarded because it is too large (required to discover the Path MTU); generation of an ICMP hop-limit-expired message when a data plane packet cannot be forwarded because its hop-limit field has reached 0 (also used by the traceroute utility); generation of an ICMP destination-unreachable message when a data plane packet cannot be forwarded for any reason; processing of the hop-by-hop options header, new implementations follow section 4.3 of where this processing is optional; or more specific to some router implementation: an oversized extension header chain which cannot be processed by the hardware and force the packet to be punted to the RP. On some routers, not everything can be done by the specialized data plane hardware which requires some packets to be 'punted' to the generic RP. This could include for example the processing of a long extension header chain in order to apply an ACL based on layer-4 information. and more generally highlight the security implications of oversized extension header chains on routers and updates the original IPv6 specifications, , such that the first fragment of a packet is required to contain the entire IPv6 header chain. Those changes are incorporated in the IPv6 standard An ingress ACL cannot mitigate a control plane attack using these packet exceptions. The only protection for the RP is to limit the rate of those packet exceptions forwarded to the RP, this means that some data plane packets will be dropped without an ICMP message sent to the source which may delay Path MTU discovery and cause drops. In addition to limiting the rate of data plane packets queued to the RP, it is also important to limit the generation rate of ICMP messages. This is important both to preserve RP resources and also to prevent an amplification attack using the router as a reflector. It is worth noting that some platforms implement this rate limiting in hardware. Of course, a consequence of not generating an ICMP message will break some IPv6 mechanisms such as Path MTU discovery or a simple traceroute.

Preamble: IPv6 routing security is congruent with IPv4 routing security at the exception of OSPv3 neighbor authentication (see ). Routing security in general can be broadly divided into three sections: Authenticating neighbors/peers Securing routing updates between peers Route filtering is also applicable to IPv6 and can ensure that routing protocol packets are coming from the local network; it must also be noted that in IPv6 all interior gateway protocols use link-local addresses. As for IPv4, it is recommended to enable a routing protocol only on interface where it is required.

As BGP is identical for IPv4 and IPv6 and as covers all the security aspects for BGP in detail, is also applicable to IPv6.

OSPFv3 can rely on IPsec to fulfill the authentication function. However, it should be noted that IPsec support is not standard on all routing platforms. In some cases, this requires specialized hardware that offloads crypto over to dedicated ASICs or enhanced software images (both of which often come with added financial cost) to provide such functionality. An added detail is to determine whether OSPFv3 IPsec implementations use AH or ESP-Null for integrity protection. In early implementations, all OSPFv3 IPsec configurations relied on AH since the details weren't specified in . However, the document which specifically describes how IPsec should be implemented for OSPFv3 specifically states that "ESP-Null MUST and AH MAY be implemented" since it follows the overall IPsec standards wording. OSPFv3 can also use normal ESP to encrypt the OSPFv3 payload to provide confidentiality for the routing information. changes OSPFv3 reliance on IPsec by appending an authentication trailer to the end of the OSPFv3 packets; it does not specifically authenticate the specific originator of an OSPFv3 packet; rather, it allows a router to confirm that the packet has been issued by a router that had access to the shared authentication key. With all authentication mechanisms, operators should confirm that implementations can support re-keying mechanisms that do not cause outages. There have been instances where any re-keying cause outages and therefore, the tradeoff between utilizing this functionality needs to be weighed against the protection it provides.

IPv6 initially mandated the provisioning of IPsec capability in all nodes. However, in the updated IPv6 Nodes Requirement standard is a 'SHOULD' and not a 'MUST' implement. Theoretically it is possible that communication between two IPv6 nodes, especially routers exchanging routing information be encrypted using IPsec. In practice however, deploying IPsec is not always feasible given hardware and software limitations of various platforms deployed.

Route filtering policies will be different depending on whether they pertain to edge route filtering vs internal route filtering. At a minimum, IPv6 routing policy as it pertains to routing between different administrative domains should aim to maintain parity with IPv4 from a policy perspective, e.g., Filter internal-use, non-globally routable IPv6 addresses at the perimeter; Discard routes for bogon and reserved space (see ); Configure ingress route filters that validate route origin, prefix ownership, etc. through the use of various routing databases, e.g., . There is additional work being done in this area to formally validate the origin ASs of BGP announcements in . Some good guidance can be found at . A valid routing table can also be used apply network ingress filtering (see ).

In order to perform forensic research in the cases of a security incidents or detection abnormal behavior, network operators should log multiple pieces of information in some cases this requires a frequent poll of devices via a Network Management Station. This logging should include: logs of all applications using the network (including user space and kernel space) when available (for example web servers); data from IP Flow Information Export also known as IPFIX; data from various SNMP MIBs or YANG data via RESTCONF or NETCONF ; historical data of Neighbor Cache entries; stateful DHCPv6 lease cache, especially when a relay agent is used; Source Address Validation Improvement (SAVI) events, especially the binding of an IPv6 address to a MAC address and a specific switch or router interface; RADIUS accounting records. Please note that there are privacy issues or regulations related to how these logs are collected, stored, and safely discarded. Operators are urged to check their country legislation (e.g., General Data Protection Regulation GDPR in the European Union). All those pieces of information can be used for: forensic investigations such as who did what and when? correlation: which IP addresses were used by a specific node (assuming the use of privacy extensions addresses ) inventory: which IPv6 nodes are on my network? abnormal behavior detection: unusual traffic patterns are often the symptoms of an abnormal behavior which is in turn a potential attack (denial of service, network scan, a node being part of a botnet, etc.)

This section lists the most important sources of data that are useful for operational security.

Those logs are usually text files where the remote IPv6 address is stored in clear text (not binary). This can complicate the processing since one IPv6 address, for example 2001:db8::1 can be written in multiple ways, such as: 2001:DB8::1 (in uppercase) 2001:0db8::0001 (with leading 0) and many other ways including the reverse DNS mapping into a FQDN (which should not be trusted). explains this problem in detail and recommends the use of a single canonical format. This document recommends the use of canonical format for IPv6 addresses in all possible cases. If the existing application cannot log under the canonical format, then it is recommended to use an external program in order to canonicalize all IPv6 addresses. For example, this perl script can be used:

<CODE BEGINS> ) { chomp $line; foreach my $word (split /[\s+]/, $line) { $binary_address = inet_pton AF_INET6, $word ; if ($binary_address) { print inet_ntop AF_INET6, $binary_address ; } else { print $word ; } print " " ; } print "\n" ; } ]]> <CODE ENDS>

IPFIX defines some data elements that are useful for security: in section 5.4 (IP Header fields): nextHeaderIPv6 and sourceIPv6Address; in section 5.6 (Sub-IP fields) sourceMacAddress. The IP version is the ipVersion element defined in . Moreover, IPFIX is very efficient in terms of data handling and transport. It can also aggregate flows by a key such as sourceMacAddress in order to have aggregated data associated with a specific sourceMacAddress. This memo recommends the use of IPFIX and aggregation on nextHeaderIPv6, sourceIPv6Address, and sourceMacAddress.

RFC 4293 defines a Management Information Base (MIB) for the two address families of IP. This memo recommends the use of: ipIfStatsTable table which collects traffic counters per interface; ipNetToPhysicalTable table which is the content of the Neighbor cache, i.e., the mapping between IPv6 and data-link layer addresses. There are also YANG modules about the two IP addresses families and can be used with and . This memo recommends the use of: interfaces-state/interface/statistics from ietf-interfaces@2018-02-20.yang which contains counters for interface . ipv6/neighbor from ietf-ip@2018-02-22.yang which is the content of the Neighbor cache, i.e., the mapping between IPv6 and data-link layer addresses.

The neighbor cache of routers contains all mappings between IPv6 addresses and data-link layer addresses. There are multiple ways to collect the current entries in the Neighbor Cache, notably but not limited to: the SNMP MIB as explained above; using streaming telemetry or NETCONF and to collect the operational state of the neighbor cache; also by connecting over a secure management channel (such as SSH) and explicitly requesting a neighbor cache dump via the Command Line Interface or another monitoring mechanism. The neighbor cache is highly dynamic as mappings are added when a new IPv6 address appears on the network. This could be quite frequently with privacy extension addresses or when they are removed when the state goes from UNREACH to removed (the default time for a removal per Neighbor Unreachability Detection algorithm is 38 seconds for a host using Windows 7). This means that the content of the neighbor cache must periodically be fetched at an interval which does not exhaust the router resources and still provides valuable information (suggested value is 30 seconds but to be checked in the actual setup) and stored for later use. This is an important source of information because it is trivial (on a switch not using the SAVI algorithm) to defeat the mapping between data-link layer address and IPv6 address. Let us rephrase the previous statement: having access to the current and past content of the neighbor cache has a paramount value for forensic and audit trail. When using one /64 per host () or DHCP-PD, it is sufficient to keep the history of the allocated prefixes when combined with strict source address prefix enforcement on the routers and layer-2 switches to prevent IPv6 spoofing.

In some networks, IPv6 addresses/prefixes are managed by a stateful DHCPv6 server that leases IPv6 addresses/prefixes to clients. It is indeed quite similar to DHCP for IPv4 so it can be tempting to use this DHCP lease file to discover the mapping between IPv6 addresses/prefixes and data-link layer addresses as is commonly used in IPv4 networking . It is not so easy in the IPv6 networks because not all nodes will use DHCPv6 (there are nodes which can only do stateless autoconfiguration) but also because DHCPv6 clients are identified not by their hardware-client address as in IPv4 but by a DHCP Unique ID (DUID) which can have several formats: some being the data-link layer address, some being data-link layer address prepended with time information, or even an opaque number which is useless for operational security. Moreover, when the DUID is based on the data-link address, this address can be of any client interface (such as the wireless interface while the client actually uses its wired interface to connect to the network). If a lightweight DHCP relay agent is used in a layer-2 switche, then the DHCP servers also receives the Interface-ID information which could be saved in order to identify the interface on which the switch received a specific leased IPv6 address. Also, if a 'normal' (not lightweight) relay agent adds the data-link layer address in the option for Relay Agent Remote-ID or , then the DHCPv6 server can keep track of the data-link and leased IPv6 addresses. In short, the DHCPv6 lease file is less interesting than for IPv4 networks. If possible, it is recommended to use DHCPv6 servers that keep the relayed data-link layer address in addition to the DUID in the lease file as those servers have the equivalent information to IPv4 DHCP servers. The mapping between data-link layer address and the IPv6 address can be secured by deploying switches implementing the SAVI mechanisms. Of course, this also requires that the data-link layer address is protected by using a layer-2 mechanism such as .

For interfaces where the user is authenticated via a RADIUS server, and if RADIUS accounting is enabled, then the RADIUS server receives accounting Acct-Status-Type records at the start and at the end of the connection which include all IPv6 (and IPv4) addresses used by the user. This technique can be used notably for Wi-Fi networks with Wi-Fi Protected Address (WPA) or any other IEEE 802.1X wired interface on an Ethernet switch.

There are other data sources for log information that must be collected (as currently collected as in the IPv4 networks): historical mapping of IPv6 addresses to users of remote access VPN; historical mappings of MAC addresses to switch interface in a wired network.

This section leverages the data collected as described before in order to achieve several security benefits. Section 9.1 of contains more details about host tracking.

The forensic use case is when the network operator must locate an IPv6 address that was present in the network at a certain time or is still currently in the network. To locate an IPv6 address in an enterprise network where the operator has control over all resources, the source of information can be the neighbor cache, or, if not found, the DHCP lease file. Then, the procedure is: Based on the IPv6 prefix of the IPv6 address, find the router(s) which is(are) used to reach this prefix (assuming that anti-spoofing mechanisms are used). Based on this limited set of routers, on the incident time and on the IPv6 address, retrieve the data-link address from the live neighbor cache, from the historical neighbor cache data, or from SAVI events, or retrieve the data-link address from the DHCP lease file (). Based on the data-link layer address, look-up the switch interface associated with the data-link layer address. In the case of wireless LAN with RADIUS accounting (see ), the RADIUS log has the mapping between the user identification and the MAC address. If a Configuration Management Data Base (CMDB) is used, then it can be used to map the data-link layer address to a switch port. At the end of the process, the interface of the host originating malicious activity or the username perpetrating the malicious activity has been determined. To identify the subscriber of an IPv6 address in a residential Internet Service Provider, the starting point is the DHCP-PD leased prefix covering the IPv6 address; this prefix can often be linked to a subscriber via the RADIUS log. Alternatively, the Forwarding Information Base of the CMTS or BNG indicates the CPE of the subscriber and the RADIUS log can be used to retrieve the actual subscriber. More generally, a mix of the above techniques can be used in most, if not all, networks.

RFC 7707 describes the difficulties for an attacker to scan an IPv6 network due to the vast number of IPv6 addresses per link (and why in some cases it can still be done). While the huge addressing space can sometimes be perceived as a 'protection', it also makes the inventory task difficult in an IPv6 network while it was trivial to do in an IPv4 network (a simple enumeration of all IPv4 addresses, followed by a ping and a TCP/UDP port scan). Getting an inventory of all connected devices is of prime importance for a secure network operation. There are many ways to do an inventory of an IPv6 network. The first technique is to use the IPFIX information and extract the list of all IPv6 source addresses to find all IPv6 nodes that sent packets through a router. This is very efficient but, alas, will not discover silent nodes that never transmitted packets traversing the the IPFIX target router. Also, it must be noted that link-local addresses will never be discovered by this means. The second way is again to use the collected neighbor cache content to find all IPv6 addresses in the cache. This process will also discover all link-local addresses. See . Another way that works only for local network, consists in sending a ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which addresses all IPv6 nodes on the network. All nodes should reply to this ECHO_REQUEST per . Other techniques involve obtaining data from DNS, parsing log files, leveraging service discovery such as mDNS and . Enumerating DNS zones, especially looking at reverse DNS records and CNAMES, is another common method employed by various tools. As already mentioned in , this allows an attacker to prune the IPv6 reverse DNS tree, and hence enumerate it in a feasible time. Furthermore, authoritative servers that allow zone transfers (AXFR) may be a further information source.

In an IPv4 network, it is easy to correlate multiple logs, for example to find events related to a specific IPv4 address. A simple Unix grep command is enough to scan through multiple text-based files and extract all lines relevant to a specific IPv4 address. In an IPv6 network, this is slightly more difficult because different character strings can express the same IPv6 address. Therefore, the simple Unix grep command cannot be used. Moreover, an IPv6 node can have multiple IPv6 addresses. In order to do correlation in IPv6-related logs, it is advised to have all logs in a format with only canonical IPv6 addresses . Then, the neighbor cache current (or historical) data set must be searched to find the data-link layer address of the IPv6 address. Then, the current and historical neighbor cache data sets must be searched for all IPv6 addresses associated to this data-link layer address to derive the search set. The last step is to search in all log files (containing only IPv6 address in canonical format) for any IPv6 addresses in the search set. Moreover, recommends using multiple IPv6 addresses per prefix, so, the correlation must also be done among those multiple IPv6 addresses, for example by discovering in the NDP cache all IPv6 addresses associated with the same MAC address and interface.

Abnormal behavior (such as network scanning, spamming, denial of service) can be detected in the same way as in an IPv4 network. Sudden increase of traffic detected by interface counter (SNMP) or by aggregated traffic from IPFIX records. Change in traffic pattern (number of connections per second, number of connection per host...) with the use of IPFIX.

While some data sources (IPFIX, MIB, switch CAM tables, logs, ...) used in IPv4 are also used in the secure operation of an IPv6 network, the DHCPv6 lease file is less reliable and the neighbor cache is of prime importance. The fact that there are multiple ways to express the same IPv6 address in a character string renders the use of filters mandatory when correlation must be done.

As it is expected that some networks will not run in a pure IPv6-only mode, the different transition mechanisms must be deployed and operated in a secure way. This section proposes operational guidelines for the most known and deployed transition techniques.

Dual stack is often the first deployment choice for network operators. Dual stacking the network offers some advantages over other transition mechanisms. Firstly, the impact on existing IPv4 operations is reduced. Secondly, in the absence of tunnels or address translation, the IPv4 and IPv6 traffics are native (easier to observe and secure) and should have the same network processing (network path, quality of service, ...). Dual stack enables a gradual termination of the IPv4 operations when the IPv6 network is ready for prime time. On the other hand, the operators have to manage two network stacks with the added complexities. From an operational security perspective, this now means that the network operator has twice the exposure. One needs to think about protecting both protocols now. At a minimum, the IPv6 portion of a dual-stacked network should be consistent with IPv4 from a security policy point of view. Typically, the following methods are employed to protect IPv4 networks at the edge or security perimeter: ACLs to permit or deny traffic; Firewalls with stateful packet inspection. It is recommended that these ACLs and/or firewalls be additionally configured to protect IPv6 communications. The enforced IPv6 security must be congruent with the IPv4 security policy, otherwise the attacker will use the protocol version having the more relaxed security policy. Maintaining the congruence between security policies can be challenging (especially over time); it is recommended to use a firewall or an ACL manager that is dual-stack, i.e., a system that can apply a single ACL entry to a mixed group of IPv4 and IPv6 addresses. Also, given the end-to-end connectivity that IPv6 provides, it is recommended that hosts be fortified against threats. General device hardening guidelines are provided in . For many years, all host operating systems have IPv6 enabled by default, so, it is possible even in an 'IPv4-only' network to attack layer-2 adjacent victims via their IPv6 link-local address or via a global IPv6 address when the attacker provides rogue RAs or a rogue DHCPv6 service. discusses the security implications of native IPv6 support and IPv6 transition/coexistence technologies on "IPv4-only" networks and describes possible mitigations for the aforementioned issues.

There are many tunnels used for specific use cases. Except when protected by IPsec, all those tunnels have a couple of security issues as described in RFC 6169; tunnel injection: a malevolent person knowing a few pieces of information (for example the tunnel endpoints and the encapsulation protocol) can forge a packet which looks like a legit and valid encapsulated packet that will gladly be accepted by the destination tunnel endpoint, this is a specific case of spoofing; traffic interception: no confidentiality is provided by the tunnel protocols (without the use of IPsec or alternative encryption methods), therefore anybody on the tunnel path can intercept the traffic and have access to the clear-text IPv6 packet; combined with the absence of authentication, a on-path attack can also be mounted; service theft: as there is no authorization, even a non-authorized user can use a tunnel relay for free (this is a specific case of tunnel injection); reflection attack: another specific use case of tunnel injection where the attacker injects packets with an IPv4 destination address not matching the IPv6 address causing the first tunnel endpoint to re-encapsulate the packet to the destination... Hence, the final IPv4 destination will not see the original IPv4 address but only the IPv4 address of the relay router. bypassing security policy: if a firewall or an IPS is on the path of the tunnel, then it may neither inspect nor detect a malevolent IPv6 traffic transmitted over the tunnel. To mitigate the bypassing of security policies, it is recommended to block all default configuration tunnels by denying IPv4 packets matching: IP protocol 41: this will block ISATAP, 6to4, 6rd as well as 6in4 tunnels; IP protocol 47: this will block GRE tunnels; UDP protocol 3544: this will block the default encapsulation of Teredo tunnels. Ingress filtering should also be applied on all tunnel endpoints if applicable to prevent IPv6 address spoofing. As several of the tunnel techniques share the same encapsulation (i.e., IPv4 protocol 41) and embed the IPv4 address in the IPv6 address, there are a set of well-known looping attacks described in RFC 6324, this RFC also proposes mitigation techniques.

Site-to-site static tunnels are described in RFC 2529 and in GRE. As the IPv4 endpoints are statically configured and are not dynamic they are slightly more secure (bi-directional service theft is mostly impossible) but traffic interception and tunnel injection are still possible. Therefore, the use of IPsec in transport mode and protecting the encapsulated IPv4 packets is recommended for those tunnels. Alternatively, IPsec in tunnel mode can be used to transport IPv6 traffic over a non-trusted IPv4 network.

ISATAP tunnels are mainly used within a single administrative domain and to connect a single IPv6 host to the IPv6 network. This often implies that those systems are usually managed by a single entity; therefore, audit trail and strict anti-spoofing are usually possible and this raises the overall security. Special care must be taken to avoid a looping attack by implementing the measures of RFC 6324 and of . IPsec in transport or tunnel mode can be used to secure the IPv4 ISATAP traffic to provide IPv6 traffic confidentiality and prevent service theft.

While 6rd tunnels share the same encapsulation as 6to4 tunnels, they are designed to be used within a single SP domain, in other words they are deployed in a more constrained environment than 6to4 tunnels and have few security issues other than lack of confidentiality. The security considerations (Section 12) of describes how to secure 6rd tunnels. IPsec for the transported IPv6 traffic can be used if confidentiality is important.

Organizations using MPLS in their core can also use 6PE and 6VPE to enable IPv6 access over MPLS. As 6PE and 6VPE are really similar to BGP/MPLS IP VPN described in , the security properties of these networks are also similar to those described in . It relies on: Address space, routing and traffic separation with the help of VRFs (only applicable to 6VPE); Hiding the IPv4 core, hence removing all attacks against P-routers; Securing the routing protocol between CE and PE; in the case of 6PE and 6VPE, link-local addresses (see ) can be used and as these addresses cannot be reached from outside of the link, the security of 6PE and 6VPE is even higher than the IPv4 BGP/MPLS IP VPN. LDPv6 itself does not induce new risks, see also .

DS-lite is also a translation mechanism and is therefore analyzed further in this document as it includes IPv4 NAPT.

With the encapsulation and translation versions of mapping of Address and Port (MAP) (MAP-E and MAP-T), the access network is purely an IPv6 network and MAP protocols are used to connect IPv4 hosts on the subscriber network access to IPv4 hosts on the Internet. The subscriber router does stateful operations in order to map all internal IPv4 addresses and layer-4 ports to the IPv4 address and the set of layer-4 ports received through MAP configuration process. The SP equipment always does stateless operations (either decapsulation or stateless translation). Therefore, as opposed to there is no state-exhaustion DoS attack against the SP equipment because there is no state and there is no operation caused by a new layer-4 connection (no logging operation). The SP MAP equipment should implement all the security considerations of ; notably, ensuring that the mapping of the IPv4 address and port are consistent with the configuration. As MAP has a predictable IPv4 address and port mapping, the audit logs are easier to manage.

6to4 tunnels require a public routable IPv4 address in order to work correctly. They can be used to provide either single IPv6 host connectivity to the IPv6 Internet or multiple IPv6 networks connectivity to the IPv6 Internet. The 6to4 relay was historically the anycast address defined in which has been deprecated by and is no longer used by recent Operating Systems. Some security considerations are explained in . points out that if an operator provides well-managed servers and relays for 6to4, non-encapsulated IPv6 packets will pass through well-defined points (the native IPv6 interfaces of those servers and relays) at which security mechanisms may be applied. Client usage of 6to4 by default is now discouraged, and significant precautions are needed to avoid operational problems.

Teredo tunnels are mainly used in a residential environment because Teredo easily traverses an IPv4 NAPT device thanks to its UDP encapsulation. Teredo tunnels connect a single host to the IPv6 Internet. Teredo shares the same issues as other tunnels: no authentication, no confidentiality, possible spoofing and reflection attacks. IPsec for the transported IPv6 traffic is recommended. The biggest threat to Teredo is probably for an IPv4-only network as Teredo has been designed to easily traverse IPV4 NAT-PT devices which are quite often co-located with a stateful firewall. Therefore, if the stateful IPv4 firewall allows unrestricted UDP outbound and accepts the return UDP traffic, then Teredo actually punches a hole in this firewall for all IPv6 traffic to the Internet and from the Internet. While host policies can be deployed to block Teredo in an IPv4-only network in order to avoid this firewall bypass, it would be enough to block all UDP outbound traffic at the IPv4 firewall if deemed possible (of course, at least port 53 should be left open for DNS traffic, port 443 for QUIC, port 500 for IKE, port 3478 for STUN, i.e., filter judiciously). Teredo is now hardly never used and no longer enabled by default in most environments, so, it is less of a threat, however, special consideration must be taken in case of devices with older or non-updated operating systems may be present and by default were running Teredo.

Translation mechanisms between IPv4 and IPv6 networks are alternate coexistence strategies while networks transition to IPv6. While a framework is described in , the specific security considerations are documented in each individual mechanism. For the most part, they specifically mention interference with IPsec or DNSSEC deployments, how to mitigate spoofed traffic, and what some effective filtering strategies may be. While not really a transition mechanism to IPv6, this section also includes the discussion about the use of heavy IPv4-to-IPv4 network address and port translation to prolong the life of IPv4-only networks.

Carrier-Grade NAT (CGN), also called NAT444 CGN or Large Scale NAT (LSN) or SP NAT is described in and is utilized as an interim measure to extend the use of IPv4 in a large service provider network until the provider can deploy an effective IPv6 solution. requested a specific IANA allocated /10 IPv4 address block to be used as address space shared by all access networks using CGN. This has been allocated as 100.64.0.0/10. Section 13 of lists some specific security-related issues caused by large scale address sharing. The Security Considerations section of also lists some specific mitigation techniques for potential misuse of shared address space. Some Law Enforcement Agencies have identified CGN as impeding their cyber-crime investigations (for example Europol press release on CGN). Many translation techniques (NAT64, DS-lite, ...) have the same security issues as CGN when one part of the connection is IPv4-only. has recommendations for Internet-facing servers to also log the source TCP or UDP ports of incoming connections in an attempt to help identify the users behind such a CGN. suggests the use of deterministic address mapping in order to reduce logging requirements for CGN. The idea is to have a known algorithm for mapping the internal subscriber to/from public TCP and UDP ports. lists common requirements for CGNs. analyzes some solutions to enforce policies on misbehaving nodes when address sharing is used. also updates the NAT behavioral requirements.

Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. It can be used in conjunction with DNS64 , a mechanism which synthesizes AAAA records from existing A records. There is also a stateless NAT64 which is similar for the security aspects with the added benefit of being stateless, so, less prone to a state exhaustion attack. The Security Consideration sections of and list the comprehensive issues. A specific issue with the use of NAT64 is that it will interfere with most IPsec deployments unless UDP encapsulation is used. DNSSEC has an impact on DNS64 see section 3.1 of . Another translation mechanism relying on a combination of stateful and stateless translation, 464XLAT , can be used to do host local translation from IPv4 to IPv6 and a network provider translation from IPv6 to IPv4, i.e., giving IPv4-only application access to an IPv4-only server over an IPv6-only network. 464XLAT shares the same security considerations as NAT64 and DNS64, however it can be used without DNS64, avoiding the DNSSEC implications.

Dual-Stack Lite (DS-Lite) is a transition technique that enables a service provider to share IPv4 addresses among customers by combining two well-known technologies: IP in IP (IPv4-in-IPv6) and IPv4 NAPT. Security considerations with respect to DS-Lite mainly revolve around logging data, preventing DoS attacks from rogue devices (as the Address Family Translation Router (AFTR) function is stateful and restricting service offered by the AFTR only to registered customers. Section 11 of and section 2 of describe important security issues associated with this technology.

With almost all devices being IPv6 enabled by default and with many end points having IPv6 connectivity to the Internet, it is critical to also harden those devices against attacks over IPv6. The following guidelines should be used to ensure appropriate hardening of the host, be it an individual computer or router, firewall, load-balancer, server, etc. device. Restrict device access to authorized individuals Monitor and audit access to the device Turn off any unused services on the end node Understand which IPv6 addresses are being used to source traffic and change defaults if necessary Use cryptographically protected protocols for device management if possible (SCP, SNMPv3, SSH, TLS, etc.) Use host firewall capabilities to control traffic that gets processed by upper layer protocols Use virus scanners to detect malicious programs