IPv6 Best Practices

Implementing security measures at the beginning of a deployment improves the initial security posture instead of waiting until after an attack has occurred. IPv6 best practices include the following:


- Filter bogus addresses: At the edge of your network, drop any packet whose source or destination address should never be valid on the Internet. These are also referred to as bogon addresses.

- Filter nonlocal multicast addresses: If you are not running multicast applications, you should never need multicast to be forwarded beyond a specific VLAN. Local multicast is used constantly by IPv6 itself (for example, in routing updates and neighbor discovery), so that traffic must still be allowed within the VLAN.

- Filter ICMPv6 traffic that is not needed on your specific networks: Normal NDP uses ICMPv6 as its core protocol, and path MTU discovery also depends on ICMPv6 messages, so ICMPv6 cannot simply be blocked outright. Outside of that required functionality, filter the unused ICMPv6 message types so that an attacker cannot use them against your network.

- Drop routing header type 0 packets: Routing header type 0, also known as RH0, may contain many intermediate next hops; if these are followed, an attacker could control the path a packet takes through a network. The attacker could also use this to create an amplification attack in which the packet loops between hops until its hop limit (the IPv6 equivalent of the TTL) expires. Cisco routers, by default, drop packets with this type of header.

- Use manual tunnels rather than automatic tunnels: If you must tunnel, do not use automatic tunnel mechanisms such as 6to4, because they are dynamic and you cannot control all of them. With manual tunnels, avoid allowing the tunnels to cross the perimeter of your network, because you will not have tight controls on the contents of the tunneled packets.

- Protect against rogue IPv6 devices: A number of mechanisms are available within IPv6 to help defend against the spoofing of IPv6 neighbors. These include the following:

    - IPv6 first-hop security binding table: This table is used to validate that IPv6 neighbors are legitimate.

    - IPv6 device tracking: This feature gives the IPv6 neighbor table the ability to immediately reflect changes when an IPv6 host becomes inactive.

    - IPv6 port-based access list support: Similar to IPv4 port access control lists (PACLs), this feature provides access control on Layer 2 switch ports for IPv6 traffic.

    - IPv6 RA Guard: Provides the capability to block or reject rogue Router Advertisement (RA) messages that arrive at the switch from ports where a router should not be present.

    - IPv6 ND Inspection: IPv6 ND inspection analyzes neighbor discovery messages to build a trusted binding table database; IPv6 neighbor discovery messages that do not conform to that table are dropped.

    - Secure Neighbor Discovery in IPv6 (SeND): Although platform support for SeND remains limited, this feature defines a set of new ND options and two new ND messages (Certification Path Solicitation [CPS] and Certification Path Answer [CPA]) to help mitigate the effects of ND spoofing and redirection.
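The first four practices above (bogon filtering, non-local multicast, ICMPv6 filtering, and RH0) plus the RA Guard port-role idea can be expressed as one decision function. The following Python is an added illustration, not code from the book or from Cisco: it models an IPv6 packet as a few header fields and returns the action an edge ACL or first-hop policy would take, with a reason. The bogon prefix list and the sample addresses are constructed for the example (a real deployment should use a maintained bogon feed, since allocations change); the ICMPv6 type sets follow the widely used RFC 4890 guidance.

```python
"""Edge and first-hop filter decisions for the IPv6 best practices above.

Illustrative code (not the book's or Cisco's). Uses only the standard
library; a packet is modelled as the handful of fields the rules need.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Tuple

# Illustrative bogon prefixes: addresses that must never appear as a source
# or destination on the Internet-facing edge. Pull a maintained list in
# production; this subset is constructed for the example.
BOGONS = [
    IPv6Network("::/128"),           # unspecified address
    IPv6Network("::1/128"),          # loopback
    IPv6Network("::ffff:0:0/96"),    # IPv4-mapped
    IPv6Network("100::/64"),         # discard-only prefix
    IPv6Network("2001:db8::/32"),    # documentation prefix
    IPv6Network("fc00::/7"),         # unique local addresses (ULA)
    IPv6Network("fe80::/10"),        # link-local
    IPv6Network("fec0::/10"),        # deprecated site-local
    IPv6Network("3ffe::/16"),        # historical 6bone space
]

NEXT_HEADER_ROUTING = 43
NEXT_HEADER_ICMPV6 = 58
# ICMPv6 types that must transit the edge so error reporting and path MTU
# discovery keep working: unreachable, packet too big, time exceeded,
# parameter problem, echo request, echo reply.
ICMPV6_TRANSIT_OK = {1, 2, 3, 4, 128, 129}
# NDP message types (RS, RA, NS, NA, Redirect) are link-local only.
ICMPV6_NDP = {133, 134, 135, 136, 137}
ICMPV6_RA, ICMPV6_REDIRECT = 134, 137
MULTICAST_GLOBAL_SCOPE = 0xE


@dataclass
class Packet:
    src: str
    dst: str
    next_header: int
    icmp_type: Optional[int] = None
    routing_type: Optional[int] = None  # routing header type; 0 is RH0


def is_bogon(addr: IPv6Address) -> bool:
    return any(addr in net for net in BOGONS)


def multicast_scope(addr: IPv6Address) -> int:
    # The scope is the low nibble of the second byte of a multicast address
    # (ff02::/16 is link-local scope, ff0e::/16 is global scope).
    return addr.packed[1] & 0x0F


def edge_filter(pkt: Packet, multicast_apps: bool = False) -> Tuple[str, str]:
    """Decision for a packet crossing the network perimeter."""
    src, dst = IPv6Address(pkt.src), IPv6Address(pkt.dst)
    if src.is_multicast:
        return "drop", "multicast source address"
    if is_bogon(src) or is_bogon(dst):
        return "drop", "bogon address"
    if dst.is_multicast:
        scope = multicast_scope(dst)
        if scope < MULTICAST_GLOBAL_SCOPE:
            return "drop", f"non-global multicast scope {scope:#x}"
        if not multicast_apps:
            return "drop", "multicast not enabled at edge"
    if pkt.next_header == NEXT_HEADER_ROUTING and pkt.routing_type == 0:
        return "drop", "routing header type 0"
    if pkt.next_header == NEXT_HEADER_ICMPV6:
        if pkt.icmp_type in ICMPV6_NDP:
            return "drop", "NDP message must not cross the edge"
        if pkt.icmp_type not in ICMPV6_TRANSIT_OK:
            return "drop", f"ICMPv6 type {pkt.icmp_type} not needed"
    return "permit", "ok"


def ra_guard(pkt: Packet, port_role: str) -> Tuple[str, str]:
    """RA Guard style check on a switch port: only router-role ports may
    send Router Advertisements or Redirects toward the hosts."""
    if pkt.next_header == NEXT_HEADER_ICMPV6 and pkt.icmp_type in (
        ICMPV6_RA, ICMPV6_REDIRECT
    ) and port_role != "router":
        return "drop", f"RA/Redirect from {port_role}-role port"
    return "permit", "ok"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet("2a02:abcd::10", "2620:1234::20", 6),
        Packet("2001:db8::1", "2620:1234::20", 6),
        Packet("2a02:abcd::10", "ff02::1", 17),
        Packet("2a02:abcd::10", "2620:1234::20", 43, routing_type=0),
        Packet("2a02:abcd::10", "2620:1234::20", 58, icmp_type=134),
    ]
    for p in samples:
        print(p, "->", edge_filter(p))
    print("host port RA ->", ra_guard(samples[4], "host"))
```

The ordering of the checks matters: NDP messages carry link-local sources and are caught by the bogon rule before the ICMPv6 rule is reached, which is the desired outcome at the edge; the explicit NDP check exists for the case where a globally addressed packet carries an NDP type. Inside a VLAN the same NDP types must be permitted, which is why the RA Guard check is a separate, port-role based decision rather than part of the edge filter.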
