Security concerns in IPv6

IPv6 is the big brother of IPv4 and became an internet standard on July 14th, 2017.

While IPv6 is ahead of its predecessor, it brings a number of security concerns. You should be aware of these even if you are not currently using IPv6 in your systems.

Iptables or ip6tables?

Iptables is the de-facto firewall on Linux, but it is only responsible for IPv4 addresses. In order to deny IPv6 connections you will need to configure ip6tables too.

Services like Uncomplicated Firewall (UFW) automatically mirrors rules to ip6tables if the rule allows it. 

No more NAT

IPv6 no longer needs to be translated or aliased on transport, since there are now enough addresses to be assigned to every device in the world. This means that there is no NAT or private address space, and that everything is routable.

NAT still exists in IPv6, but generally is not a default implementation. Double check that your routing is not exposing private IPv6 addresses to the internet. Or for now, turn off IPv6 routing completely.

Concerned about IPv6?

In addition to our regular toolkit, we use IPv6 enumeration tools in our assessments to expose any IPv6 related security issues.