IPv6 Transition/Co-existence Security Considerations
RFC 4942

Network Working Group                                          E. Davies
Request for Comments: 4942                                    Consultant
Category: Informational                                      S. Krishnan
                                                                Ericsson
                                                               P. Savola
                                                               CSC/Funet
                                                          September 2007

          IPv6 Transition/Coexistence Security Considerations

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   The transition from a pure IPv4 network to a network where IPv4 and
   IPv6 coexist brings a number of extra security considerations that
   need to be taken into account when deploying IPv6 and operating the
   dual-protocol network and the associated transition mechanisms.  This
   document attempts to give an overview of the various issues grouped
   into three categories:
   o  issues due to the IPv6 protocol itself,
   o  issues due to transition mechanisms, and
   o  issues due to IPv6 deployment.

Davies, et al.               Informational                      [Page 1]
RFC 4942                 IPv6 Security Overview           September 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Issues Due to IPv6 Protocol  . . . . . . . . . . . . . . . . .  4
     2.1.  IPv6 Protocol-Specific Issues  . . . . . . . . . . . . . .  5
       2.1.1.  Routing Headers and Hosts  . . . . . . . . . . . . . .  5
       2.1.2.  Routing Headers for Mobile IPv6 and Other Purposes . .  6
       2.1.3.  Site-Scope Multicast Addresses . . . . . . . . . . . .  7
       2.1.4.  ICMPv6 and Multicast . . . . . . . . . . . . . . . . .  7
       2.1.5.  Bogus Errored Packets in ICMPv6 Error Messages . . . .  8
       2.1.6.  Anycast Traffic Identification and Security  . . . . .  9
       2.1.7.  Address Privacy Extensions Interact with DDoS
               Defenses . . . . . . . . . . . . . . . . . . . . . . . 10
       2.1.8.  Dynamic DNS: Stateless Address Autoconfiguration,
               Privacy Extensions, and SEND . . . . . . . . . . . . . 10
       2.1.9.  Extension Headers  . . . . . . . . . . . . . . . . . . 11
       2.1.10. Fragmentation: Reassembly and Deep Packet
               Inspection . . . . . . . . . . . . . . . . . . . . . . 14
       2.1.11. Fragmentation Related DoS Attacks  . . . . . . . . . . 15
       2.1.12. Link-Local Addresses and Securing Neighbor
               Discovery  . . . . . . . . . . . . . . . . . . . . . . 16
       2.1.13. Securing Router Advertisements . . . . . . . . . . . . 17
       2.1.14. Host-to-Router Load Sharing  . . . . . . . . . . . . . 18
       2.1.15. Mobile IPv6  . . . . . . . . . . . . . . . . . . . . . 18
     2.2.  IPv4-Mapped IPv6 Addresses . . . . . . . . . . . . . . . . 19
     2.3.  Increased End-to-End Transparency  . . . . . . . . . . . . 20
       2.3.1.  IPv6 Networks without NATs . . . . . . . . . . . . . . 20
       2.3.2.  Enterprise Network Security Model for IPv6 . . . . . . 21
     2.4.  IPv6 in IPv6 Tunnels . . . . . . . . . . . . . . . . . . . 22
   3.  Issues Due to Transition Mechanisms  . . . . . . . . . . . . . 23
     3.1.  IPv6 Transition/Coexistence Mechanism-Specific Issues  . . 23
     3.2.  Automatic Tunneling and Relays . . . . . . . . . . . . . . 23
     3.3.  Tunneling IPv6 through IPv4 Networks May Break IPv4
           Network Security Assumptions . . . . . . . . . . . . . . . 24
   4.  Issues Due to IPv6 Deployment  . . . . . . . . . . . . . . . . 26
     4.1.  Avoiding the Trap of Insecure IPv6 Service Piloting  . . . 26
     4.2.  DNS Server Problems  . . . . . . . . . . . . . . . . . . . 28
     4.3.  Addressing Schemes and Securing Routers  . . . . . . . . . 28
     4.4.  Consequences of Multiple Addresses in IPv6 . . . . . . . . 28
     4.5.  Deploying ICMPv6 . . . . . . . . . . . . . . . . . . . . . 29
       4.5.1.  Problems Resulting from ICMPv6 Transparency  . . . . . 30
     4.6.  IPsec Transport Mode . . . . . . . . . . . . . . . . . . . 30
     4.7.  Reduced Functionality Devices  . . . . . . . . . . . . . . 31
     4.8.  Operational Factors when Enabling IPv6 in the Network  . . 31
     4.9.  Security Issues Due to Neighbor Discovery Proxies  . . . . 32
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 32
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
