
IPv6 addresses: Security recommendations for usage

IPv6 addresses can be used in a number of ways that can strengthen information security. Expert Fernando Gont explains the basics of IPv6 address usage for enterprises.

Internet Protocol Version 6 nodes typically configure a number of IPv6 addresses of different types, scopes and stability properties. While the availability of such addresses could be leveraged to increase the security and privacy properties of nodes, such potential is typically wasted as a result of inappropriate usage of the available addresses.

IPv6 hosts typically configure, for each network interface, multiple IPv6 addresses of different scopes and stability properties. This is in contrast with the IPv4 world, where hosts typically configure only one address per network interface. The availability of an increased number of addresses, each of which has different properties, provides the potential for increased security, privacy and resiliency.

However, these potential benefits are usually not realized due to suboptimal use of the available addresses. Even worse, in some scenarios, such suboptimal use of the available addresses may result in unexpected problems.

This article series discusses the different properties of IPv6 addresses and how addresses with different properties can be leveraged for improved security, privacy and resiliency. Finally, it highlights areas where further work may be needed to fully realize the potential benefits of IPv6 addresses.

Addressing in the IPv6 world

IPv6 nodes typically configure multiple addresses of different scopes and stability properties. For example, it is quite usual for nodes to configure:

  • one link-local address;
  • one stable global address;
  • one or more temporary global addresses;
  • one stable unique local address (ULA); and
  • one or more temporary ULAs.

Hosts typically employ these addresses in a couple of different ways. For outgoing (client-like) communications, hosts rely on the default address selection algorithm for IPv6. For incoming (server-like) communications, hosts allow incoming communications on all of the available addresses.

The Internet Engineering Task Force (IETF) specifies the "Default Address Selection for Internet Protocol Version 6 (IPv6)" algorithm in RFC 6724, which consists of two parts:

  • An algorithm that, given a destination address, can select the most appropriate source address for sending packets to said destination address.
  • An algorithm that, given a list of destination addresses and available source addresses, can produce an ordered list of destination addresses (with a descending preference order).

Thus, given a list of IPv6 addresses resulting from a domain name, this algorithm can produce an ordered list of destination addresses, such that each address is tried in sequence until communication succeeds. For each of these destination addresses, the most appropriate source address will be employed.
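The source-address half of that algorithm can be sketched as follows. This is an added example, not code from the article or from RFC 6724: it implements only Rules 1, 2, 6, 7 and 8 of the RFC's source address selection, assumes /64 prefixes, and runs on constructed addresses in which 2001:db8::/32 (the documentation prefix) stands in for global space.

```python
import ipaddress

# Default policy table from RFC 6724, as (prefix, label).
POLICY = [(ipaddress.ip_network(p), lbl) for p, lbl in [
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12)]]

# Unicast scopes. RFC 6724 gives ULAs global scope and separates them by label.
LINK_LOCAL, GLOBAL = 0x2, 0xE

def label(ip):
    """Label of the longest policy-table prefix that contains ip."""
    return max((net.prefixlen, lbl) for net, lbl in POLICY if ip in net)[1]

def scope(ip):
    return LINK_LOCAL if ip.is_link_local or ip.is_loopback else GLOBAL

def common_prefix_len(a, b, cap=64):
    """Leading bits shared by a and b, capped at the assumed /64 prefix length."""
    return min(cap, 128 - (int(a) ^ int(b)).bit_length())

def select_source(dest, candidates):
    """Pick the source for dest from (address, is_temporary) pairs."""
    d = ipaddress.IPv6Address(dest)

    def rank(candidate):
        addr, temporary = candidate
        s = ipaddress.IPv6Address(addr)
        fits = scope(s) >= scope(d)
        return (
            s != d,                                      # Rule 1: same address
            (0, scope(s)) if fits else (1, -scope(s)),   # Rule 2: appropriate scope
            label(s) != label(d),                        # Rule 6: matching label
            not temporary,                               # Rule 7: prefer temporary
            -common_prefix_len(s, d),                    # Rule 8: longest prefix
        )
    return min(candidates, key=rank)[0]   # lowest rank tuple wins

# Constructed node with the address mix listed earlier in the article.
NODE_ADDRS = [
    ("fe80::1c2a:4bff:fe00:10", False),       # link-local
    ("2001:db8:10::10", False),               # stable global
    ("2001:db8:10::a1b2:c3d4", True),         # temporary global
    ("fd3a:7c91:55e2:10::10", False),         # stable ULA
    ("fd3a:7c91:55e2:10::e5f6:789a", True),   # temporary ULA
]
```

A ULA destination draws a ULA source because of the label match in Rule 6, not because of scope, so the node's global addresses are not exposed to internal peers.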

While address selection for outgoing communications is specified in great detail in RFC 6724, address selection for incoming connections has been left rather unspecified, with hosts simply accepting incoming communications on all available addresses, regardless of their scope or stability properties.

Address scope considerations

As noted above, IPv6 hosts typically configure multiple addresses of different scopes ranging from link-local to global scopes. As a general rule, hosts should employ addresses of the smallest possible scope for each application. Such reduced scope readily provides a layer of isolation resulting from the address scope itself.

For example, a file server that is meant to be accessed only from within an organizational network might want to employ only ULAs -- the IPv6 equivalent of IPv4's private addresses. By employing ULAs, the limited address scope itself can serve as a layer of isolation from the public internet. Employing addresses of limited scope does not preclude or discourage the use of other means for network prophylaxis, such as firewalling, but rather serves as an additional layer of prophylaxis.
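The smallest-scope rule can be applied both when choosing what a service binds to and when auditing what it is already listening on. The following is an added example, not code from the article: the reach classes, service names and addresses are constructed for illustration, and 2001:db8::/32 (the documentation prefix) stands in for global space.

```python
import ipaddress

# Reach classes, smallest first (names are this example's own, not a standard).
HOST, LINK, SITE, INTERNET = 0, 1, 2, 3
ULA_BLOCK = ipaddress.ip_network("fc00::/7")

def reach(addr):
    """How far away a peer can be and still connect to this address."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop any zone id
    if ip.is_unspecified:
        # "::" accepts on every configured address; assume one of them is global.
        return INTERNET
    if ip.is_loopback:
        return HOST
    if ip.is_link_local:
        return LINK
    return SITE if ip in ULA_BLOCK else INTERNET

def bind_candidates(configured, needed):
    """Configured addresses of the smallest reach that still covers `needed`."""
    usable = [a for a in configured if reach(a) >= needed]
    smallest = min((reach(a) for a in usable), default=None)
    return [a for a in usable if reach(a) == smallest]

def overexposed(listeners, policy):
    """Listeners reachable from further away than their service requires."""
    return [(svc, addr) for svc, addr in listeners if reach(addr) > policy[svc]]

# Constructed host configuration and listener inventory.
CONFIGURED = ["fe80::1c2a:4bff:fe00:10%eth0", "2001:db8:10::10",
              "fd3a:7c91:55e2:10::10"]
POLICY = {"file-server": SITE, "metrics": SITE, "web": INTERNET,
          "dhcpv6-client": LINK}
LISTENERS = [("file-server", "::"),                       # wildcard bind
             ("metrics", "2001:db8:10::10"),              # global address
             ("web", "2001:db8:10::10"),
             ("dhcpv6-client", "fe80::1c2a:4bff:fe00:10%eth0")]
```

Here `bind_candidates(CONFIGURED, SITE)` returns only the ULA for the internal file server, while `overexposed(LISTENERS, POLICY)` reports the wildcard and global-address binds of services that only need organizational reach.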

Employing IPv6 addresses of limited scope can result in additional benefits. For example, the ULA address block (fc00::/7) is large enough that virtually any large or complex network could be built out of the ULA address space. Since ULAs are locally administered, they can provide addresses that remain available even upon failures with an upstream provider; that is, even if connectivity with the upstream provider is lost and global addresses time out, ULAs can still be employed for local communication. A discussion of a number of usage scenarios for ULAs can be found on the IETF Internet-Draft webpage.

Note that nonglobal addresses (including ULAs) are usually limited to a type of application or protocol that is meant to operate on a reduced scope and, hence, their applicability may be limited.

Stay tuned for part two of this series on IPv6 addresses, which will examine address stability and usage considerations.
