Weighing the Pros and Cons: Should You Disable IPv6 for Security?

Should you Disable IPv6 for Security?

 

We have known for some time that IPv4 addresses will run out, and IPv6 will become the network addressing standard. In many cases, IPv4 addresses already run out except for addresses hoarded by managed service providers and others.

IANA in 2011 announced that they had no more IPv4 address blocks to distribute. APNIC also ran out in 2011, as did the Europeans in 2012, and South America in 2014. The North American registry reached the last of its IPv4 address blocks in 2014, running out in 2015.

Further, all new network research and development is around IPv6.  To all intents and purposes, IPv4 is on its last legs, and businesses should make the transition to IPv6 without delay.

However, the transition to IPv6 is not an easy one. Many legacy devices don’t support it, and there are concerns, particularly around security about running a dual IPv4 and IPv6 environment. Unless you absolutely need it, should you disable IPv6 for security reasons?

 

IPV6 for security
IPV6 for security

 

 

The Advantages of IPv6 over IPv4

3 points of the advantages of IPv6
IPV6 Features

 

 

The first and most obvious answer is that you can get new IPv6 addresses. Unless you can persuade your ISP to give you a hoarded IPv4 address, you will be very lucky to find a free one.

Other advantages include:

  • IPv6 based networks can have auto-configuration capabilities, leading to less manual maintenance and more manageable networks.
  • Improved authentication and data integrity are built into IPv6. For example, IPv4 ICMP packets are often blocked by firewalls because of their potential to carry malware.
  • No more NAT or DHCP. Because of the vast IPv6 address space, there is no longer a need for NAT or DHCP.

 

What Happens When You Disable IPv6?

The first and most obvious effect is that all devices that use only IPv6 vanish from network management. They become inaccessible.  They can still communicate with each other and externally. This is a large security hole:

  • Unless firewalls are configured to handle IPv6 traffic, then it can pass into your system unhindered, bringing all kinds of malware with it.
  • Unmanaged IPv6 networks can be used to create shadow networks where internal and external users can access network resources bypassing security without IT being aware.

 

The second effect is that any applications that are using only IPv6 cannot be managed. This might not be such a problem since there are very few devices and applications that use IPv6 exclusively.

Some specific reasons why you should not disable IPv6 in certain circumstances:

  • Cloud Computing and IoT. IPv6 is essential for both.
  • Windows Servers. Microsoft Windows servers use IPv6 as part of their network architecture.  Disabling it will cause problems, such as Microsoft Exchange not starting and other seemingly random events.
  • Some security software uses IPv6, especially to receive updates. Disabling it could stop it from operating.
  • Disabling IPv6 does not speed up Internet access. This is an urban myth.

You can, on Windows servers and desktops, set a policy to prefer IPv4 over IPv6. This keeps IPv6 running but legacy equipment and software that uses IPv4 will try IPv4 protocols first.

 

How Do I Enable IPv6 under Linux?

Some legacy servers may not have IPv6 enabled. Follow these four steps to enable it:

  • Check if it is already running;
  • Enable IPV6 from /etc/sysctl.conf file;
  • Enable IPV6 from GRUB(/etc/default/grub);
  • Enable IPV6 Using sysctl command.

These simple steps will start IPv6 on your Linux server.

 

How to Disable IPv6 on Ubuntu?

Enabling IPv6 temporarily or permanently disabling IPv6 is a relatively simple matter:

 

  • Disabling IPv6 Temporarily

Execute the following commands:

 

sysctl -w net.ipv6.conf.all.disable_ipv6=1net.ipv6.conf.all.disable_ipv6 = 1
sysctl -w net.ipv6.conf.default.disable_ipv6=1net.ipv6.conf.default.disable_ipv6 = 1
IPv6 will be disabled until the next reboot. To enable IPv6 without rebooting, use the same commands replacing the = 1 with = 0.

 

  • Disabling IPv6 Permanently

You will need admin access to the /etc/default/grub file.

Using your favourite editor, make the following change:

FROM

GRUB_CMDLINE_LINUX_DEFAULT=””

TO

GRUB_CMDLINE_LINUX_DEFAULT=”ipv6.disable=1″

Then run the update-grub command.

Obviously, to restore IPv6 support do the same, changing the =1 to =0, or restoring the original line.

 

Should you Disable IPv6 for Security?

The answer to this question is no. However, there are a few recommendations you can follow for better security.

  • Comprehensive security assessment: Identify and address vulnerabilities specific to IPv6 networks through thorough vulnerability scanning, penetration testing, and security auditing.
  • IPv6 security implementation: Implement robust security protocols, such as IPsec, to ensure the confidentiality and integrity of data transmitted over IPv6 networks.
  • Network segmentation: Employ proper network segmentation practices to reduce attack surface area, enhancing network security. Ensure proper isolation of IPv6 from IPv4 networks to mitigate potential risks.
  • Ongoing monitoring and patch management: Continuously monitor network traffic for anomalous behaviour and promptly apply security updates and patches.
  • Training and awareness: Educate network administrators, IT personnel, and end-users about IPv6 security practices to foster a security-conscious culture and minimize human error-related risks.

 

While concerns surrounding IPv6 security are valid, disabling the protocol entirely often fails to provide an effective security strategy. Instead, organizations should focus on addressing the specific security risks and vulnerabilities introduced by IPv6. By adopting best practices, conducting thorough security assessments, and implementing appropriate security.

measures, organizations can benefit from the advantages offered by IPv6 while minimizing potential security risks.

 

If you have any queries or concerns about IPv6 please talk to us for an informal chat with our skilled and experienced technicians.

  • Share:
Send a Message