Should you Disable IPv6 for Security?

IPV6 for security

 

We have known for some time that IPv4 addresses will run out, and IPv6 will become the network addressing standard. In many cases, IPv4 addresses already run out except for addresses hoarded by managed service providers and others.

IANA in 2011 announced that they had no more IPv4 address blocks to distribute. APNIC also ran out in 2011, as did the Europeans in 2012, and South America in 2014. The North American registry reached the last of its IPv4 address blocks in 2014, running out in 2015.

Further, all new network research and development is around IPv6.  To all intents and purposes, IPv4 is on its last legs, and businesses should make the transition to IPv6 without delay.

However, the transition to IPv6 is not an easy one. Many legacy devices don’t support it, and there are concerns, particularly around security about running a dual IPv4 and IPv6 environment. Unless you absolutely need it, should you disable IPv6 for security reasons?

 

IPV6 for security
IPV6 for security

 

 

The Advantages of IPv6 over IPv4

3 points of the advantages of IPv6
IPV6 Features

 

 

The first and most obvious answer is that you can get new IPv6 addresses. Unless you can persuade your ISP to give you a hoarded IPv4 address, you will be very lucky to find a free one.

Other advantages include:

  • IPv6 based networks can have auto-configuration capabilities, leading to less manual maintenance and more manageable networks.
  • Improved authentication and data integrity are built into IPv6. For example, IPv4 ICMP packets are often blocked by firewalls because of their potential to carry malware.
  • No more NAT or DHCP. Because of the vast IPv6 address space, there is no longer a need for NAT or DHCP.

 

What Happens When You Disable IPv6?

The first and most obvious effect is that all devices that use only IPv6 vanish from network management. They become inaccessible.  They can still communicate with each other and externally. This is a large security hole:

  • Unless firewalls are configured to handle IPv6 traffic, then it can pass into your system unhindered, bringing all kinds of malware with it.
  • Unmanaged IPv6 networks can be used to create shadow networks where internal and external users can access network resources bypassing security without IT being aware.

 

The second effect is that any applications that are using only IPv6 cannot be managed. This might not be such a problem since there are very few devices and applications that use IPv6 exclusively.

Some specific reasons why you should not disable IPv6 in certain circumstances:

  • Cloud Computing and IoT. IPv6 is essential for both.
  • Windows Servers. Microsoft Windows servers use IPv6 as part of their network architecture.  Disabling it will cause problems, such as Microsoft Exchange not starting and other seemingly random events.
  • Some security software uses IPv6, especially to receive updates. Disabling it could stop it from operating.
  • Disabling IPv6 does not speed up Internet access. This is an urban myth.

You can, on Windows servers and desktops, set a policy to prefer IPv4 over IPv6. This keeps IPv6 running but legacy equipment and software that uses IPv4 will try IPv4 protocols first.

 

How Do I Enable IPv6 under Linux?

Some legacy servers may not have IPv6 enabled. Follow these four steps to enable it:

  • Check if it is already running;
  • Enable IPV6 from /etc/sysctl.conf file;
  • Enable IPV6 from GRUB(/etc/default/grub);
  • Enable IPV6 Using sysctl command.

These simple steps will start IPv6 on your Linux server.

 

How to Disable IPv6 on Ubuntu?

Enabling IPv6 temporarily or permanently disabling IPv6 is a relatively simple matter:

 

  • Disabling IPv6 Temporarily

Execute the following commands:

sysctl -w net.ipv6.conf.all.disable_ipv6=1net.ipv6.conf.all.disable_ipv6 = 1

sysctl -w net.ipv6.conf.default.disable_ipv6=1net.ipv6.conf.default.disable_ipv6 = 1

IPv6 will be disabled until the next reboot. To enable IPv6 without rebooting, use the same commands replacing the = 1 with = 0.

 

  • Disabling IPv6 Permanently

You will need admin access to the /etc/default/grub file.

Using your favourite editor, make the following change:

FROM:

GRUB_CMDLINE_LINUX_DEFAULT=””

TO:

GRUB_CMDLINE_LINUX_DEFAULT=”ipv6.disable=1″

Then run the update-grub command.

Obviously, to restore IPv6 support do the same, changing the =1 to =0, or restoring the original line.

 

Should you Disable IPv6 for Security?

The answer to this question is clearly no.

If you have any queries or concerns about IPv6 please talk to us for an informal chat with our skilled and experienced technicians.

  • Share:
Send a Message