Migrating your network to IPv6
New Address
DNS: Even More Important for IPv6
If the Domain Name System (DNS) is important in IPv4, it is considerably more significant in IPv6 given that the addresses are more complex. An infrastructure that uses IPv6 is typically unthinkable without DNS mechanisms. The positive news is that most DNS server implementations support IPv6, and no reimplementation of this service is required.
Instead, you only need to extend the existing zones to include IPv6 entries. It is important, however, that these entries actually exist for IPv6, because IPv6 addresses will only rarely be typed in directly. An administrator who might easily remember an IPv4 address will be overwhelmed with the more complex IPv6 addresses. Maintaining and updating the DNS systems and zones is hugely important in IPv6 and must be taken into account in migration planning.
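One way to check that the zone extension described above is complete, as an added example that is not part of the original article: it lists names that have an A record but no AAAA record and derives the ip6.arpa names needed for reverse entries. The zone content, host names and the helper names are constructed for illustration, and the parser assumes one record per line with an explicit owner name.

```python
import ipaddress

# Constructed sample zone (documentation prefixes 192.0.2.0/24 and 2001:db8::/32).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster 2024010101 7200 3600 1209600 3600
www     IN A     192.0.2.10
www     IN AAAA  2001:db8:0:1::10
mail    IN A     192.0.2.25
ns1     IN A     192.0.2.53
ns1     IN AAAA  2001:db8:0:1::53
intra   3600 IN A 192.0.2.80 ; legacy host
"""

def parse_address_records(zone_text):
    """Return {owner: {"A": [...], "AAAA": [...]}}.

    Assumption: one record per line, each line carrying its owner name.
    """
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip comments, tokenize
        if len(fields) < 3 or fields[-2] not in ("A", "AAAA"):
            continue                              # directives, SOA, other types
        owner, rtype = fields[0], fields[-2]
        addr = ipaddress.ip_address(fields[-1])   # raises ValueError if malformed
        if addr.version != (4 if rtype == "A" else 6):
            raise ValueError(f"{owner}: {rtype} record holds {addr}")
        records.setdefault(owner, {"A": [], "AAAA": []})[rtype].append(addr)
    return records

def missing_aaaa(records):
    """Names reachable over IPv4 that have no IPv6 entry yet."""
    return sorted(n for n, r in records.items() if r["A"] and not r["AAAA"])

def reverse_names(records):
    """ip6.arpa owner name for the PTR record of every AAAA address."""
    return {str(a): a.reverse_pointer
            for r in records.values() for a in r["AAAA"]}

if __name__ == "__main__":
    recs = parse_address_records(SAMPLE_ZONE)
    print("A without AAAA:", missing_aaaa(recs))
    for addr, ptr in reverse_names(recs).items():
        print(addr, "->", ptr)
```

Names that stay in the first list remain reachable only over IPv4, so filtering, logging and monitoring for them need to be reviewed separately once the host itself gets an IPv6 address.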
DHCPv6 Usage Plan
Whereas the DNS service only needs to be extended, the considerations relating to DHCP are of a more fundamental nature: Through the autoconfiguration mechanism, you may no longer need to operate a DHCPv6 server. On the other hand, not all IPv6 configuration options can at present be transferred using router advertisements, so DHCPv6 might need to play a complementary role. You need to decide how hosts obtain their IP address:
- Manual: All settings are configured by hand.
- Manual/autoconfiguration: Only individual settings are configured manually.
- Autoconfiguration: Only the values supplied by autoconfiguration are configured.
- Autoconfiguration/stateless DHCPv6: The node creates some IPv6 configuration settings itself and others are retrieved via DHCPv6.
- Stateful DHCPv6: The node receives all IPv6 configuration options via DHCPv6.
Depending on how you address these considerations, you might need to plan for DHCPv6.
Hardening IPv6
One essential aspect of IPv6 migration is the security level after the migration. IPv6 comes with new vulnerabilities and challenges. The issue of security should be considered from the outset in your IPv6 migration project. IPv6 is not inherently more or less secure than IPv4. Security depends on the existing security mechanisms and technologies. There is admittedly still a knowledge deficit relating to IPv6 vulnerabilities, because this protocol is still not as widely available as IPv4, which every hacker on earth has already taken apart. On the other hand, you can set up a solid baseline, taking into account some basic principles, then supplement those principles with additional measures if necessary.
I have already addressed the most obvious issue: After eliminating NAT, the network firewall is now the only protection against attacks from the Internet in some environments. The firewall configuration thus assumes fundamental importance. But in principle, the situation is no different for IPv4 – the firewall is the designated protection mechanism, not the NAT device – and the usual firewall configuration rules also apply to IPv6: as much as necessary, and as little as possible.
You might need to make sure other security components are IPv6 capable. Proceed carefully and study each component: For instance, your intrusion prevention system might prevent some forms of attack in IPv4, but not detect them in IPv6.
First hop security is another important consideration. First hop security refers to measures taken on a switch on the local subnet, as close as possible to the device, to establish protection. The relevant features include RA-Guard, DHCP snooping, and neighbor discovery inspection (the IPv6 counterpart to protection against ARP spoofing). Since various IPv6 features are based on neighbor discovery, the first hop is very significant for security, and you need to examine it in the context of migration planning. Unfortunately, not all access switches support these features, so you'll need to weigh the costs and benefits carefully.