IPv6 Security Overview
Scott Hogg

Many organizations’ cybersecurity teams have not spent any time considering how to proactively secure IPv6. Yet there is no doubt that these teams have heard of IPv6 sometime in the past twenty years as it has matured and been widely deployed. The fact is that IPv6 is far more prevalent than most security practitioners realize, and many employees already use IPv6 whenever they are outside the IPv4-only enterprise network. IPv6 is also already inside enterprise networks, because it is enabled by default on essentially every modern host operating system and on many embedded systems.
If security teams are unprepared to deal with IPv6 security incidents, the organization is in jeopardy. Not having a plan to proactively secure IPv6 represents a significant risk to the enterprise, and intentionally or unintentionally ignoring IPv6 is irresponsible and could arguably be considered negligence.
Here is a list of “7 points your security team needs to know about IPv6 (but probably doesn’t)”.
The following sections of this article provide a broad overview of IPv6 security topics for enterprise organizations to consider. The article concludes with a compendium of IPv6 security recommendations to help organizations proactively secure IPv6.
The IPv6 “Latent Threat”
IPv6 is no more or less secure than IPv4. There is no inherent security built into either protocol. However, if IPv6 has been enabled and no steps have been taken to secure it then it can be a risk.
Even if a company hasn’t intentionally started using IPv6 yet, all organizations already have some IPv6 running on their networks and probably didn’t even realize it. Many remote workers already use IPv6 at home and on their mobile devices. They could be using it when mobile, working from a coffee shop, at a conference, or in an airport or hotel. Internet apps are already using IPv6. For example, an organization's SaaS provider could implement IPv6 tomorrow, and there would be IPv6 connections occurring unbeknownst to the security team.
Nearly all host operating systems ship with IPv6 enabled by default, so there is IPv6 traffic on practically every wired or wireless LAN segment in an enterprise: at a minimum, the Neighbor Discovery, Router Solicitation and multicast (MLD, mDNS) packets that dual-stack hosts send on their own. This traffic is invisible to security teams who don’t know about IPv6 or lack the tools to gain visibility into IPv6 activity.
Therefore, IPv6 represents a “Latent Threat” to enterprise networks. There is a protocol that runs in the enterprise that is invisible, and the security teams have not taken any steps to learn about or proactively secure it in any way.
Adversaries Are Actively Using IPv6
Adversaries are already targeting IPv6 systems and actively scanning the Internet.
In CrowdSec’s Q2 2023 Majority Report, they noted that between October 2022 and June 2023 the share of reported malicious addresses that were IPv6 rose from 10% to 20%, and that reported malicious IPv6 addresses increased 35% from May to June 2023, driven by increased active scanning. Earlier in 2025, ESET reported that the TheWizards APT group was attacking LAN segments through IPv6 SLAAC spoofing (rogue Router Advertisements) using its Spellbinder tool.
For decades, IPv6 experts have known how to perform “Network Reconnaissance in IPv6 Networks” (IETF RFC 7707). Link-local reconnaissance is trivial if the attacker is on-link or has compromised a node on a network segment: a single ICMPv6 echo request to the all-nodes multicast address ff02::1 makes every host that answers it reveal itself, and the responder’s neighbor cache then lists their addresses. Therefore, it is vital that enterprises know what is connected to their networks and observe east-west communications on LAN segments for nefarious activities.
Security researchers are constantly developing “New Ways of IPv6 Scanning,” and attackers can learn these methods and use them for nefarious purposes. We used to believe that IPv6 networks were too large to scan, but we now know that large-scale IPv6 Internet reconnaissance is taking place. There are lists of active and responsive IPv6 Internet-reachable hosts, and there are tools and techniques that make this broad scanning feasible.
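The reason Internet-scale IPv6 scanning is feasible is that real addresses are not uniformly random in the 64-bit interface identifier. The following added example (written for this article, not the author's code or any published scanner) generates the candidate-address classes RFC 7707 describes, given hints an attacker commonly has: "low-byte" administrative addresses, addresses that embed a known IPv4 address, and SLAAC/EUI-64 addresses for a known vendor OUI. The documentation prefix 2001:db8:0:1::/64, the OUI 00:50:56 and the IPv4 addresses are constructed inputs, not real targets.

```python
"""Candidate-address generation in the style of RFC 7707 (added example).

Instead of brute-forcing the 2^64 interface identifiers of a /64, an attacker
(or a defender auditing exposure) enumerates the small set of addresses that
real deployments tend to use.
"""
import ipaddress
from itertools import chain
from typing import Iterable, Iterator, List

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def iid_to_addr(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))


def low_byte_candidates(prefix: ipaddress.IPv6Network, limit: int = 256) -> Iterator[ipaddress.IPv6Address]:
    """Manually configured addresses such as prefix::1 ... prefix::ff (routers, servers)."""
    return (iid_to_addr(prefix, n) for n in range(1, limit + 1))


def ipv4_embedded_candidates(prefix: ipaddress.IPv6Network,
                             ipv4_addrs: Iterable[str]) -> Iterator[ipaddress.IPv6Address]:
    """Addresses embedding a known IPv4 address in both conventions admins use:
    hex (192.0.2.10 -> prefix::c000:20a) and decimal-looking (-> prefix:192:0:2:10)."""
    for a in ipv4_addrs:
        v4 = ipaddress.IPv4Address(a)
        yield iid_to_addr(prefix, int(v4))
        iid = 0
        for octet in v4.packed:            # each octet's decimal digits read as a hextet
            iid = (iid << 16) | int(str(octet), 16)
        yield iid_to_addr(prefix, iid)


def eui64_candidates(prefix: ipaddress.IPv6Network, oui: str,
                     nic_range: range) -> Iterator[ipaddress.IPv6Address]:
    """SLAAC addresses for one vendor OUI. NIC-specific bytes are assigned
    sequentially, so a batch of devices clusters in a small range."""
    for nic in nic_range:
        mac = "%s:%02x:%02x:%02x" % (oui, (nic >> 16) & 0xFF, (nic >> 8) & 0xFF, nic & 0xFF)
        yield iid_to_addr(prefix, eui64_iid(mac))


def build_candidates(prefix: str, oui: str, nic_range: range,
                     ipv4_addrs: Iterable[str], low_byte_limit: int = 256) -> List[str]:
    """Deduplicated, sorted target list for one /64."""
    net = ipaddress.IPv6Network(prefix)
    addrs = set(chain(low_byte_candidates(net, low_byte_limit),
                      ipv4_embedded_candidates(net, ipv4_addrs),
                      eui64_candidates(net, oui, nic_range)))
    return [str(a) for a in sorted(addrs)]


if __name__ == "__main__":
    # Constructed inputs: documentation prefix, an example OUI and IPv4 addresses
    # assumed to belong to the same hosts. None of these are real targets.
    targets = build_candidates("2001:db8:0:1::/64", "00:50:56",
                               range(0xAABBC0, 0xAABBD0), ["192.0.2.10", "192.0.2.11"], 32)
    print(f"{len(targets)} candidates instead of 2^64:")
    for t in targets:
        print(" ", t)
```

Each class is tiny compared with the 2^64 space, which is why responsive-host lists and hitlist-based scanners work; the same generator lets a defender check whether its own addressing plan is this predictable, and argues for RFC 7217-style stable-privacy or random interface identifiers on exposed hosts.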
Many IT Products Have IPv6 Vulnerabilities
It is easy for attackers to craft malicious IPv6 packets, just as they do with IPv4. IPv6 is subtly different from IPv4, and attackers can forge IPv6 packets that abuse fragmentation or extension headers such as the Hop-by-Hop Options, Destination Options, Routing or Fragment headers, often by chaining them in orders or lengths a product's parser does not expect. Virtually every major vendor has published IPv6-related vulnerabilities, and many of them stem from the vendor’s improper parsing and handling of IPv6 packets.
A quick search of the CVE database for IPv6-related vulnerabilities reveals that many popular IT vendors' software could be at risk. Therefore, organizations must keep their systems patched for all vulnerabilities, even if they don’t believe they are using IPv6: a dual-stack host still parses every IPv6 packet it receives.
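The parsing mistakes described above are concrete enough to demonstrate. The following added example (written for this article; not the author's code and not a reproduction of any particular CVE) walks an IPv6 extension-header chain the way a careful filter or IDS should, and flags the conditions that have historically tripped up implementations: a header whose declared length runs past the end of the packet, a Hop-by-Hop header that is not first (RFC 8200), repeated headers, an overly long chain, and a first fragment that does not carry the upper-layer header (RFC 7112). The sample packets are constructed inline with documentation addresses and zero checksums; the MAX_CHAIN limit is an assumed local policy.

```python
"""Walk an IPv6 extension-header chain and flag malformed or suspicious chains
(added example; not code from the article). Packets are constructed inline."""
import ipaddress
import struct
from typing import Dict, List

HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, 135, 139, 140}
MAX_CHAIN = 8  # assumed local policy; RFC 8200 itself imposes no limit


def walk_ipv6(pkt: bytes) -> Dict[str, object]:
    """Return the extension-header chain, the upper-layer protocol number (None if
    unknown) and a list of anomalies a filter would drop or alert on."""
    chain: List[int] = []
    anomalies: List[str] = []
    res: Dict[str, object] = {"chain": chain, "upper": None, "anomalies": anomalies}
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        anomalies.append("not an IPv6 packet")
        return res
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    if payload_len != len(pkt) - 40:
        anomalies.append("payload length does not match bytes on the wire")
    off, first_fragment = 40, False
    while nh in EXT_HEADERS:
        chain.append(nh)
        if len(chain) > MAX_CHAIN:
            anomalies.append("extension header chain too long")
            return res
        if nh == HOPOPT and len(chain) != 1:
            anomalies.append("hop-by-hop header not directly after the IPv6 header (RFC 8200)")
        if chain.count(nh) > (2 if nh == DSTOPTS else 1):
            anomalies.append(f"repeated extension header {nh}")
        if nh == ESP:
            return res  # encrypted from here on; nothing further can be validated
        if off + 8 > len(pkt):
            anomalies.append(f"truncated extension header {nh}")
            return res
        next_nh = pkt[off]
        if nh == FRAGMENT:  # fixed 8 bytes: next, reserved, offset/flags, identification
            frag_word = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag_word >> 3:  # non-initial fragment: the rest of the chain is in fragment 0
                res["non_initial_fragment"] = True
                return res
            first_fragment, hdr_len = bool(frag_word & 1), 8
        elif nh == AH:      # AH length field counts 32-bit words minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:               # other extension headers: 8-octet units, excluding the first 8
            hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            anomalies.append(f"truncated extension header {nh}")
            return res
        off, nh = off + hdr_len, next_nh
    if nh != NONEXT:
        res["upper"] = nh
        if first_fragment and off >= len(pkt):
            anomalies.append("first fragment carries no upper-layer header (RFC 7112)")
    return res


# --- constructed sample packets (documentation addresses, checksums left zero) ---
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address("2001:db8::2").packed + payload)


def opts_header(next_header: int, ext_len: int = 0) -> bytes:
    """Hop-by-Hop or Destination Options header of (ext_len+1)*8 bytes holding one PadN option."""
    pad = (ext_len + 1) * 8 - 2
    return bytes([next_header, ext_len, 1, pad - 2]) + b"\x00" * (pad - 2)


ICMP_ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
SAMPLES = {
    "plain echo": ipv6_packet(58, ICMP_ECHO),
    "hbh + dstopts + echo": ipv6_packet(HOPOPT, opts_header(DSTOPTS) + opts_header(58) + ICMP_ECHO),
    "hbh after dstopts": ipv6_packet(DSTOPTS, opts_header(HOPOPT) + opts_header(58) + ICMP_ECHO),
    "hbh claims 48 bytes, 8 present": ipv6_packet(HOPOPT, bytes([58, 5, 1, 4, 0, 0, 0, 0])),
    "tiny first fragment": ipv6_packet(FRAGMENT, struct.pack("!BBHI", DSTOPTS, 0, 0b1, 0xDEADBEEF)
                                       + opts_header(58)),
    "later fragment": ipv6_packet(FRAGMENT, struct.pack("!BBHI", 6, 0, 100 << 3, 0xDEADBEEF)
                                  + b"\x00" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = walk_ipv6(pkt)
        print(f"{name:32s} chain={r['chain']} upper={r['upper']} anomalies={r['anomalies']}")
```

Two design points matter in practice: every length check happens before the bytes are read (the truncated-header case is exactly where naive parsers over-read), and the walk stops at ESP or at a non-initial fragment rather than guessing, since the upper-layer header is simply not available there. A perimeter policy built on this logic can then decide, per RFC 9099, which extension-header chains to permit at all.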
Protect Both IPv4 and IPv6 Equally
Organizations are only as strong as the weakest of the two protocol stacks. Attackers will actively probe for weaknesses in both protocols and target the one that is less defended. Running IPv4 and IPv6 in parallel (dual-stack) will increase the “attack surface”.
Running dual stacks increases the effort an organization’s security team must expend to ensure equal protection for both protocols. Some controls do carry over, however: hardening the applications and hosts themselves protects them regardless of which Internet Protocol version the attacker arrives over, whereas network-layer controls (filters, logging, IDS signatures) generally have to be built a second time for IPv6.
Review Current Security Products and Services for IPv6 Capabilities
Another risk to organizations is that some cybersecurity vendor products lack sufficient IPv6 security features. Organizations need to verify that their security measures have adequate IPv6 capabilities before they move forward, so they do not end up with an insecure IPv6 deployment. They need to consider all the security products they use: firewalls, IDS/IPS, malware protection, content filtering, SIEMs, authentication, Certificate Authorities (CAs), web proxies, DDoS protection, vulnerability scanning, zero trust systems, and more. Any security management or threat intelligence system should also be watching for IPv6-related incidents.
When assessing security products' IPv6 capabilities, security administrators should consider the IPv6 features employed in the data plane, control plane, and management plane. They can start by asking their vendors and digging deep into the IPv6 features and capabilities to make sure they have what they need to protect IPv4 and IPv6 equally. They may need to perform Proof-of-Concept (PoC) lab testing to fully confirm they can defend IPv6. If a current security vendor lacks the required IPv6 features, the organization can delay its IPv6 deployment or consider switching vendors.
IPv6 VPN Breakout is Real
Individuals and organizations are concerned about preserving privacy when using the dual-protocol Internet, which means encrypting application traffic in transit. VPNs are commonplace for protecting site-to-site traffic and remote workers on their laptops and mobile devices.
Unfortunately, most enterprise VPNs are configured only for IPv4 and do not handle IPv6 connections in any way. On a dual-stack host this creates a risk that IPv6 traffic never enters the tunnel: it “breaks out” of the VPN and is forwarded over the native IPv6-enabled Internet without any encryption, while the user believes everything is protected. This is called IPv6 VPN Breakout (the leakage is analyzed in IETF RFC 7359), and it is a serious security risk for most enterprise organizations.
The industry’s best-practice recommendation is to IPv6-enable the VPN and enforce full tunneling (no split tunneling) so that all IPv4 and IPv6 traffic traverses the VPN and nothing leaks out unprotected. Where the VPN cannot yet carry IPv6, the client should instead block IPv6 outside the tunnel while connected rather than let it fall back to the native path.
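Whether a given host is leaking is decided by its routing table, so it can be checked rather than assumed. The following added example (written for this article, not the author's or any VPN vendor's code) parses Linux `ip -6 route show` output and classifies the host as covered, blocked, leaking, or having no IPv6 default route at all. The route tables are constructed samples; the VPN interface names tun0 and wg0 are assumptions for the live check.

```python
"""Detect IPv6 VPN breakout from the host routing table (added example; not the
article's code). Parses `ip -6 route show` output; sample tables are constructed."""
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

BLOCKING = {"unreachable", "blackhole", "prohibit"}
DEFAULT_DSTS = {"default", "::/0"}
HALVES = ("::/1", "8000::/1")   # the route pair some clients use to override any default


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Turn `ip -6 route show` lines into dicts with dst, dev, metric and route type."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = "unicast"
        if tok[0] in BLOCKING:
            rtype, tok = tok[0], tok[1:]
        dst = "::/0" if tok[0] in DEFAULT_DSTS else tok[0]
        route: Dict[str, object] = {"dst": dst, "dev": None, "metric": 1024, "type": rtype}
        for i, t in enumerate(tok[1:], 1):
            if t == "dev":
                route["dev"] = tok[i + 1]
            elif t == "metric":
                route["metric"] = int(tok[i + 1])
        routes.append(route)
    return routes


def best_route(routes: List[Dict[str, object]], dst: str) -> Optional[Dict[str, object]]:
    """Lowest-metric route for an exact destination prefix, or None."""
    matches = [r for r in routes if r["dst"] == dst]
    return min(matches, key=lambda r: r["metric"]) if matches else None


def ipv6_leak_status(routes: List[Dict[str, object]], vpn_ifaces: Iterable[str]) -> Tuple[str, str]:
    """Classify as 'covered' (IPv6 goes through the VPN), 'blocked' (IPv6 dropped while
    connected), 'no_default' (no IPv6 default route) or 'leak' (IPv6 bypasses the VPN)."""
    vpn = set(vpn_ifaces)
    halves = [best_route(routes, h) for h in HALVES]
    if all(h and h["dev"] in vpn and h["type"] == "unicast" for h in halves):
        return "covered", "::/1 and 8000::/1 via " + str(halves[0]["dev"])
    default = best_route(routes, "::/0")
    if default is None:
        return "no_default", "no IPv6 default route; IPv6 is unused or disabled"
    if default["type"] in BLOCKING:
        return "blocked", f"default route is {default['type']}"
    if default["dev"] in vpn:
        return "covered", f"default via {default['dev']}"
    return "leak", f"IPv6 default route uses {default['dev']} (metric {default['metric']}), outside the VPN"


def live_status(vpn_ifaces: Iterable[str] = ("tun0", "wg0")) -> Tuple[str, str]:
    """Run the check on this host (Linux only; interface names are assumptions)."""
    out = subprocess.run(["ip", "-6", "route", "show"], capture_output=True, text=True, check=True).stdout
    return ipv6_leak_status(parse_routes(out), vpn_ifaces)


# Constructed sample tables: a laptop on Wi-Fi (wlan0) with an IPv4-only VPN on tun0.
LEAKING = """\
2001:db8:1::/64 dev wlan0 proto kernel metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
TUNNELED = LEAKING + "default dev tun0 metric 50 pref medium\n"
SPLIT_HALVES = LEAKING + "::/1 dev tun0 metric 50 pref medium\n8000::/1 dev tun0 metric 50 pref medium\n"
BLOCKED = LEAKING + "unreachable default dev lo metric 50 error -101 pref medium\n"
NO_IPV6 = "fe80::/64 dev wlan0 proto kernel metric 1024 pref medium\n"

if __name__ == "__main__":
    for name, table in [("leaking", LEAKING), ("tunneled", TUNNELED), ("split halves", SPLIT_HALVES),
                        ("blocked", BLOCKED), ("no ipv6", NO_IPV6)]:
        print(f"{name:13s}", ipv6_leak_status(parse_routes(table), {"tun0"}))
    try:
        print("this host:   ", live_status())
    except (OSError, subprocess.CalledProcessError):
        print("this host:    `ip -6 route` not available")
```

Caveat for the live check: `ip -6 route show` lists only the main table, so a client that steers traffic with policy routing (WireGuard's fwmark and a dedicated table, for instance) needs `ip -6 rule` and `ip -6 route show table all` as well, and the only authoritative test remains observing whether IPv6 packets leave the physical interface while the VPN is up.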
Summary of IPv6 Security Recommendations
Again, security practitioners should realize that IPv6 is no more or less secure than IPv4. They must learn about the IPv6 protocol, anticipate attacker behavior, and actively plan to deploy IPv6 securely right from the start.
Security administrators must strive to achieve the same level of protection for IPv6 as for IPv4. They must gain visibility into IPv6 traffic and log all IPv6 security events. Performing granular IPv6 ingress and egress filtering at the perimeter (including explicit policy for extension headers, fragments and ICMPv6, rather than blanket blocking) and creating a layered security defense for IPv6 is critical. They must harden network devices, servers, and applications against IPv6 attacks.
If the security teams need a checklist of IPv6 security considerations, they can refer to IETF RFC 9099, “Operational Security Considerations for IPv6 Networks”.
Forming a Comprehensive Security Strategy
An enterprise organization should not proceed with enabling IPv6 before having a comprehensive plan to proactively secure IPv6. The security strategy for IPv6 will be similar to an organization’s approach to IPv4, but not necessarily identical.
The organization is recommended to create an IPv6 Security Threat Model, categorizing the threats that the unprotected environment is susceptible to. The threats are organized to provide a foundation to prepare the IPv6 security mitigation architecture. The output of this exercise will be the requirement drivers for the network protection measures that will be employed to mitigate the IPv6 threats.
The next step is to document the breadth of the enterprise IPv6 Security Architecture. This contains the target high-level strategy to mitigate IPv6 security risks by mapping the IPv6 security controls to threats and defining the best practices for securing IPv6-enabled environments. The IPv6 Security Architecture also details the plan to protect IPv6 over the long term as new threats and attacks emerge.
The final step is to document the IPv6 Security Risk Matrix, which lists the risks and assigns each a relative score for: 1) severity, 2) damage potential, 3) likelihood, and 4) the CAPEX/OPEX cost of remediation. A simple formula combining these four scores yields a numerical "risk score" for each item, and the risks are ranked by it. This ordered list will help prioritize the remediation tasks using this lightweight risk management framework.
Once an organization has gone through these steps, it will have a solid IPv6 security strategy that mitigates the currently known and anticipated risks.
Hogg Networking is able to guide organizations through the process of learning about IPv6, understanding the current threats, and developing a comprehensive security plan to proactively secure IPv6.
Other Information on IPv6
Hogg Networking provides other information on IPv6. This information can be accessed via the website. If you need additional information on IPv6, please contact me (info@hoggnet.com) and I’ll share it with you.