The National Security Agency issued guidance to the Department of Defense to mitigate cybersecurity issues as it transitions from the legacy internet protocol to the latest.
In 2020, the federal government mandated that all agencies and departments migrate from Internet Protocol version 4 (IPv4) to IPv6, which is considered more secure.
However, there are inherent challenges when changing network configurations, and IPv6 isn’t without its own risks.
“While there are convincing reasons to transition from IPv4 to IPv6, security is not the main motivation. Security risks exist in IPv6 and will be encountered, but they should be mitigated with a combination of stringently applied configuration guidance and training for system owners and administrators during the transition,” the guidance, released Jan. 18 states. “IPv6 security issues are quite similar to those from IPv4. That is, the security methods used with IPv4 should typically be applied to IPv6 with adaptations as required to address the differences with IPv6. Security issues associated with an IPv6 implementation will generally surface in networks that are new to IPv6, or in early phases of the IPv6 transition.”
As part of the incremental transition, many networks will be “dual stacked,” meaning they will be running both IPs concurrently, which can increase the operational burden and attack surface.
“It’s important that DOD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks,” Neal Ziring, NSA cybersecurity technical director, said in a press release.
Notably, NSA says current networks lack maturity and administrators lack experience in IPv6.
NSA is aware that security issues will arise as they always do with network changes, and thus, issued a series of recommendations for administrators and owners. They include, among others: auto-configuration, automatic tunnels, dual stacking, and educating the workforce with knowledge of the differences between IPv4 and IPv6.