NIST Gives Guidelines for Securing IPv6

NIST Draft of Special Publication 800-119 will help secure IPv6 ahead of deployment

The National Institute of Standards and Technology (NIST) has issued a draft of a new publication that will help secure IPv6 networks as they are being deployed. Special Publication (SP) 800-119, "Guidelines for the Secure Deployment of IPv6," is now in the comments stage. Once those comments and improvements are integrated into the document, this will be one of the key sources for advice on preparing to secure our new IPv6 implementations.

For years we have heard that "IPv6 is just around the corner," but the process of deploying IPv6 has moved at a glacial pace. However, just as global warming is melting the world's glaciers, IPv6 is thawing and gathering more momentum. With only 8% of the supply of IPv4 addresses still available, more and more people are taking notice of this address shortage. More people are moving from the denial stage into acceptance and starting to educate themselves on what IPv6 is and what it means to their organizations.

The U.S. Federal government was aggressive early on with its plans to move forward with IPv6. However, its conviction to move to IPv6 weakened, and the June 30, 2008 deadline came and went. Still, the early fervor around IPv6 resulted in increased awareness and procurement guidelines that helped vendors notice that IPv6 features/functionality means a future in selling to government customers. Even though IPv6 is not being deployed in the majority of government organizations, it is important to consider the security of doing so during the planning stages.

On February 22nd, 2010 the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, released the Special Publication (SP) 800-119 DRAFT Guidelines for the Secure Deployment of IPv6. This document provides advice to U.S. Government organizations on the things they should consider prior to adding IPv6 to their network environments.

First of all, we should thank Sheila Frankel, Richard Graveman and John Pearce for writing this quality document and putting in so much time and effort. The community at large really needs this type of guidance to help them stay secure. This document covers all the relevant current topics related to IPv6 security. It is a very comprehensive document that will provide a lot of value to organizations looking to secure IPv6 ahead of its implementation.

This document is very current and covers timely topics like the security of SHIM6, Large-Scale NAT, Dual-Stack Lite, 6rd, and translation mechanisms. It also provides a lot of background information and introductory material on IPv6. Basic information such as IPv6 header structure, addressing, ICMPv6, transition mechanisms, DNS, DHCPv6, and other information is provided along with the security recommendations. This may be beneficial to those who don't know as much about IPv6. However, some of this background information is not necessarily germane to the discussion of security. The fundamental information is nice to have alongside the recommendations, but including all the necessary background really adds to the size of the document.

This document is already quite comprehensive, and when they incorporate the comments (due on April 23rd) it will grow in size and increase in quality. In addition to our book on IPv6 Security, we can look to this document as one of the key sources of information on how to secure an IPv6 network.


