Security considerations for Internet Protocol version 6 (ITSM.80.003) – Canadian Centre for Cyber Security

Summary

The Canadian Centre for Cyber Security guidance (ITSM.80.003) explains the security implications of adopting IPv6 across Government of Canada networks. It outlines IPv6 benefits—much larger address space, native IPsec support, autoconfiguration and neighbour discovery—and the new risks that come with running IPv6, especially in dual-stack (IPv4/IPv6) environments. The publication stresses that IPv6 is often enabled by default on modern systems, and that poor visibility, default configurations, tunnelling and legacy applications can expand the attack surface if not properly managed.

The document provides practical security considerations and recommended controls covering migration planning, procurement and testing, network architecture, addressing schemes, DHCPv6 and SLAAC protections, neighbour discovery hardening, address translation and tunnelling controls, monitoring/tool readiness, and the role of IPv6 in supporting zero trust. It concludes by recommending a planned, risk-based transition for organisations aiming ultimately for an IPv6-only end state where appropriate.

Key Points

  • IPv6 offers larger address space and built-in features (e.g. IPsec, SLAAC, ND) but also new attack vectors; it is not a simple “flip the switch” change.
  • Dual-stack deployments increase management complexity and attack surface; aim for an IPv6-only end state where feasible.
  • Default OS and vendor settings often enable IPv6 and automatic tunnels (Teredo, 6to4, ISATAP); these can bypass filters and must be blocked or monitored.
  • Addressing plans and IPAM are vital: use clear schemes, consider ULAs carefully and implement deny-by-default network policies.
  • Protect autoconfiguration: disable SLAAC where possible, use privacy extensions, and enable DHCPv6 address registration when needed.
  • Harden and protect neighbour discovery (ND) — use SEND or IPsec where available and filter ICMPv6 at boundaries per RFC guidance.
  • Update monitoring and management tools (IDPS, SIEM, scanners, patch tools) to support IPv6 and test dual-stack and IPv6-only scenarios.
  • Avoid risky translation mechanisms like NAT-PT; prefer supported solutions (NAT64/DNS64, 464XLAT) and design for redundancy and availability.
  • Implement tunnel-aware security, deny outbound UDP by default at the edge, and perform threat/risk assessments before rollout.
  • Invest in training and pilot labs to build operational expertise in IPv6 network and security management.
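The key point on automatic tunnels (Teredo, 6to4, ISATAP) can be turned into a monitoring check. The following is an added example, not part of the guidance itself: it flags flow records whose carrier protocol or IPv6 address format indicates a transition tunnel. The flow field names and sample records are assumptions constructed for illustration; the prefixes, IP protocol 41 and UDP port 3544 are the well-known values for these mechanisms.

```python
import ipaddress

# RFC 5214: an ISATAP interface identifier is 0000:5efe or 0200:5efe + IPv4.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)

def tunnel_type(addr):
    """Return (mechanism, embedded IPv4) for a transition-tunnel IPv6 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    if ip.teredo is not None:           # 2001::/32 (RFC 4380)
        _server, client = ip.teredo
        return ("teredo", str(client))
    if ip.sixtofour is not None:        # 2002::/16 (RFC 3056)
        return ("6to4", str(ip.sixtofour))
    value = int(ip)
    if (value >> 32) & 0xFFFFFFFF in ISATAP_IID_PREFIXES:
        return ("isatap", str(ipaddress.IPv4Address(value & 0xFFFFFFFF)))
    return None

def flow_findings(flow):
    """List the reasons a flow record looks like IPv6 transition tunnelling."""
    findings = []
    if flow["proto"] == 41:             # IPv6-in-IPv4 encapsulation
        findings.append("ip-proto-41 (6to4/ISATAP carrier)")
    if flow["proto"] == 17 and flow["dport"] == 3544:
        findings.append("udp/3544 (Teredo carrier)")
    for side in ("src", "dst"):
        hit = tunnel_type(flow[side])
        if hit:
            findings.append(f"{side} {hit[0]} address embeds {hit[1]}")
    return findings

# Constructed sample records (hypothetical field names, documentation addresses).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.1", "proto": 17, "dport": 3544},
    {"src": "10.0.0.6", "dst": "198.51.100.7", "proto": 41, "dport": 0},
    {"src": "2001:0:c000:201::39cc:9bf8", "dst": "2001:db8::10", "proto": 6, "dport": 443},
    {"src": "2001:db8:0:1:0:5efe:c000:20a", "dst": "2002:c633:6407::1", "proto": 6, "dport": 22},
    {"src": "2001:db8::20", "dst": "2001:db8::10", "proto": 6, "dport": 443},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        for finding in flow_findings(flow):
            print(flow["src"], "->", flow["dst"], ":", finding)
```

The ISATAP match is a heuristic on the interface identifier, so treat a hit as a lead to confirm against the addressing plan rather than as proof of tunnelling.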

Context and relevance

Global IPv4 scarcity and modern service requirements make IPv6 adoption inevitable. This guidance is tailored for Government of Canada departments operating at UNCLASSIFIED and PROTECTED sensitivity levels, but the controls and risks apply equally to large organisations and critical infrastructure providers. It ties into broader trends: zero trust adoption, cloud migrations, and the need to revise security tooling and procurement to handle IPv6 traffic correctly. The paper is a checklist for secure IPv6 transition planning and for aligning existing security controls with IPv6 realities.

Why should I read this?

If you run networks, manage security or buy networking kit, read this. It’s basically a practical, government-grade checklist that tells you what will trip you up when IPv6 appears — and how to stop it from turning into a headache. Short version: don’t assume IPv6 is harmless; get visibility, block unauthorised tunnels, update tools and plan your move properly.

Author style

Punchy and practical — this guidance is designed to be actionable. For anyone responsible for network security in an organisation moving to IPv6, it’s essential reading: it highlights the concrete steps you should take before enabling IPv6 at scale, and what to test to avoid operational and security gaps.

Source

Source: https://cyber.gc.ca/en/guidance/security-considerations-internet-protocol-version-6-itsm80003