科技回声
NSA CSI IPv6 Security Guidance (2023) [pdf]

64 points by codesniperjoe over 2 years ago

5 comments

simoncion over 2 years ago
From the recommendations document:

> The assigned IPv6 address incorporates media access control (MAC) address information from the network interface and may allow for host identification via interface ID, network interface card, or host vendor.

How long has it been since NSA has looked at generally-available OSs with IPv6 support? IPv6 "Privacy Addresses" are a thing that's on-by-default everywhere (and a damn thorn in my side). SLAAC has been using an identifier that's a combination of a randomly-generated ID and the subnet that the address is being generated for, rather than the MAC address of the NIC, for address generation for ages. (This is yet another thing that I revert back to the old behavior.)

They go on to recommend disabling SLAAC and using only DHCPv6. Does NSA know something exploitable about common DHCPv6 implementations that we don't? ;)

> ...a dual stack DNS implementation may need to support both A and AAAA records.

It's weird to say "dual stack DNS implementation". DNS servers can store A and AAAA records, regardless of whether their host is doing "dual stack" addressing or not. (If yours cannot, then by golly, you fucked up when you wrote your DNS server.)
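The quoted NSA point and the reply above both turn on one question: does a host's IPv6 interface identifier (IID) embed its MAC, or is it random? That is checkable from the address alone, because a modified EUI-64 IID (RFC 4291, Appendix A) always carries 0xFFFE in its middle two bytes with the universal/local bit flipped, while an RFC 4941 temporary address has a random IID. The following is an added example written for this page, not code from the NSA guidance or from any commenter; it uses only the Python standard library, and the `ip -6 addr` text it parses is a constructed sample, not output captured from a real host.

```python
"""Check whether IPv6 addresses embed a MAC (modified EUI-64 interface ID).

Added example for this thread; not code from the NSA guidance or from any
commenter. Standard library only. RFC 4291 Appendix A builds the IID from a
48-bit MAC by inserting 0xFFFE between the OUI and the device part and
flipping the universal/local bit (0x02 of the first octet). RFC 4941
temporary ("privacy") addresses use a random IID instead.
"""
import ipaddress
import re
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 IID (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    first = octets[0] ^ 0x02  # flip the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a non-privacy SLAAC host forms on a /64 from its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the IID looks like modified EUI-64, else None.

    A random IID has a 1/65536 chance of holding 0xFFFE at this offset,
    so on an unknown host treat a hit as 'probable', not certain.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\w+)(.*)$")


def audit_ip6_addr(output: str) -> list:
    """Parse `ip -6 addr` text; flag every address whose IID leaks a MAC."""
    findings = []
    for line in output.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, scope, flags = m.group(1), m.group(2), m.group(3)
        mac = mac_from_address(addr)
        findings.append({
            "addr": addr,
            "scope": scope,
            "temporary": "temporary" in flags,
            "mac": mac,
            "verdict": "leaks MAC" if mac else "random or static IID",
        })
    return findings


# Constructed sample in the shape of `ip -6 addr show dev eth0` on a Linux
# host with temporary addresses enabled; not captured from a real machine.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:21b:21ff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86345sec preferred_lft 14345sec
    inet6 2001:db8:1:2:a1c4:9f2e:7b30:d1e8/64 scope global temporary dynamic
       valid_lft 86345sec preferred_lft 14345sec
    inet6 fe80::21b:21ff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for f in audit_ip6_addr(SAMPLE_IP6_ADDR):
        extra = f" ({f['mac']})" if f["mac"] else ""
        print(f"{f['addr']:<40} {f['scope']:<7} {f['verdict']}{extra}")
```

Run against the sample, the temporary address is the only one with a random IID: the stable global address and the link-local address both decode to 00:1b:21:3c:4d:5e. That is the caveat worth checking on real hosts. Enabling privacy addresses (`net.ipv6.conf.<if>.use_tempaddr=2` on Linux) adds a temporary address for outbound traffic but does not by itself change how the stable SLAAC address or the link-local address is generated; on Linux that is governed by `addr_gen_mode`, where 2 selects RFC 7217 stable-privacy IIDs, so an audit should look at every address on the interface, not just the one the host prefers for outbound connections.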
pm2222 over 2 years ago
Piece of advice: set up a dedicated firewalled VLAN for IoT and obsolete Lin/Win devices, regardless of v4 or v6.
sn0wf1re over 2 years ago
Interesting that they prefer dual stack to tunneling. I would have thought running your own 6to4 at the network edge would have been preferable.
codesniperjoe over 2 years ago
TLDR: Avoid it if you can!
yonz over 2 years ago
Slightly off topic, but IPV6 is a massive security hole for regular consumers. NATs sucked when you were trying to connect to your favorite MMO, but that is because they created a default drop rule for all special inbound ports.

I was shocked to see that as soon as your ISP switched to IPV6, your host is now directly addressed. As a by-product of skipping NAT, you are now relying on every machine having proper firewall settings. [UPDATE: or the router drops incoming IPV6 connections with its firewall]

Just think about how many Windows machines out there have Remote Desktop enabled but were only safe because they were not publicly accessible, or the hospital machines that are still running Windows XP. God help us.