IPv6 Security · Enterprise Hardening

IPv6 Network Security Is Not Optional — It's Different

No NAT. Mandatory ICMPv6. Extension header abuse. Dual-stack doubles your attack surface. IPv6 security requires purpose-built policies, not IPv4 rules with bigger addresses.


Why IPv6 Security Is Fundamentally Different

IPv6 is not "just bigger IPv4." Every firewall rule, IPS signature, and access control must be re-evaluated. Here's what changes.

No NAT = Direct Exposure

IPv4's NAT provided accidental obscurity. IPv6 gives every device a globally routable address — directly reachable from the internet. Without proper firewall policies, internal servers, printers, and IoT devices are exposed.

ICMPv6 Cannot Be Blocked

Unlike IPv4, where ICMP can be blocked at the firewall, ICMPv6 is essential for Neighbor Discovery, Router Advertisements, SLAAC, and Path MTU Discovery. Blocking it breaks connectivity. You must filter selectively.

Extension Header Abuse

IPv6 extension headers can be chained to evade firewalls and IPS that cannot parse the full chain. Fragmentation headers enable deep packet inspection bypass. Both issues are documented by the NSA and in Black Hat research.
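What parsing the full chain means for an inspection device, as an added example that is not part of the original page or any vendor's code: the walker follows every extension header to the upper-layer protocol and refuses packets where that header is not visible (RFC 7112). The function name, verdict strings, the limit of 8 headers and the sample packets are assumptions made for illustration.

```python
import struct

# IANA protocol numbers for IPv6 extension headers (RFC 8200, RFC 4302).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, 135, 139, 140}
MIN_UPPER = {6: 20, 17: 8, 58: 4}  # TCP, UDP, ICMPv6 minimum header bytes
MAX_EXT_HEADERS = 8                # assumed local policy limit

def walk_chain(packet: bytes):
    """Return (verdict, ext_header_chain, upper_layer_protocol)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop: not a complete IPv6 header", [], None
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_HEADERS:
        if nxt == HOP_BY_HOP and chain:
            return "drop: Hop-by-Hop not first in chain", chain, None
        if len(chain) >= MAX_EXT_HEADERS:
            return "drop: chain exceeds policy limit", chain, None
        if off + 8 > len(packet):
            return "drop: chain truncated", chain, None
        chain.append(nxt)
        if nxt == FRAGMENT:
            size = 8
            # Fragment Offset is the top 13 bits of bytes 2-3 of the header.
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return "reassemble: non-first fragment", chain, None
        elif nxt == AH:
            size = (packet[off + 1] + 2) * 4   # AH length is in 4-octet units
        else:
            size = (packet[off + 1] + 1) * 8   # other headers use 8-octet units
        if off + size > len(packet):
            return "drop: chain truncated", chain, None
        nxt, off = packet[off], off + size
    # RFC 7112: the upper-layer header must be present in this packet.
    if off + MIN_UPPER.get(nxt, 0) > len(packet):
        return "drop: upper-layer header missing", chain, nxt
    return "inspect", chain, nxt

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet from 2001:db8::1 to 2001:db8::2."""
    addrs = bytes.fromhex("20010db8" + "00" * 11 + "01" + "20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addrs + payload

# Constructed samples: Destination Options -> Fragment (first fragment) -> TCP.
dest_opts = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])  # Hdr Ext Len 0, one PadN option
frag_first = bytes([6, 0, 0, 1, 0, 0, 0, 7])        # offset 0, M flag set
COMPLETE = ipv6(DEST_OPTS, dest_opts + frag_first + bytes(20))
HEADERLESS = ipv6(DEST_OPTS, dest_opts + frag_first)  # TCP header not in first fragment
```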

Dual-Stack = 2× Attack Surface

Running both IPv4 and IPv6 doubles your attack surface. Most enterprises have mature IPv4 security but no IPv6 policies at all — attackers target the unprotected protocol.

Rogue Router Advertisements

Any device on the LAN can send Router Advertisements and become the default gateway — redirecting all traffic through an attacker's machine. RA Guard is essential but can be bypassed on some switches.

Address Privacy Leaks

SLAAC with EUI-64 embeds the device's MAC address in its IPv6 address — leaking hardware identity across the internet. RFC 7217 stable privacy addresses must be enforced on all endpoints.
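One way to find endpoints that still use EUI-64 addressing, as an added example that is not part of the original page: the audit recovers the MAC from each address and shows the same hardware identifier following a host across prefixes. The function names, host names and inventory entries are constructed for illustration.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # Modified EUI-64 inserts ff:fe between the OUI and the NIC-specific half.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(inventory):
    """Map each leaked MAC to the sorted (host, /64 prefix) pairs exposing it."""
    leaks = {}
    for host, addr in inventory:
        mac = eui64_mac(addr)
        # Link-local addresses never leave the link, so they are not reported.
        if mac is None or ipaddress.IPv6Address(addr).is_link_local:
            continue
        prefix = str(ipaddress.ip_network(f"{addr}/64", strict=False))
        leaks.setdefault(mac, []).append((host, prefix))
    return {mac: sorted(seen) for mac, seen in leaks.items()}

# Constructed inventory (documentation prefix 2001:db8::/32, made-up hosts).
INVENTORY = [
    ("laptop-17", "2001:db8:a::21b:44ff:fe11:3ab7"),   # EUI-64, first network
    ("laptop-17", "2001:db8:b::21b:44ff:fe11:3ab7"),   # same IID on a second network
    ("laptop-17", "fe80::21b:44ff:fe11:3ab7"),         # link-local, ignored
    ("srv-db-02", "2001:db8:a::5c2e:91d3:7a40:e6f1"),  # opaque IID, no MAC
    ("printer-3", "2001:db8:a::a2b3:ccff:fe00:1234"),  # EUI-64
]

if __name__ == "__main__":
    for mac, seen in audit(INVENTORY).items():
        print(mac, seen)
```

A random interface ID matches the ff:fe pattern with probability 2^-16, so a single hit is a lead, while the same interface ID appearing under several prefixes confirms EUI-64 addressing.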

Our IPv6 Security Services

Dual-Stack Firewall Hardening

We configure FortiGate's consolidated policy mode with matching IPv4 and IPv6 security profiles — IPS, antivirus, web filtering, application control, and DLP all applied to IPv6 traffic. No security gaps between protocol stacks.

First-Hop Security (FHS)

Deploy RA Guard, DHCPv6 Guard, IPv6 ND Inspection, and Source Guard on access switches. We build binding tables, configure trust boundaries, and test bypass resistance on your specific switch hardware.

ICMPv6 Policy Design

We design granular ICMPv6 filtering policies — permitting essential types (NDP, Router Solicitation, Path MTU Discovery) while blocking abuse vectors (redirect, information queries, oversized packets).

IPv6 Penetration Testing

Our red team tests your IPv6 attack surface — extension header evasion, rogue RA injection, NDP spoofing, DNS enumeration of IPv6 hosts, and dual-stack escape techniques that bypass IPv4-only security controls.

IPv6 Threat Monitoring

24/7 SOC monitoring of IPv6 traffic flows, NDP anomalies, unauthorized Router Advertisements, and IPv6 tunnel detection. We use FortiAnalyzer and FortiSIEM to provide unified IPv4+IPv6 visibility.

Compliance & Documentation

Detailed IPv6 security policy documentation aligned with NSA IPv6 Security Guidance, NIST SP 800-119, and DoT IPv6 transition requirements. Audit-ready artifacts for regulatory compliance.

Powered by FortiGate IPv6 Security

As an authorized Fortinet partner, we leverage FortiGate's full IPv6 security stack — the same profiles protecting your IPv4 traffic now protect IPv6.

IPS on IPv6: Full signature matching
Antivirus: Malware scanning on IPv6
Web Filter: URL/category filtering
App Control: Layer 7 visibility on IPv6
DLP: Data loss prevention
NAT64/DNS64: Built-in translation
SSL VPN: Dual-stack VPN tunnels
OSPFv3/BGP4+: IPv6 dynamic routing

Frequently Asked Questions

Neither inherently. IPv6 has security advantages (IPsec was originally mandatory, larger address space makes scanning harder) and disadvantages (no NAT obscurity, ICMPv6 dependency, extension header complexity). The real risk is enterprises that have mature IPv4 security but zero IPv6 policies — creating an unmonitored attack vector.

Yes. Most modern operating systems enable IPv6 by default. Your network likely has IPv6 traffic flowing right now — through SLAAC auto-configuration, link-local addresses, and dual-stack ISP connections. Without IPv6 firewall rules, this traffic bypasses your entire IPv4 security stack.

All current FortiGate models support full IPv6 security — IPS, antivirus, web filtering, application control, and DLP all work on IPv6 traffic. FortiOS 7.0+ added full GUI support for IPv6 configuration. The consolidated policy mode (FortiOS 6.2+) lets you manage both stacks in a single rule set.

RA Guard blocks unauthorized Router Advertisement messages on access switch ports. Without it, any device on your LAN can advertise itself as the default gateway and intercept all traffic (man-in-the-middle). It is the IPv6 equivalent of DHCP snooping in IPv4 networks.

Our red team uses tools like THC-IPv6, Chiron, and custom scripts to test: rogue RA injection, NDP spoofing, extension header evasion of firewalls/IPS, IPv6 tunnel detection, SLAAC address prediction, and dual-stack escape techniques. We provide a detailed report with remediation steps for every finding.

Secure Your IPv6 Infrastructure

Get a comprehensive IPv6 security audit — we'll identify unmonitored IPv6 traffic, test your defenses, and deploy hardened dual-stack policies.
