IPv6 Security Considerations Per Device Type

Security
Host Switch Router CPE
Equipment

IPSec (if needed) HOST + HOST + HOST + Router

RH0 [RFC5095] IPv6 ACLs Ingress Filtering Header chain Security
and RPF [RFC7112] Equipment
Overlapping Frags FHS
[RFC5722] DHCPv6 Relay
Support EHs DHCPv6 Server
RA-Guard [RFC8213]
Inspection Privacy Issues
Atomic Fragments [RFC6105]
OSPFv3
[RFC6946] ICMPv6 fine
DHCPv6 guard Auth. [RFC4552] grained filtering
NDP IPv6 snooping
Fragmentation or / and [RFC7166] Encapsulated
[RFC6980] IPv6 source / Traffic Inspection
prefix guard IS-IS
Header chain
[RFC5310] IPv6 Traffic
[RFC7112] IPv6 destination
Filtering
guard or, less preferred,
Stable IIDs [RFC5304]
[RFC8064][RFC7217] MLD snooping
[RFC7136] [RFC4541]
MBGP
Temp. Address DHCPv6-Shield
Extensions [RFC7610] TCP-AO [RFC5925]
[RFC8981] Obsoleted MD5
Signature Option
Disable if not used: [RFC2385]
LLMNR, mDNS,
DNS-SD, transition MBGP Bogon
mechanisms prefix filtering
Version: 20210423

 IPv6 Security Considerations On Your Network

Control Plane Security Forwarding Plane Security

IPv6 Internet

BGP

R Router
IPv6

P2P links
IGP NDP
R
MLD

R R
Firewall FW

NDP Switch FHS

DHCPv6
MLD
DNS* IPv6

Hosts Servers

* All Name resolution related protocols

Version: 20210423