IPv6 - Internet Protocol version 6. Header, addressing and security (RFC 8200)
IPv6 per RFC 8200 - fixed-length header, 128-bit addresses, Neighbor Discovery, extension headers. Security and deployment pitfalls.
IPv6 is the successor to IPv4, designed in the mid-1990s in response to address pool exhaustion and limitations uncovered by the evolution of the Internet. The first specification was published as RFC 2460 (1998); the current version is RFC 8200 from July 2017 (Internet Standard, STD 86).
Despite 28 years since standardisation, adoption remains incomplete - according to Google IPv6 Statistics, about 45-48% of traffic in 2026 uses IPv6 (regionally dependent). For a security engineer, familiarity with IPv6 is mandatory regardless of whether the organisation “uses” IPv6 - most modern operating systems ship with the IPv6 stack enabled by default, creating a frequently overlooked attack vector.
IPv6 header
The IPv6 header is substantially simpler than IPv4 and has a fixed length of 40 bytes. Designers deliberately removed fields that complicated routing in IPv4 (checksum, fragmentation, options in the main header).
| Field | Length | Purpose |
|---|---|---|
| Version | 4 bits | Protocol version (always 6) |
| Traffic Class | 8 bits | DSCP (6 bits) + ECN (2 bits) - QoS |
| Flow Label | 20 bits | Flow identifier for router processing |
| Payload Length | 16 bits | Length of data following the header (excluding the main header) |
| Next Header | 8 bits | Type of the next header (protocol or extension header) |
| Hop Limit | 8 bits | TTL equivalent - decremented by each router |
| Source Address | 128 bits | Sender address |
| Destination Address | 128 bits | Receiver address |
The header checksum is gone - integrity is ensured by the data link layer (for example Ethernet FCS) and by higher-layer protocols (TCP, UDP). Options are gone too - replaced by extension headers that form a chain after the main header.
Extension Headers
| Next Header | Name | Purpose |
|---|---|---|
| 0 | Hop-by-Hop Options | Options processed by every router |
| 43 | Routing | Source routing (RH0 historically unsafe, RH2/RH3 in Mobile IPv6) |
| 44 | Fragment | Fragmentation - sender-side only |
| 50 | ESP (Encapsulating Security Payload) | IPsec - encryption |
| 51 | AH (Authentication Header) | IPsec - authentication |
| 60 | Destination Options | Options for the receiver |
| 59 | No Next Header | End of chain |
The order of extension headers is recommended (RFC 8200 section 4.1), not strictly required - which has historically led to IDS evasion attacks.
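The fixed header layout and the extension header chain described above can be checked mechanically. The following Python sketch is an added example, not code from RFC 8200 or from this article; `parse_ipv6`, `EXT` and the `SAMPLE` packet are names and data constructed for illustration.

```python
import ipaddress
import struct

# Extension headers from the table above, ranked in the RFC 8200 section 4.1
# recommended order; Destination Options may appear twice, so it is unranked.
EXT = {0: ("Hop-by-Hop", 0), 43: ("Routing", 2), 44: ("Fragment", 3),
       51: ("AH", 4), 60: ("Destination Options", None)}

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed 40-byte header, then walk the Next Header chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    vtf, plen, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    out = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
           "payload_length": plen, "hop_limit": hop_limit, "chain": [],
           "src": str(ipaddress.IPv6Address(pkt[8:24])), "findings": [],
           "dst": str(ipaddress.IPv6Address(pkt[24:40]))}
    off, last_rank, first_frag = 40, -1, True
    while nh in EXT and first_frag:
        if off + 8 > len(pkt):
            out["findings"].append("extension header chain truncated")
            break
        name, rank = EXT[nh]
        if nh == 0 and out["chain"]:
            out["findings"].append("Hop-by-Hop is not the first header")
        elif nh != 60 and name in out["chain"]:
            out["findings"].append(f"{name} header repeated")
        elif rank is not None and rank < last_rank:
            out["findings"].append(f"{name} out of recommended order")
        last_rank = max(last_rank, rank or 0)
        out["chain"].append(name)
        size = (pkt[off + 1] + 1) * 8          # 8-byte units beyond the first 8
        if nh == 51:
            size = (pkt[off + 1] + 2) * 4      # AH counts 4-byte units, minus 2
        elif nh == 44:
            size = 8                           # Fragment header is fixed-size
            field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            first_frag = field >> 3 == 0       # later fragments hold mid-payload bytes
            if first_frag and field & 1 == 0:
                out["findings"].append("atomic fragment (offset 0, M=0)")
        nh, off = pkt[off], off + size
    out["upper_layer"] = nh                    # e.g. 6 TCP, 58 ICMPv6, 50 ESP, 59 none
    return out

# Constructed sample: atomic Fragment header placed ahead of Hop-by-Hop.
SAMPLE = (struct.pack("!IHBB", 0x60000000, 16, 44, 64)
          + ipaddress.IPv6Address("2001:db8::1").packed
          + ipaddress.IPv6Address("2001:db8::2").packed
          + bytes([0, 0, 0, 0, 0, 0, 0, 1])    # Fragment: next=0, offset 0, M=0
          + bytes([59, 0, 1, 4, 0, 0, 0, 0]))  # Hop-by-Hop: next=59, PadN option
```

Calling `parse_ipv6(SAMPLE)` returns the decoded fields, the chain in the order it was seen, and one finding per deviation.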
WARNING
Routers do not fragment IPv6 packets. If a packet exceeds the link MTU, the router drops it and sends ICMPv6 “Packet Too Big”. Blocking ICMPv6 at the firewall (even partially) breaks Path MTU Discovery - the result is a “black hole”: large packets fail to arrive and the sender does not know why.
Addressing
An IPv6 address is 128 bits wide (~3.4 x 10^38 addresses). It is written in colon-separated hexadecimal notation, with shortening allowed:
2001:0db8:0000:0000:0000:ff00:0042:8329
2001:db8::ff00:42:8329 (shortened)
Address types
| Range | Type | Purpose |
|---|---|---|
| 2000::/3 | Global Unicast | Publicly routable addresses |
| fc00::/7 | Unique Local (ULA) | RFC 1918 equivalent (private) |
| fe80::/10 | Link-Local | Mandatory on every interface |
| ff00::/8 | Multicast | Replaces IPv4 broadcast |
| ::1/128 | Loopback | 127.0.0.1 equivalent |
| ::/128 | Unspecified | No address (used in DHCPv6) |
| 64:ff9b::/96 | NAT64 | Prefix for IPv6 to IPv4 translation (RFC 6052) |
| 2001:db8::/32 | Documentation | Reserved for examples |
A Link-Local address (fe80::/10) is generated automatically on every IPv6 interface. It is used for Neighbor Discovery, RA/RS and DHCPv6 - always present regardless of the global address configuration.
Address assignment methods
- Manual - assigned by the administrator
- SLAAC (Stateless Address Autoconfiguration, RFC 4862) - the host builds an address from the prefix received in a Router Advertisement and its own Interface ID
- DHCPv6 (RFC 8415) - a DHCPv6 server assigns addresses (typically for networks requiring registration)
- RFC 4941 / RFC 8981 (Privacy Extensions) - temporary, randomly generated addresses for privacy protection
Neighbor Discovery replaces ARP
In IPv4, IP-to-MAC mapping is handled by ARP. In IPv6 that role is taken by Neighbor Discovery Protocol (NDP, RFC 4861), built on ICMPv6. NDP handles:
| ICMPv6 message | Function |
|---|---|
| Router Solicitation (RS) | Host asks whether a router is present |
| Router Advertisement (RA) | Router announces prefixes and network parameters |
| Neighbor Solicitation (NS) | ARP Request equivalent |
| Neighbor Advertisement (NA) | ARP Reply equivalent |
| Redirect | Notification of a better route |
NDP inherits many of ARP’s security issues:
- RA spoofing - forged Router Advertisements convince hosts that the attacker is the router (traffic redirection)
- NA spoofing - the ARP poisoning equivalent
- DAD (Duplicate Address Detection) abuse - the attacker replies to every host NS, preventing address configuration
Defence mechanisms: RA Guard (RFC 6105) on a switch blocks unauthorised RAs on access ports; SEND (Secure Neighbor Discovery, RFC 3971) adds cryptographic authentication - rarely deployed in practice.
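Monitoring can complement RA Guard by validating every captured Router Advertisement against what the segment is supposed to announce. The following is an added example, not part of the original article; the allowlist values, `check_ra` and `sample_ra` are hypothetical, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

# Assumed site policy (hypothetical values): who may send RAs, and which
# prefixes they may announce on this segment.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def check_ra(src: str, hop_limit: int, icmp: bytes) -> list:
    """Return findings for one captured ICMPv6 message; [] means nothing to report."""
    if len(icmp) < 16 or icmp[0] != 134:          # 134 = Router Advertisement
        return []
    findings, router = [], ipaddress.IPv6Address(src)
    if hop_limit != 255:                          # RFC 4861: a valid RA arrives with 255
        findings.append("hop limit != 255")
    if router not in LINK_LOCAL:                  # RFC 4861: RA source must be link-local
        findings.append("source is not link-local")
    if router not in ALLOWED_ROUTERS:
        findings.append(f"unlisted router {router}")
    off = 16                                      # options follow the fixed RA fields
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8    # option length in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            findings.append("malformed option")
            break
        if otype == 3 and olen == 32:             # Prefix Information option
            opt = icmp[off:off + 32]
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            if net not in ALLOWED_PREFIXES:
                findings.append(f"unexpected prefix {net}")
        off += olen
    return findings

def sample_ra(prefix: str) -> bytes:
    """Constructed RA: router lifetime 1800 s plus one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return body + opt + net.network_address.packed

GOOD = check_ra("fe80::1", 255, sample_ra("2001:db8:10::/64"))
ROGUE = check_ra("fe80::bad:1", 255, sample_ra("2001:db8:66::/64"))
```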
IPsec in IPv6
In the original RFC 2460, IPsec was mandatory. RFC 6434 (2011) changed the status to “recommended, not required” - vendors could omit IPsec on constrained platforms. In RFC 8200 (2017), IPsec remains recommended but not required.
In practice, many vendors implement IPsec, but corporate deployment still requires policy configuration and key management - it does not work out of the box.
IPv6 security pitfalls
WARNING
Common IPv6 myths: “we are IPv4-only so IPv6 does not affect us”, “the lack of NAT weakens security”, “IPv6 is secure by default thanks to IPsec”. All three are wrong.
Dual stack with unsecured IPv6 - Windows, Linux and macOS ship with IPv6 enabled by default. An organisation that “does not use IPv6”, yet does not block IPv6 traffic on its firewalls and does not monitor NDP, has an open parallel network it cannot see.
SLAAC/RA attacks - a malicious endpoint on the LAN can send an RA advertising itself as an IPv6 router. Every host without RA Guard will immediately route IPv6 traffic through the attacker.
Topology discovery - the IPv6 address space is huge, which makes scanning harder. However, SLAAC addresses with an Interface ID generated from the MAC (EUI-64) are predictable; static addresses in real networks tend to follow patterns (::1, ::2, ::beef). DNS (PTR, AXFR) remains a reconnaissance vector.
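The address-type table and the predictability problem above lend themselves to an inventory check. This added example (not from the original article) classifies addresses by the ranges in the table and flags Interface IDs that are EUI-64 derived or low-numbered, so those hosts can be moved to temporary or randomised addresses; the function names and the inventory are constructed.

```python
import ipaddress

# Ranges from the address-type table above, most specific first.
RANGES = [(ipaddress.IPv6Network(n), t) for n, t in (
    ("::1/128", "Loopback"), ("::/128", "Unspecified"),
    ("64:ff9b::/96", "NAT64"), ("2001:db8::/32", "Documentation"),
    ("fe80::/10", "Link-Local"), ("fc00::/7", "Unique Local (ULA)"),
    ("ff00::/8", "Multicast"), ("2000::/3", "Global Unicast"))]
UNICAST = {"Global Unicast", "Documentation", "Unique Local (ULA)", "Link-Local"}

def classify(addr: str) -> str:
    """Map an address to the first matching row of the table."""
    ip = ipaddress.IPv6Address(addr)
    return next((t for net, t in RANGES if ip in net), "Other")

def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 Interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe in the middle of the MAC
        return None                      # (a random IID can match by chance, rarely)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addr: str) -> dict:
    """Flag Interface IDs that are predictable enough to be guessed."""
    ip = ipaddress.IPv6Address(addr)
    kind, notes = classify(addr), []
    if kind in UNICAST:
        mac = eui64_mac(addr)
        if mac:
            notes.append(f"EUI-64 IID derived from MAC {mac}")
        elif int.from_bytes(ip.packed[8:], "big") < 0x10000:
            notes.append("low-numbered static IID")
    return {"address": str(ip), "type": kind, "notes": notes}

# Constructed inventory: documentation/ULA prefixes and made-up interface IDs.
INVENTORY = ["2001:db8:10::1", "2001:db8:10:0:211:22ff:fe33:4455",
             "fe80::a8bb:ccff:fedd:eeff", "fd12:3456:789a::beef",
             "2001:db8:10:0:59c1:7e2b:03ad:91f4"]
REPORT = [audit(a) for a in INVENTORY]
```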
Sender-side fragmentation - the Fragment header can be used for IDS evasion if the reassembly system has a different policy from the end host. RFC 8021 deprecates atomic fragments.
No integrity without IPsec - IPv6 still does not provide sender authentication by default. Source Address spoofing remains possible without BCP 38.
IPv6 in OT
IPv6 adoption in OT networks is negligible. The majority of PLCs, HMI panels and I/O devices support IPv4 only. Exceptions include:
- Modern IEDs in electrical substations (IEC 61850) - some models support IPv6 for MMS communication
- BMS systems (BACnet/IP) - RFC 8169 defines BACnet over IPv6
- PROFINET - operates at layer 2, independent of IP
Recommendation for OT architects: disable IPv6 on devices that do not need it. Uncontrolled IPv6 in an OT segment is an open door to attack, without monitoring or firewall rules to cover it.
Tools
| Tool | Use |
|---|---|
| ip -6 (iproute2) | IPv6 configuration on Linux |
| ping6 / traceroute6 | Layer 3 diagnostics |
| Wireshark / tcpdump | IPv6 traffic analysis |
| THC IPv6 toolkit | IPv6 penetration testing (fake_router6, parasite6) |
| Scapy | Crafting IPv6 packets for testing |
| radvd | Router Advertisement daemon for Linux |
Summary
IPv6 addressed most of the technical limitations of IPv4 - address space, fragmentation, routing complexity. At the same time it carried a significant share of layer 3 attack vectors into the new reality. An organisation that declares “we do not use IPv6” statistically has a bigger IPv6 security problem than one that deploys and monitors it deliberately.
For comparison with the protocol IPv6 replaces, see IPv4 (RFC 791). Proposals for future protocol versions are discussed in IPv8 - historical and contemporary proposals.
Sources
- RFC 8200 - Internet Protocol, Version 6 (IPv6) Specification - current specification (STD 86)
- RFC 4861 - Neighbor Discovery for IP version 6 (IPv6) - NDP
- RFC 4862 - IPv6 Stateless Address Autoconfiguration - SLAAC
- RFC 6105 - IPv6 Router Advertisement Guard - defence against rogue RA
- RFC 8981 - Temporary Addresses for IPv6 - privacy extensions
- RFC 7123 - Security Implications of IPv6 on IPv4 Networks - dual stack risks
- IANA IPv6 Address Space - allocations
- Google IPv6 Statistics - current adoption data