IPv6 and Security

How to Properly Secure Networks and End Devices

The introduction of IPv6 raises new security issues for providers, enterprise network operators and private customers. After all, IPv6 offers new opportunities to compromise a network. On the one hand, there are variants of existing types of attack, and on the other, IPv6 opens up new security gaps. In order to protect an IPv6 network, in addition to these fundamental security issues, it must be clarified whether the components used to date, such as firewalls, proxies or IPS, are equipped for IPv6. How is a migration carried out correctly from a security perspective? What will change after the elimination of NAT due to permanent accessibility via public addresses? This IPv6 security course provides a detailed overview of these current issues. Participants will learn how to assess the risks posed by IPv6 for their network and how to plan comprehensive protection.

Course Contents

New points of attack through IPv6
Securing IPv6 addressing
The auxiliary protocols ICMPv6 and DHCPv6 from a security perspective
IPv6 and First Hop Security
Securing IPv6 networks
Securing endpoints
Securing routers for IPv6
Adapt firewalls to IPv6
Securing the migration

The detailed digital documentation package, consisting of an e-book and PDF, is included in the price of the course.

Premium Course Documents

In addition to the digital documentation package, the exclusive Premium Print Package is also available to you.

High-quality color prints of the ExperTeach documentation
Exclusive folder in an elegant design
Document pouch in backpack shape
Elegant LAMY ballpoint pen
Practical notepad

The Premium Print Package can be added during the ordering process for € 150,- plus VAT (only for classroom participation).

Target Group

The course is suitable for planners, administrators and security officers who want to plan, prepare or accompany a migration to IPv6.

Knowledge Prerequisites

Participants need solid knowledge of the conventional IP world and must be well acquainted with IPv6. Prior attendance of the course IPv6 - Addressing, Routing and IPv4 Interworking is strongly recommended. It is also assumed that the participants know and understand common security concepts.

Alternatives

Book this course together with IPv6 – Addressing, Routing, and IPv4 Interworking as PowerPackage IPv6 for the discounted price of € 2.395,-.

1	Basic Security Considerations
1.1	Basic Considerations
1.1.1	Security Measures
1.1.2	Staff and Service Providers
1.2	IPv4 and IPv6—Security in Comparison
1.2.1	The Current Security Situation
1.2.2	Vulnerable IPv6 Stacks
1.3	Security Aspects of the IPv6 Header
1.3.1	The Flow Label—Covert Channel
1.3.2	Extension Header Parsing
1.3.3	Security Relevance of Extension Headers
1.3.4	Filtering IPv6
1.4	Testing Security—Tools for IPv6 Vulnerability Tests
1.4.1	IPv6 Port Scanner
1.4.2	Vulnerability Scanner for IPv6
1.4.3	Packet Generators
1.4.4	The THC Toolbox

2	Security Aspects of IPv6 Addressing
2.1	Security Relevance of NAT
2.1.1	NAT Variants with IPv4
2.1.2	End-to-end Addressing with IPv6
2.1.3	No IP Hiding
2.1.4	IPv6—IPv6 Network Prefix Translation (NPTv6)
2.2	Security Considerations on the Address Types
2.2.1	EUI 64—High Recognition Factor
2.2.2	Temporary Addresses
2.3	Reconnaissance of IPv6 Addresses and Networks
2.3.1	Passive Sniffing
2.3.2	Multicast Enumeration
2.3.3	Registration Query
2.3.4	Scanning IPv6 Networks
2.3.5	Guessing IPv6 Addresses
2.3.6	DNS Reconnaisance

3	IPv6 LANs Attacks and Countermeasures
3.1	Neighbor Discovery Attacks
3.1.1	Trust Models and Threats
3.1.2	NDP Spoofing
3.1.3	Neighbor Unreachability Detection (NUD)
3.1.4	DoS_New_IP6
3.1.5	NDP Exhaustion Attack
3.1.6	Neighbor Advertisement Flooding
3.2	SLAAC Attacks
3.2.1	Rogue Router
3.2.2	Man-in-the-Middle with RAs
3.2.3	Faked Default Gateway
3.2.4	RA Flooding
3.3	DHCPv6 Attacks
3.3.1	DHCPv6 Starvation
3.3.2	Rogue DHCPv6 Server
3.4	ICMPv6 Attacks
3.4.1	Amplification Attack
3.4.2	Redirect Attacks
3.5	ACLs for Protection
3.5.1	Exclude Rogue Routers
3.5.2	Exclude Rogue DHCP Servers
3.5.3	RA Guard
3.5.4	DHCPv6 Guard/Shield
3.5.5	NDP Spoofing
3.5.6	NDP Inspection
3.6	SEND
3.6.1	SEND and CGA
3.6.2	Protecting RAs with SEND
3.6.3	SEND and Stateful Auto-configuration
3.7	IPv6 and First Hop Security
3.7.1	MLD Security
3.7.2	IEEE 802.1X—LAN Security
3.7.3	MACsec—Layer 2 Encryption

4	Protecting Routers in IPv6 Networks
4.1	IPv6 Filtering
4.1.1	Configuration of IPv6 ACLs
4.1.2	Incoming Traffic
4.1.3	Filter Addresses
4.1.4	Filtering ICMPv6
4.2	Protecting Routing Protocols
4.2.1	Authentication for Routing Protocols
4.2.2	BGP-4—Use of Link-Local Unicasts
4.2.3	Preventing IP Spoofing
4.3	IPsec in IPv6 Networks
4.3.1	Application Options of IPsec
4.3.2	Host-to-Host Scenario
4.3.3	IPv6 VPNs
4.3.4	IPv6 VPDN with IPsec
4.3.5	IPsec RAS VPNs and IPv6

5	Customize Security Solutions—Firewalls & Co.
5.1	Question the IPv6-Capability
5.2	Filter Rules in Dual Stack Networks
5.2.1	Supplement to the Security Policy
5.2.2	Objects with Multiple IPv6 Addresses
5.2.3	Assignment of Static Addresses via DHCP
5.3	Next Generation Firewalls and Proxies
5.3.1	Problems with Content Filtering
5.3.2	Application Filtering
5.3.3	Identity-based Firewall—IP-independent
5.4	IPv6-IPS
5.4.1	Independence from IP
5.4.2	New Network-based Rules
5.5	Vendor Solutions in Comparison
5.5.1	Check Point
5.5.2	Cisco
5.5.3	Palo Alto
5.5.4	Fortinet
5.5.5	Juniper
5.5.6	Barracuda
5.6	Radius and IPv6
5.6.1	Establish IPv6 Connectivity
5.6.2	RADIUS IPv6 Attributes
5.6.3	Cisco ISE
5.6.4	Microsoft—Network Policy Server
5.6.5	Freeradius and IPv6
5.7	Proxies in IPv6 Networks
5.7.1	Proxy Variants
5.7.2	Address Mapping

6	Security during Migration
6.1	Conceptual Migration to IPv6
6.2	IPv6 Latent Threats
6.3	Dual Stack—Double Protection Required
6.3.1	End Device Security from the Viewpoint of IPv6
6.3.2	Windows
6.3.3	Linux
6.3.4	Mac OS
6.3.5	Mobile Devices
6.4	Securing Tunnel Technologies
6.4.1	Questioning the Tunnel Security
6.4.2	Protecting a Configured Tunnel
6.4.3	Encrypting the Tunnel Traffic
6.5	Migration from a Security Perspective
6.5.1	Address Design for a Secure IPv6 Network
6.5.2	Best Practices

A	Lab Exercises
A.1	Lab Exercises in the Course
A.1.1	Lab Setup
A.2	Exercises—Chapter 2
A.3	Exercises—Chapter 3

B	List of Abbreviations

Classroom training: Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
Hybrid training: Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
Online training: You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
Tailor-made courses: You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.

You can find the complete description of this course with dates and prices ready for download at as PDF.

Course Contents

New points of attack through IPv6
Securing IPv6 addressing
The auxiliary protocols ICMPv6 and DHCPv6 from a security perspective
IPv6 and First Hop Security
Securing IPv6 networks
Securing endpoints
Securing routers for IPv6
Adapt firewalls to IPv6
Securing the migration

The detailed digital documentation package, consisting of an e-book and PDF, is included in the price of the course.

Premium Course Documents

In addition to the digital documentation package, the exclusive Premium Print Package is also available to you.

High-quality color prints of the ExperTeach documentation
Exclusive folder in an elegant design
Document pouch in backpack shape
Elegant LAMY ballpoint pen
Practical notepad

The Premium Print Package can be added during the ordering process for € 150,- plus VAT (only for classroom participation).

Target Group

The course is suitable for planners, administrators and security officers who want to plan, prepare or accompany a migration to IPv6.

Knowledge Prerequisites

Alternatives

Book this course together with IPv6 – Addressing, Routing, and IPv4 Interworking as PowerPackage IPv6 for the discounted price of € 2.395,-.

1	Basic Security Considerations
1.1	Basic Considerations
1.1.1	Security Measures
1.1.2	Staff and Service Providers
1.2	IPv4 and IPv6—Security in Comparison
1.2.1	The Current Security Situation
1.2.2	Vulnerable IPv6 Stacks
1.3	Security Aspects of the IPv6 Header
1.3.1	The Flow Label—Covert Channel
1.3.2	Extension Header Parsing
1.3.3	Security Relevance of Extension Headers
1.3.4	Filtering IPv6
1.4	Testing Security—Tools for IPv6 Vulnerability Tests
1.4.1	IPv6 Port Scanner
1.4.2	Vulnerability Scanner for IPv6
1.4.3	Packet Generators
1.4.4	The THC Toolbox

2	Security Aspects of IPv6 Addressing
2.1	Security Relevance of NAT
2.1.1	NAT Variants with IPv4
2.1.2	End-to-end Addressing with IPv6
2.1.3	No IP Hiding
2.1.4	IPv6—IPv6 Network Prefix Translation (NPTv6)
2.2	Security Considerations on the Address Types
2.2.1	EUI 64—High Recognition Factor
2.2.2	Temporary Addresses
2.3	Reconnaissance of IPv6 Addresses and Networks
2.3.1	Passive Sniffing
2.3.2	Multicast Enumeration
2.3.3	Registration Query
2.3.4	Scanning IPv6 Networks
2.3.5	Guessing IPv6 Addresses
2.3.6	DNS Reconnaisance

3	IPv6 LANs Attacks and Countermeasures
3.1	Neighbor Discovery Attacks
3.1.1	Trust Models and Threats
3.1.2	NDP Spoofing
3.1.3	Neighbor Unreachability Detection (NUD)
3.1.4	DoS_New_IP6
3.1.5	NDP Exhaustion Attack
3.1.6	Neighbor Advertisement Flooding
3.2	SLAAC Attacks
3.2.1	Rogue Router
3.2.2	Man-in-the-Middle with RAs
3.2.3	Faked Default Gateway
3.2.4	RA Flooding
3.3	DHCPv6 Attacks
3.3.1	DHCPv6 Starvation
3.3.2	Rogue DHCPv6 Server
3.4	ICMPv6 Attacks
3.4.1	Amplification Attack
3.4.2	Redirect Attacks
3.5	ACLs for Protection
3.5.1	Exclude Rogue Routers
3.5.2	Exclude Rogue DHCP Servers
3.5.3	RA Guard
3.5.4	DHCPv6 Guard/Shield
3.5.5	NDP Spoofing
3.5.6	NDP Inspection
3.6	SEND
3.6.1	SEND and CGA
3.6.2	Protecting RAs with SEND
3.6.3	SEND and Stateful Auto-configuration
3.7	IPv6 and First Hop Security
3.7.1	MLD Security
3.7.2	IEEE 802.1X—LAN Security
3.7.3	MACsec—Layer 2 Encryption

4	Protecting Routers in IPv6 Networks
4.1	IPv6 Filtering
4.1.1	Configuration of IPv6 ACLs
4.1.2	Incoming Traffic
4.1.3	Filter Addresses
4.1.4	Filtering ICMPv6
4.2	Protecting Routing Protocols
4.2.1	Authentication for Routing Protocols
4.2.2	BGP-4—Use of Link-Local Unicasts
4.2.3	Preventing IP Spoofing
4.3	IPsec in IPv6 Networks
4.3.1	Application Options of IPsec
4.3.2	Host-to-Host Scenario
4.3.3	IPv6 VPNs
4.3.4	IPv6 VPDN with IPsec
4.3.5	IPsec RAS VPNs and IPv6

5	Customize Security Solutions—Firewalls & Co.
5.1	Question the IPv6-Capability
5.2	Filter Rules in Dual Stack Networks
5.2.1	Supplement to the Security Policy
5.2.2	Objects with Multiple IPv6 Addresses
5.2.3	Assignment of Static Addresses via DHCP
5.3	Next Generation Firewalls and Proxies
5.3.1	Problems with Content Filtering
5.3.2	Application Filtering
5.3.3	Identity-based Firewall—IP-independent
5.4	IPv6-IPS
5.4.1	Independence from IP
5.4.2	New Network-based Rules
5.5	Vendor Solutions in Comparison
5.5.1	Check Point
5.5.2	Cisco
5.5.3	Palo Alto
5.5.4	Fortinet
5.5.5	Juniper
5.5.6	Barracuda
5.6	Radius and IPv6
5.6.1	Establish IPv6 Connectivity
5.6.2	RADIUS IPv6 Attributes
5.6.3	Cisco ISE
5.6.4	Microsoft—Network Policy Server
5.6.5	Freeradius and IPv6
5.7	Proxies in IPv6 Networks
5.7.1	Proxy Variants
5.7.2	Address Mapping

6	Security during Migration
6.1	Conceptual Migration to IPv6
6.2	IPv6 Latent Threats
6.3	Dual Stack—Double Protection Required
6.3.1	End Device Security from the Viewpoint of IPv6
6.3.2	Windows
6.3.3	Linux
6.3.4	Mac OS
6.3.5	Mobile Devices
6.4	Securing Tunnel Technologies
6.4.1	Questioning the Tunnel Security
6.4.2	Protecting a Configured Tunnel
6.4.3	Encrypting the Tunnel Traffic
6.5	Migration from a Security Perspective
6.5.1	Address Design for a Secure IPv6 Network
6.5.2	Best Practices

A	Lab Exercises
A.1	Lab Exercises in the Course
A.1.1	Lab Setup
A.2	Exercises—Chapter 2
A.3	Exercises—Chapter 3

B	List of Abbreviations

Classroom training: Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
Hybrid training: Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
Online training: You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
Tailor-made courses: You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.

You can find the complete description of this course with dates and prices ready for download at as PDF.

ExperTeach Identifier: IP6S

Duration & Prices

Prices excl. V.A.T.

Classes in Germany

2 days

€ 1,595

Classes in Austria

2 days

€ 1,595

Classes in Switzerland

2 days

€ 2,150

Online training

2 days

€ 1,595

+ Premium Print Package (Optional)

€ 150

			Date	City
20251023	2	3	10/23/-10/24/25	Frankfurt
20251023	2	3	10/23/-10/24/25	Live Online
20251023	2	1	10/23/-10/24/25	Zürich
20251120	2	1	11/20/-11/21/25	Berlin
20251120	2	3	11/20/-11/21/25	Hamburg
20251120	1	3	11/20/-11/21/25	Live Online
20251218	2	3	12/18/-12/19/25	München
20251218	2	3	12/18/-12/19/25	Live Online
20260122	2	3	01/22/-01/23/26	Düsseldorf
20260122	2	3	01/22/-01/23/26	Live Online
20260219	2	3	02/19/-02/20/26	Live Online
20260219	2	3	02/19/-02/20/26	Wien
20260326	2	3	03/26/-03/27/26	Frankfurt
20260326	2	3	03/26/-03/27/26	Live Online
20260326	2	1	03/26/-03/27/26	Zürich
20260423	2	3	04/23/-04/24/26	Berlin
20260423	2	3	04/23/-04/24/26	Hamburg
20260423	2	3	04/23/-04/24/26	Live Online
20260521	2	3	05/21/-05/22/26	München
20260521	2	3	05/21/-05/22/26	Live Online
20260618	2	3	06/18/-06/19/26	Frankfurt
20260618	2	3	06/18/-06/19/26	Live Online