Are there any additional security considerations to be taken into account when activating IPv6 as opposed to IPv4?

Question

As a sysadmin, I'm fairly experienced with IPv4. As such, I feel comfortable configuring firewalls to expose servers/services to the Internet with public IPv4 addresses.

I have a basic understanding of IPv6 addresses and name resolution in IPv6. Also, I understand that I can use TCP, UDP and ICMP in the same way as with IPv4, just with "a longer address", and that, due to the abundance of addresses, NAT is no longer necessary nor recommended (making properly configured firewall rules even more important).

So far, I have not enabled IPv6 for our public web services, since (a) it was not necessary (and, to be honest, it still isn't) and (b) I lack the years of experience I have with IPv4, which makes me less confident to be able to do this without opening some gaping security hole. However, it's 2022, not being available on IPv6 feels a bit embarrassing, and I won't get years of experience if I don't ever start.

In a nutshell, my question is: Can I use my IPv4 knowledge (and the basics mentioned above) to securely make an Internet service available to the public via IPv6, or are there some additional topics that I really should learn about first before "flipping the switch"?

Answer 1

Can I use my IPv4 knowledge (and the basics mentioned above) to securely make an Internet service available to the public via IPv6

Yup, definitely.

There is, however, one major security consideration when flipping the switch for IPv6 address family: by default IPv6 operates public address prefixes, so you may consider using unique-local (RFC 4193) prefixes for any private LANs (if you have any) behind your routers.

As for public-WAN-connected servers - well, same security/packet filter measures apply.

Answer 2

One of the most prolific authors in the IPv6 security domain is Fernando Gont. He (co-)authored several RFCs, Internet Drafts and other documents and gives talks on IPv6 in general and IPv6 security. Among his technical reports you have "IPv6 Security for IPv4 Engineers" (PDF) and an "IPv6 Security FAQ" (PDF), both from 2019, that you may find useful.