ETSI GR IP6 031 V1.1.1 (2020-11)

ETSI GR IP6 031 V1.1.1 (2020-11)






GROUP REPORT
IPv6 Security, Cybersecurity, Blockchain
Disclaimer
The present document has been produced and approved by the IPv6 Integration (IP6) ETSI Industry Specification Group (ISG)
and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

---------------------- Page: 1 ----------------------
2 ETSI GR IP6 031 V1.1.1 (2020-11)



Reference
DGR/IP6-0031
Keywords
blockchain, cybersecurity, internet, IPv6, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2020.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.

3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI GR IP6 031 V1.1.1 (2020-11)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definition of terms, symbols and abbreviations . 10
3.1 Terms . 10
3.2 Symbols . 10
3.3 Abbreviations . 10
4 Generic IPv6 Security Considerations. 12
4.1 Addressing Architecture . 12
4.1.1 Introduction. 12
4.1.2 Statically Configured Addresses . 12
4.1.3 Use of ULAs . 12
4.1.4 Point-to-Point Links . 13
4.1.5 Temporary Addresses - Privacy Extensions for SLAAC . 13
4.1.6 Privacy Consideration of Addresses . 13
4.1.7 DHCP/DNS Considerations . 13
4.1.8 Using a /64 per host . 14
4.2 Extension Headers . 14
4.2.1 Overview . 14
4.2.2 Order and Repetition of Extension Headers . 14
4.2.3 Hop-by-Hop Options Header . 14
4.2.4 Fragment Header . 14
4.2.5 IP Security Extension Header . 15
4.3 Link-Layer Security . 15
4.3.1 ND/RA Rate Limiting . 15
4.3.2 RA/NA Filtering . 15
4.3.3 Securing DHCP . 16
4.3.4 3GPP Link-Layer Security . 16
4.3.5 SeND and CGA . 17
4.4 Control Plane Security . 17
4.4.1 Overview . 17
4.4.2 Control Protocols . 18
4.4.3 Management Protocols . 18
4.4.4 Packet Exceptions . 18
4.5 Routing Security . 19
4.5.1 Authenticating Neighbors/Peers . 19
4.5.2 Securing Routing Updates Between Peers . 19
4.5.3 Route Filtering . 20
4.6 Logging/Monitoring . 20
4.6.1 Overview . 20
4.6.2 Data Sources . 21
4.6.2.1 Logs of Applications . 21
4.6.2.2 IP Flow Information Export by IPv6 Routers . 21
4.6.2.3 SNMP MIB by IPv6 Routers . 21
4.6.2.4 Neighbor Cache of IPv6 Routers . 22
4.6.2.5 Stateful DHCPv6 Lease . 22
4.6.2.6 RADIUS Accounting Log . 22
4.6.2.7 Other Data Sources . 23
4.6.3 Use of Collected Data . 23
4.6.3.1 Forensic and User Accountability . 23
ETSI

---------------------- Page: 3 ----------------------
4 ETSI GR IP6 031 V1.1.1 (2020-11)
4.6.3.2 Inventory . 23
4.6.3.3 Correlation . 24
4.6.3.4 Abnormal Behaviour Detection . 24
4.6.4 Summary . 24
4.7 Transition/Coexistence Technologies. 24
4.7.1 Dual Stack . 24
4.7.2 Transition Mechanisms . 25
4.7.2.1 Security issues . 25
4.7.2.2 Site-to-Site Static Tunnels . 25
4.7.2.3 6PE and 6VPE . 26
4.7.2.4 Mapping of Address and Port. 26
4.7.3 Translation Mechanisms . 26
4.7.3.1 Carrier-Grade NAT (CGN) . 26
4.7.3.2 NAT64/DNS64 . 26
4.7.3.3 DS-Lite . 27
4.8 General Device Hardening . 27
5 Enterprises Specific Security Considerations . 27
5.1 External Security Considerations . 27
5.2 Internal Security Considerations . 28
6 Service Providers Security Considerations . 28
6.1 BGP . 28
6.2 Transition Mechanism . 28
6.3 Lawful Intercept . 28
7 Residential Users Security Considerations . 29
8 Cybersecurity . 29
8.1 Introduction . 29
8.2 National Cyber Security Centre Finland, NCSC-FI . 32
8.3 National Communications Security Authority, NCSA-FI . 34
8.3.1 Overview . 34
8.3.2 National Regulatory Authority, NRA . 34
8.3.3 CERT-FI . 34
8.3.4 Targets and methods for steering and supervision . 35
8.3.5 Players subject to NCSC-FI's regulation . 35
8.3.6 Proactive supervision . 36
8.3.7 The goals of Traficom's supervision . 36
8.4 Operators' rights and obligations . 36
8.5 Conclusion . 37
9 Blockchain/DataBlockMatrix . 37
9.1 Blockchain/DLT and Privacy Regulation . 37
9.2 DLT and Data Management . 38
9.3 A Distributed Ledger Alternative to Blockchain . 39
9.4 Decentralized Trust in a Permissioned Distributed Ledger Model . 40
History . 42

ETSI

---------------------- Page: 4 ----------------------
5 ETSI GR IP6 031 V1.1.1 (2020-11)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) IPv6 Integration (IP6).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI

---------------------- Page: 5 ----------------------
6 ETSI GR IP6 031 V1.1.1 (2020-11)
1 Scope
The present document gives the outline of deployment of IPv6 security, Cybersecurity, Blockchain an DatablockMatrix.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] "Are you sharing the same IP address as a criminal? Law enforcement call for the end of carrier
grade NAT (CGN) to increase accountability online", October 2017.
NOTE: Available at https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-address-criminal-
law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online.
[i.2] IETF draft-chakrabarti-nordmark-6man-efficient-nd: "IPv6 Neighbor Discovery Optimizations for
Wired and Wireless Networks", February 2015.
[i.3] IETF draft-ietf-dhc-sedhcpv6: "Secure DHCPv6", February 2017.
[i.4] IETF draft-ietf-opsec-ipv6-eh-filtering: "Recommendations on the Filtering of IPv6 Packets
Containing IPv6 Extension Headers", July 2018.
[i.5] IETF draft-ietf-v6ops-ula-usage-considerations: "Considerations For Using Unique Local
Addresses", March 2017.
[i.6] IETF draft-kampanakis-6man-ipv6-eh-parsing: "Implementation Guidelines for parsing IPv6
Extension Headers", August 2014.
[i.7] IETF draft-thubert-savi-ra-throttler: "Throttling RAs on constrained interfaces", June 2012.
[i.8] IETF RFC 1918 (February 1996): "Address Allocation for Private Internets".
[i.9] IETF RFC 2131 (March 1997): "Dynamic Host Configuration Protocol".
[i.10] IETF RFC 2460 (December 1998): "Internet Protocol, Version 6 (IPv6)Specification".
NOTE: Obsoleted by IETF RFC 8200.
[i.11] IETF RFC 2529 (March 1999): "Transmission of IPv6 over IPv4 Domains without Explicit
Tunnels".
[i.12] IETF RFC 2740 (December 1999): "OSPF for IPv6".
[i.13] IETF RFC 2784 (March 2000): "Generic Routing Encapsulation (GRE)".
[i.14] IETF RFC 2827 (May 2000): "Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing".
ETSI

---------------------- Page: 6 ----------------------
7 ETSI GR IP6 031 V1.1.1 (2020-11)
[i.15] IETF RFC 2866 (June 2000): "RADIUS Accounting".
[i.16] IETF RFC 3756 (May 2004): "IPv6 Neighbor Discovery (ND) Trust Models and Threats".
[i.17] IETF RFC 3924 (October 2004): "Cisco Architecture for Lawful Intercept in IP Networks".
[i.18] IETF RFC 3971 (March 2005): "SEcure Neighbor Discovery (SEND)".
[i.19] IETF RFC 3972 (March 2005): "Cryptographically Generated Addresses (CGA)".
[i.20] IETF RFC 4193 (October 2005): "Unique Local IPv6 Unicast Addresses".
[i.21] IETF RFC 4293 (April 2006): "Management Information Base for the Internet Protocol (IP)".
[i.22] IETF RFC 4301 (December 2005): "Security Architecture for the Internet Protocol".
[i.23] IETF RFC 4302 (December 2005): "IP Authentication Header".
[i.24] IETF RFC 4303 (December 2005): "IP Encapsulating Security Payload (ESP)".
[i.25] IETF RFC 4364 (February 2006): "BGP/MPLS IP Virtual Private Networks (VPNs)".
[i.26] IETF RFC 4381 (February 2006): "Analysis of the Security of BGP/MPLS IP Virtual Private
Networks (VPNs)".
[i.27] IETF RFC 4443 (March 2006): "Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification".
[i.28] IETF RFC 4649 (August 2006): "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay
Agent Remote-ID Option".
[i.29] IETF RFC 4659 (September 2006): "BGP-MPLS IP Virtual Private Network (VPN) Extension for
IPv6 VPN".
[i.30] IETF RFC 4798 (February 2007): "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider
Edge Routers (6PE)".
[i.31] IETF RFC 4861 (September 2007): "Neighbor Discovery for IP version 6 (IPv6)".
[i.32] IETF RFC 4864 (May 2007): "Local Network Protection for IPv6".
[i.33] IETF RFC 4890 (May 2007): "Recommendations for Filtering ICMPv6 Messages in Firewalls".
[i.34] IETF RFC 4941 (September 2007): "Privacy Extensions for Stateless Address Autoconfiguration
in IPv6".
[i.35] IETF RFC 5340 (July 2008): "OSPF for IPv6".
[i.36] IETF RFC 5635 (August 2009): "Remote Triggered Black Hole Filtering with Unicast Reverse
Path Forwarding (uRPF)".
[i.37] IETF RFC 5952 (August 2010): "A Recommendation for IPv6 Address Text Representation".
[i.38] IETF RFC 6092 (January 2011): "Recommended Simple Security Capabilities in Customer
Premises Equipment (CPE) for Providing Residential IPv6 Internet Service".
[i.39] IETF RFC 6104 (February 2011): "Rogue IPv6 Router Advertisement Problem Statement".
[i.40] IETF RFC 6105 (February 2011): "IPv6 Router Advertisement Guard".
[i.41] IETF RFC 6146 (April 2011): "Stateful NAT64: Network Address and Protocol Translation from
IPv6 Clients to IPv4 Servers".
[i.42] IETF RFC 6147 (April 2011): "DNS64: DNS Extensions for Network Address Translation from
IPv6 Clients to IPv4 Servers".
[i.43] IETF RFC 6164 (April 2011): "Using 127-Bit IPv6 Prefixes on Inter-Router Links".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI GR IP6 031 V1.1.1 (2020-11)
[i.44] IETF RFC 6169 (April 2011): "Security Concerns with IP Tunneling".
[i.45] IETF RFC 6192 (March 2011): "Protecting the Router Control Plane".
[i.46] IETF RFC 6221 (May 2011): "Lightweight DHCPv6 Relay Agent".
[i.47] IETF RFC 6241 (June 2011): "Network Configuration Protocol (NETCONF)".
[i.48] IETF RFC 6264 (June 2011): "An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition".
[i.49] IETF RFC 6269 (June 2011): "Issues with IP Address Sharing".
[i.50] IETF RFC 6302 (June 2011): "Logging Recommendations for Internet-Facing Servers".
[i.51] IETF RFC 6324 (August 2011): "Routing Loop Attack Using IPv6 Automatic Tunnels: Problem
Statement and Proposed Mitigations".
[i.52] IETF RFC 6333 (August 2011): "Dual-Stack Lite Broadband Deployments Following IPv4
Exhaustion".
[i.53] IETF RFC 6459 (January 2012): "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved
Packet System (EPS)".
[i.54] IETF RFC 6564 (April 2012): "A Uniform Format for IPv6 Extension Headers".
[i.55] IETF RFC 6583 (March 2012): "Operational Neighbor Discovery Problems".
[i.56] IETF RFC 6598 (April 2012): "IANA-Reserved IPv4 Prefix for Shared Address Space".
[i.57] IETF RFC 6620 (May 2012): "FCFS SAVI: First-Come, First-Served Source Address Validation
Improvement for Locally Assigned IPv6 Addresses".
[i.58] IETF RFC 6666 (August 2012): "A Discard Prefix for IPv6".
[i.59] IETF RFC 6762 (February 2013): "Multicast DNS".
[i.60] IETF RFC 6763 (February 2013): "DNS-Based Service Discovery".
[i.61] IETF RFC 6810 (January 2013): "The Resource Public Key Infrastructure (RPKI) to Router
Protocol".
[i.62] IETF RFC 6939 (May 2013): "Client Link-Layer Address Option in DHCPv6".
[i.63] IETF RFC 6980 (August 2013): "Security Implications of IPv6 Fragmentation with IPv6 Neighbor
Discovery".
[i.64] IETF RFC 7011 (September 2013): "Specification of the IP Flow Information Export (IPFIX)
Protocol for the Exchange of Flow Information".
[i.65] IETF RFC 7012 (September 2013): "Information Model for IP Flow Information Export (IPFIX)".
[i.66] IETF RFC 7039 (October 2013): "Source Address Validation Improvement (SAVI) Framework".
[i.67] IETF RFC 7045 (December 2013): "Transmission and Processing of IPv6 Extension Headers".
[i.68] IETF RFC 7050 (November 2013): "Discovery of the IPv6 Prefix Used for IPv6 Address
Synthesis".
[i.69] IETF RFC 7084 (November 2013): "Basic Requirements for IPv6 Customer Edge Routers".
NOTE: Obsoletes IETF RFC 6204.
[i.70] IETF RFC 7112 (January 2014): "Implications of Oversized IPv6 Header Chains".
[i.71] IETF RFC 7113 (February 2014): "Implementation Advice for IPv6 Router Advertisement Guard
(RA-Guard)".
ETSI

---------------------- Page: 8 ----------------------
9 ETSI GR IP6 031 V1.1.1 (2020-11)
[i.72] IETF RFC 7166 (March 2014): "Supporting Authentication Trailer for OSPFv3".
NOTE: Obsoletes IETF RFC 6506.
[i.73] IETF RFC 7381 (October 2014): "Enterprise IPv6 Deployment Guidelines".
[i.74] IETF RFC 7404 (November 2014): "Using Only Link-LocalAddressing inside an IPv6 Network".
[i.75] IETF RFC 7422 (December 2014): "Deterministic Address Mapping to Reduce Logging in
Carrier-Grade NAT Deployments".
[i.76] IETF RFC 7513 (May 2015): "Source Address Validation Improvement (SAVI) Solution for
DHCP".
[i.77] IETF RFC 7597 (July 2015): "Mapping of Address and Port with Encapsulation (MAP-E)".
[i.78] IETF RFC 7599 (July 2015): "Mapping of Address and Port using Translation (MAP-T)".
[i.79] IETF RFC 7610 (August 2015): "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers".
[i.80] IETF RFC 7707 (March 2016): "Network Reconnaissance in IPv6 Networks".
NOTE: Obsoletes IETF RFC 5157.
[i.81] IETF RFC 7721 (March 2016): "Security and Privacy Considerations for IPv6 Address Generation
Mechanisms".
[i.82] IETF RFC 7872 (June 2016): "Observations on the Dropping of Packets with IPv6 Extension
Headers in the Real World".
[i.83] IETF RFC 7915 (June 2016): "IP/ICMP Translation Algorithm".
NOTE: Obsoletes IETF RFC 6145.
[i.84] IETF RFC 7934 (July 2016): "Host Address A
...