Detecting IPv6 Tunnels in an Enterprise Network

The ongoing depletion of unique and global IPv4 addresses is creating an increased focus on IPv6 technology.

The regional registries run ongoing statistics on the available IPv4 address pool and realize that they will be unable to meet IPv4 address block requests at some point in the future (

Most major computer operating system vendors support IPv6 and have it enabled by default. They will even try to use IPv6 through dynamic tunneling technologies if the enterprise network is capable of supporting IPv4 only.

An important consideration is that IPv6 is quite likely to be already running on the enterprise network, whether that implementation was planned or not. Some important characteristics of IPv6 include: 


  •  IPv6 has a mechanism to automatically assign addresses so that end systems can easily establish communications. 
  •  IPv6 has several mechanisms available to ease the integration of the protocol into the network. 
  •  Automatic tunneling mechanisms can take advantage of the underlying IPv4 network and connect it to the IPv6 Internet.

For an IPv4 enterprise network, the existence of an IPv6 overlay network has several implications:

  •  The IPv4 firewalls can be bypassed by the IPv6 traffic, leaving the security door wide open.
  •  Intrusion detection mechanisms not expecting IPv6 traffic may be confused and allow intrusion.
  •  In some cases (for example, with the IPv6 transition technology known as 6to4), an internal PC can communicate directly with another internal PC and evade all intrusion protection and detection systems (IPS/IDS).


Botnet command and control channels are known to use these kinds of tunnels.


For all these reasons, it is recommended that enterprise IT departments do their utmost to detect overlay networks and generally create awareness of their existence. Using a managed implementation strategy, IT can help build a plan to control the integration of IPv6 into the network.
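
As a starting point for that detection, the following added example (not part of the original article) classifies raw IPv4 packets that carry tunneled IPv6 and marks the internal-to-internal case described above. It goes beyond 6to4 by also flagging any IP protocol 41 traffic and Teredo on UDP port 3544; `SITE_NETS`, the helper names, and all sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import struct

PROTO_41 = 41          # IPv6-in-IPv4 encapsulation: 6in4, 6to4, ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544     # Teredo server port (RFC 4380)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
# Assumption: the enterprise's own IPv4 space (documentation range used here).
SITE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def classify(packet, site_nets=SITE_NETS):
    """Return a finding for an IPv4 packet that carries tunneled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None                      # malformed header length
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    payload, tunnel = packet[ihl:], None
    if packet[9] == PROTO_41:
        tunnel = "proto-41"
        # Inner IPv6 header: source at bytes 8-23, destination at bytes 24-39.
        if len(payload) >= 40 and payload[0] >> 4 == 6:
            inner = (ipaddress.IPv6Address(payload[8:24]),
                     ipaddress.IPv6Address(payload[24:40]))
            if any(a in SIX_TO_FOUR for a in inner):
                tunnel = "6to4"
    elif packet[9] == PROTO_UDP and len(payload) >= 4:
        if TEREDO_PORT in struct.unpack("!HH", payload[:4]):
            tunnel = "teredo"
    if tunnel is None:
        return None
    internal = all(any(ip in n for n in site_nets) for ip in (src, dst))
    return {"src": str(src), "dst": str(dst), "tunnel": tunnel,
            "internal_only": internal}


def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample input, checksum zeroed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def ipv6_header(src, dst):
    """Build a bare 40-byte IPv6 header (constructed sample input)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
```

A finding with `internal_only` set to true means both tunnel endpoints sit inside the site, which is the traffic that never crosses a perimeter sensor.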