
Random IPv6 Allocation for ISP Security

TL;DR

Assigning ISPs random IPv6 address ranges instead of sequential ones makes it harder for attackers to map your network and find vulnerabilities. This guide explains how to do this, covering planning, generation, allocation, and ongoing management.

How Random IPv6 Allocation Improves Cyber Security

Traditionally, ISPs are handed blocks of IPv6 addresses in sequential, predictable order. An attacker who knows one assigned block can infer where the neighbouring ones lie and concentrate scans on the ranges that are actually in use, identifying potential targets. Randomising the assignments breaks that pattern: the blocks in use are scattered across the parent allocation, so network discovery becomes much more difficult.

Step-by-Step Guide

  1. Planning Your Allocation
    • Determine Block Size: Decide on the size of IPv6 blocks you’ll allocate. Common sizes are /48, /56 or /64. Smaller blocks offer more randomness but require more management.
    • Total Address Space: Calculate how much total address space you need to cover your current and projected subscriber base.
    • Allocation Policy: Define a clear policy for assigning these random ranges to ISPs, including documentation requirements from them.
  2. Generating Random IPv6 Ranges

    You’ll need a tool or script to generate the random ranges. Here’s an example using Python:

    import secrets
    import ipaddress

    def generate_random_ipv6_range(prefix_length, allocation='2001:db8::/32'):
        # Replace the default with your actual allocation: 2001:db8::/32 is the
        # RFC 3849 documentation prefix and is not routable.
        network = ipaddress.ip_network(allocation, strict=False)
        if prefix_length < network.prefixlen or prefix_length > 128:
            raise ValueError(f"prefix_length must be between {network.prefixlen} and 128")
        # Number of sub-prefixes of the requested size inside the allocation
        # (a /32 holds 2**24 /56s), so never build a list of all of them.
        count = 2 ** (prefix_length - network.prefixlen)
        while True:
            # secrets gives an unpredictable choice; random.choice is seeded
            # from a PRNG an attacker could reproduce, which defeats the purpose.
            index = secrets.randbelow(count)
            start = int(network.network_address) + (index << (128 - prefix_length))
            random_subnet = ipaddress.ip_network((start, prefix_length))
            if str(random_subnet).startswith('fd'):  # skip unique-local (fd00::/8) prefixes
                continue
            return str(random_subnet)

    # Example usage: generate a random /56 subnet
    subnet = generate_random_ipv6_range(56)
    print(subnet)

    Important: Replace ‘2001:db8::/32’ with your actual IPv6 allocation; it is the RFC 3849 documentation prefix and is not routable. `strict=False` lets you pass an address with host bits set (for example a router address) and still get the containing network. The check for a prefix starting with ‘fd’ skips unique-local (fd00::/8) prefixes, which are not globally routable and therefore not usable for this purpose.

  3. Allocating Ranges to ISPs
    • Unique Identifier: Assign a unique identifier to each ISP.
    • Range Assignment Record: Create a database or spreadsheet to record the assigned range for each ISP, along with their identifier and contact information.
    • Communication: Clearly communicate the allocated range to the ISP, including any specific configuration requirements.
  4. ISP Configuration & Monitoring
    • Prefix Delegation: ISPs will need to configure their equipment to use the delegated prefix. Provide clear instructions and support.
    • Router Advertisements (RAs): Ensure ISPs are correctly advertising the assigned prefixes on their networks.
    • Monitoring for Unexpected Prefixes: Regularly monitor your network for any IPv6 prefixes being advertised that haven’t been officially allocated, and compare what you see against your allocation records. Tools like tcpdump or dedicated network monitoring systems can help. Router Advertisements are ICMPv6 type 134, so the following captures only those messages (the filter assumes no IPv6 extension headers precede the ICMPv6 header):
      tcpdump -i eth0 -n 'icmp6 and ip6[40] == 134'
  5. Ongoing Management
    • Range Exhaustion: Plan for range exhaustion. Have a process in place to generate and allocate new ranges as needed.
    • Revocation Policy: Define a policy for revoking assigned ranges if an ISP is no longer active or violates your allocation agreement.
    • Documentation Updates: Keep your allocation records up-to-date with any changes.
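The following is an added example, not code from the original post, that ties Steps 1, 3, 4 and 5 together: a `PrefixAllocator` class (a name chosen for this example) that sizes the parent allocation from a subscriber count, assigns random non-overlapping sub-prefixes from it with a CSPRNG, keeps the assignment record, reports remaining capacity so exhaustion can be planned for, revokes a range, and flags advertised prefixes that match no current allocation. The record is held in memory here rather than in a database, and the monitoring lines it parses use a constructed `prefix=` format, not tcpdump's own output.

```python
import ipaddress
import math
import secrets


def parent_prefix_length(subscribers, block_prefix_length, growth_factor=2.0):
    """Step 1: shortest parent prefix that holds `subscribers` blocks of
    `block_prefix_length` bits with `growth_factor` headroom for growth."""
    blocks_needed = math.ceil(subscribers * growth_factor)
    bits = max(0, math.ceil(math.log2(blocks_needed)))
    return block_prefix_length - bits


def parse_ra_log(lines):
    """Step 4: pull advertised prefixes out of monitoring lines. The format
    '<time> RA src=<link-local> prefix=<prefix>' is constructed for this
    example (an assumption, not tcpdump's output)."""
    prefixes = []
    for line in lines:
        for token in line.split():
            if token.startswith('prefix='):
                prefixes.append(token[len('prefix='):])
    return prefixes


class PrefixAllocator:
    """Steps 3 and 5: random, non-overlapping assignment of sub-prefixes with
    an allocation record, exhaustion check and revocation. Records live in
    memory here; in production they belong in the allocation database."""

    def __init__(self, allocation, prefix_length):
        self.network = ipaddress.ip_network(allocation, strict=False)
        self.prefix_length = prefix_length
        self.capacity = 2 ** (prefix_length - self.network.prefixlen)
        self.records = {}      # ISP identifier -> assigned IPv6Network
        self.revoked = set()   # revoked prefixes, kept out of circulation

    def _random_prefix(self):
        # CSPRNG index into the 2^(prefix_length - parent) candidate
        # sub-prefixes; no list of every candidate is ever built.
        index = secrets.randbelow(self.capacity)
        start = int(self.network.network_address) + (index << (128 - self.prefix_length))
        return ipaddress.ip_network((start, self.prefix_length))

    def remaining(self):
        """Blocks still available; alert on this well before it reaches 0."""
        return self.capacity - len(self.records) - len(self.revoked)

    def allocate(self, isp_id):
        if isp_id in self.records:
            raise ValueError(f"{isp_id} already holds {self.records[isp_id]}")
        if self.remaining() == 0:
            raise RuntimeError("parent range exhausted; provision a new one")
        taken = set(self.records.values()) | self.revoked
        while True:
            prefix = self._random_prefix()
            if prefix not in taken:          # retry on the rare collision
                self.records[isp_id] = prefix
                return prefix

    def revoke(self, isp_id):
        prefix = self.records.pop(isp_id)
        self.revoked.add(prefix)
        return prefix

    def unexpected_prefixes(self, observed):
        """Step 4: observed prefixes under no currently allocated range.
        A /64 advertised inside an ISP's /56 is expected; a prefix from a
        revoked range, or from outside the records, is flagged."""
        allocated = list(self.records.values())
        flagged = []
        for text in observed:
            net = ipaddress.ip_network(text, strict=False)
            if not any(net.subnet_of(parent) for parent in allocated):
                flagged.append(str(net))
        return flagged


if __name__ == "__main__":
    print("parent prefix for 5000 x /56 with 2x headroom:",
          parent_prefix_length(5000, 56))
    alloc = PrefixAllocator('2001:db8::/32', 56)   # documentation prefix; replace
    a = alloc.allocate('ISP-A')
    b = alloc.allocate('ISP-B')
    alloc.revoke('ISP-B')
    # Constructed monitoring lines: one expected /64 under ISP-A, one from the
    # revoked ISP-B range, one unique-local prefix nobody was assigned.
    log = [
        f"10:00:01 RA src=fe80::1 prefix={next(a.subnets(new_prefix=64))}",
        f"10:00:02 RA src=fe80::2 prefix={next(b.subnets(new_prefix=64))}",
        "10:00:03 RA src=fe80::3 prefix=fd00:1234::/64",
    ]
    print("unexpected:", alloc.unexpected_prefixes(parse_ra_log(log)))
```

Revoked prefixes are deliberately kept out of the pool rather than returned to it, so a range that was advertised by a former customer keeps showing up as unexpected if it is still announced; return it to the pool only once your revocation policy says it is safe to reuse.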