Disable IPv6 Tunnelling Unless Necessary
IPv6 tunnelling on network devices should be disabled unless absolutely needed.
Plain language
This control is about turning off a technology feature called 'IPv6 tunnelling' in your network devices unless you really need it. Imagine it as a back door to your network; if left open unnecessarily, it could let bad actors sneak in unnoticed. It's important to keep your digital doors locked to protect sensitive information and keep your business operations running smoothly.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Unless explicitly required, IPv6 tunnelling is disabled on all network devices.
Why it matters
If IPv6 tunnelling is left enabled, IPv6 traffic encapsulated inside IPv4 packets can pass through IPv4-focused security controls and monitoring unseen, giving attackers a path for unauthorised access or data exfiltration.
Operational notes
Confirm IPv6 tunnelling (e.g. 6to4, Teredo, ISATAP) is disabled on routers, firewalls and hosts; only enable via approved change and re-check configs.
Implementation tips
- IT team should identify if IPv6 tunnelling is being used: Conduct a thorough network inventory to check if any devices are currently using IPv6 tunnelling features. Use network management tools to list devices and their configurations.
- IT manager should review necessity: Assess the business or operational need for IPv6 tunnelling on specific devices. Talk to key business units to understand if any applications or services require this feature.
- Network administrator to disable non-essential tunnelling: For devices where IPv6 tunnelling is not required, switch it off in the device settings. Use device management software to apply these settings across the network.
- System owner to communicate with stakeholders: Inform any relevant stakeholders, such as department managers, about the changes and why they are necessary for security. Ensure they understand the impact, if any, on their operations.
- IT team should schedule regular reviews: Set up a routine check (e.g., every 6 months) to ensure that IPv6 tunnelling remains disabled on devices unless expressly needed. Use network monitoring systems to flag any unauthorised reactivation.
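The inventory and periodic re-check steps above can be scripted on Linux hosts. The helper below is an added example, not part of the ISM control page: it reads `ip -d link show` output (live or saved) and lists interfaces whose link type is an IPv6 tunnel, using a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added audit helper, not part of the ISM control page: lists Linux
# interfaces whose link type is an IPv6 tunnel in `ip -d link show` output.
# Kernel link types covered: sit (6in4/6to4/ISATAP), tunnel6 (ip6tnl,
# IPv6-in-IPv6) and gre6 (ip6gre). Teredo on Linux runs in userspace (e.g.
# miredo) and is not a kernel tunnel type, so it is not detected here.

# Reads `ip -d link show` text on stdin; prints "<ifname> <linktype>" per
# tunnel interface found, so saved or sample output can be audited offline.
find_tunnel_links() {
    awk '
        # Header line: "3: sit1@NONE: <...>"; keep the bare interface name.
        /^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        # Detail line naming the link layer type.
        /^[ \t]*link\/(sit|tunnel6|gre6)/ { split($1, t, "/"); print name, t[2] }
    '
}

# Succeeds (exit 0) when no tunnel links are present on stdin, fails otherwise;
# suitable for a periodic review job: `ip -d link show | no_tunnel_links`.
no_tunnel_links() {
    n=$(find_tunnel_links | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample resembling `ip -d link show` on a host with the sit
# module loaded, an active 6in4 tunnel (sit1) and the default ip6tnl0 device.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0 promiscuity 0
    sit remote any local any ttl 64
4: sit1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/sit 192.0.2.10 peer 198.51.100.1 promiscuity 0
    sit remote 198.51.100.1 local 192.0.2.10 ttl 64
5: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/tunnel6 :: brd :: promiscuity 0
    ip6tnl any remote :: local :: encaplimit 4 hoplimit 64'

# Stand-alone run: audit the sample, then the live host if `ip` is available.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LINKS" | find_tunnel_links
    command -v ip >/dev/null 2>&1 && ip -d link show | find_tunnel_links
fi
```

On Windows hosts the corresponding state is shown and cleared with `netsh interface teredo|isatap|6to4 show state` and `set state disabled`; on Linux, disabling the `sit`, `ip6_tunnel` and `ip6_gre` modules via `/etc/modprobe.d/` prevents reactivation between reviews.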
Audit / evidence tips
- Ask for network configuration records: Request documents showing current settings of network devices. Good: Records show tunnelling disabled except where justified.
- Ask for a needs assessment report: Request a report detailing why any devices have IPv6 tunnelling enabled. Good: Each enabled device has a clear, justified business need documented.
- Ask to see a stakeholder communication log: Request evidence of communications to stakeholders about this change. Good: Documented communication to all relevant parties with confirmation receipts.
- Ask for device management tool reports: Request a report from any tools used to manage device configuration centrally. Good: Logs show successful disabling of tunnelling on all applicable devices.
- Ask for policy or procedure documents: Request any policy documents related to network configuration. Good: Policy specifically highlights IPv6 tunnelling settings with enforcement mechanisms.
Cross-framework mappings
How ISM-1428 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.9 | ISM-1428 mandates a specific secure configuration setting: IPv6 tunnelling is disabled unless needed |
| Supports | Annex A 8.21 | ISM-1428 reduces exposure by ensuring IPv6 tunnelling is not available on network devices unless there is an explicit business requirement |
| Related | Annex A 8.20 | Annex A 8.20 requires secure management of networks and network devices to reduce opportunities for unauthorised access and data compromise |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.