Disable IPv6 Tunnelling Unless Necessary
IPv6 tunnelling on network devices should be disabled unless absolutely needed.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Feb 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Control
Unless explicitly required, IPv6 tunnelling is disabled on all network devices.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about switching off a feature called 'IPv6 tunnelling' on your network devices and computers unless you genuinely need it. Tunnelling wraps newer IPv6 traffic inside ordinary IPv4 packets so it can cross networks that only carry IPv4. The catch is that firewalls and monitoring tools set up for IPv4 often look only at the outer wrapper, so whatever is inside can pass through without being inspected. Left on when nobody needs it, it is a side door that attackers can use to reach your systems or move data out unnoticed. Keeping it closed protects sensitive information and keeps your operations running smoothly.
Why it matters
IPv6 tunnelling (6to4, Teredo, ISATAP and manually configured tunnels) encapsulates IPv6 packets inside IPv4: as IP protocol 41, or inside UDP on port 3544 in the case of Teredo. Firewalls, intrusion detection and proxies that only understand IPv4 see opaque encapsulated packets rather than the IPv6 flows inside them, so a compromised host can build a tunnel to the internet that bypasses egress filtering and monitoring, and inbound tunnelled traffic can reach hosts whose IPv6 exposure was never assessed. Windows can bring up Teredo, 6to4 and ISATAP interfaces automatically when conditions allow (a public IPv4 address, or a resolvable 'isatap' name), so the feature can be active without anyone having deliberately enabled it.
Operational notes
Confirm IPv6 tunnelling (6to4, Teredo, ISATAP, and manual IPv6-in-IPv4 or GRE tunnels) is disabled on routers, firewalls and hosts, not only at the perimeter: on Windows through the IPv6 Transition Technologies Group Policy settings (or the Tcpip6 DisabledComponents registry value, bit 0x01 of which disables all tunnel interfaces), on Linux by checking for sit, ip6tnl and ip6gre interfaces and preventing those modules from loading, and on network devices by reviewing every tunnel interface and its mode. Block IP protocol 41 and UDP port 3544 at the perimeter as a backstop, so a host that is re-enabled cannot reach a relay. Enable tunnelling only through an approved change with a named owner and an expiry date, and re-check configurations after changes and OS upgrades, since images and upgrades may ship with transition technologies enabled.
Implementation tips
- IT team should identify if IPv6 tunnelling is being used: Conduct a thorough network inventory to check which devices currently have IPv6 tunnelling features enabled. Include servers and end-user devices as well as network equipment, since Windows hosts can bring up Teredo, 6to4 and ISATAP interfaces on their own. Use network management tools to list devices and their configurations, and check perimeter logs for IP protocol 41 and UDP 3544 flows, which reveal tunnels the inventory missed.
- IT manager should review necessity: Assess the business or operational need for IPv6 tunnelling on specific devices. Talk to key business units to understand whether any applications or services require this feature, and record each justified case with an owner and a review date.
- Network administrator to disable non-essential tunnelling: For devices where IPv6 tunnelling is not required, switch it off in the device settings. Prefer a centrally enforced setting (Group Policy, configuration management or a device management platform) over hand edits, so the state is reapplied if a device is rebuilt or reset.
- System owner to communicate with stakeholders: Inform any relevant stakeholders, such as department managers, about the changes and why they are necessary for security. Ensure they understand the impact, if any, on their operations.
- IT team should schedule regular reviews: Set up a routine check (e.g., every 6 months) to ensure that IPv6 tunnelling remains disabled on devices unless expressly needed. Use network monitoring systems to flag any unauthorised reactivation: alert on IP protocol 41 and UDP 3544 traffic and on 6to4 (2002::/16), Teredo (2001:0::/32) or ISATAP addresses appearing in logs.
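The inventory step and the "flag any unauthorised reactivation" step above, and the verification called for in the operational notes, need something concrete to look for. The following is an added example (not from the ISM or from this page) of a small Python checker that scans firewall or flow records for the signatures of tunnelled IPv6: IP protocol 41 (IPv6-in-IPv4, used by 6to4, ISATAP and manual sit tunnels), UDP port 3544 (Teredo), the deprecated 6to4 relay anycast range 192.88.99.0/24, and IPv6 addresses that betray a tunnel origin: 2002::/16 (6to4, with the router's IPv4 address embedded), 2001:0::/32 (Teredo, with the server and client IPv4 addresses and the client port recoverable by undoing the XOR obfuscation) and ISATAP interface identifiers (…:0:5efe:a.b.c.d or …:200:5efe:a.b.c.d). The record format (timestamp, source, destination, IP protocol number, destination port), the function names and the sample records are all constructed for the example; adapt the field parsing to your own log source.

```python
"""Scan firewall/flow records for tunnelled-IPv6 indicators (ISM-1428 check).

Added example, not code from the ISM or from the page it accompanies. The record
format is an assumption: "<ts> <src> <dst> <ip-proto-number> <dst-port-or-dash>".
"""
import ipaddress

PROTO_IPV6_ENCAP = 41                                   # IPv6-in-IPv4: 6to4, ISATAP, sit (RFC 4213)
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544                                  # Teredo server/relay port (RFC 4380)
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")       # 6to4 (RFC 3056)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")       # Teredo, i.e. 2001:0::/32 (RFC 4380)
SIXTO4_RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")  # RFC 3068, deprecated by RFC 7526


def classify_ipv6(text):
    """Return (kind, detail) if the address was derived from a tunnel, else None.

    Decodes the IPv4 endpoints embedded in 6to4, Teredo and ISATAP addresses so
    an analyst can see which internal host and which external relay are involved.
    """
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return None
    raw = addr.packed
    if addr in SIXTO4_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> the 6to4 router's public IPv4 address is W.X.Y.Z
        return ("6to4", f"router {ipaddress.IPv4Address(raw[2:6])}")
    if addr in TEREDO_PREFIX:
        # 2001:0000:<server v4>:<flags>:<client port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        server = ipaddress.IPv4Address(raw[4:8])
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return ("teredo", f"server {server} client {client}:{port}")
    iid = raw[8:16]
    # ISATAP interface ID: 00-00-5E-FE (or 02-00-5E-FE with the u/l bit set) + IPv4 (RFC 5214)
    if iid[0] in (0x00, 0x02) and iid[1:4] == b"\x00\x5e\xfe":
        return ("isatap", f"host {ipaddress.IPv4Address(iid[4:8])}")
    return None


def in_v4_range(text, network):
    """True if text is an IPv4 address inside network (anything else -> False)."""
    try:
        return ipaddress.IPv4Address(text) in network
    except ValueError:
        return False


def scan_records(lines):
    """Return one finding per record that carries any tunnelling indicator."""
    findings = []
    for line in lines:
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, dst, proto, dport = parts[:5]
        reasons = []
        if proto == str(PROTO_IPV6_ENCAP):
            reasons.append("ip-proto-41 (IPv6-in-IPv4)")
        if proto == str(PROTO_UDP) and dport == str(TEREDO_UDP_PORT):
            reasons.append("udp/3544 (Teredo)")
        for role, a in (("src", src), ("dst", dst)):
            if in_v4_range(a, SIXTO4_RELAY_ANYCAST):
                reasons.append(f"{role} 6to4 relay anycast")
            hit = classify_ipv6(a)
            if hit:
                reasons.append(f"{role} {hit[0]} {hit[1]}")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "reasons": reasons})
    return findings


# Constructed sample records (not real traffic). Only the last line is clean.
SAMPLE = """\
10:00:01 10.1.2.3 203.0.113.9 41 -
10:00:02 10.1.2.4 198.51.100.7 17 3544
10:00:03 10.1.2.5 192.88.99.1 41 -
10:00:04 2001:0:4136:e378:8000:63bf:3fff:fdd2 2001:db8::1 6 443
10:00:05 fe80::5efe:10.1.2.6 fe80::1 58 -
10:00:06 2002:c000:204::1 2001:db8::2 6 80
10:00:07 10.1.2.7 10.1.2.8 6 443
""".splitlines()

if __name__ == "__main__":
    for f in scan_records(SAMPLE):
        print(f["ts"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

Run against real records, the decoded detail is what makes a finding actionable: a Teredo address names the internal client (after undoing the obfuscation) and the external server it registered with, a 6to4 address names the router doing the encapsulation, and an ISATAP address names the host, which is the device whose configuration has drifted from the control. A record that matches on protocol 41 alone still deserves a look, because a manually configured sit or GRE tunnel carries no tell-tale prefix.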
Audit / evidence tips
- Ask: network configuration records: Request documents showing the current settings of network devices and hosts
  Good: Records show tunnelling disabled except where justified, and cover host-level settings (e.g. Windows transition technology state) as well as routers and firewalls
- Ask: a needs assessment report: Request a report detailing why any devices have IPv6 tunnelling enabled
  Good: Each enabled device has a clear, justified business need documented, with an owner and a review date
- Ask: a stakeholder communication log: Request evidence of communications to stakeholders about this change
  Good: Documented communication to all relevant parties with confirmation receipts
- Ask: device management tool reports: Request a report from any tools used to manage device configuration centrally
  Good: Logs show successful disabling of tunnelling on all applicable devices, and monitoring is configured to alert on any reactivation
- Ask: policy or procedure documents: Request any policy documents related to network configuration
  Good: Policy specifically addresses IPv6 tunnelling settings and names the enforcement mechanism
Cross-framework mappings
How ISM-1428 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001

| Relationship | ISO 27001 control | Notes |
|---|---|---|
| Partially meets | Annex A 8.9 (Configuration management) | ISM-1428 mandates a specific secure configuration setting: IPv6 tunnelling is disabled unless needed |
| Partially meets | Annex A 8.20 (Networks security) | ISM-1428 requires organisations to disable IPv6 tunnelling on all network devices unless it is explicitly required |
| Supports | Annex A 8.21 (Security of network services) | ISM-1428 reduces exposure by ensuring IPv6 tunnelling is not available on network devices unless there is an explicit business requirement |