ISM-1429 ASD Information Security Manual (ISM)

Block IPv6 Tunnelling at Network Boundaries

Network security must block IPv6 tunnels at all external connections to prevent unauthorised data flow.

Plain language

Blocking IPv6 tunnels at the edges of your network is about ensuring bad actors can’t sneak data in and out of your business through hidden pathways. If these tunnels aren’t blocked, unauthorised traffic could go unnoticed, potentially leading to data leaks or cyber-attacks, which could severely harm your business's integrity and operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries.

Why it matters

If IPv6 tunnelling isn’t blocked at external boundaries, hidden IPv6 traffic can bypass controls, enabling data exfiltration and cyber espionage.

Operational notes

Validate boundary firewalls/IDS block common IPv6 tunnels (6in4, Teredo, ISATAP) and alert on any IPv6-in-IPv4 traffic or rule drift.
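
One way to test the alerting half of that note, as an added example (not ASD's or this page's own code): a classifier that labels raw IPv4 packets as 6in4, ISATAP or Teredo from their headers. The function names and sample packets are constructed for illustration, and the ISATAP check assumes the RFC 5214 interface-ID prefixes.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41        # IANA protocol numbers; 41 = IPv6 encapsulated in IPv4
TEREDO_PORT = 3544                    # IANA-registered Teredo UDP port
ISATAP_IID = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 interface-ID prefixes

def classify_tunnel(packet: bytes):
    """Return '6in4', 'ISATAP', 'Teredo' or None for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None                   # malformed header length
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_IPV6:
        # Any protocol-41 packet is a tunnel (6to4 uses 41 as well); refine to
        # ISATAP when the inner IPv6 header is present and an interface ID matches.
        if frag_offset == 0 and len(payload) >= 40 and payload[0] >> 4 == 6:
            if payload[16:20] in ISATAP_IID or payload[32:36] in ISATAP_IID:
                return "ISATAP"
        return "6in4"
    if proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Port match only: Teredo peers can use other ports, so treat this as a
        # minimum check, not proof that no Teredo crosses the boundary.
        if TEREDO_PORT in (sport, dport):
            return "Teredo"
    return None

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a minimal IPv4 packet (checksum zero) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipv6_header(src, dst):
    """Bare 40-byte IPv6 header (next header 59 = no next header)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "6in4": ipv4(PROTO_IPV6, ipv6_header("2001:db8::1", "2001:db8::2")),
    "isatap": ipv4(PROTO_IPV6, ipv6_header("2001:db8::5efe:c000:20a", "2001:db8::1")),
    "teredo": ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
    "dns": ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 53, 8, 0)),
}
```

Run against a boundary capture, any non-None result on the external side of the appliance means the block rule is missing or has drifted.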

Implementation tips

  • The IT team should check all network security devices at the boundaries of your network. Ensure those devices are configured to block any IPv6 tunnelling. This involves updating the settings on your routers and firewalls to specifically disable IPv6 tunnelling capabilities.
  • Managers should schedule regular training sessions for staff on the importance of maintaining network security. Focus on how IPv6 tunnelling can be a risk, using simple terms. This will empower your team to stay alert and report any unusual behaviour on the network.
  • System owners should work with a cybersecurity consultant to review current network settings if IPv6 is being used. Discuss how IPv6 is integrated and confirm there are no unintended tunnels that can bypass security checks. Use basic network diagrams to visualise the setup.
  • Office managers should maintain a log of all changes made to network settings, especially those related to IPv6 tunnelling. Make sure this log is clearly dated and easily accessible for future reference and audits.

Audit / evidence tips

  • Ask: The network device configuration settings. Request documentation showing firewall and router configurations related to IPv6. Good: explicit settings indicating IPv6 tunnelling is disabled.
  • Ask: To see training attendance records. Request a list of training sessions held, focusing on network security and IPv6. Good: consistent training sessions with clear attendance logs.
  • Ask: Consultant reports. Request the latest cybersecurity consultant review report on IPv6 usage. Good: a detailed report confirming no open tunnels and actions taken on recommendations.
  • Ask: To inspect procurement records. Request procurement criteria used for network devices. Good: clear criteria that have been adhered to in recent purchases.
  • Ask: The network change log. Request records of changes made to the network settings, particularly referencing IPv6 settings. Good: an up-to-date log with manager sign-off for each change.

Cross-framework mappings

How ISM-1429 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Supports (1)
Annex A 8.12 ISM-1429 requires blocking IPv6 tunnelling at externally-connected network boundaries to prevent unauthorised data flows that can bypass ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.