Configure IPv6 Addresses with DHCPv6 in Stateful Mode
Use DHCPv6 to manage and log IPv6 addresses centrally for enhanced network organisation.
Plain language
This control is about using a system called DHCPv6 to automatically assign IP addresses to devices on your network. Think of it like giving each device a unique phone number that lets it communicate in the digital world. By managing these addresses centrally, it helps keep track of which devices are using which addresses, making your network smoother and more secure. If you don't do this, your network could become disorganised, harder to manage, and vulnerable to attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Network design and configurationOfficial control statement
Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility.
Why it matters
Without stateful DHCPv6 with centralised lease logging, IPv6 address assignment becomes inconsistent, reducing traceability and enabling spoofing or unauthorised access.
Operational notes
Validate DHCPv6 is stateful and forwarding/sending lease events to centralised logging; review leases for anomalies and stale entries after network changes.
Implementation tips
- The IT team should configure a stateful DHCPv6 server on the network. This means setting up a central system that automatically manages IP addresses, ensuring each device gets a unique address. This helps prevent address conflicts and makes managing devices much easier.
- Network administrators should monitor and log IP address assignments. Set up a system that keeps track of which device has which IP address and for how long. This record-keeping is essential for troubleshooting and security investigations.
- System owners should ensure devices are configured to use DHCPv6. This involves setting up each device's network settings to 'automatic', allowing them to request an IP address from the DHCPv6 server. This step ensures all devices are correctly integrated into the network.
- IT managers should implement centralised logging of DHCPv6 activity. Use a secure log management tool to gather and store logs from the DHCPv6 server. These logs provide a record of network activity and can be vital for security audits.
- The security team should regularly review DHCPv6 lease logs. Conduct periodic reviews to understand network usage patterns and ensure that only authorised devices are connecting. This helps in early detection of unauthorised access attempts.
Audit / evidence tips
-
Askthe DHCPv6 server configuration documentation: Verify the network settings and ensure stateful configuration is implemented as described in organisation policy
Good: Up-to-date configuration scripts or screenshots confirming correct setup
-
Askto see DHCPv6 lease records: Request logs that show current and past IP address assignments to ensure logging is active
Good: Review logs containing timestamped entries for address issuance and release
-
Asknetwork device configuration policies: Verify the policies for device network settings
GoodPolicy documents outlining DHCPv6 settings with instructions for all device types
-
Askto review a sample DHCPv6 log file: Check that log files are being properly retained and can be traced to specific events
Good: Log entries detailing device IPs, timestamps, and lease times
-
Asksecurity review meeting records: Verify discussions around reviewing DHCPv6 setup and effectiveness occur
Good: Minutes from recent meetings showing evidence of review and planned improvements
Cross-framework mappings
How ISM-1430 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-1430 requires organisations to use DHCPv6 in a stateful mode to dynamically assign IPv6 addresses and store lease data in a centralis... | |
| handshake Supports (2) expand_less | ||
| Annex A 8.16 | ISM-1430 mandates stateful DHCPv6 use and centralized logging of lease data to support network monitoring | |
| Annex A 8.32 | ISM-1430's requirement for stateful DHCPv6 and centralized logging ties into Annex A 8.32 by ensuring that such configurations and logs a... | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-AC-ML2.8 | ISM-1430 requires organizations to store DHCPv6 lease data centrally, helping to align with E8-AC-ML2.8 by providing crucial telemetry fo... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.