This page highlights the key security considerations related to IPv6 networking in Digi Wi-SUN environments. While Wi-SUN defines its own security model for mesh authentication and link-layer encryption, IPv6 introduces additional layers that must be understood and managed to ensure a secure deployment.

Multilayer security

Wi-SUN Field Area Network (FAN) provides security at the MAC and mesh layer using:

  • Device authentication (via IDevID/LDevID).

  • Port Access Entity (PAE) for onboarding.

  • Link-layer encryption (AES-128).

However, IPv6 operates above this layer and requires separate attention to:

  • Address exposure.

  • External attack surfaces.

  • Protocol-specific risks (e.g., ICMPv6 misuse).

Global address exposure

All Digi Wi-SUN devices (border routers and nodes) can be assigned global IPv6 addresses. This means:

  • Devices may be reachable from outside networks unless filtered.

  • Attackers can potentially scan address ranges if the network is not properly protected.

  • Nodes may unknowingly advertise services that are accessible externally.

Use Unique Local Addresses (ULAs) such as fd11::/64 to keep traffic private to the mesh when no external communication is needed.

ICMPv6 and neighbor discovery risks

ICMPv6 is used for essential network functions (e.g., MTU discovery, neighbor solicitation). However, it can also be abused for:

  • Network scanning and discovery.

  • Redirect attacks (altering routing behavior).

  • Router advertisement spoofing.

To mitigate these risks:

  • Allow only necessary ICMPv6 types (e.g., echo reply, neighbor solicitation/advertisement (NS/NA)).

  • Filter unsolicited router advertisements from external sources.

  • Suppress unnecessary ICMPv6 exposure on upstream interfaces.

Routing security

Wi-SUN routing (via RPL) includes integrity checks and routing hierarchy validation, but it does not encrypt the routing control messages. While these are limited to link-local and multicast-scope addresses, potential risks include:

  • Malicious nodes injecting incorrect routes.

  • Overloading the routing table (e.g., via frequent joins/leaves).

  • Route manipulation via spoofed rank changes.

These threats are mitigated by:

  • Authenticating nodes before joining (via IDevID or LDevID). In particular, when using the IDevID of the XBee Hive for Wi-SUN, keep the allow-list setting (default) so that not just any XBee for Wi-SUN can join the network.

  • Using rate-limiting and route stability timers.

  • Ensuring RPL messages are filtered from non-mesh interfaces.

Application layer and transport security

When applications or cloud connectivity are used:

  • Always use encrypted transport (e.g., TLS) for data services.

  • Avoid exposing unauthenticated APIs or services over IPv6.

  • Validate hostnames and certificates when initiating outbound connections.

General security best practices

  • Use a firewall to block unsolicited inbound traffic to the mesh.

  • Regularly audit IPv6 routing and address tables for unusual entries.

  • Enable prefix delegation only when a trusted upstream network is available.

  • Limit access to multicast groups when possible.
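
The address audit recommended above, and the ULA guidance under "Global address exposure", can be scripted. The following is an added example, not Digi code: it assumes the address table has already been exported as (device, address) pairs, the function names and sample data are hypothetical, and 2001:db8::/32 (the documentation prefix) stands in for a real global prefix.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")         # Unique Local Addresses
GUA = ipaddress.ip_network("2000::/3")         # global unicast range
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def classify(addr, mesh_prefix):
    """Label one IPv6 address relative to the intended mesh prefix."""
    ip = ipaddress.IPv6Address(addr)           # raises AddressValueError if malformed
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in mesh_prefix:
        return "mesh-prefix"
    if ip in ULA:
        return "foreign-ula"                   # private, but not the prefix we assigned
    if ip in GUA:
        return "global"                        # reachable from outside unless filtered
    return "other"                             # multicast, unspecified, etc.

def audit(table, mesh_prefix="fd11::/64"):
    """Return (device, address, label) for every entry that needs review."""
    prefix = ipaddress.ip_network(mesh_prefix)
    findings = []
    for device, addr in table:
        try:
            label = classify(addr, prefix)
        except ipaddress.AddressValueError:
            label = "unparseable"
        if label not in ("link-local", "mesh-prefix"):
            findings.append((device, addr, label))
    return findings

# Constructed sample table (hypothetical device names and addresses).
SAMPLE_TABLE = [
    ("node-01", "fe80::1234:5678:9abc:def0"),
    ("node-01", "fd11::a1"),
    ("node-02", "fd11::a2"),
    ("node-02", "2001:db8:10::a2"),   # global address on a mesh-only node
    ("node-03", "fd42:1:2:3::7"),     # ULA outside the assigned prefix
    ("node-04", "fd11::zz"),          # corrupted entry
]

if __name__ == "__main__":
    for device, addr, label in audit(SAMPLE_TABLE):
        print(f"{device:8} {addr:28} {label}")
```

In a deployment where nodes are meant to carry global addresses, pass the delegated prefix as mesh_prefix so that only addresses outside it are reported.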