z/OS Communications Server: IPv6 Network and Application Design Guide


Security considerations

SC27-3663-00

On z/OS® Communications Server, not all security features that are supported over an IPv4 transport are enabled when communicating over an IPv6 transport. For example, IPSec, Network Access Control, Stack and Port Access Control, TLS, SSL, and Kerberos (Kerberos Version 5 and GSSAPIs) are enabled for both IPv4 and IPv6, whereas NAT traversal is enabled for IPv4 only. See Table 8 for a list of features supported for IPv4 or IPv6.

When a security function is supported over IPv4 but not over IPv6, the security feature is exercised when data is transmitted over the IPv4 transport. This is true whether the application uses AF_INET or AF_INET6 sockets. However, when an AF_INET6 socket application communicates over the IPv6 transport, security features that are supported over IPv4 only are not exercised.

Result: For the same local application, some security features can be exercised when communicating by way of IPv4, but not when communicating by way of IPv6.

To avoid creating a potential security exposure, it is important to determine if any important security features are supported over IPv4 but not over IPv6 before enabling AF_INET6 on a given LPAR. If only a subset of applications uses such a security feature, then it is sufficient to ensure that those applications communicate only over the IPv4 transport.

To ensure that the IPv4 transport is used, the following methods are available:
  • Verify that the application uses AF_INET sockets. Applications that use AF_INET sockets are able to communicate only by way of the IPv4 transport.
  • Configure the application to bind to an IPv4 address. Applications that bind to an IPv4 address are able to communicate using the IPv4 transport only.
  • Use the BIND parameter on the PORT statement to cause the application to bind to an IPv4 address.
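
The check below is an added example, not code from the IBM guide: it classifies a socket by its bound local address so that an application relying on an IPv4-only security feature can be audited against the methods listed above. The function names are hypothetical, the addresses are constructed samples from documentation ranges, and it assumes that an IPv4 address bound on an AF_INET6 socket appears in IPv4-mapped form (::ffff:a.b.c.d).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum transport { IPV4_ONLY, IPV6_POSSIBLE, UNKNOWN_FAMILY };

/* Decide from a bound local address whether traffic is pinned to IPv4. */
enum transport classify_addr(const struct sockaddr *sa) {
    if (sa->sa_family == AF_INET)
        return IPV4_ONLY;              /* AF_INET socket: IPv4 transport only */
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
            return IPV4_ONLY;          /* AF_INET6 socket bound to an IPv4 address */
        return IPV6_POSSIBLE;          /* in6addr_any or a native IPv6 address */
    }
    return UNKNOWN_FAMILY;
}

/* Same check for a live descriptor; UNKNOWN_FAMILY if getsockname fails. */
enum transport classify_socket(int fd) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return UNKNOWN_FAMILY;
    return classify_addr((const struct sockaddr *)&ss);
}

/* Build a sockaddr from text so the check can run without a network. */
enum transport classify_text(int family, const char *text) {
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = (sa_family_t)family;
    void *dst = family == AF_INET
        ? (void *)&((struct sockaddr_in *)&ss)->sin_addr
        : (void *)&((struct sockaddr_in6 *)&ss)->sin6_addr;
    if (inet_pton(family, text, dst) != 1)
        return UNKNOWN_FAMILY;         /* unparsable text or unsupported family */
    return classify_addr((const struct sockaddr *)&ss);
}

int main(void) {
    static const char *label[] = { "IPv4 only", "IPv6 possible", "unknown" };
    printf("AF_INET  192.0.2.10        -> %s\n", label[classify_text(AF_INET, "192.0.2.10")]);
    printf("AF_INET6 ::ffff:192.0.2.10 -> %s\n", label[classify_text(AF_INET6, "::ffff:192.0.2.10")]);
    printf("AF_INET6 ::                -> %s\n", label[classify_text(AF_INET6, "::")]);
    return 0;
}
```

A result of IPV6_POSSIBLE for an application that depends on an IPv4-only feature is the case to correct before AF_INET6 is enabled.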

Copyright IBM Corporation 1990, 2014