IPv6 Dual-Stack Deployment Guideline for the Malaysian Government

Malaysia stands among the world's top IPv6 adopters at 65–70% nationally, yet government agency networks lag behind the consumer ISP ecosystem. This guideline provides a complete, actionable framework for deploying IPv6 dual-stack across all public-facing government services — websites, email, DNS, and web applications — aligned with the national IPv6-only target of 31 December 2030.

Malaysia's Policy Foundation Is Already Strong

MCMC's Direction No. 2 of 2015 mandated all Malaysian ISPs to provide dual-stack IP addresses to end users — the single regulatory action that catalysed Malaysia's rise to global IPv6 leadership. This was strengthened by MTSFB TC T013:2019, making IPv6 certification mandatory for all directly connected equipment from July 2020, and by MTSFB TC G034:2022 which specifically addresses the requirements for completing the IPv4-to-IPv6 transition.

Jabatan Digital Negara (JDN) — formerly MAMPU, rebranded December 2023 — is the central authority for public sector ICT and the natural institutional owner for driving government IPv6 deployment. JDN manages MyGov*Net, MyGovCloud, and MyGovUC. It was designated Government Lead Sector for NCII under the Cyber Security Act 2024, giving it both the mandate and the authority.

Address Planning: Provider Independent Space Is Non-Negotiable

Government agencies must obtain Provider Independent (PI) IPv6 address space directly from APNIC, not Provider Aggregatable (PA) space from their ISP. Renumbering a ministry with thousands of devices, VoIP phones, firewall rules, and DNS records when changing ISPs is prohibitively expensive. PI addressing requires multihoming with BGP — standard for government backbone networks.

The recommended allocation hierarchy for the federal government:

2001:db8::/32 — Federal Government Allocation (from APNIC)
├── 2001:db8:0000::/48 — JDN HQ (Putrajaya)
│   ├── 2001:db8:0000:0001::/64 — Server VLAN
│   ├── 2001:db8:0000:0002::/64 — Staff VLAN
│   ├── 2001:db8:0000:0003::/64 — VoIP VLAN
│   ├── 2001:db8:0000:0010::/64 — DMZ
│   └── 2001:db8:0000:00FF::/64 — Point-to-Point Links (/127s)
├── 2001:db8:0001::/48 — MCMC
├── 2001:db8:0002::/48 — CyberSecurity Malaysia
├── 2001:db8:0100::/40 — Data Centre Block
│   ├── 2001:db8:0100::/48 — PDSA Site 1
│   └── 2001:db8:0101::/48 — PDSA Site 2
└── 2001:db8:FF00::/40 — MyGov*Net Backbone Infrastructure

Use stateful DHCPv6 with address reservations for servers, and SLAAC with stateless DHCPv6 for staff workstations. On all servers, disable IPv6 privacy extensions — servers need stable, predictable addresses for DNS records and firewall rules:

# Linux — /etc/sysctl.conf
net.ipv6.conf.all.use_tempaddr = 0

# Windows Server — PowerShell
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

DNS: The Foundation of Every Dual-Stack Service

The core principle is simple: every hostname with an A record must also have an AAAA record. Clients use the Happy Eyeballs algorithm (RFC 8305) to race IPv4 and IPv6 connections with a 250ms preference for IPv6. This means agencies must never publish a AAAA record unless IPv6 connectivity is verified and working — a broken AAAA record adds visible latency to every user connection.

A complete dual-stack DNS zone for a government agency:

$TTL 86400
$ORIGIN agency.gov.my.

; Nameservers — both A and AAAA glue records required at MYNIC
@    IN NS   ns1.agency.gov.my.
ns1  IN A    203.0.113.1
ns1  IN AAAA 2001:db8:1::1

; Web servers
@    IN A    203.0.113.100
@    IN AAAA 2001:db8:1::100
www  IN A    203.0.113.100
www  IN AAAA 2001:db8:1::100

; Mail server
@    IN MX   10 mail.agency.gov.my.
mail IN A    203.0.113.10
mail IN AAAA 2001:db8:1::10

; SPF — ip6: mechanism is mandatory
@    IN TXT "v=spf1 ip4:203.0.113.10 ip6:2001:db8:1::10 -all"

Every IPv6 address used for email sending must have a matching PTR record — many destination mail servers reject IPv6 email without valid reverse DNS. NS glue records for both IPv4 and IPv6 must be registered with MYNIC (the .my domain registry). Enable DNSSEC using ECDSAP256SHA256 and register DS records with MYNIC.

Web Services: Minimal Changes, Maximum Impact

Web server dual-stack configuration is straightforward. The key Linux kernel detail: if net.ipv6.bindv6only=0 (the default), listen [::]:80 already accepts both IPv4 and IPv6. Use explicit ipv6only=on to avoid conflicts:

# Nginx — recommended approach
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl http2;
    listen [::]:443 ssl http2 ipv6only=on;
    server_name www.agency.gov.my;
}

TLS certificates require no changes — certificates bind to domain names, not IP addresses. The same certificate serves both IPv4 and IPv6 connections. No re-issuance is needed when enabling IPv6.

For legacy IPv4-only backend applications, use Nginx or HAProxy as an IPv6-to-IPv4 reverse proxy. The frontend accepts IPv6 connections; the backend requires zero changes:

# IPv6 frontend → IPv4-only backend
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name legacy-app.agency.gov.my;
    location / {
        proxy_pass http://192.168.1.50:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Email: Reputation Management Is the Hardest Part

Enabling IPv6 for email is technically straightforward in Postfix — add inet_protocols = all to main.cf. The hard part is reputation: new IPv6 addresses have zero sending history. Google and Microsoft enforce stricter authentication requirements for IPv6-originated email than for established IPv4 addresses.

Best practices for a safe IPv6 email launch:

• Configure PTR, SPF, DKIM, and DMARC at least 30 days before the first send from a new IPv6 address
• Start DMARC at p=none to monitor authentication results before enforcing p=reject
• Warm up gradually — slowly ramp sending volume over several weeks
• Run IPv6 email in parallel with established IPv4 initially — use smtp_address_preference = any in Postfix, not ipv6
• Monitor blocklists at check.spamhaus.org — Spamhaus lists IPv6 at /64 granularity

Security: Every IPv4 Control Needs an IPv6 Counterpart

The NSA/CISA IPv6 Security Guidance (January 2023) establishes the foundational principle: all security mechanisms implemented for IPv4 must have corresponding IPv6 mechanisms achieving parity or better. Dual-stack doubles the attack surface.

The most dangerous IPv6-specific threat is Rogue Router Advertisement (RA) attacks — attackers announce themselves as the default gateway, injecting rogue DNS servers via the RDNSS option and redirecting all host traffic. Deploy RA Guard on every access switch:

! Cisco IOS — RA Guard policy
ipv6 nd raguard policy RAGUARD_HOST
 device-role host

ipv6 nd raguard policy RAGUARD_ROUTER
 device-role router
 match ra prefix-list GOV_PREFIXES

interface range GigabitEthernet1/0/1-48
 description "Staff access ports"
 ipv6 nd raguard attach-policy RAGUARD_HOST

interface GigabitEthernet1/0/49
 description "Uplink to core router"
 ipv6 nd raguard attach-policy RAGUARD_ROUTER

For server firewalls, nftables is the modern replacement for ip6tables, using the inet family for unified dual-stack management. The key rule: ICMPv6 Type 2 (Packet Too Big) must never be blocked — doing so silently breaks all TCP connections to sites with different MTUs:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept

        # RFC 4890 — ICMPv6 required for IPv6 to function
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept
        ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit,
            nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        tcp dport { 80, 443 } ct state new accept
        ip6 saddr 2001:db8:gov:admin::/64 tcp dport 22 ct state new accept

        counter reject
    }
}

At the network border, block all legacy tunnelling mechanisms per NSA guidance — they create covert IPv6 channels that bypass IPv4 security controls entirely:

! Block 6to4, 6in4, and Teredo at the perimeter
access-list 150 deny 41 any any log    ! IP protocol 41 (6to4/6in4)
access-list 150 deny udp any any eq 3544 log  ! Teredo

# Windows — disable via PowerShell
Set-Net6to4Configuration -State Disabled
Set-NetTeredoConfiguration -Type Disabled
Set-NetIsatapConfiguration -State Disabled

MyGov*Net: 6VPE Is the Right MPLS Transition Path

MyGov*Net 2.0 operates on MPLS technology managed by GITN Sdn Bhd (a TM subsidiary). The most cost-effective approach is 6VPE (IPv6 VPN Provider Edge) — running IPv6 traffic over the existing IPv4 MPLS core without upgrading core routers. 6VPE provides VRF-based per-agency traffic isolation critical for government network segmentation:

! Cisco 6VPE on PE router — core routers unchanged
vrf definition AGENCY-A
 rd 1:1
 address-family ipv6
  route-target both 1:1

router bgp 65000
 address-family vpnv6
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 address-family ipv6 vrf AGENCY-A
  neighbor 2001:db8:0:12::2 remote-as 65001
  neighbor 2001:db8:0:12::2 activate

For intra-agency routing, OSPFv3 (RFC 5340) is recommended as it supports both IPv4 and IPv6 via address families. If IS-IS is already deployed, adding IPv6 requires only interface addressing — no separate protocol version. Use MP-BGP for inter-agency and upstream peering with separate address families.

Pre-Deployment Validation: Ten Mandatory Checks

Before publishing any AAAA record for a public-facing government service, complete this sequence in order:

• Connectivity — ping6 ipv6.google.com from the server confirms a working IPv6 path to internet
• Service listening — ss -6 -tulpn | grep :443 confirms the web server binds on an IPv6 socket
• DNS resolution — dig AAAA www.agency.gov.my returns the correct address
• Reverse DNS — dig -x 2001:db8:1::100 returns the correct PTR record
• TLS handshake — curl -6 -v https://www.agency.gov.my completes without errors
• Firewall rules — ip6tables -L -v -n confirms ICMPv6 and required ports are permitted
• Path MTU — ping6 -s 1452 -M do to external hosts verifies PMTUD is not broken
• External validation — test from test-ipv6.com and ipv6-test.com from external vantage points
• Email auth — verify SPF includes ip6: mechanism, PTR records exist, test delivery to Gmail and Outlook
• Privacy extensions — ip -6 addr show on servers confirms no temporary flagged addresses

The Four-Phase Implementation Roadmap

Three Lessons from Governments That Tried Before Malaysia

1. Voluntary targets without enforcement fail. Australia's three-stage voluntary approach (2008–2012) was formally closed in 2016 due to poor compliance. The EU set procurement-based targets that went largely unmet. The US OMB M-21-07 mandate (80% IPv6-only by FY2025) was sound in structure but lacked agency-level accountability — no federal agency publicly announced achieving the target. Malaysia must embed IPv6 milestones in agency performance plans and publish public dashboards.

2. Dual-stack is a transition, not a destination. The US experience shows agencies that treated dual-stack as permanent added long-term complexity and cost without progressing toward the end state. Every dual-stack deployment decision should include a scheduled review date to assess IPv6-only readiness on that segment.

3. Security parity is non-negotiable from day one. NDP spoofing, rogue RA attacks, and unauthorized tunnelling are real, active threats — not theoretical. The unique risks of IPv6's first-hop behaviour require proactive countermeasures deployed simultaneously with the address configuration, not as a follow-up project.