allnettools

Komentáře

Transkript

allnettools
Jakub Votava
Miroslav Brzek
Dimitar (Mitko) Vasilev
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
11
• The Business Case For IPv6
• How TO2 Sees IPv6
• IPv6 Fundamentals
• IPv6 Enterprise Deployment
• IPv6 In Czech Republic And EU
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
2010
2012
2011
NOVEMBER, 2010
Globalization: 25% of the world s population using 100%
of IPv4 addresses
JAN, 2011
Date the last IPv4 addresses was allocated by IANA
SEPTEMBER, 2012
Civilian US Government Agencies mandated to
provide external IPv6 connectivity
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
Registry Exhaustion Dates
100
90
80
Probability (%)
70
60
50
40
30
20
10
0
Jan 2011
Jul 2011
IANA
© 2011 Cisco and/or its affiliates. All rights reserved.
Jan 2012
APNIC
Jul 2012
Jan 2013
RIPENCC
Jul 2013
Jan 2014
ARIN
Source: Geoff Huston, APNIC
Jul 2014
LACNIC
Jan 2015
Jul 2015
AFRINIC
Cisco Confidential
4
2010
2012
2014
•  2010: Low Impact – Buying behavior shift limited to mandated
and early adopter sites
Globalization
Early
Adopters
Transition
Planning
IPv6 Government Mandate
Deadlines
IPv4/IPv6 Coexistence
2011: Internet Evolution begins – …IPv6 is important to all of us (…) to everyone
around the world, It is crucial to our ability to tie together everyone and every device .
John Chambers
• 2012: Mandates take effect – Transition to IPv6 forces customers to acquire product
or managed services to sustain business and customer reach
•  2014: IPv6 is mainstream – customers without transition infrastructure experience
reduced service levels, diminished customer reach, increase operational complexity
IPv6 Business Impact – The Cost of Waiting Goes Up
Low Risk
© 2011 Cisco and/or its affiliates. All rights reserved.
Moderate Risk
High Risk
Cisco Confidential
5
Preserve
Prepare
Prosper
Preserve the customer s existing investment
•  Audit and leverage existing IPv6 capabilities
Prepare a migration and deployment plan
•  Identify and enable critical IPv6 functional areas
Prosper through the transition to IPv6 Internet
•  Enable all systems with dual-stack capabilities
IPv6 is the foundation of a lifecycle management discussion
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
6
Over a Decade of Cisco
Investment - Shipping
Since 1996
IPv6 Security
VRF
BGP v6
v6 CoPP
v6 ACLs
EIGRP
v6
Radius AAA
IPv6 HA
HSRPv6
ISSU
OSPFv3
IPv6
Firewall
IPv6 Forwarding
V6 Netflow
IPv6 QoS
Classification, policing
IPv6
Routing
OSPFv3
IS-IS
EIGRP
IPv6
Multicast
IPv6 Management
Anycast
Syslog v6
DHCPv6, SNMP, DNS, SSH,
ICMPv6
These capabilities and more are already part of yours investment in Cisco networking
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
7
1
Identify the highest priority IPv6-critical areas in your network
2
Perform IPv6 Assessment on high priority areas to determine scope
3
Develop a design that enables IPv6 without disrupting your IPv4 network
4
Test and implement in pilot mode, then extend over time into production
Repeat for the Next IPv6-Critical Area in Your Network
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
8
A well-structured migration plan provides insurance against unexpected costs
as customers, partners, and suppliers move to IPv4 and IPv6 coexistence
Leverage Your
Investment
A Decade of Cisco IPv6
Innovations
Make a Plan
Accelerate
Align Business
and IT Strategy
Prosper through
accelerated global
customer reach.
Unleash new business
models
Invest for Success
Deploy IPv6 Transition
Support Technologies
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
9
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
10
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
11
•  IPv6 addresses are 128 bits long
Segmented into 8 groups of four HEX characters (called HEXtets)
Separated by a colon (:)
Default is 50% for network ID, 50% for interface ID
Network portion is allocated by Internet registries 2^64 (1.8 x 1019)
Still leaves us with ~ 3 billion network prefixes for each person on earth
Global Unicast Identifier Example
Network Portion
Interface ID
gggg:gggg:gggg:ssss: xxxx:xxxx:xxxx:xxxx
Global Routing Prefix
n <= 48 bits
Subnet ID
64 – n bits
Host
2001:0000:0000: 00A1: 0000:0000:0000:1E2A
2001:0:0: A1: :1E2A
© 2011 Cisco and/or its affiliates. All rights reserved.
Full Format
Abbreviated Format
Cisco Confidential
12
•  Addresses are assigned to interfaces
•  An IPv6 interface is “expected” to have multiple addresses and multiple scopes
•  Addresses have scope
Link Local
Unique Local
Global
•  Addresses have lifetime
Valid and preferred lifetime
© 2011 Cisco and/or its affiliates. All rights reserved.
Global
Unique Local
Link Local
Cisco Confidential
13
•  Three types of unicast address scopes
Link-Local – Non routable exists on single layer 2 domain (FE80::/10)
FE80:0000:0000:0000: xxxx:xxxx:xxxx:xxxx
Unique-Local – Routable within administrative domain (FC00::/7)
FCgg:gggg:gggg:ssss: xxxx:xxxx:xxxx:xxxx
FDgg:gggg:gggg: ssss: xxxx:xxxx:xxxx:xxxx
Global – Routable across the Internet (2000::/3)
2ggg:gggg:gggg: ssss: xxxx:xxxx:xxxx:xxxx
3ggg:gggg:gggg: ssss: xxxx:xxxx:xxxx:xxxx
•  Multicast addresses (FF00::/8)
FFfs: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Flags (f) in 3rd nibble (4 bits) Scope (s) into 4th nibble
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
14
Provider
Site
Host
n Bits
16 Bits
64 Bits
Subnet
Interface ID
Global Routing Prefix
001
•  Addresses for generic use of IPv6
•  Structured as a hierarchy to try and keep the aggregation
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
15
Provider Assigned
Provider Independent
2000::/3
/48
© 2011 Cisco and/or its affiliates. All rights reserved.
2000::/3
Registries
/12
/32
IANA
ISP
/12
Org
/48
Enterprise Level Four
Cisco Confidential
16
•  Interface ID unicast address may be assigned in different ways
Auto-configured from a 64-bit EUI-64 or expanded from a 48-bit MAC
Auto-generated pseudo-random number (to address privacy concerns)
Assigned via DHCP
Manually configured
•  IEEE Extended Unique Identifier (EUI-64) format to do stateless auto-configuration
Expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle
To ensure chosen address is from a unique Ethernet MAC address
The universal/local ( “u” bit) is set to 1 for global scope and 0 for local scope
64 Bits
Global Routing Prefix
© 2011 Cisco and/or its affiliates. All rights reserved.
Subnet
Interface ID
Cisco Confidential
17
•  Cisco uses the EUI-64 format to do stateless
MAC Address
auto-configuration
•  This format expands the 48 bit MAC address to
00
90
90
27
27
17
FC
0F
17
FC
0F
17
FC
0F
64 bits by inserting FFFE into the middle 16 bits
•  To make sure that the chosen address is from a
unique Ethernet MAC address, the
universal/local (“u” bit) is set to 1 for global
scope and 0 for local scope
•  Cisco devices ‘bit-flip’ the 7th bit
00
00
000000U0
U = 1
02
© 2011 Cisco and/or its affiliates. All rights reserved.
90
27
FF
FE
FF
FE
Where U=
90
27
FF
1 = Unique
0 = Not Unique
FE
17
FC
Cisco Confidential
0F
18
/23
/32
/48
/64
2001
Interface ID
•  Temporary addresses for IPv6 host client application,
e.g. web browser
Inhibit device/user tracking
Random 64 bit interface ID, then run Duplicate Address Detection
before using it
Rate of change based on local policy
Recommendation: Use Privacy Extensions for
External Communication but not for Internal
Networks (Troubleshooting and Attack Trace Back)
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
19
54 Bits
64 Bits
Remaining 54 bits = 0
Interface ID
10 Bits
1111 1110 10
FE80::/10
•  Mandatory for communication between two IPv6 devices
•  Automatically assigned by Router using EUI-64
•  Also used for next-hop calculation in routing protocols
•  Only link specific scope
•  Remaining 54 bits could be zero or any manually configured
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
20
n Bits
Global ID
16 Bits
64 Bits
Subnet
Interface ID
1111 110L
FC00::/7
•  ULA are “like” RFC 1918 – not routable on Internet
•  ULA uses include
Local communications
Inter-site VPNs (Mergers and Acquisitions)
•  FC00::/8 is Registry Assigned (L bit = 0), FD00::/8 is self generated (L bit = 1)
Registries not yet assigning ULA space, http://www.sixxs.net/tools/grh/ula/
•  Global ID can be generated using an algorithm
Low order 40 bits result of SHA-1 Digest {EUI-64 && Time}
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
21
•  IP multicast address has a prefix FF00::/8 (1111 1111)
Second octet defines lifetime and scope
8Bits
4 Bits
4 Bits
112 Bits
1111 1111
0 R P T
Scope
Variable Format
Flags
Scope
R = 0
R = 1
No embedded RP
Embedded RP
P = 0
P = 1
Not based on unicast
Based on unicast
T = 0
T = 1
Permanent address (IANA assigned)
Temporary address (local assigned)
© 2011 Cisco and/or its affiliates. All rights reserved.
1
Node
2
Link
3
Subnet
4
Admin
5
Site
8
Organization
E
Global
Cisco Confidential
22
Address
Scope
Meaning
FF01::1
Node-Local
All Nodes
FF01::2
Node-Local
All Routers
FF02::1
Link-Local
All Nodes
FF02::2
Link-Local
All Routers
FF02::5
Link-Local
OSPFv3 Routers
FF02::6
Link-Local
OSPFv3 DR Routers
FF02::1:FFXX:XXXX
Link-Local
Solicited-Node
  “02” means that this is a permanent address and has link scope
  http://www.iana.org/assignments/ipv6-multicast-addresses
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
23
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
24
IPv4 Header
Version
Type of
Service
IHL
Identification
Time to Live
Protocol
IPv6 Header
Total Length
Flags
Fragment
Offset
Header Checksum
Version
Traffic
Class
Payload Length
Flow Label
Next
Header
Hop Limit
Source Address
Destination Address
Legend
Options
Padding
Source Address
Field’s Name Kept from IPv4 to IPv6
Fields Not Kept in IPv6
Name and Position Changed in IPv6
Destination Address
New Field in IPv6
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
25
V
Class
Len
Flow
6
V
Class
Len
Hop
Flow
43
V
Class
Len
Hop
Flow
43
Destination
Destination
Destination
Source
Source
Source
Upper Layer TCP Header
17
Payload
Routing Header
Upper Layer UDP Header
Payload
60
6
Hop
Routing Header
Destination Options
Upper Layer TCP Header
Payload
•  Extension Headers Are Daisy Chained
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
26
•  Extension headers must be in the following sequence
Order
Header Type
Header Code
1
Basic IPv6 Header
-
2
Hop-by-Hop Options
0
3
Dest Options (with Routing options)
60
4
Routing Header
43
5
Fragment Header
44
6
Authentication Header
51
7
ESP Header
50
8
Destination Options
60
9
Mobility Header
135
-
No Next Header
59
Upper Layer
TCP
6
Upper Layer
UDP
17
Upper Layer
ICMPv6
58
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
27
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
28
•  Internet Control Message Protocol version 6
•  Combines several IPv4 functions
ICMPv4, IGMP and ARP
•  Message types are similar to ICMPv4
Destination unreachable (type 1)
Packet too big (type 2)
Time exceeded (type 3)
Parameter problem (type 4)
Echo request/reply (type 128 and 129)
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
29
•  ND uses ICMPv6 messages
Originated from node on link local with a hop limit of 255
Receivers checks hop limit is still 255 (has not passed a router)
•  Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery
options
•  Five neighbor discovery messages
Message
Purpose
ICMP Code
Sender
Target
Router Solicitation (RS)
Prompt routers to send RA
133
Nodes
All routers
Router Advertisement (RA)
Advertise default router, prefixes
Operational parameters
134
Routers
Sender of RS
All routers
Neighbor Solicitation (NS)
Request link-layer of target
135
Node
Solicited Node
Target Node
Neighbor Advertisement (NA)
Respond to NA
Advertise link-layer address changes
136
Nodes
Redirect
Inform hosts of a better first hop
137
Routers
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
30
•  Each Link has MTU a maximum transmission unit
•  Path MTU minimum MTU of all the links in a path between a source and a destination
•  Minimum link MTU for IPv6 is 1280 octets
In comparison IPv4 minimum MTU is 68 octets
If Link MTU < 1280 then fragmentation and reassembly must be used
If IPv6 payload > 1280 fragmentation may need to be performed
•  PMTU Discovery is expected to be performed by IPv6 end hosts
It should only apply if sending packets > 1280 bytes
For each destination, start by assuming MTU of first-hop link
Exceeding the link MTU invokes ICMP “packet too big” back to source
Message includes the offending link MTU value
MTU is then cached by source for specific destination
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
31
Function
IPv4
IPv6
Address Assignment
DHCPv4
DHCPv6, SLAAC,
Reconfiguration
Address Resolution
ARP
RARP
ICMPv6 NS, NA
Not Used
Router Discovery
ICMP Router Discovery
ICMPv6 RS, RA
Name Resolution
DNS
DNS
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
32
•  Autoconfiguration is used to automatically assigned an address to a host “plug and play”
Generating a link-local address,
Generating global addresses via stateless address autoconfiguration
Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
MAC
00:2c:04:00:fe:56"
A
R1"
1
2
RS
RA
2001:db8:face::/64
3
DAD
Host Autoconfigured Address comprises"
Prefix Received + Link-Layer Address if
DAD check passes"
2001:db8:face::22c:4ff:fe00:fe56
© 2011 Cisco and/or its affiliates. All rights reserved.
Router
Advertisement (RA)
Ethernet DA/SA
Router R2 / Host A
Prefix Information
2001:db8:face::/64
Default Router
Router R1
Cisco Confidential
33
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
34
•  DNS is a database managing Resource Records (RR)
Storage of RR for various types—IPV4 and IPV6:
Start of Authority (SoA)
Name Server
Address—A and AAAA
Pointer—PTR
•  DNS is an IP application
Uses either UDP or TCP on top of IPv4 or IPv6
•  References
RFC3596: DNS Extensions to Support IP Version 6
RFC3363: Representing Internet Protocol Version 6 Addresses in Domain Name system (DNS)
RFC3364: Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6)
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
35
Function
IPv4
Hostname
to
IP Address
A Record
IP Address
To
Hostname
PTR Record
www.abc.test. IN
IPv4
A 92.168.30.1
A record:
1.30.168.192.in-addr.arpa. PTR
www.abc.test.
IPv6
AAAA Record (Quad A)IPv6
www.abc.test. IN
AAAA 2001:db8:C18:1::2
PTR Record
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c
.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
IP address to
hostname
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
36
mSecs between last packet sent
Domain name with IPv6 address only
mSecs Source
Destination
Prot
Info
0.000 64.104.197.141
64.104.200.248
DNS
Standard query A ipv6.google.com
0.158 64.104.200.248
64.104.197.141
DNS
Standard query response CNAME ipv6.l.google.com
0.000 64.104.197.141
64.104.200.248
DNS
Standard query AAAA ipv6.google.com
0.135 64.104.200.248
64.104.197.141
DNS
Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68
Initial Query over IPv4 for IPv4 A record
DNS response refers to an alias/canonical address
Host immediately sends a request for AAAA record (original FQDN)
IPv6 address of canonical name returned
Domain name with both addresses
mSecs
Source
Destination
Prot
Info
0.000
64.104.197.141
64.104.200.248
DNS
Standard query A www.apnic.net
0.017
64.104.200.248
64.104.197.141
DNS
Standard query response A 202.12.29.211
0.000
64.104.197.141
64.104.200.248
DNS
Standard query AAAA www.apnic.net
0.017
64.104.200.248
64.104.197.141
DNS
Standard query response AAAA 2001:dc0:2001:11::211
0.001
2001:420:1:fff:2
2001:dc0:2001:11::211
ICMPv6
Echo request (Unknown (0x00))
0.023
2001:dc0:2001:11::211
2001:420:1:fff::2
ICMPv6
Echo reply (Unknown (0x00))
© 2011 Cisco and/or its affiliates. All rights reserved.
Initial Query over IPv4 for IPv4 A record
IPv4 address returned
Host immediately sends a request for AAAA record
IPv6 address of FQDN returned
Hosts prefers IPv6 address (configurable)
Cisco Confidential
37
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
38
•  Stateful DHCPv6 (RFC 3315)
Allows DHCP to allocate IPv6 address plus other configuration parameters (DNS, NTP etc…)
•  Stateless DHCPv6 (RFC 3736)
Combination of SLAAC for host address allocation
DHCPv6 for additional parameters such as DNS Servers and NTP
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
39
•  RA message contain flags that indicate address allocation combination (A, M and O bits)
Use SLAAC only, Use DHCPv6 stateful, Use SLAAC and DHCPv6 for other options
Router 1
(DHCPv6 Relay)"
A
2001:db8:face::/64
1
DHCP
Server"
RA
3
2
2001:db8:face::1/64, DNS1, DNS2, NTP
Send DHCP Solicit to FF02::1:2 (All DHCP Relays)
Router
Advertisement (RA)
A bit (Address config flag)
M bit (Managed address configuration flag)
O bit (Other configuration flag)
© 2011 Cisco and/or its affiliates. All rights reserved.
Set to 0 - Do not use SLAAC for host config
Set to 1 - Use DHCPv6 for host IPv6 address
Set to 1 - Use DHCPv6 for additional info (DNS, NTP)
Cisco Confidential
40
•  RA message contain flags that indicate address allocation combination (A, M and O bits)
Use SLAAC only, Use DHCPv6 stateful, Use SLAAC and DHCPv6 for other options
2
2001:db8:face::22c:4ff:fe00:fe56
Router 1
(DHCPv6 Relay)"
A
1
DHCP
Server"
RA
2001:db8:face::/64
3
4
DNS1, DNS2, NTP
Send DHCP Solicit to FF02::1:2 for options only
Router
Advertisement (RA)
A bit (Address config flag)
On-link Prefix
M bit (Managed address configuration flag)
O bit (Other configuration flag)
© 2011 Cisco and/or its affiliates. All rights reserved.
Set to 1 - Use SLAAC for host address config
2001:db8:face::/64
Set to 0 - Do not use DHCPv6 for IPv6 address
Set to 1 - Use DHCPv6 for additional info (DNS, NTP)
Cisco Confidential
41
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
42
•  IGP
RIPng (RFC 2080)
Cisco EIGRP for IPv6
Integrated IS-ISv6 (RFC 5308)
OSPFv3 (RFC 5340)
•  EGP
MP-BGP4 (RFC 2858) and Using MP-BGP for IPv6 (RFC 2545)
•  Cisco IOS supports all IPv6 routing protocols
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
43
Area 1
Router 2
POS3/0
2001:db8:ffff:1::1/64
POS 2/0
2001:db8:ffff:1::2/64
Router 1
POS1/1
Area 0
Router1#
interface POS1/1
ipv6 address 2001:410:FFFF:1::1/64
ospfv3 100 area 0 ipv6
!
interface POS2/0
ipv6 address 2001:db8:FFFF:1::2/64
ospfv3 100 area 1 ipv6
!
router ospfv3 100
router-id 0.0.0.3
Router2#
interface POS3/0
ipv6 address 2001:db8:FFFF:1::1/64
ospfv3 100 area 1 ipv6
!
router ospfv3 100
router-id 0.0.0.3
Enables IPv6 facing Area 0
Interlink connection (could use link-local)
Interlink connection (could use link-local)
32 bit ID specified in dotted decimal notation
2001:410:ffff:1::1/64
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
44
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
45
•  Default subnets in IPv6 have 264 addresses
10 Mpps = more than 50 000 years
•  NMAP doesn’t even support ping sweeps on
IPv6 networks
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
46
•  Public servers will still need to be DNS reachable
⇒ More information collected by Google...
•  Increased deployment/reliance on dynamic DNS
⇒ More information will be in DNS
•  Using peer-to-peer clients gives IPv6 addresses of peers
•  Administrators may adopt easy-to-remember addresses (::1,::2,::F00D, ::C5C0 or simply
IPv4 last octet for dual stack)
•  By compromising hosts in a network, an attacker can learn new addresses to scan
•  Transition techniques (see further) derive IPv6 address from IPv4 address
⇒  can scan again
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
47
•  Viruses and email, IM worms: IPv6 brings no change
•  Other worms:
IPv4: reliance on network scanning
IPv6: not so easy (see reconnaissance) => will use
alternative techniques
  Worm developers will adapt to IPv6
  IPv4 best practices around worm detection and mitigation remain valid
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
48
Router Solicitations Are Sent by Booting Nodes to Request Router
Advertisements for Stateless Address Auto-Configuring
1. RS
1.  RS:
Src = ::
Dst = All-Routers
multicast Address
ICMP Type = 133
Data = Query: please send RA
© 2011 Cisco and/or its affiliates. All rights reserved.
2. RA
RA/RS w/o Any
Authentication Gives
Exactly Same Level of
Security as ARP for IPv4
(None)
Attack Tool:
fake_router6
Can Make Any
IPv6 Address the Default
Router
2. RA
2.  RA:
Src = Router Link-local Address
Dst = All-nodes multicast address
ICMP Type = 134
Data= options, prefix, lifetime,
autoconfig flag
Cisco Confidential
49
Security Mechanisms Built
into Discovery Protocol =
None
=> Very similar to ARP
A"
B"
Src = A
Dst = Solicited-node multicast of B
ICMP type = 135
Data = link-layer address of A
Query: what is your link address?
Attack Tool:
Parasite6
Answer to all NS, Claiming to
Be All Systems in the LAN...
Src = B
Dst = A
ICMP type = 136
Data = link-layer address of B
A and B Can Now Exchange
Packets on This Link
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
50
•  SEMI-BAD NEWS: nothing yet like dynamic ARP inspection for IPv6
First phase (Port ACL & RA Guard) available since Summer 2010
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
•  GOOD NEWS: Secure Neighbor Discovery
SEND = NDP + crypto
IOS 12.4(24)T
But not in Windows Vista, 2008 and 7
Crypto means slower...
•  Other GOOD NEWS:
Private VLAN works with IPv6
Port security works with IPv6
801.x works with IPv6
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
51
•  Port ACL (see later) blocks all ICMPv6 Router
Advertisements from hosts
interface FastEthernet3/13
switchport mode access
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
•  RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG ):
also dropping all RA received on this port
interface FastEthernet3/13
switchport mode access
ipv6 nd raguard
access-group mode prefer port
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
52
•  Significant changes
•  More relied upon
ICMP Message Type
ICMPv4
ICMPv6
Connectivity Checks
X
X
Informational/Error Messaging
X
X
Fragmentation Needed Notification
X
X
Address Assignment
X
Address Resolution
X
Router Discovery
X
Multicast Group Management
X
Mobile IPv6 Support
X
•  => ICMP policy on firewalls needs to change
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
53
•  Rogue clients and servers can be mitigated by using the authentication option in DHCPv6
There are not many DHCPv6 client or server implementations using this today
•  Port ACL can block DHCPv6 traffic from client ports
deny udp any eq 547 any eq 546
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
54
•  Sniffing
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
•  Application layer attacks
The majority of vulnerabilities on the Internet today are at the application layer, something that
IPSec will do nothing to prevent
•  Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
•  Man-in-the-Middle Attacks (MITM)
Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in
IPv6 as in IPv4
•  Flooding
Flooding attacks are identical between IPv4 and IPv6
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
55
•  Scanners
•  Sniffers/packet capture
Snort
TCPdump
Sun Solaris snoop
COLD
Wireshark
Analyzer
Windump
WinPcap
© 2011 Cisco and/or its affiliates. All rights reserved.
IPv6 security scanner
Halfscan6
Nmap
Strobe
Netcat
•  DoS Tools
6tunneldos
4to6ddos
Imps6-tools
•  Packet forgers
Scapy6
SendIP
Packit
Spak6
•  Complete tool
http://www.thc.org/thc-ipv6/
Cisco Confidential
56
•  IPv6 does not require the use of IPsec
•  Some organizations believe that IPsec should be used to secure all flows...
Interesting scalability issue (n2 issue with IPsec)
Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL,
no firewall
IOS 12.4(20)T can parse the AH
Network telemetry is blinded: NetFlow of little use
Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: Reserve IPsec for residential or hostile environment or high profile targets.
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
57
•  16+ methods, possibly in combination
•  Dual stack
Consider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)
•  Tunnels
Bypass firewalls (protocol 41 or UDP)
Can cause asymmetric traffic (hence breaking stateful firewalls)
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
58
•  Your host:
IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
•  Your network:
Does not run IPv6
•  Your assumption:
I’m safe
•  Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
•  => Probably time to think about IPv6 in your network
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
59
•  So, nothing really new in IPv6
Reconnaissance: address enumeration replaced by DNS enumeration
Spoofing & bogons: uRPF is our IP-agnostic friend
NDP spoofing: RA guard and more feature coming
ICMPv6 firewalls need to change policy to allow NDP
Extension headers: firewall & ACL can process them
Amplification attacks by multicast mostly impossible
Potential loops between tunnel endpoints: ACL must be used
•  Lack of operation experience may hinder security for a while: training is required
•  Security enforcement is possible
Control your IPv6 traffic as you do for IPv4
•  Leverage IPsec to secure IPv6 when suitable
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
60
•  Easy to check!
•  Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
•  Look into DNS server log for resolution of ISATAP
•  Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks
NOW
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
61
Thank you.

Podobné dokumenty