Jakub Votava, Miroslav Brzek, Dimitar (Mitko) Vasilev
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• The Business Case For IPv6
• How TO2 Sees IPv6
• IPv6 Fundamentals
• IPv6 Enterprise Deployment
• IPv6 In Czech Republic And EU

• November 2010: Globalization: 25% of the world's population using 100% of IPv4 addresses
• January 2011: Date the last IPv4 addresses were allocated by IANA
• September 2012: Civilian US Government agencies mandated to provide external IPv6 connectivity

[Chart: Registry Exhaustion Dates. Probability (%) of exhaustion against date, Jan 2011 to Jul 2015, one curve per registry: IANA, APNIC, RIPE NCC, ARIN, LACNIC, AFRINIC. Source: Geoff Huston, APNIC]

IPv6 Business Impact: The Cost of Waiting Goes Up
Timeline phases 2010 to 2014: Globalization, Early Adopters, Transition Planning, IPv6 Government Mandate Deadlines, IPv4/IPv6 Coexistence
• 2010: Low Impact: buying behavior shift limited to mandated and early adopter sites
• 2011: Internet Evolution begins: "...IPv6 is important to all of us (...) to everyone around the world. It is crucial to our ability to tie together everyone and every device." John Chambers
• 2012: Mandates take effect: transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
• 2014: IPv6 is mainstream: customers without transition infrastructure experience reduced service levels, diminished customer reach and increased operational complexity
The risk level rises from Low Risk (2010)
to Moderate Risk (2012) and High Risk (2014).

Preserve, Prepare, Prosper
• Preserve the customer's existing investment: audit and leverage existing IPv6 capabilities
• Prepare a migration and deployment plan: identify and enable critical IPv6 functional areas
• Prosper through the transition to the IPv6 Internet: enable all systems with dual-stack capabilities
IPv6 is the foundation of a lifecycle management discussion

Over a Decade of Cisco Investment - Shipping Since 1996
Feature areas: IPv6 Security, IPv6 HA, IPv6 Forwarding, IPv6 Routing, IPv6 Management
Features shown: VRF, BGP v6, v6 CoPP, v6 ACLs, EIGRP v6, RADIUS AAA, HSRPv6, ISSU, OSPFv3, IPv6 Firewall, v6 NetFlow, IPv6 QoS classification and policing, IS-IS, EIGRP, IPv6 Multicast, Anycast, Syslog v6, DHCPv6, SNMP, DNS, SSH, ICMPv6
These capabilities and more are already part of your investment in Cisco networking

1. Identify the highest-priority IPv6-critical areas in your network
2. Perform an IPv6 assessment on the high-priority areas to determine scope
3. Develop a design that enables IPv6 without disrupting your IPv4 network
4. Test and implement in pilot mode, then extend over time into production
Repeat for the next IPv6-critical area in your network

A well-structured migration plan provides insurance against unexpected costs as customers, partners, and suppliers move to IPv4 and IPv6 coexistence
Four themes: Leverage Your Investment, Make a Plan, Accelerate, Invest for Success
• A decade of Cisco IPv6 innovations
• Align business and IT strategy
• Prosper through accelerated global customer reach; unleash new business models
• Deploy IPv6 transition support technologies
• IPv6 addresses are 128 bits long
  - Segmented into 8 groups of four hex characters (called hextets), separated by a colon (:)
  - Default is 50% for the network ID, 50% for the interface ID
  - The network portion is allocated by Internet registries
  - 2^64 (1.8 x 10^19) still leaves us with ~3 billion network prefixes for each person on earth
• Global unicast identifier example
  - Network portion gggg:gggg:gggg:ssss, interface ID xxxx:xxxx:xxxx:xxxx
  - Global routing prefix n <= 48 bits, subnet ID 64 - n bits, host (interface ID) 64 bits
  - Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A
  - Abbreviated format: 2001:0:0:A1::1E2A

• Addresses are assigned to interfaces
• An IPv6 interface is "expected" to have multiple addresses and multiple scopes
• Addresses have scope: Link Local, Unique Local, Global
• Addresses have lifetime: valid and preferred lifetime

• Three types of unicast address scopes
  - Link-Local: non-routable, exists on a single layer 2 domain (FE80::/10): FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
  - Unique-Local: routable within an administrative domain (FC00::/7): FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  - Global: routable across the Internet (2000::/3): 2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or 3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
• Multicast addresses (FF00::/8): FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
  - Flags (f) in the 3rd nibble (4 bits), scope (s) in the 4th nibble

• Global unicast address structure: 001 prefix, global routing prefix (provider, n bits), subnet (site, 16 bits), interface ID (host, 64 bits)
• Addresses for generic use of IPv6
• Structured as a hierarchy to try to keep aggregation
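The full/abbreviated text forms and the scope rules above, as an added example that is not part of the deck: it expands and abbreviates an address by hand (so the "::" rule is visible), and classifies an address by the prefixes the slides list, decoding the flags and scope nibbles for multicast. The addresses used are the slides' own or constructed.

```python
"""Added example (not from the Cisco deck): full and abbreviated text
forms of an IPv6 address and scope classification for the prefixes the
slides list. Sample addresses are constructed or taken from the slides."""


def expand(addr: str) -> str:
    """Full format: 8 hextets of 4 hex digits, e.g. 2001:0:0:A1::1E2A ->
    2001:0000:0000:00a1:0000:0000:0000:1e2a."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def abbreviate(addr: str) -> str:
    """Abbreviated format: drop leading zeros and replace the longest run of
    two or more zero hextets with '::' (leftmost run on a tie)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):          # sentinel closes a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


MULTICAST_SCOPES = {1: "node", 2: "link", 3: "subnet", 4: "admin",
                    5: "site", 8: "organization", 0xE: "global"}


def classify(addr: str) -> dict:
    """Scope per the slide's prefixes; for multicast also decode the flags
    nibble (3rd, bits 0RPT) and the scope nibble (4th) of the first hextet."""
    first = int(expand(addr).split(":")[0], 16)
    if first >> 8 == 0xFF:                        # FF00::/8
        flags, scope = (first >> 4) & 0xF, first & 0xF
        return {"type": "multicast",
                "transient": bool(flags & 0x1),     # T=1: locally assigned
                "prefix_based": bool(flags & 0x2),  # P=1: derived from a unicast prefix
                "embedded_rp": bool(flags & 0x4),   # R=1: RP address embedded
                "scope": MULTICAST_SCOPES.get(scope, f"reserved({scope:x})")}
    if first >> 6 == 0xFE80 >> 6:                 # FE80::/10
        return {"type": "unicast", "scope": "link-local"}
    if first >> 9 == 0xFC00 >> 9:                 # FC00::/7; L bit is the low bit of FC/FD
        return {"type": "unicast", "scope": "unique-local",
                "locally_assigned": bool((first >> 8) & 0x1)}
    if first >> 13 == 0x2000 >> 13:               # 2000::/3
        return {"type": "unicast", "scope": "global"}
    return {"type": "other"}
```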
• Allocation hierarchy from 2000::/3 (four levels): IANA, Registries (/12), ISP (/32), Org/Enterprise (/48); both Provider Assigned and Provider Independent /48 allocations are shown

• The interface ID of a unicast address may be assigned in different ways
  - Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC
  - Auto-generated pseudo-random number (to address privacy concerns)
  - Assigned via DHCP
  - Manually configured
• The IEEE Extended Unique Identifier (EUI-64) format is used for stateless auto-configuration
  - Expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle
  - To ensure the chosen address is from a unique Ethernet MAC address, the universal/local ("u" bit) is set to 1 for global scope and 0 for local scope
  - Address layout: 64 bits of global routing prefix and subnet, then the 64-bit interface ID

• Cisco uses the EUI-64 format for stateless MAC address auto-configuration
• This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
  - Example: MAC 00:90:27:17:FC:0F becomes 00:90:27:FF:FE:17:FC:0F
• To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local ("u" bit) is set to 1 for global scope and 0 for local scope
• Cisco devices "bit-flip" the 7th bit: the first octet 00 = 000000U0 becomes 02 with U = 1 (1 = unique, 0 = not unique), giving the interface ID 02:90:27:FF:FE:17:FC:0F
• Prefix boundaries in the allocation diagram: /23, /32, /48, /64 (2001 prefix), then the interface ID

• Temporary addresses for IPv6 host client applications, e.g. web browser (Privacy Extensions)
  - Inhibit device/user tracking
  - Random 64-bit interface ID, then run Duplicate Address Detection before using it
  - Rate of change based on local policy
  - Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace-back)
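The EUI-64 expansion and bit flip just described, carried through to the link-local and SLAAC global addresses and the solicited-node group that Duplicate Address Detection probes, as an added example that is not part of the deck. It also shows the random interface ID of the privacy extensions. MACs and prefixes are the slides' own (00:90:27:17:FC:0F, 00:2c:04:00:fe:56, 2001:db8:face::/64).

```python
"""Added example (not from the Cisco deck): modified EUI-64 interface IDs,
the link-local and SLAAC global addresses built from them, the privacy
(random) interface ID, and the solicited-node group that DAD probes.
MACs and prefixes are the slides' own or constructed."""
import ipaddress
import secrets


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert FF:FE between the OUI and the
    device part, then flip the universal/local bit (bit 7 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                    # 000000U0: U = 1 for a globally unique MAC
    return bytes(iid)


def iid_text(iid: bytes) -> str:
    """Interface ID as four hextets, e.g. 0290:27ff:fe17:fc0f."""
    h = iid.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def address_from_prefix(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix such as 2001:db8:face::/64 or fe80::/64 with an IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface ID")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def link_local(mac: str) -> str:
    """FE80::/64 plus the EUI-64 interface ID (the slide's link-local layout)."""
    return address_from_prefix("fe80::/64", modified_eui64(mac))


def slaac_global(prefix: str, mac: str) -> str:
    """Prefix received in an RA plus the EUI-64 interface ID."""
    return address_from_prefix(prefix, modified_eui64(mac))


def privacy_iid() -> bytes:
    """Temporary (privacy extension) ID: 64 random bits with the u bit cleared
    so it cannot be mistaken for a MAC-derived ID; DAD still runs before use."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx with the low 24 bits of addr; the DAD probe (an NS
    with Src = ::) for addr is sent to this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))
```

Note that the slide writes the host's address as 2001:db8:face::22c:4ff:fe00:fe56; the RFC 5952 text form produced here keeps the single zero hextet as ":0:" instead of "::", the address is the same.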
• Link-local address (FE80::/10) layout: 10 bits 1111 1110 10, remaining 54 bits = 0, 64-bit interface ID
  - Mandatory for communication between two IPv6 devices
  - Automatically assigned by the router using EUI-64
  - Also used for next-hop calculation in routing protocols
  - Only link-specific scope
  - The remaining 54 bits could be zero or any manually configured value

• Unique Local Address (FC00::/7) layout: 1111 110L, global ID (n bits), subnet (16 bits), interface ID (64 bits)
  - ULA are "like" RFC 1918: not routable on the Internet
  - ULA uses include local communications and inter-site VPNs (mergers and acquisitions)
  - FC00::/8 is registry assigned (L bit = 0), FD00::/8 is self-generated (L bit = 1)
  - Registries are not yet assigning ULA space, see http://www.sixxs.net/tools/grh/ula/
  - The global ID can be generated using an algorithm: the low-order 40 bits of the SHA-1 digest of {EUI-64 && time}

• An IP multicast address has the prefix FF00::/8 (1111 1111); the second octet defines lifetime and scope
  - Layout: 8 bits 1111 1111, 4 bits flags (0 R P T), 4 bits scope, 112 bits variable format
  - R = 0: no embedded RP; R = 1: embedded RP
  - P = 0: not based on unicast; P = 1: based on unicast
  - T = 0: permanent address (IANA assigned); T = 1: temporary address (locally assigned)
  - Scope values: 1 node, 2 link, 3 subnet, 4 admin, 5 site, 8 organization, E global

  Address            Scope        Meaning
  FF01::1            Node-Local   All Nodes
  FF01::2            Node-Local   All Routers
  FF02::1            Link-Local   All Nodes
  FF02::2            Link-Local   All Routers
  FF02::5            Link-Local   OSPFv3 Routers
  FF02::6            Link-Local   OSPFv3 DR Routers
  FF02::1:FFXX:XXXX  Link-Local   Solicited-Node
"02" means that this is a permanent address and has link scope
http://www.iana.org/assignments/ipv6-multicast-addresses
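The ULA global ID algorithm the slide sketches (SHA-1 over EUI-64 and time, keep the low-order 40 bits, put it behind FD00::/8), as an added example that is not part of the deck. It follows the RFC 4193 recipe; the EUI-64 and timestamps are constructed inputs.

```python
"""Added example (not from the Cisco deck): locally assigned ULA prefix
generation as the slide sketches it (RFC 4193 style): SHA-1 over
{64-bit time || EUI-64}, low-order 40 bits become the Global ID behind
FD00::/8 (L bit = 1). The EUI-64 and timestamps below are constructed."""
import hashlib
import ipaddress
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP format: 32-bit seconds since 1900 plus a 32-bit fraction."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    secs = int(ntp) & 0xFFFFFFFF
    frac = int((ntp - int(ntp)) * (1 << 32)) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def ula_global_id(eui64: bytes, unix_seconds: float) -> int:
    """Least significant 40 bits of SHA-1(time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(ntp_timestamp(unix_seconds) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(eui64: bytes, unix_seconds: Optional[float] = None) -> str:
    """Return the site's /48 as 'fdxx:xxxx:xxxx::/48'; the 16-bit subnet ID
    and the 64-bit interface ID below it are left for the site to assign."""
    if unix_seconds is None:
        unix_seconds = time.time()
    gid = ula_global_id(eui64, unix_seconds)
    # bits 127..120 = FD, bits 119..80 = Global ID, 79..64 = subnet, 63..0 = IID
    network = (0xFD << 120) | (gid << 80)
    return str(ipaddress.IPv6Network((network, 48)))


def is_locally_assigned_ula(prefix: str) -> bool:
    """True for FC00::/7 prefixes with the L bit set, i.e. within FD00::/8."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.subnet_of(ipaddress.IPv6Network("fd00::/8"))
```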
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend of the figure: field name kept from IPv4 to IPv6; fields not kept in IPv6; name and position changed in IPv6; new field in IPv6

• Extension headers are daisy-chained; the figure shows three packets
  - IPv6 header (Next Header = 6) -> upper layer TCP header -> payload
  - IPv6 header (Next Header = 43) -> Routing header (Next Header = 17) -> upper layer UDP header -> payload
  - IPv6 header (Next Header = 43) -> Routing header (Next Header = 60) -> Destination Options (Next Header = 6) -> upper layer TCP header -> payload

• Extension headers must be in the following sequence
  Order  Header Type                          Header Code
  1      Basic IPv6 Header                    -
  2      Hop-by-Hop Options                   0
  3      Dest Options (with Routing options)  60
  4      Routing Header                       43
  5      Fragment Header                      44
  6      Authentication Header                51
  7      ESP Header                           50
  8      Destination Options                  60
  9      Mobility Header                      135
  -      No Next Header                       59
         Upper Layer TCP                      6
         Upper Layer UDP                      17
         Upper Layer ICMPv6                   58

• Internet Control Message Protocol version 6
• Combines several IPv4 functions: ICMPv4, IGMP and ARP
• Message types are similar to ICMPv4
  - Destination unreachable (type 1)
  - Packet too big (type 2)
  - Time exceeded (type 3)
  - Parameter problem (type 4)
  - Echo request/reply (types 128 and 129)
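Walking the daisy chain and checking it against the ordering table above, as an added example that is not part of the deck (a firewall or ACL has to do exactly this walk before it can see the upper-layer header). The packets are constructed with minimal extension headers; the header-length rules (Fragment fixed at 8 bytes, AH in 4-octet units, the rest in 8-octet units) and the stop at ESP are the author's assumptions about what a practitioner needs here.

```python
"""Added example (not from the Cisco deck): walk the daisy-chained Next
Header values of an IPv6 packet and check that its extension headers follow
the order in the slide's table. Packets are constructed, not captured."""
import struct
from typing import List, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
TCP, UDP, ICMPV6 = 6, 17, 58
NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         60: "Destination Options", 135: "Mobility", 59: "No Next Header",
         6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Position in the required sequence (base header is 1). Destination Options
# is legal at rank 3 (before a Routing header) and at rank 8 (last).
RANK = {HOP_BY_HOP: 2, ROUTING: 4, FRAGMENT: 5, AH: 6, MOBILITY: 9}


def header_length(kind: int, pkt: bytes, off: int) -> int:
    """Byte length of the extension header that starts at off."""
    if kind == FRAGMENT:
        return 8                          # fixed size, no length field
    if kind == AH:
        return (pkt[off + 1] + 2) * 4     # length in 4-octet units minus 2
    return (pkt[off + 1] + 1) * 8         # length in 8-octet units, excluding the first 8


def walk_headers(pkt: bytes) -> Tuple[List[int], bool]:
    """Return (header codes after the base header, order_ok)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + struct.unpack("!H", pkt[4:6])[0]:
        raise ValueError("truncated packet")
    kind, off, chain, order_ok, last_rank = pkt[6], 40, [], True, 1
    while True:
        chain.append(kind)
        if kind in (TCP, UDP, ICMPV6, NO_NEXT, ESP) or kind not in NAMES:
            return chain, order_ok        # upper layer, chain end, or ESP (encrypted beyond)
        if off + 8 > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
        nxt = pkt[off]
        rank = (3 if nxt == ROUTING else 8) if kind == DEST_OPTS else RANK[kind]
        if rank <= last_rank:
            order_ok = False              # out of order, or the same header repeated
        last_rank = max(last_rank, rank)
        off += header_length(kind, pkt, off)
        kind = nxt


def build(ext_codes: List[int], upper: int, payload: bytes = b"") -> bytes:
    """Constructed packet: base header, minimal extension headers in the given
    order (each pointing at the next), then the upper-layer protocol."""
    chain = ext_codes + [upper]
    headers = []
    for code, nxt in zip(chain, chain[1:]):
        if code == AH:
            headers.append(bytes([nxt, 1]) + bytes(10))   # AH len 1 -> 12 bytes
        else:
            headers.append(bytes([nxt, 0]) + bytes(6))    # ext len 0 -> 8 bytes
    body = b"".join(headers) + payload
    base = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(body), chain[0], 64) + bytes(32)
    return base + body
```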
• ND uses ICMPv6 messages
  - Originated from a node on link-local with a hop limit of 255
  - Receivers check that the hop limit is still 255 (the packet has not passed a router)
• Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options
• Five neighbor discovery messages
  Message                     Purpose                                                     ICMP Code  Sender   Target
  Router Solicitation (RS)    Prompt routers to send RA                                   133        Nodes    All routers
  Router Advertisement (RA)   Advertise default router, prefixes, operational parameters  134        Routers  Sender of RS / All routers
  Neighbor Solicitation (NS)  Request link-layer address of target                        135        Node     Solicited-node, target node
  Neighbor Advertisement (NA) Respond to NS; advertise link-layer address changes         136        Nodes
  Redirect                    Inform hosts of a better first hop                          137        Routers

• Each link has an MTU, a maximum transmission unit
• Path MTU: the minimum MTU of all the links in a path between a source and a destination
• The minimum link MTU for IPv6 is 1280 octets
  - In comparison, the IPv4 minimum MTU is 68 octets
  - If link MTU < 1280 then fragmentation and reassembly must be used
  - If the IPv6 payload > 1280, fragmentation may need to be performed
• PMTU Discovery is expected to be performed by IPv6 end hosts
  - It should only apply if sending packets > 1280 bytes
  - For each destination, start by assuming the MTU of the first-hop link
  - Exceeding the link MTU invokes an ICMP "packet too big" back to the source; the message includes the offending link MTU value
  - The MTU is then cached by the source for that specific destination

  Function            IPv4                   IPv6
  Address Assignment  DHCPv4                 DHCPv6, SLAAC, Reconfiguration
  Address Resolution  ARP, RARP              ICMPv6 NS, NA (RARP not used)
  Router Discovery    ICMP Router Discovery  ICMPv6 RS, RA
  Name Resolution     DNS                    DNS
• Autoconfiguration is used to automatically assign an address to a host ("plug and play")
  - Generating a link-local address
  - Generating global addresses via stateless address autoconfiguration
  - Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
• Example: host A (MAC 00:2c:04:00:fe:56) and router R1
  1. Host A sends an RS
  2. R1 answers with an RA (Ethernet DA/SA: Router R2 / Host A; Prefix Information: 2001:db8:face::/64; Default Router: Router R1)
  3. Host A runs DAD
  - The autoconfigured address comprises the received prefix + link-layer address, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56

• DNS is a database managing Resource Records (RR)
  - Storage of RR for various types, IPv4 and IPv6: Start of Authority (SoA), Name Server, Address (A and AAAA), Pointer (PTR)
• DNS is an IP application: uses either UDP or TCP on top of IPv4 or IPv6
• References
  - RFC 3596: DNS Extensions to Support IP Version 6
  - RFC 3363: Representing Internet Protocol Version 6 Addresses in the Domain Name System (DNS)
  - RFC 3364: Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6)

• Hostname to IP address
  - IPv4, A record: www.abc.test. IN A 192.168.30.1
  - IPv6, AAAA record (Quad A): www.abc.test. IN AAAA 2001:db8:C18:1::2
• IP address to hostname
  - IPv4, PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
  - IPv6, PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
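The reverse-lookup names above, generated rather than typed by hand, as an added example that is not part of the deck: every nibble of the full-format address is reversed under ip6.arpa, which is why the leading zeros must not be dropped first. The names and addresses are the slide's own; the reverse-zone helper for a prefix is an addition.

```python
"""Added example (not from the Cisco deck): build the reverse-lookup owner
names the slide shows for in-addr.arpa and ip6.arpa, plus the delegated
reverse zone name for an IPv6 prefix. Names and addresses are the slide's own."""
import ipaddress


def ptr_name(addr: str) -> str:
    """IPv4: reversed octets under in-addr.arpa. IPv6: all 32 nibbles of the
    full-format address, reversed, under ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")     # leading zeros must be kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_record(addr: str, hostname: str) -> str:
    """Zone-file line mapping addr back to hostname."""
    return f"{ptr_name(addr)} PTR {hostname}"


def reverse_zone(prefix: str) -> str:
    """Owner name of the reverse zone for an IPv6 prefix cut on a nibble
    boundary, e.g. 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations happen on 4-bit boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```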
Domain name with an IPv6 address only (mSecs = milliseconds between the last packet sent and this one)
  mSecs  Source          Destination     Prot  Info
  0.000  64.104.197.141  64.104.200.248  DNS   Standard query A ipv6.google.com
  0.158  64.104.200.248  64.104.197.141  DNS   Standard query response CNAME ipv6.l.google.com
  0.000  64.104.197.141  64.104.200.248  DNS   Standard query AAAA ipv6.google.com
  0.135  64.104.200.248  64.104.197.141  DNS   Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68
  - Initial query over IPv4 for the IPv4 A record
  - The DNS response refers to an alias/canonical address
  - The host immediately sends a request for the AAAA record (original FQDN)
  - The IPv6 address of the canonical name is returned

Domain name with both addresses
  mSecs  Source                 Destination            Prot    Info
  0.000  64.104.197.141         64.104.200.248         DNS     Standard query A www.apnic.net
  0.017  64.104.200.248         64.104.197.141         DNS     Standard query response A 202.12.29.211
  0.000  64.104.197.141         64.104.200.248         DNS     Standard query AAAA www.apnic.net
  0.017  64.104.200.248         64.104.197.141         DNS     Standard query response AAAA 2001:dc0:2001:11::211
  0.001  2001:420:1:fff:2       2001:dc0:2001:11::211  ICMPv6  Echo request (Unknown (0x00))
  0.023  2001:dc0:2001:11::211  2001:420:1:fff::2      ICMPv6  Echo reply (Unknown (0x00))
  - Initial query over IPv4 for the IPv4 A record; the IPv4 address is returned
  - The host immediately sends a request for the AAAA record; the IPv6 address of the FQDN is returned
  - The host prefers the IPv6 address (configurable)

• Stateful DHCPv6 (RFC 3315): allows DHCP to allocate an IPv6 address plus other configuration parameters (DNS, NTP etc.)
• Stateless DHCPv6 (RFC 3736): combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP
• RA messages contain flags that indicate the address allocation combination (A, M and O bits): use SLAAC only, use stateful DHCPv6, or use SLAAC and DHCPv6 for other options
• Stateful DHCPv6 example: host A, Router 1 (DHCPv6 relay), DHCP server, prefix 2001:db8:face::/64
  1. Router 1 sends an RA
  2. Host A sends a DHCP Solicit to FF02::1:2 (All DHCP Relays)
  3. The DHCP server returns 2001:db8:face::1/64, DNS1, DNS2, NTP
  - RA flags: A bit (address config flag) set to 0: do not use SLAAC for host config; M bit (managed address configuration flag) set to 1: use DHCPv6 for the host IPv6 address; O bit (other configuration flag) set to 1: use DHCPv6 for additional info (DNS, NTP)

• Stateless DHCPv6 example: same topology
  1. Router 1 sends an RA with on-link prefix 2001:db8:face::/64
  2. Host A autoconfigures 2001:db8:face::22c:4ff:fe00:fe56
  3. Host A sends a DHCP Solicit to FF02::1:2 for options only
  4. The DHCP server returns DNS1, DNS2, NTP
  - RA flags: A bit set to 1: use SLAAC for host address config (2001:db8:face::/64); M bit set to 0: do not use DHCPv6 for the IPv6 address; O bit set to 1: use DHCPv6 for additional info (DNS, NTP)

• IGP: RIPng (RFC 2080), Cisco EIGRP for IPv6, Integrated IS-ISv6 (RFC 5308), OSPFv3 (RFC 5340)
• EGP: MP-BGP4 (RFC 2858) and Using MP-BGP for IPv6 (RFC 2545)
• Cisco IOS supports all IPv6 routing protocols

OSPFv3 example: Router 1 has POS1/1 facing Area 0 and POS2/0 (2001:db8:ffff:1::2/64) in Area 1; Router 2 has POS3/0 (2001:db8:ffff:1::1/64) in Area 1
Router1#
  interface POS1/1
   ipv6 address 2001:410:FFFF:1::1/64
   ospfv3 100 area 0 ipv6
  !
  interface POS2/0
   ipv6 address 2001:db8:FFFF:1::2/64
   ospfv3 100 area 1 ipv6
  !
  router ospfv3 100
   router-id 0.0.0.3
Router2#
  interface POS3/0
   ipv6 address 2001:db8:FFFF:1::1/64
   ospfv3 100 area 1 ipv6
  !
  router ospfv3 100
   router-id 0.0.0.3
Annotations: POS1/1 (2001:410:ffff:1::1/64) enables IPv6 facing Area 0; POS2/0 and POS3/0 are the interlink connection (could use link-local); the router-id is a 32-bit ID specified in dotted decimal notation. The slide shows router-id 0.0.0.3 on both routers; in practice each OSPFv3 router needs a distinct router-id.

• Default subnets in IPv6 have 2^64 addresses: at 10 Mpps a sweep takes more than 50 000 years
• NMAP doesn't even support ping sweeps on IPv6 networks

• Public servers will still need to be DNS reachable => more information collected by Google...
• Increased deployment/reliance on dynamic DNS => more information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Administrators may adopt easy-to-remember addresses (::1, ::2, ::F00D, ::C5C0 or simply the IPv4 last octet for dual stack)
• By compromising hosts in a network, an attacker can learn new addresses to scan
• Transition techniques (see further) derive the IPv6 address from the IPv4 address => can scan again

• Viruses and email, IM worms: IPv6 brings no change
• Other worms
  - IPv4: reliance on network scanning
  - IPv6: not so easy (see reconnaissance) => will use alternative techniques
  - Worm developers will adapt to IPv6
  - IPv4 best practices around worm detection and mitigation remain valid

Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuring
1. RS: Src = ::, Dst = All-Routers multicast address, ICMP Type = 133, Data = Query: please send RA
2. R
A: Src = Router link-local address, Dst = All-nodes multicast address, ICMP Type = 134, Data = options, prefix, lifetime, autoconfig flag
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none)
Attack tool: fake_router6 can make any IPv6 address the default router

Security mechanisms built into the discovery protocol = none => very similar to ARP
1. A -> B: Src = A, Dst = solicited-node multicast of B, ICMP type = 135, Data = link-layer address of A. Query: what is your link address?
2. B -> A: Src = B, Dst = A, ICMP type = 136, Data = link-layer address of B
A and B can now exchange packets on this link
Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN...

• SEMI-BAD NEWS: nothing yet like dynamic ARP inspection for IPv6
  - First phase (Port ACL & RA Guard) available since Summer 2010: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
• GOOD NEWS: Secure Neighbor Discovery
  - SEND = NDP + crypto, IOS 12.4(24)T
  - But not in Windows Vista, 2008 and 7
  - Crypto means slower...
• Other GOOD NEWS
  - Private VLAN works with IPv6
  - Port security works with IPv6
  - 802.1x works with IPv6

• Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts
  interface FastEthernet3/13
   switchport mode access
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port
• RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port
  interface FastEthernet3/13
   switchport mode access
   ipv6 nd raguard
   access-group mode prefer port
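Decoding the Router Advertisement fields that the A/M/O-bit slides and the RS/RA exchange above rely on, as an added example that is not part of the deck: it reads the M and O bits from the ICMPv6 RA header and the A (autonomous) bit from the Prefix Information option, then names which of the slides' three allocation modes a receiving host would follow. The same decoder is what a monitoring tool would apply to an RA seen on an access port before RA Guard is in place. The RA bytes are constructed here, not captured; the checksum is left at zero.

```python
"""Added example (not from the Cisco deck): decode the M and O bits of a
Router Advertisement and the A bit of its Prefix Information option, then
say which of the slide's allocation modes a host follows. RA bytes are
constructed, not captured (checksum left at zero)."""
import ipaddress
import struct

RA_TYPE, PREFIX_INFO = 134, 3


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Constructed ICMPv6 RA: 16-byte header (hop limit 64, router lifetime
    1800 s) plus one 32-byte Prefix Information option with L set."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)     # M, O
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)                   # L, A
    pio = struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0)                          # valid, preferred, reserved
    return head + pio + net.network_address.packed


def decode_ra(ra: bytes) -> dict:
    """Flags, prefixes and the resulting host behaviour for one RA."""
    if len(ra) < 16 or ra[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    m, o = bool(ra[5] & 0x80), bool(ra[5] & 0x40)
    prefixes, off = [], 16
    while off + 2 <= len(ra):                    # options are TLVs, length in 8-octet units
        otype, olen = ra[off], ra[off + 1] * 8
        if olen == 0 or off + olen > len(ra):
            raise ValueError("malformed RA option")   # a zero length would loop forever
        if otype == PREFIX_INFO and olen == 32:
            plen, pflags = ra[off + 2], ra[off + 3]
            prefix = ipaddress.IPv6Address(ra[off + 16:off + 32])
            prefixes.append({"prefix": f"{prefix}/{plen}",
                             "on_link": bool(pflags & 0x80),
                             "autonomous": bool(pflags & 0x40)})
        off += olen
    slaac = any(p["autonomous"] for p in prefixes)
    if m and slaac:
        mode = "DHCPv6 stateful + SLAAC"          # both an RA prefix with A=1 and M=1
    elif m:
        mode = "DHCPv6 stateful"                  # address and options from DHCPv6
    elif slaac and o:
        mode = "SLAAC + stateless DHCPv6"         # address by SLAAC, DNS/NTP from DHCPv6
    elif slaac:
        mode = "SLAAC only"
    else:
        mode = "no automatic address"             # M=0 and no prefix with A=1
    return {"M": m, "O": o, "prefixes": prefixes, "mode": mode}
```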
• Significant changes
• More relied upon
  ICMP Message Type                  ICMPv4  ICMPv6
  Connectivity Checks                X       X
  Informational/Error Messaging      X       X
  Fragmentation Needed Notification  X       X
  Address Assignment                         X
  Address Resolution                         X
  Router Discovery                           X
  Multicast Group Management                 X
  Mobile IPv6 Support                        X
• => ICMP policy on firewalls needs to change

• Rogue clients and servers can be mitigated by using the authentication option in DHCPv6
  - There are not many DHCPv6 client or server implementations using this today
• Port ACL can block DHCPv6 traffic from client ports
  deny udp any eq 547 any eq 546

• Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding: flooding attacks are identical between IPv4 and IPv6

• Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
• Sniffers/packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap
• DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
• Packet forgers: Scapy6, SendIP, Packit, Spak6
• Complete tool: http://www.thc.org/thc-ipv6/

• IPv6 does not require the use of IPsec
• Some organizations believe that IPsec should be used to secure all flows...
  - Interesting scalability issue (n^2 issue with IPsec)
  - Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  - IOS 12.4(20)T can parse the AH
  - Network telemetry is blinded: NetFlow of little use
  - Network services hindered: what about QoS?
• Recommendation: do not use IPsec end to end within an administrative domain
• Suggestion: reserve IPsec for residential or hostile environments or high-profile targets

• 16+ transition methods, possibly in combination
• Dual stack
  - Consider security for both protocols
  - Cross v4/v6 abuse
  - Resiliency (shared resources)
• Tunnels
  - Bypass firewalls (protocol 41 or UDP)
  - Can cause asymmetric traffic (hence breaking stateful firewalls)

• Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)
• Your network: does not run IPv6
• Your assumption: I'm safe
• Reality: you are not safe
  - An attacker sends Router Advertisements
  - Your host silently configures IPv6
  - You are now under IPv6 attack
• => Probably time to think about IPv6 in your network

• So, nothing really new in IPv6
  - Reconnaissance: address enumeration replaced by DNS enumeration
  - Spoofing & bogons: uRPF is our IP-agnostic friend
  - NDP spoofing: RA guard, and more features coming
  - ICMPv6: firewalls need to change policy to allow NDP
  - Extension headers: firewall & ACL can process them
  - Amplification attacks by multicast mostly impossible
  - Potential loops between tunnel endpoints: ACL must be used
• Lack of operational experience may hinder security for a while: training is required
• Security enforcement is possible: control your IPv6 traffic as you do for IPv4
• Leverage IPsec to secure IPv6 when suitable
• Easy to check!
• Look inside NetFlow records
  - Protocol 41: IPv6 over IPv4 or 6to4 tunnels
  - IPv4 address 192.88.99.1 (the 6to4 anycast server)
  - UDP 3544, the public part of Teredo, yet another tunnel
• Look into the DNS server log for resolution of ISATAP
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW

Thank you.
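The NetFlow and DNS-log checks listed above, run over sample records, as an added example that is not part of the deck: it flags protocol 41 flows (6to4 when the destination is the 192.88.99.1 anycast server), Teredo on UDP 3544, and ISATAP name lookups, and reports which internal hosts show tunnel activity. The flow records, DNS log lines and log format are constructed; a real collector export would need its own field mapping.

```python
"""Added example (not from the Cisco deck): scan constructed NetFlow-style
records and DNS log lines for the IPv6-in-IPv4 tunnel indicators the slide
lists (protocol 41, 6to4 anycast 192.88.99.1, Teredo UDP 3544, ISATAP names)."""
import re

SIXTOFOUR_ANYCAST = "192.88.99.1"   # 6to4 anycast server, from the slide
TEREDO_PORT = 3544                  # public Teredo port, from the slide
PROTO_41, PROTO_UDP = 41, 17

# Constructed sample flow records: (src, dst, proto, sport, dport, bytes)
FLOWS = [
    ("10.1.1.20", "192.88.99.1", PROTO_41, 0, 0, 1200),
    ("10.1.1.21", "203.0.113.9", PROTO_41, 0, 0, 800),
    ("10.1.1.22", "198.51.100.7", PROTO_UDP, 53121, TEREDO_PORT, 300),
    ("10.1.1.23", "10.1.1.5", 6, 44000, 443, 5000),
]
# Constructed DNS query log lines (format is an assumption, not a real server's)
DNS_LOG = [
    "client 10.1.1.24 query: isatap.corp.example A",
    "client 10.1.1.25 query: www.example A",
]
ISATAP_QUERY = re.compile(r"client (\S+) query: (isatap\.\S+)", re.IGNORECASE)


def classify_flow(src, dst, proto, sport, dport, nbytes):
    """Return the tunnel indicator for one flow, or None for ordinary traffic."""
    if proto == PROTO_41:
        kind = "6to4" if dst == SIXTOFOUR_ANYCAST else "IPv6 over IPv4 (proto 41)"
        return {"src": src, "dst": dst, "indicator": kind}
    if proto == PROTO_UDP and TEREDO_PORT in (sport, dport):
        return {"src": src, "dst": dst, "indicator": "Teredo (UDP 3544)"}
    return None


def tunnel_hosts(flows=FLOWS, dns_log=DNS_LOG) -> dict:
    """Map each internal host to the set of tunnel indicators seen for it."""
    hits = {}
    for rec in flows:
        hit = classify_flow(*rec)
        if hit:
            hits.setdefault(hit["src"], set()).add(hit["indicator"])
    for line in dns_log:
        m = ISATAP_QUERY.search(line)
        if m:
            hits.setdefault(m.group(1), set()).add(f"ISATAP lookup {m.group(2)}")
    return hits
```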