2.ipv6 deployment bn · 2019-10-02 · ipv6 deployment workshop bandar seri begawan, brunei 01...
TRANSCRIPT
10/2/19
IPv6 Deployment Workshop
Bandar Seri Begawan, Brunei, 01 October 2019
Content
• IPv6 Transition Mechanisms
• IPv6 Security
IPV6 TRANSITION TECHNIQUES (Module 2)
IPv6 in Mobile Networks: Technology
Carrier | Economy | Deployment
Reliance Jio | India | Dual stack in 2016
SK Telecom | Korea | 464XLAT in 2014
Telstra | Australia | 464XLAT since 2016
T-Mobile | USA | 464XLAT in 2012
Verizon Wireless | USA | Dual stack in 2011
Dual-stack
[Figure: dual-stack network]
Dual-stack
• Does not solve the IPv4 (public) depletion issue
  – Still need to use CG-NAT to access IPv4-only sites
• But effective, and the only viable/scalable way forward
  – IPv6 native access to most of the major content providers
  – None of the scalability issues of v4 CG-NAT
Dual-stack in mobile networks
• Does not solve the IPv4 (public) depletion issue
  – Still need to use CG-NAT to access IPv4-only sites
• But effective, and the only viable and scalable way forward
  – IPv6 native access to most of the major content providers
  – None of the scalability issues of v4 CG-NAT
  – And of course, no DNSSEC issues
464XLAT (RFC6877)
[Figure: 464XLAT architecture. The end host runs a CLAT (NAT46) that serves IPv4 sockets (v4p) over an IPv6-only access network (IPv6 core, GGSN). A PLAT (NAT64) at the provider edge translates to the IPv4 Internet; the IPv6 Internet is reached natively; DNS64 synthesises AAAA records for IPv4-only names. IPv4-embedded IPv6 addresses: IPv6 /96 prefix + 32-bit IPv4 address (RFC6052). Stateless NAT64 (RFC6145), stateful NAT64 (RFC6146); well-known prefix 64:ff9b::/96.]
CLAT (stateless translation, NAT46 direction; RFC6145, since obsoleted by RFC7915)
• When an IPv4 connection is required (an IPv4 socket)
  – The CLAT function provides a private IPv4 address (and a default route for applications to bind to)
  – A dedicated prefix (/64 or /96) for stateless translation (DHCPv6)
  – Must know the PLAT-side translation prefix
  – Routes connections to the PLAT (stateful NAT64)
  – 1:1 mapping
  – 2406:6400::[v4p in HEX] (RFC6052)
DNS64 (RFC6147)
• Generates AAAA records from A records
  – Allows an IPv6-only client to talk to IPv4 hosts
  – If an AAAA record exists, no synthesis
  – If only an A record exists for the queried name (after the recursive query), synthesise an AAAA record
[Figure: DNS64 exchange. Client sends "AAAA query: test.com" to the DNS64 resolver; DNS64 sends an AAAA query to the authoritative DNS and receives an empty response; DNS64 then sends an A query and receives 192.168.2.10; DNS64 answers the client with the synthesised AAAA 2406:6400::C0A8:20A.]
DNS64 Example
• DNS64 options statement in BIND 9.8 and later
• https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html
  – mapped: which IPv4 addresses (A records) are to be mapped
  – exclude: list of IPv6 addresses to ignore if they appear in the domain's AAAA records (synthesise from the NAT64 prefix + v4 address instead)
  – break-dnssec yes: by default the DNS64 module does not process secure queries (DO = 1) or responses; break-dnssec yes overrides this default.
• However, the synthesised response will not have any DNSSEC records added and therefore cannot be validated by the client!

  dns64 2406:6400::/96 {
      clients { any; };
      mapped { !rfc1918; any; };   (rfc1918 is an acl you define yourself)
      exclude { 0::/3; 2001:DB8::/32; };
      break-dnssec yes;
  };
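The CLAT mapping and the DNS64 synthesis above both use the RFC 6052 embedding. Added worked example, not from the workshop deck or from BIND: a Python implementation of the embedding for every prefix length RFC 6052 allows, the reverse extraction a PLAT performs, and the DNS64 answer rule of RFC 6147 with the BIND-style exclude and mapped lists and the DO-bit/break-dnssec behaviour. The prefix 2406:6400::/96 and the record sets used are constructed test inputs.

```python
"""Added example, not from the workshop deck or from BIND: RFC 6052
IPv4-embedded IPv6 addresses (the CLAT's stateless mapping and DNS64's
synthesised AAAA use the same encoding) plus the DNS64 answer rule of
RFC 6147 with BIND-style 'exclude', 'mapped' and DO-bit handling."""
import ipaddress

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)   # the only lengths RFC 6052 allows


def embed_ipv4(prefix, ipv4):
    """IPv6 address that embeds ipv4 in prefix (RFC 6052 section 2.2).
    Byte 8 (bits 64-71, the 'u' octet) must stay zero, so for prefixes
    shorter than /96 the IPv4 octets are written around it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"{prefix}: not an RFC 6052 prefix length")
    out = bytearray(net.network_address.packed)   # prefix bits, rest zero
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:
            pos += 1                               # skip the reserved 'u' octet
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Inverse of embed_ipv4: recover the IPv4 address a PLAT/NAT64 would use."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside the translation prefix {prefix}")
    raw, pos, octets = addr.packed, net.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def dns64_answer(a_records, aaaa_records, prefix, exclude=(), mapped_exclude=(),
                 do_bit=False, break_dnssec=False):
    """AAAA set a DNS64 resolver returns (RFC 6147 section 5.1).
    - real AAAA records win unless every one of them is in an 'exclude' range;
    - A records inside 'mapped_exclude' (BIND: mapped { !rfc1918; any; }) are not synthesised;
    - with DO=1 from the client, synthesis only happens when break_dnssec is set,
      and the result then carries no RRSIG the client could validate."""
    excl = [ipaddress.IPv6Network(e) for e in exclude]
    usable = [str(ipaddress.IPv6Address(a)) for a in aaaa_records
              if not any(ipaddress.IPv6Address(a) in n for n in excl)]
    if usable:
        return usable
    if do_bit and not break_dnssec:
        return []                                  # BIND default: leave secure queries alone
    skip = [ipaddress.IPv4Network(m) for m in mapped_exclude]
    return [str(embed_ipv4(prefix, a)) for a in a_records
            if not any(ipaddress.IPv4Address(a) in n for n in skip)]
```

The first three cases from the RFC 6052 examples table (prefixes /32, /40, /48 embedding 192.0.2.33) are good sanity checks for the 'u' octet handling; a resolver that gets the /64 case wrong produces addresses the PLAT cannot map back.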
PLAT (stateful NAT64, RFC6146)
• IPv6 to IPv4 translation (public)
  – and vice versa
  – a binding is maintained for every translation
• Needs a return path
  – N:1 mapping (conserves IPv4)
  – 2406:6400::[v4p in HEX] to [v4]:port (~PAT)
Stateful NAT64 (v6-only to v4-only 'Internet')
[Figure: mobile phone (CLAT/NAT46, v4 sockets, v6) -> IPv6 mobile core / GGSN -> PLAT (NAT64) -> IPv4 Internet, with DNS64. Over IPv6: Src 2406:6400::9, Dst [2406:6400::C0A8:20A]:80. PLAT IPv4 pool 202.70.77.1-30. Over IPv4: Src 202.70.77.1:6435, Dst 192.168.2.10:80 (test.com).]
Stateless NAT64 (v4 to v4, literal IPs)
[Figure: mobile phone (CLAT/NAT46, v4 sockets, v6) -> IPv6 mobile core / GGSN -> PLAT (NAT64) -> IPv4 Internet. Stateless XLATE prefix (CLAT side): 2406:6400:EEEE::/96; PLAT-side XLATE prefix: 2406:6400:AAAA::/96. v4p address (Src): 192.168.12.99, Dst 202.69.185.252:80. Over IPv6: Src 2406:6400:EEEE::C0A8:C63, Dst [2406:6400:AAAA::CA45:B9FC]:80. PLAT IPv4 pool 202.70.77.1-30. Over IPv4: Src 202.70.77.1:888, Dst 202.69.185.252:80.]
NAT64/DNS64 public test
• Go6lab's NAT64/DNS64 public testing
  – https://go6lab.si/current-ipv6-tests/nat64dns64-public-test/
  – http://www.internetsociety.org/deploy360/blog/2016/08/new-nat64dns64-implementations-available-for-public-testing-in-go6lab/
IPv6 and Mobile devices
• Android supports 464XLAT since 4.4 (KitKat)
• iOS supports IPv6 over the mobile interface since iOS 9 (it has supported IPv6 on WiFi for a long time!)
  – All apps submitted to the App Store must work on IPv6-only networks since June 2016
  – https://developer.apple.com/support/ipv6/
IPv6 Tethering
• RFC6653: DHCPv6-PD for Mobile Networks
  – 3GPP Rel-10
• RFC7278: Extending an IPv6 /64 prefix from the mobile interface to the LAN
  – "Flaky" support since Android 6.0 (Marshmallow)
  – Stop-gap until DHCPv6-PD
References
• IPv6 in Mobile Networks (Telstra): Sunny Yeung, Senior Technology Specialist, presentation at APNIC41 (Feb 2016), https://conference.apnic.net/data/41/yeung.-s-tutorial-apricot-2016_1455689286.pdf
• 464XLAT: Breaking free of IPv4 (T-Mobile): Cameron Byrne's presentation at SANOG23 (Jan 2014), http://www.sanog.org/resources/sanog23/SANOG23_464XLAT.pdf
Broadband Network (IPv4)
[Figure: CPE/RG (home LAN, end-user NAT) -> DSLAM -> BRAS/BNG; PPP access request and response (Accept/Reject) via RADIUS (AAA); DHCP server on the BRAS; LSN/CGN centralised.]
IPv6 over PPP (RFC2472)
• Link Control Protocol (LCP) same as in IPv4
  – Establish the connection, agree packet sizes (MTU/MSS)
• Authentication same as IPv4
  – (PAP/CHAP)
• The Network Control Protocol (NCP) for IPv6 is IPV6CP
  – Chooses the network protocol (IPv6)
  – Options:
    • Interface Identifier (to negotiate the 64-bit interface ID for SLAAC)
    • Compression Protocol (ability to receive compressed packets)
[Figure: IPv6 over PPP between CPE/RG, DSLAM and BRAS/BNG]
IPv6 CPE WAN
• CPE IPv6 address
  – SLAAC based on the RA (with the 'O' flag set for DNS), or
  – use the link-local, or
  – DHCPv6 over PPP
• How will home devices get an IPv6 address?
  – Proxy RA?

  ipv6 nd prefix 2400:db8::/64
  no ipv6 nd ra suppress
  ipv6 nd other-config-flag

[Figure: ND-RA over PPP and DHCPv6 over PPP between CPE/RG (home LAN), DSLAM, BRAS/BNG and the DHCPv6 server]
IPv6 on Home LAN (DHCPv6-PD: RFC 3633)
• CPE requests a prefix from the BRAS (delegating router)
  – DHCPv6 messages over PPP
  – BRAS delegates a /64 prefix from the pool to the CPE
• ND-RA to home devices by the CPE
  – Auto-configure IPv6 addresses (SLAAC) using the delegated prefix

  ipv6 local pool PD-POOL 2001:db8::/60 64
  ipv6 dhcp pool DHCPv6-PD-POOL
   prefix-delegation pool PD-POOL
   dns-server 2001:db8::1

(A /60 pool sliced into /64s yields only 16 delegations; production pools are far larger, and delegating a /56 or /48 rather than a single /64 lets the home network have more than one subnet.)
[Figure: DHCPv6-PD over PPP (2001:db8::/64 delegated) from BRAS/BNG (DHCPv6 server) to CPE/RG; RA from the CPE to the home LAN]
DHCPv6 (RFC3315)
• RA message:
  – A (autonomous) flag set by default: SLAAC
  – If the O (other) flag is set: stateless DHCPv6
    • auto-generate the IPv6 address (IPv6 prefix and prefix length from the RA)
    • obtain other information (DNS server, domain) via DHCPv6
  – If the M (managed) flag is set:
    • obtain all addressing information via DHCPv6
    • the 'O' flag is redundant
DHCPv6 (RFC3315)
[Figure: four-message exchange between the IPv6 client and the DHCPv6 server: Solicit (Client-Id) -> Advertise -> Request -> Reply]
• DHCPv6 uses DUID + IAID as the Client-Id
  – Servers will drop any Solicit message without a Client-Id
• Be wary of duplicate DUIDs!
  – The DUID uniquely identifies the client; the IAID identifies each interface on the host, and addresses are associated (IA) per interface (one IA per interface)
  – Have a look at "The Story of IPv6 at FPT Telecom" @APRICOT2017
• DUID types:
  – Link-layer address, Link-layer + Time, Enterprise number (vendor)
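Added example, not from the deck: a decoder for the three RFC 3315 DUID types and a check for the duplicate-DUID condition the slide warns about, where several subscriber sessions present the same DUID+IAID and so collide on a single binding at the server. The sample leases (session names, a cloned DUID-LL, an enterprise number) are constructed for the example.

```python
"""Added example, not from the deck: decode DHCPv6 DUIDs (RFC 3315 s.9)
and flag the duplicate-DUID condition, where several subscriber sessions
present the same DUID+IAID and therefore collide on one binding."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3            # DUID-UUID (4, RFC 6355) not handled
LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base


def parse_duid(raw):
    """Decode a DUID; raise ValueError if truncated or of unknown type."""
    if len(raw) < 4:
        raise ValueError("DUID too short")
    dtype = struct.unpack_from("!H", raw)[0]
    if dtype == DUID_LLT and len(raw) > 8:
        hwtype, secs = struct.unpack_from("!HI", raw, 2)
        return {"type": "LLT", "hwtype": hwtype,
                "time": (LLT_EPOCH + timedelta(seconds=secs)).isoformat(),
                "lladdr": raw[8:].hex(":")}
    if dtype == DUID_EN and len(raw) > 6:
        return {"type": "EN", "enterprise": struct.unpack_from("!I", raw, 2)[0],
                "id": raw[6:].hex()}
    if dtype == DUID_LL and len(raw) > 4:
        return {"type": "LL", "hwtype": struct.unpack_from("!H", raw, 2)[0],
                "lladdr": raw[4:].hex(":")}
    raise ValueError(f"unknown or truncated DUID (type {dtype}, {len(raw)} bytes)")


def find_duplicate_duids(leases):
    """leases: iterable of (session, duid_bytes, iaid). Returns
    {(duid_hex, iaid): sorted sessions} for every client identity seen on
    more than one session; those sessions overwrite each other's binding."""
    seen = defaultdict(set)
    for session, duid, iaid in leases:
        seen[(duid.hex(), iaid)].add(session)
    return {key: sorted(s) for key, s in seen.items() if len(s) > 1}


# Constructed sample leases (not real data): two CPEs shipped with a cloned
# DUID-LL and the same fixed IAID, one proper DUID-LLT, one vendor DUID-EN.
CLONED = bytes.fromhex("0003" "0001" "aabbccddeeff")             # DUID-LL, hwtype 1
UNIQUE = bytes.fromhex("0001" "0001" "00000000" "001122334455")  # DUID-LLT, time 0
VENDOR = bytes.fromhex("0002" "00000009" "0c0c0c")               # DUID-EN, enterprise 9
SAMPLE_LEASES = [
    ("pppoe-session-1", CLONED, 1),
    ("pppoe-session-2", CLONED, 1),
    ("pppoe-session-3", UNIQUE, 1),
    ("pppoe-session-4", VENDOR, 1),
]
```

Running find_duplicate_duids over a lease dump from the BNG is the quick way to spot a batch of CPEs with cloned identifiers before it turns into address churn; the fix is on the CPE side (a DUID-LLT or DUID-EN derived from the unit), not on the server.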
RADIUS attributes for IPv6 (RFC6911)
• Framed-IPv6-Prefix:
  – Which prefix was delegated to the LAN side of the CPE
• Framed-Interface-Id:
  – Used for accounting, and also indicates what address will be used on the WAN side through RA
• Note: Framed-IPv6-Prefix and Framed-Interface-Id are RFC3162 attributes; a prefix handed out via DHCPv6-PD is strictly carried in Delegated-IPv6-Prefix (RFC4818), and RFC6911 adds the IPv6 address-pool, DNS and route attributes on top of those.
[Figure: RADIUS (AAA) and BRAS/BNG exchange: Access-Request (username, password, NAS; Framed-Interface-Id); Access-Accept/Reject; Accounting Start/Stop (Framed-IPv6-Prefix, Framed-Interface-Id)]
Putting it together
[Figure: sequence between CPE, BRAS (DHCPv6) and RADIUS (AAA):
 1. PPPoE: LCP; Access-Request / Access-Accept (RADIUS); NCP (IPv6CP); NCP Open
 2. DHCPv6 over the session: Solicit, Advertise, Request, Reply
 3. Accounting Start (RADIUS)
 4. IPv6 traffic over the session]
Deployment Planning
• Assess your network
  – Do the existing network nodes support IPv6?
    • What requires updating (hw/sw)?
    • What needs upgrading/replacing (hw)?
  – Talk to your vendor!
• Clean up your network
  – Remove unused configs/interfaces/BCPs/etc.
    • Mistakes in v4 could get carried over to v6
• Get your IPv6 addresses: very easy
• Address planning: not difficult
• Do you have in-house skills or do you need consulting?
  – Talk to the community: many are willing to help!!
Deployment Planning (2)
• Start from the backbone: not so complicated
  – Transit ready?
    • Dual stack or tunnel?
• Deploy for enterprise customers: not difficult
• Deploy in the access network
  – Both financial and technical assessment required!!
    • Vendors and "IPv6 consultants" will tell you otherwise
  – Mobile: IPv6 PDP licence
    • Either IPv6-only or dual-stack (IPv4v6)
  – Wired broadband:
    • MSANs, DSLAMs, OLTs should carry the IPv6 ether-type (do not assume)
    • CPEs, wireless routers, APs: https://getipv6.info/display/IPv6/Broadband+CPE
IPV6 SECURITY (Module 3)
Remember Extension Headers?
• IPv6 allows optional Extension Headers between the IPv6 header and the upper-layer header
  – Allows adding new features to the IPv6 protocol without major re-engineering
[Figure: IPv6 Header (Next Header = 6) | TCP header + data; versus IPv6 Header (Next Header = 44) | Fragment header (Next Header = 6) | TCP header + data]
Next Header values: 0 Hop-by-Hop Options; 6 TCP; 17 UDP; 43 Routing (type 0 deprecated by RFC5095); 44 Fragment; 50 Encapsulating Security Payload; 51 Authentication Header; 58 ICMPv6; 59 No Next Header; 60 Destination Options
Extension Headers
Next Header | Name | Function | Remarks
0 | Hop-by-Hop Options | Carries additional information (e.g. RSVP, Router Alert) | Must be examined by every node along the path
43 | Routing Header | Lists nodes to be visited on the way to the destination | Type 0 (RH0) deprecated by RFC 5095
44 | Fragment Header | Fragments packets that do not fit the path MTU | Inserted by the source node only
60 | Destination Options | Carries optional information | Examined only by the destination node
EHs: security nightmare?
• RFC8200 states:
  – "Extension headers (except for the Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node"
  – So firewalls (stateful/stateless) should not inspect them?
  – But destination nodes must accept and process EHs...
    • "in any order and occurring any number of times in the same packet"
EHs: security nightmare?
• The number of EHs is NOT limited
• The number of options within an Options header (Hop-by-Hop and Destination) is NOT limited
• The order of EHs is NOT mandated (only a recommendation)
  – RFC2460/8200: "it is recommended that those headers appear in the following order"
Possible EH threat: covert channel
• Use an EH as a covert channel to exchange information (payload) undetected
• Mitigation:
  – Drop unknown EHs
  – Which means you need to inspect EHs
[Figure: IPv6 Header (Next Header = EH) | EH carrying hidden data (Next Header = 6) | TCP header + data]
Possible EH threat: unlimited EHs
• Send packets with a huge number of EHs
  – The EH chain itself is fragmented (L4 information could appear in the Nth fragment)
  – Overwhelm the destination node (DoS)
  – Evade IPS/IDS/firewall
[Figure: several fragments, each an IPv6 Header (Next Header = 44) followed by a long chain of EHs (EH, Next Header, EH, Next Header, ...); only the last fragment carries the TCP header + data]
EH and Fragments
• Should we DROP all IPv6 fragments?
  – How would services like DNSSEC work? (large signed responses over UDP get fragmented)
• RFC7112: "When a host fragments an IPv6 datagram, it MUST include the entire IPv6 Header Chain in the First Fragment"
  – inspect and drop
• RFC8200: "Extension headers, if any, and Upper-Layer headers MUST be in the first fragment"
[Figure: 1st fragment = IPv6 Header (Next Header = 44) | Fragment header (Next Header = 6, fragment offset) | TCP header | data (first fragment)]
EH and Fragments
• If you can't do stateful inspection, you can use proprietary solutions
  – undetermined-transport (Cisco)
    • Drops fragments that do not carry the upper-layer header in the first fragment (satisfies RFC7112/8200)
    • deny ipv6 any any undetermined-transport
  – OR, drop fragments destined for network nodes
    • But allow fragments to end users (transiting the network)
ICMPv6 is important!
http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
ICMPv6 Message Types:
• Error messages (1-127): 1 Destination Unreachable; 2 Packet Too Big (PMTUD); 3 Time Exceeded (hop limit); 4 Parameter Problem
• Informational messages: 128 Echo Request; 129 Echo Reply
• Multicast Listener Discovery (MLD/MLDv2): 130 Multicast Listener Query; 131/143 Multicast Listener Report; 132 Multicast Listener Done
• Neighbor Discovery (ND): 133 Router Solicitation; 134 Router Advertisement; 135 Neighbor Solicitation; 136 Neighbor Advertisement; 137 Redirect
• Other (Router Renumbering, Mobile IPv6, Inverse NA/NS, etc.)
Filtering ICMPv6 (perimeter)
• Filtering ICMPv6 is not straightforward
  – Block ICMPv6 and you break IPv6 (PMTUD, ND)!
• RFC4890: "ICMPv6 Filtering Recommendations"
  – Permit error messages
    • Destination Unreachable (Type 1), all codes
    • Packet Too Big (Type 2)
    • Time Exceeded (Type 3), Code 0 only
    • Parameter Problem (Type 4), Codes 1 and 2 only
  – Permit connectivity-check messages
    • Echo Request (Type 128)
    • Echo Reply (Type 129)
Filtering ICMPv6 (perimeter)
• Many recommend rate limiting ICMPv6

  ipv6 access-list ICMPv6
   permit icmp any any
  !
  class-map match-all ICMPv6
   match protocol ipv6
   match access-group name ICMPv6
  !
  policy-map ICMPv6_RATE_LIMIT
   class ICMPv6
    police 100000 200000 conform-action transmit exceed-action drop
  !
  interface fa0/0
   service-policy input ICMPv6_RATE_LIMIT

• Caveat: the class matches all ICMPv6 on the interface, so ND and PMTUD messages share the policer with echo traffic; size it so a flood from one host cannot starve them, or police only the connectivity-check types.
NDP Attacks
• Related to Neighbor Discovery (ND)
  – NDP spoofing
  – DAD DoS
• Related to Router Advertisement (RA)
  – Rogue RA
  – RA flooding
ICMPv6 Attack Tools
• THC-IPv6
  – https://www.thc.org/thc-ipv6/
• SI6 Networks IPv6 Toolkit
  – http://www.si6networks.com/tools/ipv6toolkit/
• Chiron
  – http://www.secfu.net/tools-scripts/
DAD DoS
[Figure: the client sends a Neighbor Solicitation (NS) for Duplicate Address Detection ("Is this address unique?"); the attacker answers every NS with a Neighbor Advertisement (NA) ("This address is MINE!"), so the client never gets to configure an address.]
ND Spoofing
[Figure: the client sends a Neighbor Solicitation (NS) asking for Host B's link-layer address ("What is Host B's MAC address?"); the attacker replies with a Neighbor Advertisement (NA) spoofing Host B and carrying the attacker's own MAC ("I am Host B. This is my MAC.").]
Rogue RA
[Figure: the client sends a Router Solicitation (RS); the attacker sends a Router Advertisement (RA) naming itself as the default router. Hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other information such as DNS).]
Rogue RA
[Figure: the attacker announces "I am the default router" to Host A and Host B.]
• The attacker can now intercept, listen to and modify the packets coming from Host A and B (MITM)
• Or redirect them to a site they control
Detection tools
• NDPMon
  – Can detect anomalies in RAs and NAs
    • Compares against expected/valid behaviour (config file: MAC/LLA of routers, prefixes, DNS, flags, parameters)
  – Can generate syslog events and/or email alerts, or run custom scripts
  – http://ndpmon.sourceforge.net/index.php
Mitigation tools
• RA Guard (RFC6105/7113)
  – Messages between IPv6 devices traverse the controlled L2 networking device
  – First-hop security
  – Allows or drops RA messages based on policies
Mitigation tools
• SEND (RFC3971)
  – Uses crypto to secure NDP messages
    • Uses CGA and a set of NDP options
• CGA (cryptographically generated address):
  – CGA associates a public key with an IPv6 address
    • RSA Signature option
  – The node computes the interface ID
    • using a hash function over the node's public key
  – and appends it to the IPv6 prefix: the CGA
Mitigation tools
• SEND (RFC3971)
  – The receiver recomputes the hash and compares it with the interface ID
    • Verifies the public-key binding
  – Messages sent from a CGA can be protected by attaching the public key and signing the message with the private key.
Evading mitigation tools
• RA Guard (RFC6105)
  – Can easily be circumvented
    • RA Guard relies on the ability to identify RA messages correctly
  – RFC7113: extension headers
    • Implementations that look only at the first Next Header field, not the whole EH chain, are evaded
  – EH + fragmentation (effective against RA Guard implementations that predate the RFC7113 advice: parse the whole chain, drop fragmented ND)
    • The L2 device cannot identify the RA, so the packet is allowed
[Figure: Evasion 1: IPv6 Header (NH = 60) | EH Dst_Opt (NH = 58) | fake ICMPv6 RA. Evasion 2, two fragments: Frag-1 = IPv6 Header (NH = 44) | EH Frag (NH = 60) | EH Dst_Opt (NH = 58); Frag-2 = IPv6 Header (NH = 44) | EH Frag (NH = 60) | EH Dst_Opt (NH = 58) | fake ICMPv6 RA]
Problem: mitigation tools
• SEND (RFC3971)
  – Lack of host implementations of SEND
    • NOT on iOS, Android, Mac OS X, Windows
  – Only on router OSes (C&J)
IPv6 Bogons
• IPv6 has bogons too... filter them! (The trailing ! comments are annotations, not part of the IOS config.)

  no ipv6 prefix-list v6-IN-FILTER
  ipv6 prefix-list v6-IN-FILTER deny 2001::/32 le 128      ! Teredo subnets
  ipv6 prefix-list v6-IN-FILTER deny 2001:db8::/32 le 128  ! Documentation
  ipv6 prefix-list v6-IN-FILTER deny 2002::/16 le 128      ! 6to4 subnets
  ipv6 prefix-list v6-IN-FILTER deny <your::/32> le 128    ! Your prefix
  ipv6 prefix-list v6-IN-FILTER deny 3ffe::/16 le 128      ! Old 6bone
  ipv6 prefix-list v6-IN-FILTER deny fc00::/7 le 128       ! ULA
  ipv6 prefix-list v6-IN-FILTER deny fe00::/9 le 128       ! Reserved IETF
  ipv6 prefix-list v6-IN-FILTER deny fe80::/10 le 128      ! Link-local
  ipv6 prefix-list v6-IN-FILTER deny fec0::/10 le 128      ! Site-local (deprecated)
  ipv6 prefix-list v6-IN-FILTER deny ff00::/8 le 128       ! Multicast
  ipv6 prefix-list v6-IN-FILTER permit 2000::/3 le 48      ! Global unicast, /48 or shorter
  ipv6 prefix-list v6-IN-FILTER deny ::/0 le 128
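Added example, not from the deck or from Cisco: a small evaluator that applies the v6-IN-FILTER list above to candidate routes with IOS prefix-list semantics (first match wins, exact length unless ge/le is given, implicit deny at the end), so the effect of the `le 48` on the permit line and of the ordering can be checked before the list goes on a peering session. The <your::/32> placeholder is replaced by the assumed prefix 2406:6400::/32; the test routes are constructed.

```python
"""Added example, not from the deck: evaluate an IOS-style ipv6 prefix-list
against candidate routes with first-match, ge/le and implicit-deny semantics."""
import ipaddress

# (action, prefix, ge, le) in list order; None means the qualifier is absent
V6_IN_FILTER = [
    ("deny", "2001::/32", None, 128),       # Teredo
    ("deny", "2001:db8::/32", None, 128),   # documentation
    ("deny", "2002::/16", None, 128),       # 6to4
    ("deny", "2406:6400::/32", None, 128),  # our own prefix (assumed value)
    ("deny", "3ffe::/16", None, 128),       # old 6bone
    ("deny", "fc00::/7", None, 128),        # ULA
    ("deny", "fe00::/9", None, 128),        # reserved IETF
    ("deny", "fe80::/10", None, 128),       # link-local
    ("deny", "fec0::/10", None, 128),       # site-local
    ("deny", "ff00::/8", None, 128),        # multicast
    ("permit", "2000::/3", None, 48),       # global unicast, /48 or shorter
    ("deny", "::/0", None, 128),
]


def entry_matches(entry, route):
    """IOS semantics: the route must lie inside the entry's prefix and its
    length must satisfy ge/le (exact length when neither is given)."""
    _action, prefix, ge, le = entry
    net = ipaddress.IPv6Network(prefix)
    if route.network_address not in net or route.prefixlen < net.prefixlen:
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (128 if ge is not None else net.prefixlen)
    return lo <= route.prefixlen <= hi


def evaluate(prefix_list, route):
    """Return ('permit' | 'deny', matching entry or None). Routes that match
    nothing hit the implicit deny at the end of every IOS prefix-list."""
    route = ipaddress.IPv6Network(route, strict=False)
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0], entry
    return "deny", None


def filter_routes(prefix_list, routes):
    """Split advertised prefixes into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for r in routes:
        (accepted if evaluate(prefix_list, r)[0] == "permit" else rejected).append(r)
    return accepted, rejected
```

Two things the evaluator makes visible: a customer /56 or /64 never matches the permit line because of `le 48`, so it falls through to the final deny; and fe80::/10 is caught by its own line, not by fe00::/9 (whose range ends at fe7f), so the link-local and site-local lines are not redundant.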
Aside: Bogons
• Not all IP addresses (v4 and v6) are allocated by IANA
• Addresses that should not be seen on the Internet are called "bogons" (also called "martians")
  – RFC1918 space + reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end users
• https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
• https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
Bogons
• Commonly found as source addresses of DDoS packets
• We should have ingress and egress filters for bogon routes
  – Should neither route them nor accept them from peers
• We could manually craft prefix filters based on the bogon list from IANA
  – But the bogon list is dynamic
  – New allocations are made out of reserved blocks frequently
Bogon Route Server Project
• In comes the Bogon Route Server project by Team Cymru
• Provides dynamic bogon information using eBGP multihop sessions
  – Traditional bogons (AS65333)
    • martians plus prefixes not allocated by IANA
  – Full bogons (AS65332)
    • the above plus prefixes allocated to RIRs but not yet assigned to ISPs/end users by the RIRs
• For details: http://www.team-cymru.org/bogon-reference-bgp.html
Peering with the Bogon Route Servers
• To peer with the bogon route servers
  – Write to [email protected]
• You should provide:
  • Your ASN
  • Which bogons you wish to receive
  • Your peering addresses
  • MD5 for BGP?
  • PGP public key (optional)
• It is recommended to have at least 2 (two) peering sessions for redundancy
Bogon Filter Configuration

  router bgp 17821
   neighbor cymru-bogons peer-group
   neighbor cymru-bogons remote-as 65332
   neighbor cymru-bogons description Peering with Cymru Bogon RS
   neighbor cymru-bogons ebgp-multihop 255
   neighbor cymru-bogons password <md5-pw>
   neighbor cymru-bogons update-source Loopback0
   !
   neighbor cymru-v6bogons peer-group
   neighbor cymru-v6bogons remote-as 65332
   neighbor cymru-v6bogons description Peering with Cymru IPv6 Bogon RS
   neighbor cymru-v6bogons ebgp-multihop 255
   neighbor cymru-v6bogons password <md5-pw>
   neighbor cymru-v6bogons update-source Loopback0
   !
   neighbor 2620:0:6B0:XXXX::20 peer-group cymru-v6bogons
   !
   neighbor 38.XXX.XXX.20 peer-group cymru-bogons
   !
   address-family ipv4
    neighbor cymru-bogons prefix-list DENY-ALL out
    neighbor cymru-bogons route-map CYMRU-BOGONS in
    neighbor cymru-bogons maximum-prefix 10000 90
    neighbor 38.XXX.XXX.20 activate
   !
   address-family ipv6
    neighbor cymru-v6bogons prefix-list DENYv6-ALL out
    neighbor cymru-v6bogons route-map CYMRU-v6BOGONS in
    neighbor cymru-v6bogons maximum-prefix 100000 90
    neighbor 2620:0:6B0:XXXX::20 activate

(The inbound route-maps CYMRU-BOGONS and CYMRU-v6BOGONS are defined on the next slide; without applying them the learned bogons would keep the route server as next hop instead of being null-routed.)
Bogon Filter Configuration
60
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32ipv6 prefix-list DENYv6-ALL seq 5 deny ::/0 le 128!!Define communities for Bogons!Cymru full-bogons are tagged with the community 65332:888ip bgp-community new-formatip community-list 10 permit 65332:888ip community-list 11 permit 17821:888 !our own bogon tag for iBGP peers
!Define route-map to set the next-hop address for the bogons (null routed)!Set local (no-export) community to propagate bogons to partial iBGP peers
route-map CYMRU-BOGONS permit 10match community 10set local-preference 1000set community 17821:888 no-exportset ip next-hop 192.0.2.1
!route-map CYMRU-v6BOGONS permit 10match community 10set local-preference 1000set community 17821:888 no-exportset ipv6 next-hop 2001:db8::1
!
10/2/19
31
Bogon Filter Configuration

  ! Null-route the bogon next hops (this is also needed on all iBGP peers)
  ip route 192.0.2.1 255.255.255.255 null0
  ipv6 route 2001:db8::1/128 null0
  !
  ! Define route-maps to propagate the bogons to partial iBGP peers:
  route-map iBGP-BOGONS permit 10
   description allow our bogons
   match community 11
  !
  route-map v6-iBGP-BOGONS permit 10
   description allow our bogons
   match community 11
  !
Bogon Filter Configuration
62
!Propagate bogons to all iBGP peers:
!router bgp 17821neighbor full-ibgp peer-groupneighbor full-ibgp remote-as 17821neighbor full-ibgp update-source Loopback0!neighbor full-ibgpv6 peer-groupneighbor full-ibgpv6 remote-as 17821neighbor full-ibgpv6 update-source Loopback0!neighbor rr-client peer-groupneighbor rr-client remote-as 17821neighbor rr-client update-source Loopback0!neighbor rrv6-client peer-groupneighbor rrv6-client remote-as 17821neighbor rrv6-client update-source Loopback0!
10/2/19
32
6363
Source IP spoofing – Defense • BCP38 (RFC2827)
– Since 1998!– https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to– Leave your network
• Only packets with source address from your own address space
– To enter/transit your network• Only source addresses from downstream customer address space
63
6464
uRPF: Unicast Reverse Path Forwarding
• Unicast Reverse Path Forwarding (uRPF)
  – The router verifies that the source address of a received packet is in the FIB and reachable (routing table)
    • Else DROP!
  – Recommended on customer-facing interfaces
  – Strict mode breaks with asymmetric routing (multi-homed customers), so use strict on single-homed customer ports and loose where paths can be asymmetric

  (config-if)#ipv6 verify unicast source reachable-via {rx|any}
uRPF: Unicast Reverse Path Forwarding
• Modes of operation:
  – Strict: verifies both the source address and the incoming interface against the FIB entry
  – Loose: verifies only that a route to the source address exists
[Figure: router with interfaces pos0/0 and ge0/0 receiving packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1; FIB: 2400:6400:100::/48 via ge0/0, 2400:6400:200::/48 via fa0/0 (prefixes as printed on the slide; the sources read 2406:6400:...). Strict mode passes a packet only if it arrives on the interface the FIB uses to reach its source; loose mode passes it if any FIB entry covers the source.]
Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith, 2002
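Added example, not from the deck or from Cisco: the strict and loose uRPF decisions of the figure above carried out against a constructed FIB with longest-prefix match. It assumes the slide's FIB prefixes are 2406:6400:100::/48 via ge0/0 and 2406:6400:200::/48 via fa0/0 (so that they cover the drawn sources) plus an assumed default route via pos0/0; the allow_default switch models the IOS allow-default keyword as I read it (a default route does not count as a reverse path unless it is set), which is not vendor documentation.

```python
"""Added example, not from the deck: strict and loose uRPF against a small
FIB with longest-prefix match, including the default-route caveat."""
import ipaddress

# Constructed FIB: prefix -> egress interface (values assumed, see lead-in)
FIB = {
    "2406:6400:100::/48": "ge0/0",
    "2406:6400:200::/48": "fa0/0",
    "::/0": "pos0/0",           # upstream default route
}


def lookup(fib, addr):
    """Longest-prefix match: return (network, interface) or (None, None)."""
    a = ipaddress.IPv6Address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best if best else (None, None)


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes uRPF.
    strict: the best route to src must point back out the ingress interface.
    loose:  any route to src is enough.
    In both modes a match on the default route counts only with allow_default."""
    net, iface = lookup(fib, src)
    if net is None:
        return False                                 # no route at all: drop
    if net.prefixlen == 0 and not allow_default:
        return False                                 # only the default route covers src
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


def classify(fib, packets, mode="strict", allow_default=False):
    """packets: iterable of (src, ingress). Return the list of (src, ingress, verdict)."""
    return [(src, ingress, "pass" if urpf_check(fib, src, ingress, mode, allow_default) else "drop")
            for src, ingress in packets]
```

The figure's case is the strict one: 2406:6400:100::1 is legitimate only on ge0/0, so the same source arriving on pos0/0 is dropped. The loose check is what you want on a peering link, where it still rejects unrouted (bogon) sources but tolerates asymmetric paths; whether the default route counts is the knob that decides if loose mode filters anything at all on a router carrying full tables plus a default.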
What Else?
• IPv6 & IPsec
  – IPsec should be supported in IPv6 (ESP 50 / AH 51)
    • it still needs to be enabled/used!
• Scanning:
  – Subnets in IPv6 = 2^64 addresses
    • Too big to scan?
    • Techniques exist to harvest reachable addresses (RFC7707 catalogues them)
  – Admins are lazy
    • ::BEEF, ::CAFE, ...
  – Simple addresses for infrastructure
    • Loopbacks: 2001:db8::1, 2001:db8::2, ...
  – Transition techniques derive IPv6 from IPv4 addresses
What Else?
• Viruses/worms
  – Is IPv6 any more secure?
    • IMs, email and everything higher up the stack are still the same
• Train your people
• Assess your network: security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
  – ACLs/filters
  – Harden hosts and applications
  – Use crypto protections where necessary/critical

Thank You! END OF SESSION