IPv6 in enterprise networks - Cisco · Begin IPv6 testing and implementation in pilot mode, then...
TRANSCRIPT
Cisco Public © 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Expo 2012
IPv6 in Enterprise Networks (T-NET5/L3)
Miroslav Brzek
Systems Engineer, Cisco
Agenda
• IPv6 Current status
• IPv6 Planning Steps
• IPv6 Address consideration
• Transition Mechanisms
• IPv6 Co-existence Considerations
• IPv6 Security
• Conclusion, Q&A
IPv6 Current status
IPv4 address exhaustion is accelerating! It is consistently beating estimates:
• Microsoft has just purchased 666,624 IP addresses for $7.5 million ($11.25/addr)
• Bankrupt bookseller Borders is trying to sell its 65,000 IPv4 addresses ($12/addr)
• World IPv6 Day (8 June 2012): Large content providers and communications-technology vendors (Google, Facebook, Cisco…) made their web sites reachable over IPv6 for 24 hours in order to test IPv6 services.
• World IPv6 Launch (6 June 2012): Major ISPs, content providers and communications-technology vendors permanently switch their services on over IPv6.
• 2012: the US Obama Administration Mandate takes effect.
• 2014: IPv6 becomes the principal communication protocol.
IPv6 Planning Steps
• IPv4 & IPv6 will coexist for the foreseeable future
- No D-Day / Flag Day.
• Applications will be migrated to IPv6 with the support of dual-stack operating systems (Windows 7, Linux, BSD...)
• Network infrastructure will integrate the IPv6 protocol
- Both protocols, IPv4 and IPv6, will be running in the network at the same time
- Most of the devices in the network will support both protocols at the same time (dual-stack routers and L3 switches)
• Education & careful planning are crucial
• IPv4 & IPv6 implementations must be scalable, reliable, secure and feature rich
Start with a Phased Plan Aligned with Your Business Strategy
1. Identify the highest priority IPv6-critical areas in your network
2. Perform IPv6 Assessment on highest-priority areas to determine scope of design
3. Develop an IPv6 design that enables IPv6 to be introduced without disrupting your IPv4 network
4. Begin IPv6 testing and implementation in pilot mode, then extend over time into production deployment
Repeat for the Next IPv6-Critical Area in Your Network
IPv6 Address consideration
• Build on the lessons learned from how the IPv4 plan was developed and implemented
- Does it make sense to follow the current IPv4 assignment model?
• Must be proportional to current usage and expected growth
• Hierarchy is key
- Do you get a prefix for the entire company or do you get one prefix per site (what defines a site?)
• Cisco IPv6 Addressing White Paper: http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf
• What type of addressing should I deploy internal to my network? It depends:
ULA only
- Not routable on the internet - basically RFC1918 for IPv6, only better: less likelihood of collisions
- Default prefix is /48, which limits use in large organizations that will need more space
- Semi-random generator prohibits generating sequentially 'useable' prefixes—no easy way to have aggregation when using multiple /48s
- Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
ULA + Global
- Allows for the best of both worlds but at a price—much more address management with DHCP, DNS, routing and security—source address selection (SAS) does not always work as it should
Global-only
- Recommended approach, but the old-school security folks who believe topology hiding is essential to security will bark at this option
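As an added example (not part of the deck or the sixxs.net tool it links to), the following Python implements the RFC 4193 ULA algorithm the slide alludes to: the 40-bit Global ID comes from SHA-1 over an NTP timestamp and the EUI-64 of a MAC, which is why two prefixes generated one after the other are not sequential and cannot be aggregated. The MAC and timestamp used in the demo are constructed inputs.

```python
"""RFC 4193 Unique Local Address (ULA) /48 generation, added example.

Follows RFC 4193 section 3.2.2: Global ID = low 40 bits of
SHA-1(64-bit NTP timestamp || EUI-64), prefix fd00::/8 (L bit = 1)."""
import hashlib
import ipaddress
import struct
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit (0x02) of the
    first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, fraction)


def generate_ula_prefix(mac, unix_time=None):
    """Return a locally assigned ULA /48 for the given MAC and point in time."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # least significant 40 bits
    # fd (fc00::/7 with L=1) + 40-bit Global ID; the 16-bit subnet ID and the
    # 64-bit interface ID stay zero: this is the /48 the organization gets.
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def is_ula(network):
    """True if the prefix lies in fc00::/7 (must never be routed on the Internet)."""
    return ipaddress.IPv6Network(network).subnet_of(ULA_RANGE)


def prefixes_are_adjacent(first, second):
    """The slide's point: two ULAs generated one after the other are not
    sequential, so several /48s cannot be aggregated into one shorter prefix."""
    a, b = ipaddress.IPv6Network(first), ipaddress.IPv6Network(second)
    return int(b.network_address) - int(a.network_address) == 2 ** (128 - 48)


if __name__ == "__main__":
    # Constructed inputs: the MAC shown on the neighbor-cache slide and a fixed time
    first = generate_ula_prefix("000d.6084.2c7a", 1339000000.0)
    second = generate_ula_prefix("000d.6084.2c7a", 1339000001.0)
    print(first, second, "adjacent:", prefixes_are_adjacent(first, second))
    print(list(first.subnets(new_prefix=64))[:2], "... (65536 x /64 in total)")
```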
• Everything internal runs the ULA space
• An IPv6 Prefix Translator (NPTv6) or an IPv6 proxy is required to access IPv6 hosts on the internet
- Must run filters to prevent any SA/DA in the ULA range from being forwarded
- NOTE: NPTv6 (NAT66) is still in draft status.
• Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
• Requires NAT for IPv6
• Not currently recommended
[Diagram: Corporate HQ and Corporate Backbone numbered from the Unique Local prefix fd9c:58ab:7f73::/48 (fd9c:58ab:7f73:3000::/64, fd9c:58ab:7f73:0000::/56); Branch 1 fd9c:58ab:7f73:2800::/64; Branch 2 fd9c:58ab:7f73:1000::/56; the Internet is reached via the Global prefix 2001:db8:cafe::/48]
• Global is used everywhere
• No requirement to have NAT for ULA-to-Global translation—but NAT may be used for other purposes, e.g. printers, databases etc. can be on ULA
• Easier management of DHCP, DNS, security, etc.
• Only downside is breaking the habit of believing that topology hiding is a good security method
• Recommended
[Diagram: Corporate HQ and Corporate Backbone numbered from the Global prefix 2001:db8:cafe::/48 (2001:db8:cafe:3000::/64, 2001:db8:cafe:0000::/56); Branch 1 2001:db8:cafe:2800::/64; Branch 2 2001:db8:cafe:1000::/56; Internet]
• Mainly an Enterprise issue
• Service Providers will get their allocation direct from the RIR
• PI space is great for organizations who want to multihome to different SPs
• PA is a great space if you plan to use the same SP for a very long time or you plan to NAT/Proxy everything with IPv6 (not likely)
• Other things to consider
- Do you get a prefix for the entire company or do you get one prefix per site?
- Do you get a prefix per regional registry (RIPE, APNIC, LACNIC, etc.)?
[Diagram: IPv6 allocation hierarchy. Provider Assigned: IANA (2000::/3) → Registries (/12) → ISP Org (/32) → Enterprise (/48). Provider Independent: IANA (2000::/3) → Registries (/12) → Enterprise (/48) directly.]
RIPE policy proposals:
http://www.ripe.net/ripe/policies/proposals/2006-01.html
http://www.ripe.net/ripe/policies/proposals/2006-05.html
• High-level addressing plan. Indicative only. Can be modified to suit needs
• /48 = 65536 x /64
• Break up into functional blocks (4 x /50 in this case)
• Each functional block simplifies security policy
• Assumes up to 64 Branch networks
• Each Branch has access to 256 /64 prefixes for WAN, DMZ, & VLAN use
[Diagram: address plan tree]
/48
  /50 Branch
    /56 Branch 1: /64 Loop, /64 WAN, /64 DMZ, /64 VLAN4, ..., /64 VLAN…
    /56 Branch 2
    /56 Branch 3
    /56 Branch 4
    ...
    /56 MGMT: /64 Loop, /64 WAN, /64 DMZ, /64 VLAN4, /64 VLAN…
  /50 WAN
  /50 DC
  /50 Lab
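As an added example (not from the deck), the following Python carves the slide's plan out of the documentation prefix 2001:db8:cafe::/48 with the standard library: 4 functional /50 blocks, 64 branch /56s inside the Branch block, and named /64s per branch. The block names, branch count and per-branch roles are the slide's; the choice of ::1 for loopbacks is an assumption of this example.

```python
"""Carving the slide's high-level address plan out of one /48, added example."""
import ipaddress

FUNCTIONAL_BLOCKS = ("Branch", "WAN", "DC", "Lab")   # 4 x /50, as on the slide
BRANCH_SUBNETS = ("Loop", "WAN", "DMZ", "VLAN4")     # first /64s in each branch /56


def carve_plan(site_prefix, branches=64):
    """Split a /48 into 4 functional /50 blocks, the Branch block into /56 per
    branch, and name the first /64s of every branch."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError("the plan assumes a /48 per organization")
    blocks = dict(zip(FUNCTIONAL_BLOCKS, site.subnets(new_prefix=50)))
    branch_prefixes = list(blocks["Branch"].subnets(new_prefix=56))  # 64 x /56
    if branches > len(branch_prefixes):
        raise ValueError(f"a /50 only holds {len(branch_prefixes)} x /56")
    plan = {"site": site, "blocks": blocks, "branches": {}}
    for index, prefix in enumerate(branch_prefixes[:branches], start=1):
        lans = prefix.subnets(new_prefix=64)          # generator over 256 x /64
        named = {role: next(lans) for role in BRANCH_SUBNETS}
        plan["branches"][f"Branch {index}"] = {"prefix": prefix, "lans": named}
    return plan


def count_subnets(network, new_prefix):
    """How many new_prefix-length subnets a network contains, e.g. /48 -> /64."""
    network = ipaddress.IPv6Network(network)
    return 2 ** (new_prefix - network.prefixlen)


def block_for(plan, address):
    """Name of the functional block an address belongs to. Because each block is
    one contiguous /50, a security policy needs a single entry per block."""
    addr = ipaddress.IPv6Address(address)
    for name, block in plan["blocks"].items():
        if addr in block:
            return name
    return None


def loopback_for(plan, branch):
    """/128 loopback taken from the branch's Loop /64 (the deck recommends /128
    on loopbacks); using ::1 inside that /64 is an assumption of this example."""
    loop = plan["branches"][branch]["lans"]["Loop"]
    return ipaddress.IPv6Network((int(loop.network_address) + 1, 128))


if __name__ == "__main__":
    plan = carve_plan("2001:db8:cafe::/48")   # documentation prefix used in the deck
    for name, block in plan["blocks"].items():
        print(f"{name:7s} {block}")
    print(plan["branches"]["Branch 2"])
    print(count_subnets("2001:db8:cafe::/48", 64), "x /64 in the /48")
    print(block_for(plan, "2001:db8:cafe:8001::10"), loopback_for(plan, "Branch 1"))
```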
64 bits:
• /64 everywhere
- Recommended by RFC3177 and IAB/IESG
- Consistency makes management easy
- MUST for SLAAC (MSFT DHCPv6 also)
- Significant address space loss (18.466 Quintillion)
> 64 bits:
• /64 + /126: /64 on host networks, /126 on P2P
• /64 + /127: /64 on host networks, /127 on P2P
• Always use /128 on loopbacks
- Address space conservation
- Special cases: /126—valid for p2p; /127—valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p-xx / RFC3627); /128—loopback
- Must avoid overlap with specific addresses: Subnet-Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
• Originally point-to-point links were numbered with /64, /96, /112, or /126
- /64 simplest
- /96 allowed 32 bits of IPv4 address to be used
- /112 allowed the significant 16 bits of IPv4 address to be used
- /126 emulated the /30 behaviour of IPv4
• Use of ample address space opened networks up to attack
• Two conflicting RFCs:
- RFC 3627 "Use of /127 Prefix Length Between Routers Considered Harmful"
- RFC 6164 "Using 127-Bit IPv6 Prefixes on Inter-Router Links"
• /127 not possible in some implementations due to conflict with "the Subnet-Router anycast address"
• Cisco IOS does not implement Subnet-Router Anycast by default
• The issue is with multivendor support
• Industry is moving towards RFC 6164
• Allocate /64 everywhere
- Ensures simple allocation and no need to maintain /30-style spreadsheets
• Change the mask to suit the purpose
- /64 for LAN
- /127 for p2p link
• Don't use EUI-64 with Global Addresses for network infrastructure
- Address will change with RMA
- Will affect DNS
- Higher operational overhead
[Diagram: IPv6 address assignment methods]
Similar to IPv4:
• Manually configured
• Assigned via DHCP: (1) Router Solicitation (RS), (2) Router Advertisement (RA), (3) DHCPv6 Request, (4) DHCPv6 Reply
New in IPv6:
• Stateless configuration: (1) Router Solicitation, (2) Router Advertisement (/64 prefix, timers, etc…); IPv6 Address = /64 prefix + EUI-64 (e.g. derived from the MAC address)
• Auto-generated pseudo-random number (RFC 3041): (1) Router Solicitation, (2) Router Advertisement; IPv6 Address = /64 prefix + random 64 bits (RFC 3041)
• 1 – Stateless Address Autoconfiguration (SLAAC) (RFC2462)
- Host autonomously configures its own link-local address
- Router Solicitations are sent by booting nodes to request RAs for configuring the interfaces
• 2 – Stateful DHCPv6
- Host uses DHCP to get its IPv6 address (similar to IPv4 behavior)
• 3 – Stateless DHCP
- Host uses SLAAC and also DHCP to get additional parameters such as DNS, TFTP server, etc.
• Choice relies on RA flags sent by the router on the LAN
- RA with "M", "A" and/or "O" flags (Router → Host)
• Both SLAAC and DHCP run independently. It's perfectly valid to have both at the same time. This is the default behaviour when setting the M-Flag.
M-Flag – Managed Flag: if the RA has the M bit set, the host should do DHCP to acquire an IPv6 address. To enable stateful DHCP:
!
interface ethernet0/0
 ipv6 nd managed-config-flag
!
A-Flag – Autoconfiguration Flag: if the RA has the A bit set, the host should do address autoconfiguration (SLAAC). To disable autoconfig and clear the A-flag on a prefix:
!
interface ethernet0/0
 ipv6 nd prefix 2001:DB8:1:CAFE::/64 300 300 no-autoconfig
!
O-Flag – Other-config Flag: to enable stateless DHCP in addition to SLAAC, use the O-Flag:
!
interface ethernet0/0
 ipv6 nd other-config-flag
!
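As an added example (not from the deck), the following Python decodes the M and O flags of a Router Advertisement and the A flag of its Prefix Information option using the RFC 4861 wire format, and reports which of the three modes above a host will use. The RA bytes are constructed by build_ra for the slide's prefix 2001:DB8:1:CAFE::/64 with 300/300 lifetimes; the ICMPv6 checksum is left at zero because it spans the IPv6 pseudo-header, which this example does not model.

```python
"""Decoding the RA flags (M, O and the prefix A flag) that select a host's
address-configuration mode, added example using the RFC 4861 layout."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40     # Managed, Other-config
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40   # On-link, Autonomous (SLAAC)
RA_HDR = "!BBHBBHII"  # type, code, csum, hop limit, flags, lifetime, reachable, retrans


def build_ra(managed, other, prefixes, router_lifetime=1800):
    """Constructed RA for testing. prefixes: (network, autonomous, valid, preferred).
    Checksum stays zero: it covers the IPv6 pseudo-header, not modelled here."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    ra = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    for network, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(network)
        pflags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                          valid, preferred, 0)
        ra += net.network_address.packed
    return ra


def parse_ra(data):
    """Parse an RA into a dict; raises ValueError on malformed input, since a
    host must discard packets with truncated or zero-length ND options."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, _, flags, lifetime, reachable, retrans = struct.unpack(RA_HDR, data[:16])
    ra = {"managed": bool(flags & RA_FLAG_M), "other": bool(flags & RA_FLAG_O),
          "router_lifetime": lifetime, "reachable_ms": reachable,
          "retrans_ms": retrans, "prefixes": []}
    offset = 16
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated ND option header")
        otype, olen = data[offset], data[offset + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        option = data[offset:offset + olen * 8]
        if len(option) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", option[2:12])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((option[16:32], plen), strict=False),
                "on_link": bool(pflags & PIO_FLAG_L),
                "autonomous": bool(pflags & PIO_FLAG_A),
                "valid": valid, "preferred": preferred})
        offset += olen * 8
    return ra


def host_config_mode(ra):
    """Map the flags to the slide's three modes: SLAAC needs an A-flagged /64;
    M selects stateful DHCPv6 (O is then redundant); O alone selects stateless
    DHCPv6 for DNS and similar parameters."""
    slaac = any(p["autonomous"] and p["prefix"].prefixlen == 64 for p in ra["prefixes"])
    modes = ["SLAAC"] if slaac else []
    if ra["managed"]:
        modes.append("stateful DHCPv6")
    elif ra["other"]:
        modes.append("stateless DHCPv6")
    return " + ".join(modes) if modes else "link-local only"


if __name__ == "__main__":
    prefix = "2001:db8:1:cafe::/64"  # prefix and 300/300 lifetimes from the slide
    for m, o, a in ((True, False, True), (True, False, False), (False, True, True)):
        ra = build_ra(m, o, [(prefix, a, 300, 300)])
        print(f"M={int(m)} O={int(o)} A={int(a)}: {host_config_mode(parse_ra(ra))}")
```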
Transition Mechanisms
[Diagram: enterprise co-existence toolbox]
• Dual Stack – Recommended Enterprise Co-Existence Strategy (IPv4 and IPv6 side by side)
• Tunneling Services – Connect islands of IPv6 or IPv4 (IPv6 over IPv4, IPv4 over IPv6)
• Translation Services – Connect to the IPv6 community (IPv4 ↔ IPv6): business partners, Internet consumers, remote workers, international sites, government agencies
• Hosts today are IPv4+IPv6: Windows Vista, Mac OS X, Linux, BSD
• Make the network IPv4+IPv6
• Support for every media/WAN type you want to use (Ethernet, leased-line, broadband, MPLS, etc…)
• When forced to deploy IPv6-only networks, they will be able to talk with other hosts
• Dual-stack should be the focus of your implementation
[Diagram: an IPv4+IPv6 network connecting IPv4+IPv6 hosts with IPv6-only hosts or networks]
[Diagram: enterprise network – Servers, DC Access, DC Aggregation, DC/Campus Core, Campus Block, WAN, Branches, Internet Edge with two ISPs]
• Based on timeframe/use case
• Internet Edge – Business continuity
• Core-to-Edge – Fewer things to touch
• Edge-to-Core – Challenging but doable
Key Steps Summarized – IPv6 to IPv4 Translation using Stateful NAT64
Step 1: Enterprise registers the public-facing IPv6 address representing the enterprise, e.g. Example-v4.com as 2001:db8:cafe::101, with the authoritative AAAA DNS server
Step 2: IPv6-only host connects to the service at Example-v4.com by using the IPv6 address received in the AAAA DNS response from the authoritative server
Step 3: Enterprise edge receives IPv6 packets and performs Stateful NAT64 translation
Step 4: Post translation, the enterprise edge forwards the IPv4 packets to the Example-v4.com servers as regular IPv4 packets
Step 5: The service hosted at Example-v4.com receives and processes the request, and the communication is established
[Diagram: IPv6 side with a DNS server and the host 2001:db8:abcd:2::1/64; Enterprise Edge performing 6:4 stateful NAT64, also representing the IPv6 network 2001:db8:cafe::/48; SLB44 and server farm (192.168.2.1/24) in the IPv4-only network 192.0.2.0/24; bi-directional IPv6 traffic flow on the outside, bi-directional IPv4 traffic flow on the inside]
Enable IPv6 Unicast Routing:
!
ipv6 unicast-routing
!
Interface Configuration:
!
interface GigabitEthernet2/3/1
 description Connected to IPv4_Network
 ip address 172.16.1.1 255.255.255.252
 ! Enable NAT64 processing on this interface
 nat64 enable
!
interface GigabitEthernet2/3/2
 description Connected to IPv6_Network
 ipv6 address fd00:1::1/124
 ! Enable IPv6 processing
 ipv6 enable
 ! Enable NAT64 processing on this interface
 nat64 enable
!
NAT64 Configuration:
!
nat64 prefix stateful 2001:db8:cafe::/96
nat64 v4 pool mypool 203.0.113.1 203.0.113.100
nat64 v6v4 list mylist pool mypool overload
!
ipv6 access-list mylist
 permit ipv6 2001:db8:cafe::/48 any
!
[Diagram: GE 2/3/2 (fd00:1::1/127) towards the IPv6-Only Network 2001:db8:cafe::/48; 6:4 NAT64; GE 2/3/1 (172.16.1.1/30) towards the IPv4-Only Network 192.0.2.0/24. For Your Reference.]
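As an added example (not Cisco's implementation), the following Python performs the RFC 6052 address mapping that `nat64 prefix stateful 2001:db8:cafe::/96` relies on: embedding an IPv4 server address into the NAT64 prefix (what the IPv6-only client sends to) and extracting it again (what the 6:4 edge does in Step 3). It also covers the other RFC 6052 prefix lengths (/32 to /64), where a zero "u" octet is inserted at bits 64-71. The IPv4 hosts used in the demo are constructed from the 192.0.2.0/24 network on the slide.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses behind the slide's stateful NAT64
prefix, added example. Handles /32, /40, /48, /56, /64 and /96 prefixes."""
import ipaddress

NAT64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # octet 8 (bits 64-71) is reserved and must be zero for prefixes shorter than /96


def synthesize(nat64_prefix, ipv4):
    """IPv6 address an IPv6-only client uses for an IPv4 server: prefix octets,
    then the IPv4 octets with the zero 'u' octet inserted at position 8."""
    prefix = ipaddress.IPv6Network(nat64_prefix)
    if prefix.prefixlen not in NAT64_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix must be /32, /40, /48, /56, /64 or /96")
    octets = bytearray(prefix.network_address.packed[: prefix.prefixlen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(octets) == U_OCTET:
            octets.append(0)
        octets.append(octet)
    octets.extend(bytes(16 - len(octets)))   # suffix bits are zero
    return ipaddress.IPv6Address(bytes(octets))


def extract_ipv4(nat64_prefix, ipv6):
    """Inverse mapping applied by the translator to the destination address.
    Rejects addresses outside the prefix or with a non-zero 'u' octet."""
    prefix = ipaddress.IPv6Network(nat64_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {prefix}")
    octets = addr.packed
    prefix_octets = prefix.prefixlen // 8
    if prefix_octets <= U_OCTET and octets[U_OCTET] != 0:
        raise ValueError("reserved octet 8 (u) must be zero")
    positions = [i for i in range(prefix_octets, 16) if i != U_OCTET][:4]
    return ipaddress.IPv4Address(bytes(octets[i] for i in positions))


def needs_translation(nat64_prefix, destination):
    """Per-packet decision at the 6:4 edge: destinations inside the NAT64 prefix
    are translated, native IPv6 destinations are routed unchanged."""
    return ipaddress.IPv6Address(destination) in ipaddress.IPv6Network(nat64_prefix)


if __name__ == "__main__":
    # Prefix from the slide's configuration; constructed host in the IPv4-only network
    v6 = synthesize("2001:db8:cafe::/96", "192.0.2.10")
    print(v6, "->", extract_ipv4("2001:db8:cafe::/96", v6))
    print(synthesize("64:ff9b::/96", "192.0.2.33"))        # the well-known prefix
    print(synthesize("2001:db8::/32", "192.0.2.33"))       # /32: IPv4 then the u octet
    print(needs_translation("2001:db8:cafe::/96", "2001:db8:abcd:2::1"))
```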
• Dual Stack = Two protocols running at the same time (IPv4/IPv6)
• #1 requirement—switching/routing platforms must support hardware-based forwarding for IPv6
• IPv6 is transparent on L2 switches but consider:
- L2 multicast—MLD snooping
- IPv6 management—Telnet/SSH/HTTP/SNMP
• Expect to run the same IGPs as with IPv4
[Diagram: dual-stack campus and data center – Core Layer, Distribution Layer, Access Layer, DC Aggregation Layer and DC Access Layer all v6-enabled; IPv6/IPv4 dual-stack hosts and a dual-stack server behind L2/L3 access]
• Plan "B" if a Layer 3 device can't support IPv6 but you have to get IPv6 over it
• Offers IPv6 connectivity via multiple options
- Dual-stack
- Configured tunnels—L3-to-L3
- ISATAP—Host-to-L3
• Leverages the existing network
• Offers a natural progression to a full dual-stack design
• May require tunneling to less-than-optimal layers (i.e. core layer)
• ISATAP creates a flat network (all hosts on the same tunnel are peers)
- Create tunnels per VLAN/subnet to keep the same segregation as the existing design
• Provides basic HA of ISATAP tunnels via the old Anycast-RP idea
[Diagram: hybrid design – some layers v6-enabled, others NOT v6-enabled (Core, Distribution, Access, DC Aggregation and DC Access layers shown); ISATAP tunnels carry IPv6 from the IPv6/IPv4 dual-stack hosts and the dual-stack server across the layers that are not v6-enabled]
[Diagram: WAN options]
• Dual Stack IPv4/IPv6 WAN (Preferred): dual-stack CPEs, dual-stack headquarters, dual-stack WAN
• MPLS IPv4 Core with 6VPE: Dual Stack IPv4/IPv6 VPN service between customer networks
• IPv4 WAN using tunnels: manually configured tunnels, IPv6 over GRE, LISP, IPsec tunnels, Dynamic Multipoint VPN (DMVPN)
• Subscriber networks: IPv6-only subscriber with IPv6 Rapid Deployment (CE to CE); Carrier Grade NAT
IPv6 Co-existence Considerations
• IPv6 Neighbor Cache = ARP for IPv4
- In dual-stack networks the first-hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries
ARP entry for a host in the campus distribution layer:
Internet 10.120.2.200 2 000d.6084.2c7a ARPA Vlan2
IPv6 Neighbor Cache entries for the same host (same MAC address):
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
• Full internet route tables—be sure to account for TCAM/memory requirements for both IPv4/IPv6—not all vendors can properly support both
• Multiple routing protocols—IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/memory is present
• Control-plane impact when using tunnels—terminate ISATAP/configured tunnels in HW platforms when attempting large-scale deployments (hundreds/thousands of tunnels)
HSRP for v6
• Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
• Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
(HSRP Active / HSRP Standby)
GLBP for v6
• Modification to Neighbor Advertisement, Router Advertisement—GW is announced via RAs
• Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
(GLBP AVG, AVF / GLBP AVF, SVF)
Neighbor Unreachability Detection
• For rudimentary HA at the first hop
• Hosts use the NUD "reachable time" to cycle to the next known default gateway (30s by default)
(RA sent with Reach-time = 5,000 msec)
• HSRP for IPv4 and IPv6 have a similar state machine
• Differences between HSRP for IPv6 and IPv4:
- Host will learn the default gateway through router RA messages (no need to configure a default gateway)
- Active HSRP router will by default send an RA every 200 seconds
- Standby HSRP router will suppress its RA messages
• HSRP for IPv6 vs. IPv6 ND
- Provides predictable IPv6 host-to-router redundancy and faster failover – default 10 seconds vs. default 30 seconds
- Reduces the ND traffic overhead (NS/NA messages) associated with reducing the ND Reachable Time timer
HSRP for IPv6 configuration (HSRP Active / HSRP Standby) – For Your Reference:
ipv6 cef
!
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 timers msec 250 msec 800
 standby 1 preempt
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string cisco
 standby 1 track FastEthernet0/0
• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both transports use DSCP (aka Traffic Class)
• Future use of the Flow Label will be a viable option if application differentiation or source-specific traffic characteristics are required
• IPv4 syntax has used "ip" following match/set statements
- Example: match ip dscp, set ip dscp
• Modification in QoS syntax to support IPv6 and IPv4
- New match criteria: match dscp — Match DSCP in v4/v6; match precedence — Match Precedence in v4/v6
- New set criteria: set dscp — Set DSCP in v4/v6; set precedence — Set Precedence in v4/v6
• Additional support for IPv6 does not always require new Command Line Interface (CLI)
- Example—WRED
RIP: RIPv2 for IPv4, RIPng for IPv6
- Distinct but similar protocols, with RIPng taking advantage of IPv6 specificities
OSPF: OSPFv2 for IPv4, OSPFv3 for IPv6
- Distinct but similar protocols, with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities
IS-IS: Extended to support IPv6
- Natural fit to some of the IPv6 foundational concepts
- Supports Single and Multi Topology operation
EIGRP: Extended to support IPv6
- Some changes reflecting IPv6 characteristics (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE)
BGP: New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/Multicast/Label/VPN
- Peering over IPv6 or IPv4 (route maps)
For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts
IPv6 IGPs have additional features that could lead to new designs
IPv6 Security
• Your host:
- IPv4 is protected by your favorite personal firewall...
- IPv6 is enabled by default (Windows 7, Linux, Mac OS X, ...)
• Your network:
- Does not run IPv6
• Your assumption:
- I'm safe
• Reality:
- You are not safe
- Attacker sends Router Advertisements
- Your host silently configures IPv6
- You are now under IPv6 attack
=> Probably time to think about IPv6 in your network
What is specific with IPv6 in the L2 domain? More addresses!
• More end-nodes allowed on the link (up to 2^64!)
• More states (neighbor cache, etc.) on hosts, routers and switches
• Creates new opportunities for DoS and MiM attacks
- Attacks on Router Discovery: fake router
- Attacks on Address Configuration
- Attacks on Address Resolution
- DoS attacks on the Neighbor Cache, etc.
[Diagram: router R1 with hosts A and B on the same link]
[Diagram legend: host, router, time server, web server, DHCP server/relay; trusted end-nodes vs. un-trusted end-nodes; attacker]
• Distributed: security verified between any pair of nodes
• Centralized: security verified between each node and the central switch
Distributed model
• Advantages
– No central administration, no central operation
– No bottleneck, no single point of failure
– Intrinsic part of the link operations
– No tying up to the L2 infrastructure
– Load distribution
• Disadvantages
– Heavy provisioning of end-nodes
– Only provisioned end-nodes are protected
– Tied up to node capability
– Bootstrapping issue
– Complexity spread all over the domain
[Diagram: provisioning infrastructure (configuration server, DHCP server, time server, certificate server) provisioning the hosts directly; L2/link infrastructure; Internet]
• SeND is NOT a new protocol
• SeND is "just" an extension to NDP
• Therefore ND+SeND remains a protocol operating on the link
• SeND is a distributed mitigation mechanism
• Provides address ownership proof and router authorization
• It does not verify the legitimacy of other key roles (DHCP server, NTP server, etc.)
• SeND does not provide any "end-to-end" security
• SeND is specified in RFC3971 and RFC3972
• Requires IOS 12.4(24)T
• To benefit fully from SeND, nodes must be:
- Provisioned with CA certificate(s)
- Time synchronized / have access to the NTP server
- Have access to a CRL or OCSP server
- Have a private/public key pair for CGA
• Overhead introduced
- Routers have to do many public/private key calculations (some may be done in advance of use)
  => Potential DoS target
- Routers need to keep more state
• Available: Unix (DoCoMo), Cisco IOS 12.4(24)T
• Microsoft: no support in Windows Vista, 2008 and Windows 7
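As an added example (not Cisco's or the RFC's reference code), the following Python implements the Cryptographically Generated Address construction of RFC 3972 that gives SeND its address ownership proof: the interface identifier is a hash of the node's public key and a modifier, so only the key holder can produce a valid address, and any neighbor can verify it without a trusted third party. The public key is a constructed stand-in for the DER blob a real node would use, and the Sec parameter shows where the "many public/private key calculations" cost on the slide comes from.

```python
"""Cryptographically Generated Addresses (RFC 3972), the address-ownership
proof SeND relies on. Added example; the key below is a constructed stand-in
for the DER-encoded SubjectPublicKeyInfo the RFC hashes."""
import hashlib
import ipaddress
import os


def _cga_parameters(modifier, subnet_prefix, collision_count, public_key):
    """CGA Parameters: modifier (16) || subnet prefix (8) || collision count (1) || key."""
    return modifier + subnet_prefix + bytes([collision_count]) + public_key


def _hash1(params):
    return hashlib.sha1(params).digest()[:8]   # leftmost 64 bits


def _hash2(modifier, public_key):
    # Hash2 is computed with the subnet prefix and collision count set to zero
    return hashlib.sha1(_cga_parameters(modifier, bytes(8), 0, public_key)).digest()[:14]


def _hash2_satisfies(hash2, sec):
    """The leftmost 16*Sec bits of Hash2 must be zero: this is the work factor
    an attacker must repeat per candidate key to forge a matching address."""
    return hash2[: 2 * sec] == bytes(2 * sec)


def generate_cga(prefix, public_key, sec=1, modifier=None, collision_count=0):
    """Return (address, cga_parameters), following RFC 3972 section 4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("CGA needs a /64 prefix and Sec in 0..7")
    if collision_count > 2:
        raise ValueError("more than three DAD collisions: give up (RFC 3972 step 8)")
    subnet_prefix = net.network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Steps 2-3: search for a modifier whose Hash2 has 16*Sec leading zero bits
    while not _hash2_satisfies(_hash2(modifier, public_key), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    # Steps 5-7: Hash1 over the full parameters becomes the interface identifier
    params = _cga_parameters(modifier, subnet_prefix, collision_count, public_key)
    iid = bytearray(_hash1(params))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # bits 0-2 := Sec, bits 6-7 (u, g) := 0
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address, params):
    """RFC 3972 section 5: any node on the link can check that whoever holds
    the key in the parameters also owns this address."""
    packed = ipaddress.IPv6Address(address).packed
    if len(params) < 25:
        return False
    modifier, subnet_prefix, collision_count = params[:16], params[16:24], params[24]
    public_key = params[25:]
    if collision_count > 2 or subnet_prefix != packed[:8]:
        return False
    iid, hash1 = packed[8:], _hash1(params)
    # Compare Hash1 with the IID, ignoring bits 0-2 (Sec) and 6-7 (u, g)
    if (hash1[0] & 0x1C) != (iid[0] & 0x1C) or hash1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2_satisfies(_hash2(modifier, public_key), sec)


# Constructed stand-in for a DER SubjectPublicKeyInfo blob (not a real key)
DEMO_PUBLIC_KEY = b"\x30\x5c" + bytes(range(92))

if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:cafe:2::/64", DEMO_PUBLIC_KEY, sec=1,
                                modifier=bytes(16))
    print(addr, "verifies:", verify_cga(addr, params))
    # A node presenting a different key for the same address fails verification
    forged = params[:25] + b"\x30\x5c" + bytes(92)
    print("forged key verifies:", verify_cga(addr, forged))
```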
Centralized model
• Advantages
– Central administration, central operation
– Complexity and provisioning limited to the first hop
– All nodes protected
– Transitioning a lot easier
• Disadvantages
– Applicable only to certain topologies
– Requires the first hop to learn about end-nodes
– The first hop can be a bottleneck and single point of failure
[Diagram: provisioning infrastructure (configuration server, DHCP server, time server, certificate server) feeding the L2/link infrastructure, which protects the hosts; Internet]
• Takes care of all nodes' security, primarily from a link-operations standpoint
• Leverages information gleaned by snooping link operations
• The switch does/will integrate a set of monitoring, inspection and guard features:
- Port ACL
- ACL-based RA Guard
- ACL-based DHCP Guard
- RA Guard
- NDP Inspection
- Device Tracking
Port ACL on an access port – For Your Reference:
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface GigabitEthernet1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
IPv6 First Hop Security (FHS) features:
• IPv6 Integrity Guard – Integrity protection for the FHS binding table; protection against IPv6 address theft; protection against MiM attacks
• IPv6 RA Guard – Protection against rogue or malicious Router Advertisements; protection against MiM & DoS attacks
• IPv6 DHCP Guard – Rejects invalid DHCP Offers
• IPv6 Source Guard – Validates the source address or prefix; protects against source address spoofing
• IPv6 Destination Guard – Validates the destination address of IPv6 traffic reaching the link; protects against scanning or DoS attacks
Conclusion, Q&A
• IPv6 is coming whether you want it or not! – and yes, it did take some time before that became a reality
• IPv4 & IPv6 will coexist for the foreseeable future
- No D-Day / Flag Day
• IPv6 is NOT a feature.
- It is about the fundamental IP network-layer model developed for end-to-end services and network transparency
• "Dual stack where you can, tunnel where you must"
• IPv4/IPv6 Translation (NAT64) as a transient solution
• Now is the time to build an IPv6 transition strategy for your IT infrastructure
- Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network, Security and Operations/Management
• Deploy it – at least in a lab – IPv6 won't bite
Please rate this session.
T-NET5