ipv6 workshop-tm-gd-va
Description: update to the IPv6 workshop. Version A (10 for the decimal crowd)
Transcript
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop
Tim Martin
CCIE #2020
Solutions Architect
Fall 2013
• BYOD and the Internet of Everything • IPv6 Addressing Deep Dive • IPv6 Security Concerns • IPv6 Securing the Access Layer • IPv6 Securing the Perimeter • IPv6 Deployment Strategies • Summary
[Chart: share of desktops, smart phones and tablets in use, by generation; figures shown on the slide: 89%, 10%, 1%, 23%, 36%, 26%, 75%, 22%]
• Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”
• 2016: GenY (the Millennials, 18-34) become the largest workforce segment
• 43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation - eMarketer
• 40% of GenY believe that blogging about workplace issues is acceptable - Iconoculture
• 24% of GenY say that technology use is what makes their generation unique - Pew Research
• 74% of GenY used a smartphone for work purposes in the last year, compared to 37 percent of Baby Boomers - CompTIA
[Slide: IPv6 adoption drivers] National IPv6 strategies, STEM, IPv4 address depletion, infrastructure evolution, IPv6 OS, content and applications. 2011: mandate; preferred by applications in W7, S2008, OSX; 4G, DOCSIS 3.0, CGN.
• Eliminate complexities associated with RFC 1918, NAT, ALG’s, CIDR
“I thought this (v4) was still an experiment and that if it worked we would then design a production version” - Vint Cerf
Router vendors
1.85% - Internet user traffic worldwide
Standards - Leadership in IP protocols within IETF & IPv6 development
Experience - Professional Services offering years of experience in IPv6
Solutions - Innovation, Feature Acceleration
Powers of two: 32,768 | 16,384 | 8,192 | 4,096 | 2,048 | 1,024 | 512 | 256 | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
340,282,366,920,938,463,463,374,607,431,768,211,456 (IPv6 address space: 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456)
vs 4,294,967,296 (IPv4 address space: 4 billion)
• Lots of talk about how big it is; it’s BIG, do NOT worry about waste
• Each /64 prefix contains 18 quintillion host addresses (18,446,744,073,709,551,616)
• Theoretical vs. practical deployment: still not an issue
[Figure: size comparison of Antares, the 15th brightest star in the sky, with our Sun]
[Figure: OSI layers: Physical, Data Link, Network, Transport, Session, Presentation, Application]
• IPv6 has a specific Ethernet Protocol ID
• IPv6 relies heavily on multicast
IPv4 frame: Destination Ethernet Address | Source Ethernet Address | 0x0800 | IPv4 Header and Payload
IPv6 frame: Destination Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and Payload
IPv6 multicast MAC: 33:33:xx:xx:xx:xx. Low bits of the first MAC octet: 0000 00IL, I bit = Local Admin, L bit = Multicast/Broadcast
IPv4 header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
• Length is constant in IPv6
• Fragmentation occurs in an extension header (EH)
• Options occur in an extension header (EH)
• UDP must have a valid checksum, unlike v4
• Upper-layer checksums use the pseudo-header format: SRC/DST address + Next Header
Packet layouts (Next Header values shown):
IPv6 header (V, Class, Flow, Len, Next Header 6, Hop, Source, Destination) | Upper Layer TCP Header | Payload
IPv6 header (Next Header 60) | Destination Options (Next Header 6) | Upper Layer TCP Header | Payload
IPv6 header (Next Header 0) | Hop-by-Hop (Next Header 60) | Destination Options (Next Header 6) | Upper Layer TCP Header | Payload
Extension header types (*order of appearance):
Hop-by-Hop Options 0
Routing Header 43
Destination Options 60
Fragment Header 44
ESP Header 50
Authentication Header 51
Destination Options 60
Mobility Header 135
• EH are daisy chained, processed in order
• Length is variable, must be on an 8-byte boundary, typically 24 bytes
• If HbH is present, it must be first and must be processed, likely in SW
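The chain walk the slide describes is what any IPv6-aware filter has to perform before it can see the transport header. The following is an added example, not code from the workshop or from Cisco: it parses a Next Header chain from raw bytes using the type values in the table above, stops at ESP (after which nothing is readable), and flags a Hop-by-Hop header that is not first. The packet builder, its 2001:db8:: addresses and its PadN filler are constructed for the demonstration.

```python
import struct
import ipaddress
from typing import List, Tuple

# Extension header types from the page's table (Next Header values).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {
    HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
    ESP: "ESP", AH: "Authentication", DEST_OPTS: "Destination Options", MOBILITY: "Mobility",
}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def walk_extension_headers(pkt: bytes) -> Tuple[List[str], str, List[str]]:
    """Follow the Next Header chain from the fixed 40-byte IPv6 header.

    Returns (extension header names in order, upper-layer protocol, warnings)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = pkt[6], 40
    chain, warnings = [], []
    while next_header in EXT_HEADERS:
        if next_header == HOP_BY_HOP and chain:
            warnings.append("Hop-by-Hop Options not first in chain")
        if next_header == ESP:
            # ESP encrypts everything after itself: the chain cannot be followed further.
            chain.append(EXT_HEADERS[ESP])
            return chain, "unknown (ESP-encrypted)", warnings
        if offset + 8 > len(pkt):
            warnings.append("truncated extension header")
            return chain, "unknown", warnings
        if next_header == FRAGMENT:
            hdr_len = 8                              # Fragment header is fixed at 8 bytes
        elif next_header == AH:
            hdr_len = (pkt[offset + 1] + 2) * 4      # AH: length in 32-bit words, minus 2
        else:
            hdr_len = (pkt[offset + 1] + 1) * 8      # others: (Hdr Ext Len + 1) * 8 bytes
        chain.append(EXT_HEADERS[next_header])
        next_header = pkt[offset]                    # first byte of every EH is Next Header
        offset += hdr_len
    return chain, UPPER_LAYER.get(next_header, f"protocol {next_header}"), warnings


def build_packet(ext_types: List[int], upper: int = 6) -> bytes:
    """Constructed sample packet (not a capture): fixed header, then one minimal 8-byte
    extension header per entry of ext_types, then 20 zero bytes standing in for the
    upper-layer header. Addresses are documentation-prefix placeholders."""
    types = ext_types + [upper]
    body = b""
    for i in range(len(ext_types)):
        # byte 0 = Next Header of the following header, byte 1 = Hdr Ext Len 0 (8 bytes),
        # remaining six bytes are filler (a PadN option for the options headers)
        body += bytes([types[i + 1], 0]) + b"\x01\x04\x00\x00\x00\x00"
    body += b"\x00" * 20
    src = ipaddress.IPv6Address("2001:db8::a").packed
    dst = ipaddress.IPv6Address("2001:db8::b").packed
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(body), types[0], 64, src, dst)
    return fixed + body
```

Run over the third layout from the slide, `walk_extension_headers(build_packet([HOP_BY_HOP, DEST_OPTS]))` returns the two header names and TCP with no warnings; swapping the two headers produces the Hop-by-Hop warning, which is the kind of chain a filter should refuse rather than try to interpret.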
ICMPv6 header: Type | Code | Checksum | Data. IPv6 basic header Next Header = 58 (not 1 as for ICMP)
• Used for Neighbor Discovery, Router Discovery, Path MTU Discovery and MLD
• Type: (1-127) = Error Messages, (128-255) = Informational Messages
• Code: more granularity within the Type
• Checksum: computed over the entire ICMPv6 message
• Data: returns the original header (8 bytes), then fills up to the minimum MTU (1280)
• Will break the ICMP error message rule (by responding for multicast)
• Must set ALL interfaces to 1280 MTU if you disallow PTB at your FW
Path MTU Discovery example (Source - MTU 1500 - MTU 1500 - MTU 1400 - MTU 1300 - Destination):
Packet, MTU=1500
ICMPv6 Packet Too Big, Use MTU=1400
Packet, MTU=1400
ICMPv6 Type 2 PTB, Use MTU=1300
Packet, MTU=1300
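The exchange above, and the failure mode behind the “set everything to 1280” advice, as an added simulation that is not part of the workshop material: a source sends a packet across a list of link MTUs; each router whose next link is too small returns a Packet Too Big with its MTU and the source retries at that size. When the firewall drops PTB messages the source never learns the smaller MTU and the packet is black-holed, unless it was already at the IPv6 minimum of 1280. The link MTU list and packet sizes are constructed inputs.

```python
from typing import List, Tuple

IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this, so it is the safe fallback


def path_mtu_discovery(link_mtus: List[int], packet_size: int,
                       ptb_allowed: bool = True, max_rounds: int = 10) -> Tuple[bool, List[int]]:
    """Simulate a source sending packet_size bytes over the links in link_mtus, in path order.

    A router whose outgoing link is smaller than the packet answers with ICMPv6 type 2
    (Packet Too Big) carrying that link's MTU, and the source retries at that size.
    With ptb_allowed=False the PTB is filtered and the source is never told anything.
    Returns (delivered, sizes the source tried in order)."""
    tried: List[int] = []
    size = packet_size
    for _ in range(max_rounds):
        tried.append(size)
        # the first hop along the path whose link cannot carry the packet
        blocking = next((mtu for mtu in link_mtus if mtu < size), None)
        if blocking is None:
            return True, tried            # every hop could forward it
        if not ptb_allowed:
            return False, tried           # PTB dropped at the firewall: silent black hole
        size = blocking                   # "Packet Too Big, use MTU=<blocking>"
    return False, tried                   # path keeps shrinking beyond max_rounds


def safe_without_ptb(link_mtus: List[int]) -> int:
    """Largest packet that reaches the far end even if no PTB ever comes back:
    the IPv6 minimum, which every link on the path is required to support."""
    assert all(mtu >= IPV6_MIN_MTU for mtu in link_mtus), "a link below 1280 is not valid IPv6"
    return IPV6_MIN_MTU
```

With the slide's path `[1500, 1500, 1400, 1300]` the source converges in two PTB rounds; with PTB filtered it tries 1500 once and the packet vanishes, which is the symptom (large transfers hang, small ones work) that usually gets reported as “IPv6 is broken”.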
IPv6 address family:
• Unicast: Global, Unique Local, Link Local, Special, Embedded
• Anycast
• Multicast: Assigned, Solicited Node
*IPv6 does not use broadcast addressing
• IPv6 addresses are 128 bits long, segmented into 8 groups of 16 bits separated by (:), 32 HEX characters - CAsE DoEs not mAttEr
• It’s a prefix, not a mask; no more 255.255.255.0
• Word, Quad or mouthful?..
Format: NNNN:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
Network portion = Global Routing Prefix (NNNN:NNNN:NNNN) + Subnet ID (SSSS); Host portion = HHHH:HHHH:HHHH:HHHH
• Recommended allocations: Consumer, SMB /56, /60, /64; Municipal Government, Enterprise, Single AS /48; State Governments, Universities (LIR) /32, /36, /40, /44, /48
• Request process: Addressing Plan, Site Count; IPv4 Allocation, Multi-homed ISP; Point of Contact, Org ID; Submit, Verify; Review, Officer Certification; Approval, Fees Paid, Assignment
[Figure: allocation hierarchy. Provider Aggregatable (PA): IANA 2000::/3 -> Registries /12 -> ISP /32 -> Org /48. Provider Independent (PI): IANA 2000::/3 -> Registries /12 -> ARIN /32 -> Level Four Entity /48]
• Leading 0’s can be omitted
• The double colon (::) can appear only once
Full format: 2001:0DB8:0000:0000:0000:0000:1E2A:00A4
Abbreviated formats: 2001:DB8:0:0:0:0:1E2A:A4 and 2001:DB8::1E2A:A4
Link-Local - Non-routable, exists on a single layer 2 domain (FE80::/64): FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-Local - Routable within the administrative domain (FC00::/7): FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global - Routable across the Internet (2000::/3): 2NNN:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
Address assignment, similar to IPv4: Manually configured; Assigned via DHCP
New in IPv6: StateLess Address AutoConfiguration (SLAAC) with EUI-64; SLAAC Ephemeral Addressing (pseudo-random)
*Secure Neighbor Discovery (SeND)
EUI-64 derivation from MAC 00 90 27 17 FC 0F (OUI 00 90 27, Device Identifier 17 FC 0F):
1. Insert FF FE between OUI and device identifier: 00 90 27 FF FE 17 FC 0F
2. Flip the U bit of the first octet (0000 00U0; U = 1 = Unique, 0 = Not Unique; the U bit must be flipped): 02 90 27 FF FE 17 FC 0F
• Temporary or ephemeral addresses for client applications (web browser)
• Random 64-bit interface ID, then run DAD before using it
• Enabled by default in Windows, Android, iOS 4.3, Mac OS/X 10.7
Recommendation: good for the consumer, but not for your organization/corporate networks (troubleshooting and trace back)
[Figure: 2001:DB8 (/32), site (/48) and subnet (/64) boundaries followed by a randomly generated interface ID (0000 1234 shown)]
C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  -----------------------------
Temporary  Preferred  6d21h48m47s   21h46m        2002:500e:2301:1:bd86:eac2:f5f1:39c1
Public     Preferred  29d23h58m25s  6d23h58m25s   2002:500e:2301:1:202:8a34:bead:a136
Link       Preferred  infinite      infinite      fe80::202:8a34:bead:a136

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ---------------------
no       Autoconf  8    2002:500e:2301:1::/64     5    Local Area Connection
no       Autoconf  256  ::/0                      5    fe80::20d:bdff:fe87:f6f9
Windows 7 uses pseudo-random by default. Mac OSX uses EUI. iPad & iPhone generate a new temporary address per association
• Functionality is to assess reachability of neighbors
• Maps Layer 3 IPv6 address to Layer 2 MAC address
• LINK OPERATIONS (control plane)
• Neighbor discovery messages: Router solicitation (ICMPv6 type 133), Router advertisement (ICMPv6 type 134), Neighbor solicitation (ICMPv6 type 135), Neighbor advertisement (ICMPv6 type 136), Redirect (ICMPv6 type 137)
IPv4 -> IPv6 equivalents: ARP Request -> Neighbor Solicitation; Broadcast -> Solicited Node Multicast; ARP Reply -> Neighbor Advertisement; Unicast -> Unicast
NDP in IPv6 covers RA, RS, NS, NA, Redirects, NUD and DAD
• Router solicitations (RS) are sent by nodes at bootup
• Host needs an RA to finish building its addresses
RS: ICMP Type 133, IPv6 Source Link Local (FE80::A), IPv6 Destination All Routers Multicast (FF02::2), Option SRC Link Layer Address
RA: ICMP Type 134, IPv6 Source Link Local (FE80::2), IPv6 Destination FE80::A, Data: Options, subnet prefix, lifetime, autoconfig flag
[Figure: host A sends the RS, the router answers with the RA]
• M-Flag - Stateful DHCP to acquire an IPv6 address
• O-Flag - Stateless DHCP in addition to SLAAC
• H-Flag - Mobile IP home agent
• Preference bits - Low, Med, High
• Router Lifetime - Must be >0 for Default (1800-9000)
• Options - Prefix Information, Prefix Length
• L bit - Only way a host gets an on-link prefix
• A bit - MUST be set to 0 for DHCP to work properly
RA format: type = 134 | code = 0 | checksum | hop limit | M|O|H|pref | router lifetime | reachable time | retransmit timer | options (variable)
Decoded RA:
Type: 134 (RA)
Code: 0
Checksum: 0xff78 [correct]
Cur hop limit: 64
Flags: 0x84
  1... .... = Managed (M flag)
  .0.. .... = Not other (O flag)
  ..0. .... = Not Home (H flag)
  ...0 1... = Router pref: High
Router lifetime: 1800
Reachable time: 60000
Retrans timer: 1000
ICMPv6 Option 3 (Prefix Info)
  Prefix length: 64
  Flags: 0x80
    1... .... = On link (L Bit)
    .0.. .... = No Auto (A Bit)
  Prefix: 2001:0db8:4646:1234::
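The decode above, as an added example that is not part of the workshop: a parser for the ICMPv6 Router Advertisement fixed part and its Prefix Information options (field layout per RFC 4861, the preference bits per RFC 4191), plus the consistency check the slide's last two bullets imply: when M=1 says “use DHCPv6”, every prefix should carry A=0. The sample RA is constructed to match the slide's values (M set, preference High, lifetime 1800, 2001:db8:4646:1234::/64 with L=1 and A=0); its checksum is left at zero because it is never sent.

```python
import struct
import ipaddress
from typing import Any, Dict, List

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3


def parse_router_advertisement(icmp: bytes) -> Dict[str, Any]:
    """Decode an ICMPv6 RA; icmp is the message that follows the IPv6 header."""
    if len(icmp) < 16:
        raise ValueError("RA shorter than its 16-byte fixed part")
    msg_type, code, _checksum, cur_hop_limit, flags, router_lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {msg_type}, code {code})")
    pref_bits = (flags >> 3) & 0x3           # Prf field: bits 4-3 of the flags octet
    pref = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}[pref_bits]
    ra: Dict[str, Any] = {
        "hop_limit": cur_hop_limit,
        "M": bool(flags & 0x80),             # Managed: stateful DHCPv6 for addresses
        "O": bool(flags & 0x40),             # Other: stateless DHCPv6 for options only
        "H": bool(flags & 0x20),             # Home agent (Mobile IPv6)
        "preference": pref,
        "router_lifetime": router_lifetime,  # 0 means "do not use me as default router"
        "default_router": router_lifetime > 0,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_units = icmp[off], icmp[off + 1]
        if opt_units == 0:
            raise ValueError("option with zero length")   # RFC 4861: packet must be discarded
        opt = icmp[off:off + opt_units * 8]
        if opt_type == OPT_PREFIX_INFO and len(opt) == 32:
            plen, pflags = opt[2], opt[3]
            valid, preferred = struct.unpack("!II", opt[4:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                "L": bool(pflags & 0x80),    # on-link: hosts may send directly to this prefix
                "A": bool(pflags & 0x40),    # autonomous: hosts may SLAAC an address from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += opt_units * 8
    return ra


def check_dhcpv6_consistency(ra: Dict[str, Any]) -> List[str]:
    """The slide's rule: with M=1 every prefix must have A=0, or hosts SLAAC anyway."""
    issues = []
    if ra["M"]:
        issues += [f"M=1 but prefix {p['prefix']} has A=1 (SLAAC still on)"
                   for p in ra["prefixes"] if p["A"]]
    if not ra["default_router"]:
        issues.append("router lifetime 0: hosts will not install this router as default")
    return issues


def sample_ra() -> bytes:
    """Constructed RA (not a capture) matching the slide: M=1, Prf=High, lifetime 1800,
    prefix 2001:db8:4646:1234::/64 with L=1, A=0. Lifetimes are arbitrary sample values."""
    flags = 0x80 | (0b01 << 3)               # M set, Prf = 01 (High)
    fixed = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 60000, 1000)
    prefix = ipaddress.IPv6Address("2001:db8:4646:1234::").packed
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0x80, 2592000, 604800, 0) + prefix
    return fixed + pio
```

`check_dhcpv6_consistency(parse_router_advertisement(sample_ra()))` returns an empty list for the slide's RA; flip the prefix flags byte to 0xC0 (L and A both set) and it reports that SLAAC is still active despite M=1, which is the misconfiguration that quietly hands out two addresses per host.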
• Probe neighbors to verify address uniqueness (DAD)
NS: ICMP Type 135, IPv6 Source UNSPEC = ::, IPv6 Destination A’s Solicited Node Multicast FF02::1:FF00:A, Data FE80::A, Query: Anyone using A?
[Figure: A sends the NS; neighbors B and C stay silent] Node A can start using address A
• For each unicast and anycast address configured there is a corresponding solicited-node multicast address
• Multicast for resolution, unicast for reachability
• Solicited-node multicast consists of FF02::1:FF/104 + {lower 24 bits from the IPv6 unicast interface ID}
Unicast: 2001 0DB8 1234 0001 0200 CAFF FE17 FC0F
Solicited-node: FF02 0000 0000 0000 0000 0001 FF17 FC0F
Ethernet multicast uses the last 32 bits: 33 33 FF 17 FC 0F
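The EUI-64 derivation on the earlier slide and the solicited-node mapping above are two ends of one chain, so this added example (not code from the workshop) walks the whole of it: MAC to modified EUI-64 interface ID, interface ID plus a /64 prefix to the link-local or global address, address to its solicited-node group, and group to the 33:33 Ethernet MAC. It also reverses EUI-64 back to the MAC, which is what the slide's “troubleshooting and trace back” argument relies on. The MACs and prefixes are the ones on the slides.

```python
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: split in half, insert FF FE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(" ", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # bit 1 of the first octet (the slide's "U bit")
    return bytes(eui)


def eui64_to_mac(iid: bytes) -> str:
    """Reverse: recover the MAC from an EUI-64 interface ID (only works if FF FE is present)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 interface identifier")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """/64 prefix (link-local FE80::/64 or a global one) + 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC builds addresses from a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def multicast_mac(group: str) -> str:
    """Ethernet mapping of an IPv6 multicast group: 33:33 + low 32 bits of the group."""
    low32 = ipaddress.IPv6Address(group).packed[12:]
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + low32)


def slaac_summary(mac: str, global_prefix: str) -> dict:
    """Everything a host with this MAC will put on the wire for one /64 (the slide's chain)."""
    iid = mac_to_eui64(mac)
    lla = address_from_prefix("fe80::/64", iid)
    gua = address_from_prefix(global_prefix, iid)
    snm = solicited_node(str(gua))
    return {"eui64": iid.hex(), "link_local": str(lla), "global": str(gua),
            "solicited_node": str(snm), "ethernet_group": multicast_mac(str(snm)),
            "same_snm_for_both": solicited_node(str(lla)) == snm}
```

For the slide's MAC 00:90:27:17:FC:0F the interface ID comes out as 0290:27ff:fe17:fc0f; for 2001:db8:1234:1:200:caff:fe17:fc0f the solicited-node group is ff02::1:ff17:fc0f and the frame goes to 33:33:ff:17:fc:0f. Because the link-local and global addresses share the low 24 bits, one solicited-node group serves both, which is the footnote on the router output that follows.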
R1#sh ipv6 int e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:0:1234::1, subnet is 2001:DB8:0:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
Solicited-Node Multicast Addresses*: FF02::1:FF00:1 and FF02::1:FF3A:8B18
*If the EUI format is used then the first solicited-node multicast address is used for both the LL & GU
NS: ICMP Type 135, IPv6 Source FE80::A, IPv6 Destination B’s Solicited Node Multicast FF02::1:FF00:B, Target Address 2001:db8:1:46::B, Code 0 (need link layer), Query: What is B’s link layer address?
NA: ICMP Type 136, IPv6 Source FE80::B, IPv6 Destination FE80::A, Target Type 2, Data: Link Layer address of B. *Flags: R = Router, S = Response to Solicitation, O = Override cache information
• Local link only, not routed
• ARP replacement, maps L3 to L2
• Multicast for resolution, unicast for reachability
Neighbors are only considered “reachable” for 30 seconds. “Stale” indicates that we MAY need to send an NS packet.
• Prefix FF00::/8: 8-bit 1111 1111 | 4-bit flags 0RPT | 4-bit scope | 112-bit group ID (variable format)
Flags: R = 0 no embedded RP, R = 1 embedded RP; P = 0 without prefix, P = 1 address based on prefix; T = 0 well-known address (IANA assigned), T = 1 temporary address (locally assigned)
Scope: 1 Node, 2 Link, 3 Subnet, 4 Admin, 5 Site, 8 Organization, E Global
• Every unicast prefix can build custom multicast addresses
• Last 32 bits of the unicast address are mapped into the Group ID (112 bits)
Layout: 8 bits 1111 1111 | 4 bits flags 0 0 1 1 | 4 bits scope 1110 | 8 bits Rsvd | 8 bits plen | 64 bits Unicast Prefix | 32 bits Group ID
Example: plen 40 = 64 bits, Prefix 2001:db8:cafe:1::, Group ID 11d7:4cd3 -> FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3
Embedded RP:
• Static mapping of the RP into the multicast group
• Solves MSDP and scaling issues
Layout: 8 bits 1111 1111 | 4 bits flags 0 1 1 1 | 4 bits scope 1110 | 4 bits Rsvd | 4 bits RPid | 8 bits plen | 64 bits Unicast Prefix | 32 bits Group ID
Example: Rsvd/RPid 0000 | 0101, Prefix 2001:db8:cafe:1::, Group ID 645 -> FF7E:0540:2001:DB8:CAFE:1:0000:0645 = FF7E:540:2001:db8:cafe:1::645, RP address 2001:db8:cafe:1::5
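The three slides above (multicast address format, unicast-prefix-based groups, embedded RP) share one bit layout, so this added example (not code from the workshop) covers all three: `unicast_prefix_multicast` builds an RFC 3306 group, or an RFC 3956 embedded-RP group when an RPid is given, and `decode_multicast` splits any FF00::/8 address back into flags, scope, prefix, group ID and, for R=1, the RP address. The scope names are the ones from the slide; the example values are the slide's.

```python
import ipaddress
from typing import Any, Dict, Optional

SCOPES = {1: "Node", 2: "Link", 3: "Subnet", 4: "Admin", 5: "Site", 8: "Organization", 0xE: "Global"}


def decode_multicast(addr: str) -> Dict[str, Any]:
    """FF00::/8 address -> flags (0RPT), scope, group ID; embedded prefix and RP when present."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in FF00::/8")
    p = a.packed
    flags, scope = p[1] >> 4, p[1] & 0xF
    info: Dict[str, Any] = {
        "R": bool(flags & 0x4),             # embedded RP (RFC 3956)
        "P": bool(flags & 0x2),             # unicast-prefix-based (RFC 3306)
        "T": bool(flags & 0x1),             # transient (locally assigned)
        "scope": SCOPES.get(scope, f"unassigned ({scope:X})"),
        "group_id": p[2:].hex(),            # full 112-bit field
    }
    if info["P"]:
        rp_id, plen = p[2] & 0xF, p[3]      # byte 2 = Rsvd(4) | RPid(4), byte 3 = plen
        net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(p[4:12] + bytes(8))}/{plen}", strict=False)
        info.update({"plen": plen, "unicast_prefix": str(net), "group_id": p[12:].hex()})
        if info["R"]:
            # RFC 3956: the RP is the embedded prefix with interface ID = RPid
            rp = net.network_address.packed[:8] + bytes(7) + bytes([rp_id])
            info["rp"] = str(ipaddress.IPv6Address(rp))
    return info


def unicast_prefix_multicast(prefix: str, group_id: int, scope: int = 0xE,
                             rp_id: Optional[int] = None) -> str:
    """Build FF3S:00pp:<prefix>:<group> (flags 0011) or FF7S:0Rpp:<prefix>:<group> (flags 0111)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("plen must be <= 64; the prefix field is 64 bits")
    if not 0 <= group_id <= 0xFFFFFFFF:
        raise ValueError("group ID is 32 bits")
    if rp_id is not None and not 0 <= rp_id <= 0xF:
        raise ValueError("RPid is 4 bits")
    flags = 0b0011 if rp_id is None else 0b0111
    head = bytes([0xFF, (flags << 4) | scope, rp_id or 0, net.prefixlen])
    body = net.network_address.packed[:8] + group_id.to_bytes(4, "big")
    return str(ipaddress.IPv6Address(head + body))
```

For the slide's prefix 2001:db8:cafe:1::/64 and group 0x11d74cd3 the builder returns ff3e:40:2001:db8:cafe:1:11d7:4cd3; with `rp_id=5` and group 0x645 it returns ff7e:540:2001:db8:cafe:1:0:645, and decoding that recovers RP 2001:db8:cafe:1::5. The decoder is the useful half for a defender: a group address seen on the wire tells you which unicast prefix, and which RP, it claims to belong to.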
Address | Scope | Meaning
FF01::1 | Node-Local | This Node
FF05::2 | Site-Local | All Routers
FF02::1 | Link-Local | All Nodes
FF02::2 | Link-Local | All Routers
FF02::5 | Link-Local | OSPFv3 Routers
FF02::6 | Link-Local | OSPFv3 DR Routers
FF02::9 | Link-Local | RIPng
FF02 is a permanent address and has link scope
Used for link operations, routing protocols, streaming services
• MLD uses LL source addresses
• 3 message types: Query, Report, Done
• MLD packets use “Router Alert” in HBH
• MLDv1 = (*,G) shared, MLDv2 = (S,G) source
• MLD snooping
MLD | IGMP | Message Type | ICMPv6 Type | Function
MLDv1 (RFC 2710) | IGMPv2 (RFC 2236) | Listener Query | 130 | Used to find out if there are any multicast listeners
MLDv1 (RFC 2710) | IGMPv2 (RFC 2236) | Listener Report | 131 | Response to a query, joins a group
MLDv1 (RFC 2710) | IGMPv2 (RFC 2236) | Listener Done | 132 | Sent by node to report it has stopped listening
MLDv2 (RFC 3810) | IGMPv3 (RFC 3376) | Listener Query | 130 | Used to find out if there are any multicast listeners
MLDv2 (RFC 3810) | IGMPv3 (RFC 3376) | Listener Report | 143 | Enhanced reporting, multiple groups and sources
• Hosts send an MLD report to alert the router that they wish to join a multicast group
• Router then joins the tree to the source or RP
MLD Report (A): ICMP Type 131, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination FF38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header: Router Alert Yes
MLD Report (B): ICMP Type 131, IPv6 Source fe80::250:8bff:fe55:78de, IPv6 Destination FF38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header: Router Alert Yes
[Figure: hosts A (fe80::209:5bff:fe08:a674) and B (fe80::250:8bff:fe55:78de) each report “I wish to receive ff38::276” to router C (fe80::207:85ff:fe80:692), which joins the (S, G) tree toward the source for multicast ff38::276]
MLD Done (A): ICMP Type 132, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination FF02::2 (All routers), Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header: Router Alert Yes
MLD Query (C): ICMP Type 130, IPv6 Source fe80::207:85ff:fe80:692, IPv6 Destination FF38::276, Hop Limit 1, Hop-by-Hop Header: Router Alert Yes
MLD Report (B): ICMP Type 131, IPv6 Source fe80::250:8bff:fe55:78de, IPv6 Destination FF38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header: Router Alert Yes
[Figure: A (fe80::209:5bff:fe08:a674) sends MLD Done, “I wish to leave ff38::276”; router C (fe80::207:85ff:fe80:692) sends a group-specific MLD Query; B (fe80::250:8bff:fe55:78de) answers with an MLD Report, “I am watching ff38::276”]
• MLDv2 Report: destination FF02::16, ICMPv6 type 143
• Group Specific Query: FF38::4000:BA11, ICMPv6 type 130
• Group & Source Specific Query: 2001:DB8:CAFE::1, FF38::4000:BA11
• Leaving a group in MLDv2: ignore the query (silent); Filter mode Change Record (report)
MLD Report (A): ICMP Type 143, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination FF02::16, Hop Limit 1, # of Records, Include/exclude, Group Address FF38::4000:BA11, Hop-by-Hop Header: Router Alert Yes
[Figure: A (fe80::209:5bff:fe08:a674) reports “I wish to receive FF38::4000:BA11” and the router joins the (S, G) tree toward the source for multicast FF38::4000:BA11]
• Loopback 0:0:0:0:0:0:0:1=> ::1
• Unspecified address 0:0:0:0:0:0:0:0=> 0::0 => :: => ::/128
• Documentation Prefix 2001:0DB8::/32
• Discard Prefix 0100::/64
• 6to4 Automatic Tunneling 2002::/16
• Default Route ::/0
• IPv4 Compatible: 0:0:0:0:0:0:A.B.C.D/96, e.g. 0:0:0:0:0:0:192.168.30.1 = ::C0A8:1E01. Used by IPv6-aware devices, now deprecated
• IPv4 Mapped: 0:0:0:0:0:FFFF:A.B.C.D/96, e.g. 0:0:0:0:0:FFFF:192.168.30.1 = ::FFFF:C0A8:1E01. Used in automatic tunneling by a device with no IPv6 knowledge
[Figure: IPv4 host - IPv6 Internet - IPv6 network]
• Uses the same address in multiple locations
• Must not be used as a source address
• Router is configured for /64, host is configured /128
• Routers use the metric of the routing protocol to determine the closest device
[Figure: DNS1, DNS2 and DNS3 all use anycast address 2001:db8:aa::21; the client’s router sees 2001:db8:aa:: at cost 10, 20 and 30 and picks DNS1, the closest metric]
[Figure: hosts A and B on 2001:db8:C18:2::/64 with routers R1 and R2]
Packet: IPv6 Source B, IPv6 Dest. 2001:db8:c18:2::1, ULP variable
Redirect: ICMP Type 137, IPv6 Source Link Local (R2), IPv6 Dest. B, Data: Use Link Local (R1)
• Cannot be used if the destination is multicast
• Hosts should not send redirects
• Should be turned off on routed links
HSRP for IPv6
• Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
• Virtual MAC derived from HSRP group # and virtual IPv6 LLA
[Figure: HSRP Active and HSRP Standby routers]
Neighbor Unreachability Detection
• For rudimentary HA at the first hop
• Hosts use the NUD “reachable time” (RA reach-time) to cycle to the next known default GW
GLBP for IPv6
• Modification to Neighbor Advertisement; the Default Gateway is announced via RA’s from the Virtual MAC
• Active Virtual Gateway (AVG) assigns MAC’s, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)
[Figure: two GLBP routers, each AVG/AVF]
Default Gateway . . . . . . . . . : 10.121.10.1 fe80::211:bcff:fec0:d000%4 fe80::211:bcff:fec0:c800%4
DHCP Messages | IPv4 | IPv6
Initial Message Exchange | 4-way handshake | 4-way handshake
Message Types | Broadcast, Unicast | Multicast, Unicast
Client -> Server (1) | DISCOVER | SOLICIT
Server -> Client (2) | OFFER | ADVERTISE
Client -> Server (3) | REQUEST | REQUEST
Server -> Client (4) | ACK | REPLY
• FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
• FF05::1:3 = All DHCP Servers (site-local scope)
• Clients listen on UDP port 546; servers/relays on UDP port 547
• Rapid Commit: 2-packet exchange. Assignment of options (O flag)
• ipv6 dhcp relay destination replaces ip helper-address
Function | IPv4 | IPv6
Hostname to IP Address | A Record: www.abc.test. A 192.168.30.1 | AAAA Record (Quad A): www.abc.test. AAAA 2001:db8:C18:1::2
IP Address to Hostname | PTR Record: 1.30.168.192.in-addr.arpa. PTR www.abc.test. | PTR Record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
[Figure: dual-stack DNS server reachable at 192.168.0.3 (IPv4) and 2001:db8:1::1 (IPv6); zone entries www IN A 192.168.0.3 and www IN AAAA 2001:db8:1::1]
• AAAA = easy, PTR = messy!
• Draft RFC 6106, RA Option 25
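“PTR = messy” because the ip6.arpa name is every nibble of the fully expanded address in reverse. The following added example (not code from the workshop) builds the in-addr.arpa and ip6.arpa names for the records above, parses an ip6.arpa name back into an address so a reverse zone can be audited, and computes the zone apex for delegating a prefix. Only the standard library is used; the addresses are the slide's.

```python
import ipaddress


def in_addr_arpa_name(addr: str) -> str:
    """IPv4 reverse name: octets reversed, dot separated, plus in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ip6_arpa_name(addr: str) -> str:
    """IPv6 reverse name: all 32 nibbles of the expanded address, reversed, plus ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_ip6_arpa(name: str) -> str:
    """Parse a PTR owner name back to its address (compressed, lower-case form)."""
    name = name.rstrip(".").lower()
    suffix = ".ip6.arpa"
    if not name.endswith(suffix):
        raise ValueError("not an ip6.arpa name")
    nibbles = name[: -len(suffix)].split(".")
    if len(nibbles) != 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("ip6.arpa owner name must consist of 32 single hex nibbles")
    hexstr = "".join(reversed(nibbles))
    return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))


def reverse_zone_for(prefix: str) -> str:
    """Zone apex for the reverse of a prefix; delegation only works on nibble boundaries."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("reverse delegation needs a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"
```

`ip6_arpa_name("2001:db8:C18:1::2")` reproduces the 32-nibble owner name in the table, and `address_from_ip6_arpa` of that name returns `2001:db8:c18:1::2`; the round trip is a cheap check to run over a generated reverse zone before publishing it. The /4 requirement in `reverse_zone_for` is why odd prefix lengths such as /46 cannot be delegated cleanly.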
Fast0/0
interface FastEthernet0/0
 ip address 10.151.1.1 255.255.255.0
 ipv6 enable
(Link Local only)

ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
 ipv6 access-class VTY in
(Best to secure me)

ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 10.151.1.1 255.255.255.0
 ipv6 address 2006:1::1/64
 ipv6 nd managed-config-flag
(I am a router now: routable IPv6, control of RA’s)
1995: RFC 1883. 2013: IPv6
Is IPv6 (a teenager) really ‘better and more secure’?…
• Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
• Your network: does not run IPv6
• Your assumption: I’m safe
• Reality: you are not safe. An attacker sends Router Advertisements, your host silently configures IPv6, and you are now under IPv6 attack
• => Probably time to think about IPv6 in your network
• Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding: flooding attacks are identical between IPv4 and IPv6
• Public servers will still need to be DNS reachable; more information is collected by Google...
• Port scan of 18 quintillion addresses from a 40G link: ~5,000 years
• Using peer-to-peer clients gives IPv6 addresses of peers
• Administrators should not adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, :ABBA:BABE or simply the IPv4 last octet for dual stack)
• Social engineering, enumeration through DNS, EUI-64 could reduce the scope
[Figure: amplification attack, attempt to overwhelm the destination: ICMP REQ D=160.154.5.255 (directed broadcast for 160.154.5.0) S=172.18.1.2; every host on the segment answers with ICMP REPLY D=172.18.1.2 from S=160.154.5.14, .15, .16, .17, .18, .19 ...]
• Broadcast address functionality is replaced with appropriate link-local multicast addresses: Link Local All Nodes Multicast FF02::1, Link Local All Routers Multicast FF02::2, Link Local All mDNS Multicast FF02::FB
• Hosts “SHOULD” reply to a multicast echo request. Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim
http://iana.org/assignments/ipv6-multicast-addresses/
• RFC 4443 ICMPv6, Section 2.4 (e.3): an ICMP error message MUST NOT be generated in response to a packet with a multicast destination address
Exceptions for Section 2.4 (e.3): Packet Too Big message (fragmentation needed); Parameter Problem message (where an OS may not understand an EH)
ICMP information messages (echo reply) SHOULD be generated even if the destination is multicast
• Rate limit egress ICMP packets
• Rate limit ICMP message generation
• Secure the multicast network (source specific multicast)
• Note: implement ingress filtering of packets with IPv6 multicast source addresses
• Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim
• Viruses - involve “human” interaction to propagate
• Worms - spread by scanning for vulnerable hosts from an infected host
• Other worms: IPv4 relies on network scanning; in IPv6 that is not so easy => they will use alternative techniques
• (W32/Sdbot-VJ) Spyware hiding as “wipv6.exe”
Worm developers will adapt to IPv6. IPv4 best practices around worm detection and mitigation remain valid
Scanning made bad for CPU: remote neighbor cache exhaustion
• Potential router CPU/memory attacks if aggressive scanning: the router will do Neighbor Discovery for each probed address... and waste CPU and memory. Similar attack on the local LAN
[Figure: a remote scan of 2001:db8::/64 makes the router 2001:db8::1 send NS for 2001:db8::1, ::2, ::3, ... over and over]
• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 6434: “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows... Interesting scalability issue (n² issue with IPsec); need to trust endpoints and end-users because the network cannot secure the traffic; network telemetry is blinded: NetFlow of little use; network services hindered: what about QoS?
Recommendation: reserve IPsec for residential or hostile environments or high-profile targets, EXACTLY as for IPv4
• ARP is replaced by Neighbor Discovery Protocol: nothing authenticated, static entries overwritten by dynamic ones
• Stateless Address Autoconfiguration: rogue RA (malicious or not)
• Attack tools are real! parasite6, fake_router6, alive6, Scapy6 …
[Figure: identity-centric access control: a centralized policy engine with business-relevant policies evaluates WHO, WHAT, WHERE, WHEN and HOW (e.g. an Employee on a switchport) and drives dynamic policy & enforcement: security policy enforcement, application controls, monitoring and reporting, security policy attributes]
• Each device has an RSA key pair
• Ultra-light check for validity
[Figure: Cryptographically Generated Address: SHA-1 over the CGA parameters (Modifier, Public Key, Subnet Prefix) yields the Interface Identifier; Subnet Prefix + Interface Identifier = the CGA; SeND messages carry the CGA parameters and a signature made with the private key]
SeND router authorization (Router R, host, Certificate Authority CA0):
1. Certificate Authority certificate C0 (trusted by the host)
2. Router certificate request to CA0
3. Router certificate CR issued to R
4. Certificate Path Solicit (CPS) from the host: I trust CA0, who are you?
5. Certificate Path Advertise (CPA) from R: I am R, this is my certificate CR
6. Host verifies CR against CA0
7. Host starts using R as default gateway (Router Advertisement)
• Most OS’s do NOT support it (Vista, 2007/8, OSX, iOS, Android)
• Microsoft Windows: deploy a Group Policy Object (GPO)
• Alternatively, disable stateless auto-configuration and force DHCPv6: send Router Advertisements with all prefixes with the A-bit set to 0 (disable SLAAC) and the M flag set to 1 to force stateful DHCPv6. Use DHCP to a specific pool + ingress ACL allowing only this pool
For Your Reference
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
interface fastEthernet 0/0
 ipv6 nd prefix default no-autoconfig
 ipv6 dhcp server . . . (or relay)
 ipv6 nd managed-config-flag
• Catalyst Integrated Security Features (CISF)
• Dug Song - dsniff
• Port Security
IPv6 First Hop Security (FHS) features, built on IPv6 Snooping:
Core features:
• RA Guard - Protection: rogue or malicious RA, MITM attacks
• DHCPv6 Guard - Protection: invalid DHCP offers, DoS attacks, MITM attacks
Advanced features:
• Source/Prefix Guard - Protection: invalid source address, invalid prefix, source address spoofing
• Destination Guard - Protection: DoS attacks, scanning, invalid destination address
Scalability & performance:
• RA Throttler - Reduces control traffic necessary for proper link operations to improve performance
• ND Multicast Suppress - Facilitates scale by converting multicast traffic to unicast
• Attacker spoofs a Router Advertisement with a false on-link prefix
• Incoming packets can't reach the victim
• The most frequent threat, by a non-malicious user
[Figure: legitimate RA from B: Src = B’s link-local address, Dst = All-nodes, Options = prefix 2001:db8. Rogue RA from C: Src = B’s link-local address (spoofed), Dst = All-nodes, Options = prefix BAD. Host A computes BAD::A, runs DAD on it and deprecates 2001:db8::A; A then sources off-link traffic to B with BAD::A and B filters out BAD::A]
• Flooding RA’s overwhelms the system: OSX, iPad, MSFT, Android
[Figure: router B advertises the legitimate prefix while attacker C floods the link with RAs for prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6 ...]
• Attacker spoofs a Router Advertisement with a false on-link prefix
• MITM, splash screen, capture
[Figure: legitimate RA from B: Src = B’s link-local address, Dst = All-nodes, Options = prefix 2001:0db8. Rogue RA from C: Src = B’s link-local address (spoofed), Dst = All-nodes, Options = prefix BAD]
Mitigating rogue RAs
• Port ACL blocks all ICMPv6 RAs from hosts:
ipv6 access-list ACCESS_PORT
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
• RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port
interface FastEthernet0/2
 ipv6 nd raguard
 access-group mode prefer port
• RA-guard (12.2(50)SY, 15.0(2)SE): per-port device roles, so RAs are forwarded only from the router-facing port
ipv6 nd raguard policy HOST
 device-role host
ipv6 nd raguard policy ROUTER
 device-role router
vlan configuration 100
 ipv6 nd raguard attach-policy HOST
interface FastEthernet0/0
 ipv6 nd raguard attach-policy ROUTER
Figure: RAs arriving on ports with the HOST device-role are dropped; RAs from the port with the ROUTER device-role are forwarded to the hosts.
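The RA Guard decision above, as an added example (not Cisco code and not part of the original deck): it constructs a legitimate and a rogue RA, parses the IPv6/ICMPv6 headers and Prefix Information options, and applies a port policy modelled on device-role host / device-role router. The optional allowed-prefix list is an assumption standing in for an RA Guard prefix match; addresses are from the documentation range.

```python
"""RA Guard decision on constructed ICMPv6 Router Advertisements.
Added example, not Cisco code: a minimal IPv6/ICMPv6 RA parser plus a port
policy modelled on 'device-role host' / 'device-role router'. The allowed-prefix
list is an assumption (it stands in for an RA Guard prefix-list match)."""
import ipaddress
import struct

ICMPV6, RA_TYPE, OPT_PREFIX_INFO = 58, 134, 3
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def build_ra(src, prefixes):
    """Construct an IPv6 + ICMPv6 RA (no Ethernet header, checksum left at 0)."""
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Prefix Information option: type, len=4 (8-octet units), prefix length,
        # flags L|A, valid lifetime, preferred lifetime, reserved, prefix
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    # RA body: type, code, checksum, cur hop limit, M|O flags, router lifetime,
    # reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opts
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + icmp


def parse_ra(frame):
    """Return (source, [advertised prefixes]) for an RA, None for anything else."""
    if len(frame) < 40 or frame[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", frame[4:7])
    if next_hdr != ICMPV6:      # RA behind extension headers is out of scope here (see RFC 6980)
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    icmp = frame[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        return None
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:           # RFC 4861: a zero-length option means discard the packet
            return None
        if otype == OPT_PREFIX_INFO and olen == 4 and pos + 32 <= len(icmp):
            addr = int.from_bytes(icmp[pos + 16:pos + 32], "big")
            prefixes.append(ipaddress.IPv6Network((addr, icmp[pos + 2]), strict=False))
        pos += olen * 8
    return src, prefixes


def ra_guard(port_role, frame, allowed_prefixes=()):
    """'host' ports never forward RAs; 'router' ports forward RAs that pass sanity checks."""
    parsed = parse_ra(frame)
    if parsed is None:
        return "FORWARD"        # not an RA: RA Guard does not act on it
    src, prefixes = parsed
    if port_role == "host":
        return "DROP: RA received on host-facing port"
    if not src.is_link_local:
        return "DROP: RA source is not link-local (RFC 4861)"
    allowed = [ipaddress.IPv6Network(a) for a in allowed_prefixes]
    for p in prefixes:
        if allowed and not any(p.subnet_of(a) for a in allowed):
            return f"DROP: advertised prefix {p} not in allowed list"
    return "FORWARD"


# Constructed frames: router B's real RA, and attacker C's RA spoofing B's link-local source.
LEGIT_RA = build_ra("fe80::1", ["2001:db8::/64"])
ROGUE_RA = build_ra("fe80::1", ["2001:db8:bad::/64"])
ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
NOT_AN_RA = (struct.pack("!IHBB", 0x60000000, len(ECHO), ICMPV6, 64)
             + ipaddress.IPv6Address("fe80::2").packed + ALL_NODES.packed + ECHO)

if __name__ == "__main__":
    for role, frame in (("host", ROGUE_RA), ("router", LEGIT_RA), ("router", ROGUE_RA)):
        print(role, ra_guard(role, frame, ["2001:db8::/48"]))
```

Without a prefix list the router-role port only checks that the RA came from a link-local source, which is exactly why the device-role model matters: the spoofed RA is indistinguishable from the real one on the wire, and only the port it arrived on tells them apart.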
DAD denial of service
• Attacker answers every victim's DAD attempt, claiming the tentative address is already in use
• Victim never completes DAD and needs manual intervention to configure an IP address
Figure: A sends NS (Src = UNSPEC, Dst = solicited-node multicast of A, Target = A: "Does anybody use A?"); attacker C replies NA (Src = any of C's interface addresses, Dst = A, Target = A, Option = link-layer address of C) for every address A tries.
DHCPv6 Guard
• Prevents rogue DHCP responses from misleading the client
Figure: before DHCP Guard, a host sends a DHCP request through the first-hop switch and both the real DHCP server and a rogue host ("I am a DHCP server") answer it; after DHCP Guard, the switch drops the rogue "I am a DHCP server" message and only the real server's answer reaches the host.
IPv6 Snooping and the Binding Table
• Deep control packet inspection • Address glean (ND, DHCP, data) • Address watch • Binding Guard
Instrumental link-operation security feature that analyzes control and data traffic on the switch, detects IP addresses, and stores/updates them in the binding table to ensure rogue users cannot spoof or steal addresses.
IPv6 Binding Table (example):
Intf      IPv6    MAC   VLAN  State
g1/0/10   ::001A  001A  110   Active
g1/0/11   ::001C  001C  110   Stale
g1/0/16   ::001E  001E  200   Verifying
The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.
IPv6 Source Guard
• Allows traffic only from sources that are present in the binding table
Figure: before Source Guard, Host A on g1/0/21 (bound as ::0021) can send NAs claiming to be another host (~Host A) and they are forwarded; after Source Guard, the switch checks every source against the binding table (g1/0/10 ::001A 001A 110 Active; g1/0/11 ::001C 001C 110 Stale; g1/0/16 ::001E 001E 200 Verifying; g1/0/21 ::0021 0021 200 Active) and drops the spoofed NAs.
IPv6 Destination Guard
• Mitigates prefix-scanning attacks and protects the ND cache
• Drops packets for destinations without a binding entry
Figure: pings to 2001:db8::1, ::2, ::3 and ::4 arrive; the switch looks each destination up in the binding table (g1/0/10 ::0001 001A 110 Active; g1/0/11 ::001C 001C 110 Stale; g1/0/16 ::001E 001E 200 Verifying): found, forward the packet (resolving with NS 2001:db8::1 if needed); not found, drop it, so no ND cache entry is ever created for the scanned address.
RA Throttler
• Scaling the mobility access environment
• The NDP process is multicast "chatty" and consumes airtime
• Rate-limit RAs from the legitimate router
• Inspect the RS, convert the responding RA to L2 unicast
Figure: periodic multicast RAs are throttled; a Router Solicitation (RS) from a host triggers an RA that is delivered as unicast to that host.
ND Multicast Suppress
• Scaling the mobility access environment
• The NDP process is multicast "chatty" and consumes airtime
• Caching allows the controller to "proxy" the NA, based on gleaning
• Intercepting the NS and unicasting it over L2 to the target
Figure: the controller's cache maps 00:24:56:75:44:33 to 2001:db8:0:20::2 and 00:24:56:11:93:28 to 2001:db8:0:20::4; an NS for ::2 or ::4 is looked up there and either answered with a unicast NA or forwarded as L2 unicast to the target instead of being flooded.
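The binding-table features from the last few slides (Binding Guard, Source Guard, Destination Guard and the ND cache used by multicast suppression), as one added example that is not Cisco code and not part of the original deck. Bindings are gleaned from constructed events rather than parsed frames; the Active/Stale states follow the slide's table, and the aging timer is an assumption.

```python
"""First Hop Security binding table with Source Guard, Destination Guard and
ND multicast suppression. Added example, not Cisco code. Bindings come from
constructed NA / DHCPv6 / data events; the 300 s stale timer is an assumption."""
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")


class BindingTable:
    def __init__(self, stale_after=300):
        self.stale_after = stale_after
        self.entries = {}  # (vlan, IPv6Address) -> {"intf", "mac", "seen"}

    def glean(self, vlan, ip, mac, intf, now):
        """Learn or refresh a binding. Binding Guard refuses to move an address
        that is still actively bound to another port/MAC (address theft)."""
        key = (vlan, ipaddress.IPv6Address(ip))
        cur = self.entries.get(key)
        if cur and (cur["mac"], cur["intf"]) != (mac, intf) and now - cur["seen"] < self.stale_after:
            return False
        self.entries[key] = {"intf": intf, "mac": mac, "seen": now}
        return True

    def state(self, vlan, ip, now):
        e = self.entries.get((vlan, ipaddress.IPv6Address(ip)))
        if e is None:
            return None
        return "Active" if now - e["seen"] < self.stale_after else "Stale"

    def source_guard(self, vlan, src, mac, intf, now):
        """Forward only if the source is bound to this port and MAC.
        DAD probes use the unspecified source and must always pass."""
        a = ipaddress.IPv6Address(src)
        if a == UNSPECIFIED:
            return True
        e = self.entries.get((vlan, a))
        if e is None or (e["intf"], e["mac"]) != (intf, mac):
            return False
        e["seen"] = now  # data traffic refreshes the binding (address watch)
        return True

    def destination_guard(self, vlan, dst):
        """Drop unicast packets to addresses with no binding, so a /64 scan
        cannot fill the ND cache with INCOMPLETE entries."""
        a = ipaddress.IPv6Address(dst)
        return a.is_multicast or (vlan, a) in self.entries

    def proxy_ns(self, vlan, target):
        """ND multicast suppression: answer an NS from the table with a unicast
        NA instead of flooding the solicited-node multicast group."""
        e = self.entries.get((vlan, ipaddress.IPv6Address(target)))
        if e is None:
            return None  # unknown target: forward as L2 unicast to it, or flood as a last resort
        return {"type": "NA", "target": str(ipaddress.IPv6Address(target)),
                "lladdr": e["mac"], "unicast": True}

    def rows(self, now):
        """The table as 'show ipv6 neighbors binding' would list it."""
        return sorted((e["intf"], str(ip), e["mac"], vlan, self.state(vlan, ip, now))
                      for (vlan, ip), e in self.entries.items())


def sample_table():
    """Constructed bindings mirroring the slide's table (addresses abbreviated)."""
    bt = BindingTable()
    bt.glean(110, "2001:db8::1a", "001A", "g1/0/10", now=0)
    bt.glean(110, "2001:db8::1c", "001C", "g1/0/11", now=0)
    bt.glean(200, "2001:db8::1e", "001E", "g1/0/16", now=0)
    return bt


if __name__ == "__main__":
    bt = sample_table()
    print(bt.glean(110, "2001:db8::1a", "DEAD", "g1/0/21", now=10))         # False: theft blocked
    print(bt.source_guard(110, "2001:db8::1a", "DEAD", "g1/0/21", now=10))  # False: spoof dropped
    print(bt.destination_guard(110, "2001:db8::4"))                         # False: scan dropped
    print(bt.proxy_ns(110, "2001:db8::1c"))
    for row in bt.rows(now=400):
        print(row)
```

The unspecified-source exception in source_guard is the edge case that breaks deployments when forgotten: DAD probes carry Src = :: and must pass, otherwise no host on the port can ever complete address configuration.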
IPv6 Securing the Perimeter
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
ICMPv6 Filtering
• PERMIT transit IN: Packet Too Big, Destination Unreachable, Time Exceeded, Parameter Problem, Echo Reply
• PERMIT transit OUT: Packet Too Big, Parameter Problem, Echo Request (maybe Destination Unreachable)
• PERMIT to a firewall interface (local configuration traffic): Packet Too Big, Destination Unreachable, Time Exceeded, Parameter Problem, Echo Request/Reply, (RA/RS), NA/NS
• BLOCK all others
• ...or follow RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls
IPv6 ACL matching
• Can match on upper layers: TCP, UDP and SCTP port numbers; ICMPv6 type and code; TCP flags (SYN, ACK, FIN, PSH, URG, RST); traffic class (only the six DSCP bits of the eight); flow label (0-0xFFFFF)
• IPv6 extension headers: routing matches any RH, routing-type matches a specific RH type; mobility matches any MH, mobility-type matches a specific MH type; dest-option matches any Destination Options header; auth matches AH; hbh matches Hop-by-Hop (since 15.2(3)T)
• The fragments keyword matches non-initial fragments (same as IPv4)
• The undetermined-transport keyword matches packets whose transport header cannot be examined: TCP/UDP/SCTP whose ports are in a later fragment, ICMPv6 whose type and code are in a later fragment, and everything else (including OSPFv3, ...). Only for deny ACEs.
Fragmentation
• RFC 1858 Firewall Processing of Fragments
• RFC 5722 Host Handling of Overlapping Fragments
• Atomic fragments (offset = 0, M = 0), tiny fragments (< 1280 bytes), predictable IDs, etc.
• Fragment extension header, Next Header = 44: Next Header | Reserved | Fragment Offset | Res | M | Identification
• Aug 2013: RFC 6980 (Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery) forbids fragmenting ND messages
Figure, hidden ULP: fragment 1 (Offset = 0, M = 1) carries a Destination Options header (NH = 60) of more than 1400 bytes, so the upper-layer header lands in fragment 2 (NH = 58, Offset > 0, M = 0) where a stateless filter never sees the ICMPv6 RA.
Figure, overlapping fragments: fragment 1 (NH = 58, Offset = 0, M = 1) carries an innocuous ICMPv6 header; fragment 2 (NH = 58, Offset = 1, M = 0) overlaps it and rewrites the reassembled payload into an ICMPv6 RA.
Extension Headers
• Potential DoS with poor IPv6 stack implementations
• PadN in Destination Options as a covert channel: RFC 2460 states the padding must be zero-filled (0x00), max of 5 bytes
• IPv6 inspection: only known EHs, strict order, granular filtering
• What constitutes an acceptable EH maximum?
Figure: a packet the sniffer reports as perfectly valid, yet it has a Routing Header out of order (the Destination Options header should be last), a header that should only appear once appearing twice, and a Destination Options header, which should occur at most twice.
Routing Header
• An extension header (Next Header = 43)
• Processed by the listed intermediate routers
• Two types: Type 0, similar to IPv4 source routing, blocked by default beginning 12.4(15)T; Type 2, used for Mobile IPv6
Header layout: IPv6 basic header (Next Header = 43) followed by the Routing Header: Next Header | Ext Hdr Length | Routing Type | Segments Left | Routing Header Data
IPv6 Extension Header Filtering
• Allow only the Fragment extension header
• Allow other headers only on special need, e.g. ESP/AH for IPsec; Destination Options, Routing Header type 2 and Mobility Header for Mobile IPv6
• Allow all other non-TCP/UDP protocols you might need, e.g. GRE
• Block more than one Fragment header if possible: multiple cascaded Fragment headers don't make sense, there should be only one Fragment header per packet (don't confuse this with multiple fragments)
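The extension-header policy above and the ICMPv6 transit lists from the ICMPv6 Filtering slide, as one added example that is not Cisco ACL code and not part of the original deck. It walks the Next Header chain of constructed packets (documentation addresses, checksums left at zero), enforces RFC 2460 header order, RH0 / second-Fragment-header / non-zero PadN rejection, the undetermined-transport and fragmented-ND (RFC 6980) cases, and then applies the transit IN/OUT type lists. The allow_* switches are assumptions representing the "special need" exceptions.

```python
"""Extension-header chain checks plus the ICMPv6 transit filter from the slides.
Added example, not Cisco ACL code. Policy: permit the Fragment header; AH/ESP only
with allow_ipsec; Destination Options, RH type 2 and Mobility only with allow_mobility;
never RH0; a single Fragment header; RFC 2460 order; zero-filled PadN; deny
undetermined-transport; deny fragmented Neighbor Discovery (RFC 6980). Packets are
constructed, with checksums left at zero."""
import struct

HOPOPT, DSTOPT, ROUTING, FRAG, AH, ESP = 0, 60, 43, 44, 51, 50
MOBILITY, ICMPV6, TCP, UDP, SCTP = 135, 58, 6, 17, 132
EXT = {HOPOPT, DSTOPT, ROUTING, FRAG, AH, MOBILITY}       # ESP is opaque and ends the walk
ORDER = [HOPOPT, DSTOPT, ROUTING, FRAG, AH, DSTOPT]       # RFC 2460 s4.1; DSTOPT may occur twice
TRANSIT_IN, TRANSIT_OUT = {1, 2, 3, 4, 129}, {2, 4, 128}  # RFC 4443 types from the slide
ND_TYPES = range(133, 138)                                # RS, RA, NS, NA, Redirect

def walk_chain(pkt):
    """Follow Next Header from the fixed header: ([(type, offset, len)], ulp, ulp_offset)."""
    nh, pos, chain = pkt[6], 40, []
    while nh in EXT and pos + 8 <= len(pkt):
        # AH length is in 32-bit words minus 2; other EHs in 8-octet units not counting the first 8
        hlen = 8 if nh == FRAG else (pkt[pos + 1] + 2) * 4 if nh == AH else (pkt[pos + 1] + 1) * 8
        chain.append((nh, pos, hlen))
        nh, pos = pkt[pos], pos + hlen
    return chain, nh, pos

def padn_clean(pkt, off, hlen):
    """True if every PadN option in a HBH/DO header is zero-filled (else: covert channel)."""
    p, end = off + 2, min(off + hlen, len(pkt))
    while p + 1 < end:
        if pkt[p] == 0:                                   # Pad1
            p += 1
            continue
        olen = pkt[p + 1]
        if pkt[p] == 1 and any(pkt[p + 2:p + 2 + olen]):
            return False
        p += 2 + olen
    return True

def eh_policy(pkt, allow_ipsec=False, allow_mobility=False, allow_protos=()):
    chain, ulp, pos = walk_chain(pkt)
    allowed = {FRAG} | ({AH} if allow_ipsec else set()) | ({DSTOPT, ROUTING, MOBILITY} if allow_mobility else set())
    slot = 0
    for nh, off, hlen in chain:
        if nh not in allowed:
            return f"DROP: extension header {nh} not permitted"
        try:
            slot = ORDER.index(nh, slot) + 1              # each header must follow the previous slot
        except ValueError:                                # also fires on a second Fragment header
            return f"DROP: header {nh} repeated or out of order"
        if nh == ROUTING and pkt[off + 2] != 2:           # RH0 = source routing; only RH2 allowed
            return f"DROP: routing header type {pkt[off + 2]}"
        if nh in (HOPOPT, DSTOPT) and not padn_clean(pkt, off, hlen):
            return "DROP: non-zero PadN data"
    frags = [off for t, off, _ in chain if t == FRAG]
    if frags and struct.unpack("!H", pkt[frags[0] + 2:frags[0] + 4])[0] >> 3:
        return "PERMIT: non-initial fragment"             # the ACL 'fragments' keyword
    if ulp == ESP:
        return "PERMIT" if allow_ipsec else "DROP: ESP not permitted"
    if ulp in (TCP, UDP, SCTP, ICMPV6):
        if pos + 4 > len(pkt):                            # ports / type+code sit in a later fragment
            return "DROP: undetermined-transport (ULP header not in first fragment)"
        if frags and ulp == ICMPV6 and pkt[pos] in ND_TYPES:
            return "DROP: fragmented Neighbor Discovery (RFC 6980)"
        return "PERMIT"
    if ulp in allow_protos:                               # e.g. GRE (47) when explicitly needed
        return "PERMIT"
    return f"DROP: undetermined-transport (protocol {ulp} has no ports/type to match)"

def icmpv6_policy(pkt, direction):
    """Transit ICMPv6 filter from the slide (narrower than the RFC 4890 list)."""
    _, ulp, pos = walk_chain(pkt)
    if ulp != ICMPV6 or pos >= len(pkt):
        return "N/A"
    ok = pkt[pos] in (TRANSIT_IN if direction == "in" else TRANSIT_OUT)
    return "PERMIT" if ok else f"DROP: ICMPv6 type {pkt[pos]} not allowed {direction}"

# Constructed packets: 2001:db8::1 -> 2001:db8::2, no Ethernet header.
SRC, DST = bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2")

def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload

def frag(nh, offset, more, ident=0x1234):
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)

def rhdr(nh, rtype, data=b"\0" * 16):
    return struct.pack("!BBBBI", nh, len(data) // 8, rtype, 1, 0) + data

def dstopt(nh, opts=b"\x01\x04\0\0\0\0"):                 # 2 header bytes + options = multiple of 8
    return bytes([nh, (len(opts) + 2) // 8 - 1]) + opts

ECHO_REQ = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLES = {
    "rh0": ipv6(ROUTING, rhdr(ICMPV6, 0) + ECHO_REQ),
    "rh2": ipv6(ROUTING, rhdr(ICMPV6, 2) + ECHO_REQ),
    "two_frag": ipv6(FRAG, frag(FRAG, 0, 1) + frag(TCP, 0, 1) + TCP_SYN),
    "hidden_ulp": ipv6(FRAG, frag(DSTOPT, 0, 1) + bytes([ICMPV6, 200]) + b"\0" * 6),  # DO claims 1608 bytes
    "covert": ipv6(DSTOPT, dstopt(ICMPV6, b"\x01\x04beef") + ECHO_REQ),
    "frag_ra": ipv6(FRAG, frag(ICMPV6, 0, 1) + RA),
}
```

The hidden-ULP sample is the slide's first fragment: the Destination Options header announces 1608 bytes, so the ICMPv6 header it promises is not in this fragment and the packet matches undetermined-transport, which is the whole reason that keyword exists for deny ACEs.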
Anti-spoofing
• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing (RFC 2827, BCP 38), multihomed filtering (RFC 3704, BCP 84)
• uRPF - Unicast Reverse Path Forwarding
Figure: an inter-networking device with uRPF enabled sits between the IPv6 intranet and the IPv6 intranet/Internet; no route back to the source address => drop.
Other IPv6 Filtering Considerations
• Allow rules should always have source address 2000::/3 instead of 'any'* - the implicit DENY will deny anything else
• If you want more granularity, you can filter on the assigned numbers (IPv6 legitimate prefixes)
• Block documentation prefixes (2001:db8::/32)
• If you do that, keep in mind to update the rule set when IANA makes new assignments (5 years since the last change)
• What about multicast and special addresses?
IANA allocations:
Prefix      Allocation
2001::/16   IPv6 unicast
2002::/16   6to4
2003::/18   RIPE NCC
2400::/12   APNIC
2600::/12   ARIN (US DoD)
2610::/23   ARIN
2620::/23   ARIN
2800::/12   LACNIC
2A00::/12   RIPE NCC
2C00::/12   AfriNIC
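Strict and loose uRPF plus the 2000::/3, bogon and documentation-prefix checks from the last two slides, as an added example that is not Cisco code and not part of the original deck. The FIB is constructed and deliberately uses the documentation prefix, which is why the combined check rejects those sources and urpf() is exercised directly for them; the bogon list is an abbreviated, constructed stand-in for the Team Cymru file, and the RIR blocks are the ones on the slide.

```python
"""Strict/loose uRPF and source-prefix sanity checks for IPv6 ingress filtering.
Added example, not Cisco code. FIB and bogon list are constructed (the bogon list
abbreviates http://www.cymru.com/Bogons/ipv6.txt); RIR blocks are from the slide."""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")
ALLOCATED = [ipaddress.IPv6Network(p) for p in (
    "2001::/16", "2002::/16", "2003::/18", "2400::/12", "2600::/12",
    "2610::/23", "2620::/23", "2800::/12", "2a00::/12", "2c00::/12")]
BOGONS = [ipaddress.IPv6Network(p) for p in (          # abbreviated, constructed for the example
    "::/8", "100::/64", "2001:db8::/32", "3ffe::/16", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8")]


class Fib:
    """Longest-prefix-match table: prefix -> outgoing interface ('Null0' = black hole)."""
    def __init__(self, routes):
        self.routes = sorted(((ipaddress.IPv6Network(p), nh) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.IPv6Address(addr)
        return next(((net, nh) for net, nh in self.routes if a in net), None)


def urpf(fib, in_iface, src, mode="strict"):
    """Strict: the best route back to src must point at the ingress interface.
    Loose: any non-null route is enough (asymmetric / multihomed edges, RFC 3704)."""
    hit = fib.lookup(src)
    if hit is None:
        return "DROP: no route to source"
    net, out_iface = hit
    if out_iface == "Null0":
        return f"DROP: source {net} is null-routed"
    if mode == "strict" and out_iface != in_iface:
        return f"DROP: strict uRPF (best route to {net} is via {out_iface}, not {in_iface})"
    return "PASS"


def source_filter(src, require_allocated=False):
    """The slide's ACL advice: sources must be in 2000::/3, never a bogon or the
    documentation prefix; optionally only inside a known IANA/RIR allocation."""
    a = ipaddress.IPv6Address(src)
    if a not in GLOBAL_UNICAST:
        return "DROP: source outside 2000::/3"
    if a in DOCUMENTATION:
        return "DROP: documentation prefix 2001:db8::/32"
    for b in BOGONS:
        if a in b:
            return f"DROP: bogon {b}"
    if require_allocated and not any(a in n for n in ALLOCATED):
        return "DROP: not inside a known IANA/RIR allocation (update the list when IANA assigns more)"
    return "PASS"


def ingress_check(fib, in_iface, src, mode="strict", require_allocated=False):
    """Cheap prefix checks first, then the FIB lookup."""
    verdict = source_filter(src, require_allocated)
    return verdict if verdict != "PASS" else urpf(fib, in_iface, src, mode)


# Constructed FIB: two customer /48s, one black-holed /48, default route toward the upstream.
EDGE_FIB = Fib([("2001:db8:1::/48", "Gi0/1"), ("2001:db8:2::/48", "Gi0/2"),
                ("2001:db8:dead::/48", "Null0"), ("::/0", "Gi0/0")])

if __name__ == "__main__":
    print(urpf(EDGE_FIB, "Gi0/2", "2001:db8:1::5"))            # spoofed customer address
    print(urpf(EDGE_FIB, "Gi0/0", "2001:db8:dead::1", "loose"))
    print(ingress_check(EDGE_FIB, "Gi0/0", "2a00:1450::1"))
```

Note how the default route makes loose mode pass anything in 2000::/3 that is not explicitly null-routed, which is why loose uRPF on an upstream interface is only a bogon filter unless it is paired with the prefix checks.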
Tunneling
• Teredo navalis: a shipworm drilling holes in boat hulls
• Teredo Microsoftis: IPv6 in IPv4, punching holes in NAT devices
Figure: hosts on the IPv4 intranet tunnel IPv6 (IP protocol 41, or Teredo over UDP) across the IPv4 Internet to the IPv6 Internet.
Blocking it at the IPv4 edge:
! 6to4, ISATAP
access-list deny 41 any any
! Teredo
access-list deny udp any any eq 3544
access-list deny udp any eq 3544 any
Routing Protocol Authentication
• OSPFv3, RIPng, PIM: IPsec AH/ESP with no crypto maps and no ISAKMP, transport mode with static keys
• EIGRP, BGP, IS-IS: use their own MD5 authentication mechanism
interface Ethernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
!
key chain MYCHAIN
 key 1
  key-string 1234567890ABCDEF1234567890ABCDEF
  accept-lifetime local 12:00:00 Dec 31 2011 12:00:00 Jan 1 2012
  send-lifetime local 00:00:00 Jan 1 2012 23:59:59 Dec 31 2013
!
interface Ethernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 MYCHAIN
• Caveat on the key chain as written: the accept-lifetime ends on Jan 1 2012 at 12:00 while the send-lifetime runs to the end of 2013, so after that point a peer using the same chain still sends key 1 but no longer accepts it. The accept window must cover the send window plus clock skew.
IPv6 Deployment Strategies
Build your IPv6 Transition Team
• Planning and coordination is required from many across the organization, including network engineers & operators, security engineers, application developers, desktop/server engineers, web hosting/content developers, business development managers, ...
• Moreover, training will be required for all involved in supporting the various IPv6-based network services
Prefix lengths
WAN point-to-point   /127
Core                 /64 or /127
Servers              /64
Hosts                /64
Loopback             /128
• /64 everywhere a host lives
• /127 point-to-point links carved out of a single /64 (1 & 2 not in the same subnet)
• /128 loopbacks carved out of a single /64
• /64, /64, /64
Addressing plan
• Methods: follow IPv4 (/24 only), organizational, location, function based
• Hierarchy is key (a /48 example), the bit twiddler's dream (16-bit subnet strategy): 8 bits = 256 regions (states, counties, agencies, etc.); 4 more bits = 16 sub-levels within those regions; 4 more bits = 16 traffic types (admin, guest, telephony, video, etc.)
• Cisco IPv6 Addressing White Paper: http://www.cisco.com/go/IPv6
• Monotonic allocation (1000, 2000, 3000, etc.) vs. sparse allocation (0000, 4000, 8000, c000)
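The 16-bit subnet plan and the /127 and /128 carve-outs from the last two slides, as an added example that is not from the Cisco addressing white paper and not part of the original deck: it builds /64s from a /48 as region | sub-level | traffic type, decodes them back, takes point-to-point /127s and loopback /128s out of reserved /64s, and contrasts monotonic with sparse subnet-ID allocation. The region, sub-level and traffic-type values are constructed.

```python
"""Carving /64 subnets out of a /48 with the slide's 16-bit plan (8 bits region,
4 bits sub-level, 4 bits traffic type), /127 links and /128 loopbacks from one
reserved /64 each, and sparse vs. monotonic subnet-ID allocation.
Added example, not from the Cisco white paper; field values are constructed."""
import ipaddress
import math

TRAFFIC_TYPES = {"infra": 0x0, "admin": 0x1, "guest": 0x2, "telephony": 0x3, "video": 0x4}


def subnet64(site48, region, sublevel, ttype):
    """Subnet ID (bits 48-63) = region(8) | sublevel(4) | traffic type(4)."""
    base = ipaddress.IPv6Network(site48)
    if base.prefixlen != 48:
        raise ValueError("plan expects a /48 site prefix")
    if not (0 <= region < 256 and 0 <= sublevel < 16 and 0 <= ttype < 16):
        raise ValueError("field out of range")
    sid = (region << 8) | (sublevel << 4) | ttype
    return ipaddress.IPv6Network((int(base.network_address) | (sid << 64), 64))


def decode64(net):
    """Inverse of subnet64: read (region, sub-level, traffic type) back from a /64."""
    sid = (int(ipaddress.IPv6Network(net).network_address) >> 64) & 0xFFFF
    return sid >> 8, (sid >> 4) & 0xF, sid & 0xF


def point_to_point_links(infra64, count):
    """/127 links out of one reserved /64; each link has exactly two addresses."""
    links = ipaddress.IPv6Network(infra64).subnets(new_prefix=127)
    return [(str(l), [str(l[0]), str(l[1])]) for l, _ in zip(links, range(count))]


def loopbacks(loop64, count):
    """/128 loopbacks out of one reserved /64, numbered from ::1."""
    base = int(ipaddress.IPv6Network(loop64).network_address)
    return [str(ipaddress.IPv6Network((base + i, 128))) for i in range(1, count + 1)]


def allocate_ids(count, bits=16, sparse=False):
    """Monotonic: 0x1000, 0x2000, ... (at most 15 in a 16-bit field).
    Sparse: spread evenly across the field (0x0000, 0x4000, 0x8000, 0xC000 for four)
    so that every block can grow in place without renumbering."""
    if sparse:
        step = 1 << (bits - math.ceil(math.log2(count)))
        return [i * step for i in range(count)]
    if count > 15:
        raise ValueError("monotonic /16 steps run out after 15 allocations")
    return [(i + 1) << (bits - 4) for i in range(count)]


if __name__ == "__main__":
    # Constructed: region 10, sub-level 3, guest traffic inside the documentation /48.
    net = subnet64("2001:db8:1::/48", 10, 3, TRAFFIC_TYPES["guest"])
    print(net, decode64(net))
    print(point_to_point_links("2001:db8:1:ff00::/64", 2))
    print(loopbacks("2001:db8:1:ff01::/64", 2))
    print([hex(i) for i in allocate_ids(4, sparse=True)])
```

With the plan fixed at 8/4/4 bits, an ACL or a netflow filter can match on "all guest subnets in region 10" as 2001:db8:1:a30::/60 (region and sub-level bits fixed, type bits free), which is the operational payoff of putting the hierarchy in the subnet ID.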
Recommended Enterprise Co-existence Strategy
• Dual stack (IPv4 and IPv6 side by side) is the recommended approach
• Tunneling services: IPv4 over IPv6, IPv6 over IPv4
• Translation services: IPv4 <-> IPv6
Dual Stack and DNS
Example: the DNS server holds www IN A 192.168.0.3 and www IN AAAA 2001:db8:1::1, so a dual-stack host can reach the service over IPv4 or IPv6.
• Host security on a dual-stack device is fate sharing: you are only as secure as the least secure stack
• In the dual-stack case an application can query DNS for IPv4 and/or IPv6 records and make parallel (RFC 6555, Happy Eyeballs) rather than serial connection requests
• RFC 6724 - Default Address Selection for IPv6: scope, smallest scope, preferred, transitional, longest prefix
Figure: a dual-stack host runs one application layer over two stacks (TCP/UDP over IPv6 and TCP/UDP over IPv4) sharing one network interface card.
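Destination ordering on a dual-stack host, as an added example that is not from any real stack and not part of the original deck. It applies the RFC 6724 default policy table and a simplified subset of its rules (1 unusable, 2 matching scope, 5 matching label, 6 precedence, 8 smaller scope, 9 longest matching prefix) with a simplified source-selection step; the resulting list is what an RFC 6555 client would then try head-first in parallel. Sample addresses are constructed from documentation and private ranges.

```python
"""Destination address ordering on a dual-stack host: a simplified RFC 6724.
Added example, not from a real stack. Default policy table plus rules 1, 2, 5, 6,
8 and 9 of section 6; source selection is a simplified section 5."""
import ipaddress

POLICY = [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12))]


def as_v6(addr):
    """IPv4 addresses take part as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ip if ip.version == 6 else ipaddress.IPv6Address(f"::ffff:{ip}")


def policy(a):
    """(precedence, label) from the longest matching policy-table prefix."""
    net, prec, label = max((e for e in POLICY if a in e[0]), key=lambda e: e[0].prefixlen)
    return prec, label


def scope(a):
    v4 = a.ipv4_mapped
    if v4 is not None:
        return 2 if (v4.is_link_local or v4.is_loopback) else 14
    if a.is_multicast:
        return a.packed[1] & 0x0F
    if a.is_loopback or a.is_link_local:
        return 2
    return 5 if a.is_site_local else 14    # ULA (fc00::/7) is global scope in RFC 6724


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst, sources):
    """Simplified section 5: same address family, then prefer matching scope,
    matching label, longest common prefix."""
    cands = [s for s in sources if (s.ipv4_mapped is None) == (dst.ipv4_mapped is None)]
    if not cands:
        return None
    return max(cands, key=lambda s: (scope(s) == scope(dst),
                                     policy(s)[1] == policy(dst)[1], common_prefix_len(s, dst)))


def order_destinations(dests, sources):
    """Return dests (as given) in the order the host should try them."""
    srcs = [as_v6(s) for s in sources]

    def key(d):
        a = as_v6(d)
        s = select_source(a, srcs)
        prec, label = policy(a)
        if s is None:                               # rule 1: no usable source -> last
            return (1, 0, 0, 0, 0, 0)
        return (0, scope(s) != scope(a), policy(s)[1] != label, -prec, scope(a), -common_prefix_len(s, a))
    return sorted(dests, key=key)


# Constructed candidates: native IPv6, Teredo, 6to4, IPv4 and ULA for the same service.
DESTINATIONS = ["fd00::1", "2001:0:abcd::1", "2002:c000:204::1", "192.168.0.3", "2001:db8:1::1"]
SOURCES = ["2001:db8:1::abcd", "192.168.0.9", "fe80::1"]

if __name__ == "__main__":
    print(order_destinations(DESTINATIONS, SOURCES))
    print(order_destinations(DESTINATIONS, ["2001:db8:1::abcd"]))   # no IPv4 address: v4 goes last
```

The second call shows the transition-technology ranking the slide alludes to: without a native IPv4 source the IPv4 destination becomes unusable, and among the IPv6 candidates the policy table puts native (precedence 40) ahead of 6to4 (30), Teredo (5) and ULA (3), so a misconfigured Teredo tunnel is tried only after the real addresses.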
Tunneling mechanisms
• 6rd (RFC 5569)
• 6to4 (RFC 3056)
• ISATAP (RFC 5214)
• Teredo (RFC 4380)
• AYIYA
• GRE (RFC 2784; generic IPv6 packet tunneling is RFC 2473)
• Manual tunnel (RFC 2893)
• DMVPN
• MPLS 6VPE
• LISP
Figure: three ways to present IPv4 content to the IPv6 Internet: a server load balancer (IPv6 front end, IPv4 back end), stateful NAT64 between the IPv6 Internet and the IPv4 servers, and a proxy; annotations: "MTU & frag issue", "most widely deployable", "SW = poor performance (proxy)".
NAT64
• Stateless NAT64 (~ASA static), RFC 6145 (IP/ICMP Translation Algorithm): gives an IPv6-only host access to the IPv4 world and vice versa; consumes an IPv4 address for each IPv6-only device
• Stateful NAT64 (~ASA dynamic), RFC 6146 (Stateful NAT64; RFC 6144 is the Framework for IPv4/IPv6 Translation), the successor to the deprecated NAT-PT: can aggregate many IPv6 users into a single (or a few) IPv4 address(es); used mainly where IPv6-only clients need to access IPv4 servers; only supports IPv6-initiated flows; as with IPv4-to-IPv4 PAT, a translation table is required
• Connects IPv6 islands to the IPv4 world
• TCP/UDP/ICMP unicast traffic only
Figure: the IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address) is translated to and from the IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address).
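The address mapping and translation-table bookkeeping behind the two NAT64 flavours above, as an added example that is not ASA code and not part of the original deck. Header rewriting is left out; what is shown is the state each flavour keeps, why stateful NAT64 only admits IPv6-initiated flows, and what happens when the port pool runs dry. Assumptions: the RFC 6052 well-known prefix 64:ff9b::/96 carries the embedded IPv4 address, and the public IPv4 pool and hosts are constructed.

```python
"""Address mapping and state for stateless (RFC 6145 style) and stateful
(RFC 6146 style) NAT64. Added example, not ASA code; header rewriting omitted.
Assumption: the RFC 6052 well-known prefix 64:ff9b::/96 embeds IPv4 addresses."""
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")


def v4_to_v6(v4):
    """Embed an IPv4 address in the /96 translation prefix (RFC 6052)."""
    return str(ipaddress.IPv6Address(int(WKP.network_address) | int(ipaddress.IPv4Address(v4))))


def v6_to_v4(v6):
    a = ipaddress.IPv6Address(v6)
    if a not in WKP:
        raise ValueError(f"{a} is not inside the NAT64 prefix {WKP}")
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


class StatelessNat64:
    """1:1 mapping (~ASA static): each IPv6 host burns one IPv4 address,
    either side can initiate, no per-flow state."""
    def __init__(self, pairs):
        self.v6 = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v) for k, v in pairs.items()}
        self.v4 = {v: k for k, v in self.v6.items()}

    def outbound(self, src6, dst6):
        return str(self.v6[ipaddress.IPv6Address(src6)]), v6_to_v4(dst6)

    def inbound(self, src4, dst4):
        return v4_to_v6(src4), str(self.v4[ipaddress.IPv4Address(dst4)])


class StatefulNat64:
    """Many IPv6 clients behind one IPv4 address (~ASA dynamic, like IPv4 PAT):
    endpoint-independent mapping per (proto, src6, sport); IPv6-initiated only."""
    def __init__(self, public_v4, port_range=(1024, 65535)):
        self.public = str(ipaddress.IPv4Address(public_v4))
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.bib = {}          # (proto, src6, sport) -> mapped port: Binding Information Base
        self.rev = {}          # (proto, mapped port) -> (src6, sport)
        self.sessions = set()  # (proto, mapped port, dst4, dport)

    def outbound(self, proto, src6, sport, dst6, dport):
        src6, dst4 = str(ipaddress.IPv6Address(src6)), v6_to_v4(dst6)
        key = (proto, src6, sport)
        if key not in self.bib:
            if not self.free_ports:
                raise RuntimeError("NAT64 port pool exhausted")
            self.bib[key] = mport = self.free_ports.pop(0)
            self.rev[(proto, mport)] = (src6, sport)
        mport = self.bib[key]
        self.sessions.add((proto, mport, dst4, dport))
        return self.public, mport, dst4, dport

    def inbound(self, proto, src4, sport, dst4, dport):
        """Translate a reply back. Anything without a session (an IPv4-initiated
        connection) is dropped, which is why NAT64 cannot publish IPv6-only servers."""
        if dst4 != self.public or (proto, dport, src4, sport) not in self.sessions:
            return None
        src6, sport6 = self.rev[(proto, dport)]
        return v4_to_v6(src4), sport, src6, sport6


if __name__ == "__main__":
    nat = StatefulNat64("192.0.2.1")                      # constructed public pool
    print(nat.outbound("tcp", "2001:db8::a", 40000, v4_to_v6("198.51.100.1"), 80))
    print(nat.inbound("tcp", "198.51.100.1", 80, "192.0.2.1", 1024))
    print(nat.inbound("tcp", "203.0.113.9", 12345, "192.0.2.1", 1024))   # None: unsolicited
```

The session check in inbound() is the security property worth keeping in mind when NAT64 is sold as "just like PAT": an IPv4 scanner hitting the public address sees nothing, but equally no IPv6-only host behind it can be reached from IPv4 without a static (stateless) mapping.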
Management
• IP-MIB & IP-FORWARD-MIB for IPv4; CISCO-IETF-IP-MIB & CISCO-IETF-IP-FORWARDING-MIB
• Protocol Version Independent (PVI) MIBs manage the same OIDs for both versions (RFCs 4292, 4293)
• Syslog must be able to receive 1180 bytes; no ack, no retransmission facility
• NetFlow, deep packet inspection and IP SLA all work with IPv6
Phased deployment
• Core-to-Access: gain experience with v6
• Turn up your servers: enable the experience
• Access-to-Core: securing and monitoring
• Internet Edge: business continuity
Figure: servers, branch access, WAN, campus core, access layer, and the Internet edge with two ISPs.
Summary
Threats and mitigations
• Address spoofing (-> uRPF, ACLs) [IOS, ASA]
• Neighbor Discovery attacks (NS, NA, RS, RA, Redirect, ...) (-> First Hop Security: RA Guard, ND Inspection, SEND, ACL, IPv6 inspection) [Catalyst, ASA]
• Routing Header (RH0) source-routing-like attacks (-> no ipv6 source-route, needed before 12.4(15)T; blocked on ASA by default) [IOS, ASA]
• Extension header (e.g. fragmentation) games (-> ACLs, e.g. deny ipv6 any any undetermined-transport) [IOS, ASA, Catalyst]
• DHCP attacks (-> DHCP authentication, PACL) [IOS, ASA, Catalyst]
• Transition technology (6to4, Teredo, ISATAP, etc.) attacks (-> ACL, disabled on the device, enable native IPv6) [IOS, ASA, IPS]
• Smurf attack (-> uRPF) [IOS, ASA]
• Routing protocol attacks (-> authentication) [IOS, ASA]
• ... and more. To be continued... have fun defending them.
WWW.CISCO.COM/GO/IPv6
Cisco Live! - www.ciscolive365.com
IPv6 Assessment Service Determine how your network needs to change to support your IPv6 strategy
IPv6 Discovery Service Guidance in the early stages of considering a transition to IPv6
IPv6 Planning and Design Service Designs, transition strategy, and support to enable a smooth migration
IPv6 Implementation Service Validation testing and implementation consulting services
Network Optimization Service Absorb, manage, and scale IPv6 in your environment
A Phased-Plan Approach for Successful IPv6 Adoption
• Gain operational experience now
• Security enforcement is possible
• Control IPv6 traffic as you would IPv4
• Plan, Prepare, Preserve, Prosper
• "Poke" your providers
• IPv6 is here now, are you?
Slide notes (reference)
• Your host: IPv4 is protected, IPv6 is enabled by default. Your network: does not run IPv6. Your assumption: I'm safe. Reality: you are not safe, Linksys? Time to enable IPv6 in your network.
• "The Hacker's Choice" THC IPv6 Attack Toolkit V2.0
• Address format: GGGG:GGGG:GGGG:SSSS:HHHH:HHHH:HHHH:HHHH = Global /48, Subnet, Host /64
• Internet of Everything: increasing the number of non-PC devices connecting to the Internet
• Cisco's core expertise is IP
• End nodes compromised by default configuration flaw in IPv6
• DHCPv6 flags in RAs: ipv6 nd managed-config-flag, ipv6 nd other-config-flag
• Transition figure labels: Dual Stack, ISATAP, Internet tunnels, Translation (LISP, NAT64)
• Tech Tip*: the tail of an access-port ACL
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log