IPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY
IPv6 INFRASTRUCTURE SECURITY WORKSHOP
SESSION 10: BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY
Alastair JOHNSON, July 2013

INTRODUCTION
This module will cover network infrastructure security relating to:
- Rogue Router Advertisements and protection
- DHCPv6 vs. Router Advertisements
- Cryptographically Generated Addresses (CGA) and Secure Neighbor Discovery (SeND)
- VPN Leakage in Dual Stack Hosts
- Using Link Local Addressing only

AGENDA
1. Recap
2. Rogue Router Advertisements
3. DHCPv6 vs. Router Advertisements
4. CGA and SeND
5. VPN Leakage in Dual Stack Hosts
6. Use of Link Local Addressing only

RECAP
In Session 9 we covered topics that include:
- General network element infrastructure security practices and what they're used for
- What the different planes in a router are, how and why they must be protected
- Threats from IPv6 in a network
- Issues arising from IPv4 shortage and how those may impact operators
- Device security
- Transition technology issues

ROGUE ROUTER ADVERTISEMENTS: FINDING A DEFAULT ROUTER
- Every host needs to find a default router
- Unlike in IPv4, where default routers are either manually configured or configuration information is provided via DHCP, in IPv6 a host must discover its default router(s) using Router Advertisement information
Message exchange (diagram):
- "Any routers out there?" (Router Solicitation)
- "Hello host! I'm a router" (Solicited Router Advertisement)
- "Hello everyone! I'm a router" (Router Advertisement)

ROGUE ROUTER ADVERTISEMENTS: THE ROUTER ADVERTISEMENT
What the Router Advertisement tells a host:
- The link-local IP address of the router
  - So we know where to send traffic not on-link
- Stuff about the link (like default hop limit)
- How long I should assume you are a router (Router Lifetime)
  - We make sure we hear from you regularly, just in case you go away
- What addresses exist on this link? (Global addresses or ULA)
  - So we can assign our addresses automatically
  - And how long are they valid for
- And whether there are any DHCP servers!

ROUTER ADVERTISEMENT
    Src: fe80::2aa:00ff:fe99:9999
    Dst: ff02::1
    Hop Limit: 255
    Default Hop Limit: 64
    Managed: 1  Other: 1
    Router Lifetime: 1800s
    Source Link-Layer Address: 00-AA
    Prefix: 2001:db8::/64 (On-link, Autonomous)
    Valid: 30 days  Preferred: 7 days

ROGUE ROUTER ADVERTISEMENTS: STATELESS ADDRESS AUTOCONFIGURATION
- Once a host hears a Router Advertisement it can assign itself an address by adding the interface ID to the prefix advertised in the RA
- A host could also use DHCPv6 to be assigned an address
Message exchange (diagram):
- Router: "Hello everyone! I'm a router. You can use 2001:DB8::/64"
- Host: "I want to be 2001:DB8::1234:1234:AABB:BBAA. Does anyone else have that address?"

ROGUE ROUTER ADVERTISEMENTS: IMPACT OF ROGUE ROUTER ADVERTISEMENTS
- Router Advertisements are an implicit requirement for IPv6 networking to function correctly
- In a perfect network, only the configured routers for a segment will generate and send Router Advertisements, as configured by the operators
- In the imperfect world that we live in, we need to be aware of the potential for rogue Router Advertisements
  - Accidental RAs could be sent by a misconfigured host on the network
  - Or by a misconfigured router (e.g. old router config restored; two VLANs have been bridged; someone has brought a home CPE into the office)
  - Or by someone malicious, deliberately wanting to cause problems on the network
(Diagram labels: RTR ADV, IPV4 DEFAULT ROUTER, RTR ADV, IPV6 DEFAULT ROUTER)

ROGUE ROUTER ADVERTISEMENTS: PROTECTING FROM ROGUE ROUTER ADVERTISEMENTS
There are two general approaches that can be taken to protect against rogue Router Advertisements in your network:
1. Filter Router Advertisements at the network access edge (L2 switch, DSLAM, WiFi access point)
2. Monitor for unauthorised RAs and react when they are seen (automatic or manual process)
- Router Advertisement Guard (RA-Guard), as defined in RFC6105, describes an implementation that filters out Router Advertisement messages on the access ports of an L2 access device
- An alternative approach for devices that do not support RA-Guard is to use an L3 filter on your access ports:

    filter ra-guard {
        term block-ra {
            from {
                icmp-type router-advertisement;
            }
            then discard;
        }
        term default {
            then accept;
        }
    }

    ipv6 access-list ra-guard
     deny icmp any any 134
     permit ipv6 any any

    ipv6-filter 134 create
        entry 10 create
            match next-header ipv6-icmp
                icmp-type router-advt
            exit
            action drop
        exit
    exit
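
The second approach on this slide (monitor for unauthorised RAs) comes down to parsing each Router Advertisement and comparing it with what the operator configured. The sketch below is an added example, not part of the original slides: `POLICY`, `check_ra` and the sample packets are illustrative names and constructed values, and the MAC address is an assumed value.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type matched by the slide's filters


def build_ra(mac, prefix, cur_hop=64, flags=0xC0, lifetime=1800,
             valid=30 * 86400, preferred=7 * 86400):
    """Build a constructed RA (ICMPv6 body only, checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,
                      cur_hop, flags, lifetime, 0, 0)
    slla = struct.pack("!BB6s", 1, 1, bytes.fromhex(mac.replace(":", "")))
    pio = struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0, net.network_address.packed)
    return hdr + slla + pio


def parse_ra(icmp):
    """Parse an ICMPv6 Router Advertisement, starting at the type byte."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    cur_hop, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"cur_hop_limit": cur_hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "slla": None, "prefixes": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("bad option length")
        opt = icmp[off:off + olen]
        if otype == 1 and olen == 8:        # Source Link-Layer Address
            ra["slla"] = opt[2:8].hex(":")
        elif otype == 3 and olen == 32:     # Prefix Information
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", opt, 2)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((opt[16:32], plen), strict=False),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        off += olen
    return ra


def check_ra(src, hop_limit, icmp, policy):
    """Return a list of findings; an empty list means the RA matches policy."""
    findings = []
    src_ip = ipaddress.IPv6Address(src)
    if hop_limit != 255:
        findings.append("hop limit is not 255 (RA was forwarded, not on-link)")
    if not src_ip.is_link_local:
        findings.append("source address is not link-local")
    try:
        ra = parse_ra(icmp)
    except ValueError as exc:
        return findings + [f"malformed RA: {exc}"]
    if src_ip not in policy["routers"]:
        findings.append(f"unauthorised router {src_ip}")
    if ra["slla"] not in policy["macs"]:
        findings.append(f"unexpected link-layer address {ra['slla']}")
    for pio in ra["prefixes"]:
        if pio["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected prefix {pio['prefix']}")
    return findings


# Policy and packets are constructed for this example. The router address and
# prefix are the slide's; the MAC is an assumed value matching that address.
POLICY = {
    "routers": {ipaddress.IPv6Address("fe80::2aa:ff:fe99:9999")},
    "macs": {"00:aa:00:99:99:99"},
    "prefixes": {ipaddress.IPv6Network("2001:db8::/64")},
}
GOOD_RA = build_ra("00:aa:00:99:99:99", "2001:db8::/64")
ROGUE_RA = build_ra("02:00:00:00:00:01", "2001:db8:bad::/64")

if __name__ == "__main__":
    for name, src, hlim, pkt in [
            ("authorised", "fe80::2aa:ff:fe99:9999", 255, GOOD_RA),
            ("rogue", "fe80::1", 255, ROGUE_RA),
            ("off-link", "fe80::2aa:ff:fe99:9999", 64, GOOD_RA),
            ("truncated", "fe80::2aa:ff:fe99:9999", 255, GOOD_RA[:-4])]:
        print(name, check_ra(src, hlim, pkt, POLICY) or "OK")
```

In a deployment the source address and hop limit come from the IPv6 header of the captured packet, and each finding would feed the automatic or manual reaction the slide mentions.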

DHCPv6 vs. ROUTER ADVERTISEMENTS
- Stateless Address Autoconfiguration (SLAAC) allows devices in IPv6 networks to automatically configure themselves and start networking functions
  - However, it is device-driven and, from the operator's point of view, non-deterministic
- IPv6 also supports DHCP functionality approximately equivalent to IPv4, which can be beneficial to operators that:
  - Want deterministic configuration behavior of devices
  - Want to assign more configuration parameters to the devices than RA supports
  - Want IPv6 and IPv4 networks to behave equivalently
  - Need specific functionality that is only available in DHCPv6, such as Circuit Identifier information
  - Want to use IPv6 Prefix Delegation to assign prefixes to downstream devices/routers
  - Want devices to continuously poll for configuration information

DHCPv6 vs. ROUTER ADVERTISEMENTS: DIFFERENCES BETWEEN DHCPv4 AND DHCPv6
- In IPv4, DHCP configured devices would start the DHCP discover process when the network interface is ready (up and plumbed)
- In IPv6, the DHCPv6 process may start when the interface is up, if the device is configured to do so
  - Or a device may wait for a Router Advertisement to be seen, with the M-bit set to 1
  - This allows IPv6 routers to tell hosts attaching to the network to start and use DHCPv6 for IPv6 addressing
- DHCPv6 does not contain information about default routers, unlike DHCPv4
  - Instead, Router Advertisements are used for this
  - This means an IPv6 network must use both DHCPv6 and Router Advertisements in conjunction

DHCPv6 vs. ROUTER ADVERTISEMENTS: WHEN TO USE DHCPv6?
- Many operators want to have IPv6 look and feel like IPv4, and thus use DHCPv6 for consistency between the two address families
  - DHCPv4 Option 82 (Relay Agent Information: Circuit-ID, Remote-ID) behavior can be replicated with DHCPv6 Option 18 (Interface-ID) and Option 37 (Remote-ID), which allows for deterministic behavior based on DHCPv6 relay information
  - Centralized DHCP pool behavior can be used for assignment of addresses, including logging which device had what address and when
  - Specific configuration information such as DNS servers, TR-069 ACS servers, etc. can be provided at network attachment in the DHCPv6 messaging
- It's very common to find DHCPv6 deployed in enterprise environments and broadband operator environments where DHCPv4 was used extensively for network management and AAA purposes
- In smaller environments (small business, home networks, etc.) the use of SLAAC is probably preferred
- Home CPE should support both DHCPv6 and SLAAC to cover both use cases

DHCPv6 vs. ROUTER ADVERTISEMENTS: DHCPv6 IN BROADBAND EXAMPLE
Diagram elements: Subnet A, Subnet B, Routed Gateway, Access Node (LDRA), BNG, RADIUS
DHCPv6 messages:
- DHCPv6 SOLICIT: IA_PD-Option, (IA_NA-Option), DNS-Servers Option
- DHCPv6 ADVERTISE: IA_PD-Option + Prefix, (IA_NA)
- DHCPv6 REQUEST: IA_PD-Option, (IA_NA-Option), DNS-Servers Option
- DHCPv6 REPLY: IA_PD-Option + Prefix, (IA_NA)
LDRA: Insert Option-18/37 information
RADIUS messages:
- RADIUS Access-Request: User-Name, Password, Service-Name VSA, Service-Type=Framed
- RADIUS Access-Accept: Delegated-IPv6-Prefix, IPv6-DNS, (IPv6-Address)
Anti-spoofing installed
Router Advertisement

SECURE NEIGHBOR DISCOVERY (SeND)
- IPv6 Neighbor Discovery has no authentication mechanism built into it
  - The closest thing to authentication is that you are attached to the same network segment
  - Basically, blind trust
- This leads to Neighbor Discovery being vulnerable to a number of hijacking issues
  - Covered some of these yesterday
  - Very similar to the ways in which ARP is vulnerable in IPv4
- Secure Neighbor Discovery (SeND) is defined in RFC3971 and specifies a mechanism to secure neighbor discovery messaging
  - These are extensions to NDP that provide a mechanism for using CGAs, and for only accepting/sending secured NS/NA messages on an interface
- While it was defined some time ago, it is not particularly widely deployed yet
  - Still further work to be done in making SeND truly usable
  - Some operators are now experimenting with it

SECURE NEIGHBOR DISCOVERY (SeND): CRYPTOGRAPHICALLY GENERATED ADDRESSES (CGA)
- CGAs are IPv6 addresses generated from a cryptographic hash of a public key and other parameters
- A node generating a CGA must first obtain an RSA public/private key pair; then a SHA-1 hash is performed over the public key, the subnet prefix, and a modifier to generate an interface identifier
- This identifier is appended to the subnet prefix to form a 128-bit CGA
- CGA generation is a one-time occurrence on a system (typically at boot, or at configuration of SeND on that interface)
Diagram:
- Generate RSA keys
- Modifier + Pub Key + Subnet prefix = CGA
- Many calculation operations required at the router. Scaling problem?
- Messages: SeND-NS, SeND-NA, SeND-RS, SeND-RA
- Certificate distribution may be used for these messages (with trust anchors)
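
The CGA construction described on this slide, as an added example that is not part of the original slides. It follows RFC 3972, which goes beyond the slide by adding the Sec parameter and the second hash that makes generation expensive; the key bytes are constructed placeholders standing in for a DER-encoded RSA public key, and the modifier search starts at zero only to keep the demo reproducible.

```python
import hashlib
import ipaddress


def hash2_ok(modifier, pubkey, sec):
    """Hash2 condition: the leftmost 16*Sec bits of the SHA-1 must be zero."""
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)


def generate_cga(prefix, pubkey, sec=1, collision_count=0):
    """Return (address, modifier, tries) for a /64 prefix and a public key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("need a /64 prefix and Sec in 0..7")
    # Brute-force a modifier that satisfies Hash2. This is the costly step:
    # about 2**(16*Sec) SHA-1 operations. A real node starts from a random
    # 128-bit modifier; zero is used here so the demo is reproducible.
    m, tries = 0, 1
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m, tries = m + 1, tries + 1
    modifier = m.to_bytes(16, "big")
    prefix8 = net.network_address.packed[:8]
    # Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision | key).
    hash1 = hashlib.sha1(
        modifier + prefix8 + bytes([collision_count]) + pubkey).digest()[:8]
    iid = bytearray(hash1)
    # Three leftmost bits carry Sec; the "u" and "g" bits (6 and 7) are zero.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix8 + bytes(iid)), modifier, tries


def verify_cga(address, modifier, collision_count, pubkey):
    """Check that an address was derived from the given CGA parameters."""
    packed = ipaddress.IPv6Address(address).packed
    if collision_count not in (0, 1, 2) or len(modifier) != 16:
        return False
    # Recompute Hash1 using the prefix taken from the address itself, so a
    # CGA moved to another subnet no longer verifies.
    hash1 = hashlib.sha1(
        modifier + packed[:8] + bytes([collision_count]) + pubkey).digest()[:8]
    mask = 0x1CFFFFFFFFFFFFFF  # ignore the Sec bits and the u/g bits
    diff = int.from_bytes(hash1, "big") ^ int.from_bytes(packed[8:], "big")
    if diff & mask:
        return False
    sec = packed[8] >> 5
    return hash2_ok(modifier, pubkey, sec)


# Constructed placeholders for two DER-encoded RSA public keys. The hash
# treats the key as opaque bytes, so any byte string shows the binding.
KEY_A = b"constructed-placeholder-public-key-A"
KEY_B = b"constructed-placeholder-public-key-B"

if __name__ == "__main__":
    addr, modifier, tries = generate_cga("2001:db8::/64", KEY_A, sec=1)
    print("CGA:", addr, "after", tries, "modifier candidates")
    print("owner's key verifies:", verify_cga(addr, modifier, 0, KEY_A))
    print("other key verifies:  ", verify_cga(addr, modifier, 0, KEY_B))
```

Verifying the address only binds it to the public key; SeND additionally carries an RSA signature in each message to prove the sender holds the matching private key.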

SECURE NEIGHBOR DISCOVERY: WHAT'S THE USE CASE?
1. Security on common L2 infrastructure
   - One operator has spoken about using SeND for peering interfaces (i.e. towards IXPs) to ensure their peering adjacencies are formed with trusted neighbors that have not been spoofed or hijacked
2. Security for network management infrastructure
   - One operator has spoken about using SeND for their cable modem management interfaces (CM to L3PE) to ensure that they are speaking to legitimate cable modems that have not been tampered with or compromised
   - If the Cable Modem cannot form a valid CGA and form a secure neighbor adjacency, the CM will not be able to attach to the network and receive configuration, and thus all downstream services will be blocked

VPN LEAKAGE IN DUAL STACK HOSTS
- An interesting problem with dual stack services being deployed is that some VPN clients do not handle the separation of traffic properly
- One example of this is DNS traffic:
  - Windows will prefer to use IPv6 DNS servers if it knows about them (e.g. via DHCPv6 configuration information)
  - When a VPN is established, usually new DNS servers are provided to the client in order to resolve addresses within the intranet network
  - The client should use these DNS servers, or connectivity within the internal network may not be possible (e.g. split horizon DNS rules, internal-only zones)
  - If the VPN is not IPv6 or dual stack, with appropriate IPv6 DNS server information, Windows' preference for IPv6 DNS servers will lead it to continue to query the IPv6 DNS servers!
  - If the VPN client doesn't block connectivity on the IPv6 path, DNS resolution may fail
  - I found this out the hard way
- VPN clients seem to be getting better at managing this, either by blocking IPv6 connectivity altogether, or by enforcing DNS priority to use the IPv4 DNS servers
- Thinking about IPv6 on your corporate VPNs is probably a good idea

USE OF LINK LOCAL ADDRESSING ONLY
- In a service provider backbone network, is there a need to number network interfaces with global unicast addresses?
- Some operators took this approach in IPv4 by using RFC1918 address space
  - Traceroute could/would break
  - Address uniqueness could be a problem, particularly with B2B/B2C interfaces
- Some networks are effectively hiding their core with MPLS today anyway, so they are completely invisible to transit traffic
- IPv6 Link Local Addressing is designed to be unique to an IP interface, so address collisions are not a problem
  - Routing protocols often use LLA for NEXT_HOP information
  - ICMPv6 also knows how to correctly source ICMPv6 messaging from a valid scope address on the node
  - Traceroute shouldn't break
- draft-opsec-lla-only

USE OF LINK LOCAL ADDRESSING ONLY
Therefore, it seems that in a hypothetical case it would be possible to use LLA only within the service provider network
What are the benefits?
- Infrastructure numbering becomes relatively simple
- Reduced threat horizon due to reduced GUA configuration on the node (IACLs become much less complex)
- Core will still transport packets, traceroute will still work, but interfaces do not consume GUA
- Configuration can be simplified as addresses don't need to be configured on interfaces (using SLAAC)
What are the disadvantages?
- Interface troubleshooting can become a problem
  - Must remember to ping fe80::1%gi-1/3/37 instead of 2001:db8::1:3:37
- Traceroute output becomes less informative since all hops look the same (loopback vs. interface specific responses)
- Interface IP addressing will change when the interface MAC/interface-identifier changes (e.g. hardware replacement)
- Traffic engineering/strict path approaches will not work (e.g. RSVP-TE strict LSPs with FRR)

USE OF LINK LOCAL ADDRESSING ONLY: IS IT A GOOD IDEA?
- Analysis is still ongoing
- It's theoretically possible, and is an interesting idea
- The ex-network operations guy in me says don't do this, at 3am you'll regret it
Residential IPv6 at Swisscom, an overview Martin Gysi What is Required for an IPv6 Internet Access Service? ADSL L2 platform, IPv6 not required VDSL Complex Infrastructure is Barrier to Cost-efficient
More informationInterconnecting Cisco Network Devices 1 Course, Class Outline
www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course
More informationMobile IP. Bheemarjuna Reddy Tamma IIT Hyderabad. Source: Slides of Charlie Perkins and Geert Heijenk on Mobile IP
Mobile IP Bheemarjuna Reddy Tamma IIT Hyderabad Source: Slides of Charlie Perkins and Geert Heijenk on Mobile IP IP Refresher Mobile IP Basics 3 parts of Mobile IP: Outline Advertising Care-of Addresses
More informationIntroduction to IP v6
IP v 1-3: defined and replaced Introduction to IP v6 IP v4 - current version; 20 years old IP v5 - streams protocol IP v6 - replacement for IP v4 During developments it was called IPng - Next Generation
More informationHow To Learn Cisco Cisco Ios And Cisco Vlan
Interconnecting Cisco Networking Devices: Accelerated Course CCNAX v2.0; 5 Days, Instructor-led Course Description Interconnecting Cisco Networking Devices: Accelerated (CCNAX) v2.0 is a 60-hour instructor-led
More informationFirewall Security. Presented by: Daminda Perera
Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network
More informationHughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by
More informationDHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy
, ICMP, IPv6 UDP IP Eth Phy UDP IP Eth Phy Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley Some materials copyright 1996-2012 J.F Kurose and K.W. Ross, All Rights
More informationInternetworking Microsoft TCP/IP on Microsoft Windows NT 4.0
Internetworking Microsoft TCP/IP on Microsoft Windows NT 4.0 Course length: 5 Days Course No. 688 - Five days - Instructor-led Introduction This course provides students with the knowledge and skills required
More informationConfiguring the Transparent or Routed Firewall
5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing
More informationFirewalls und IPv6 worauf Sie achten müssen!
Firewalls und IPv6 worauf Sie achten müssen! Pascal Raemy CTO Asecus AG pascal.raemy@asecus.ch Asecus AG Asecus AG Security (Firewall, Web-Gateway, Mail-Gateway) Application Delivery (F5 Neworks with BIGIP)
More informationIP/MPLS-Based VPNs Layer-3 vs. Layer-2
Table of Contents 1. Objective... 3 2. Target Audience... 3 3. Pre-Requisites... 3 4. Introduction...3 5. MPLS Layer-3 VPNs... 4 6. MPLS Layer-2 VPNs... 7 6.1. Point-to-Point Connectivity... 8 6.2. Multi-Point
More informationIPv6 Secure Neighbor Discovery
IPv6 Secure Neighbor Discovery Andreas Hunkeler January 2015 Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch IPv6
More informationIPv6 in Axis Video Products
TECHNICAL NOTE REFERENCE DOCUMENT IPv6 in Axis Video Products Created: 2006-01-31 Last updated: 2006-05-29 TABLE OF CONTENTS DOCUMENT HISTORY... 2 1 IPV6 IN GENERAL... 3 1.1 The IPv6 address... 3 1.1.1
More informationBroadband Network Architecture
Broadband Network Architecture Jan Martijn Metselaar May 24, 2012 Winitu Consulting Klipperaak 2d 2411 ND Bodegraven The Netherlands slide Broadband Services! Dual play, Triple play, Multi play! But what
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationNetwork Security IPv4 + IPv6
Network Security IPv4 + IPv6 by Managing Director SuperInternet Overview Confidentiality? Integrity? Availability! IPv6 Issues (Compared with IPv4) Physical Security of the Network Assumptions: Generally
More informationJunos OS. IPv6 Neighbor Discovery Feature Guide for Routing Devices. Release 15.1. Modified: 2015-05-26. Copyright 2015, Juniper Networks, Inc.
Junos OS IPv6 Neighbor Discovery Feature Guide for Routing Devices Release 15.1 Modified: 2015-05-26 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
More informationV310 Support Note Version 1.0 November, 2011
1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6
More informationTechnology Brief IPv6 White Paper.
Technology Brief White Paper. Page 1 of 37 Table of Contents 1 Overview... 3 1.1 Background... 3 1.2 Advantages of... 5 2 Packet... 9 2.1 Basic Header... 9 2.1.1 Extension Headers... 11 2.1.2 ICMP Packet...
More informationCPE requirements and IPv6. Ole Trøan, ot@cisco.com February 2010
CPE requirements and IPv6 Ole Trøan, ot@cisco.com February 2010 Past and present: Worked as an implementer on every aspect of the IOS IPv6 stack. Routing, access, provisioning, ND, DHCP PD, Transition
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationSupporting Document PPP
Supporting Document PPP Content 1 Starter Kit... 3 2 Technical Specification Access... 3 2.1 Overview... 3 2.2 Upstream Policing for PPP@ISP... 3 2.3 Supported Protocols... 3 2.4 PPPoA... 3 2.5 PPPoE...
More informationFirewall Design Principles Firewall Characteristics Types of Firewalls
Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008
More informationConfiguring IP Load Sharing in AOS Quick Configuration Guide
Configuring IP Load Sharing in AOS Quick Configuration Guide ADTRAN Operating System (AOS) includes IP Load Sharing for balancing outbound IP traffic across multiple interfaces. This feature can be used
More informationProCurve Networking. Hardening ProCurve Switches. Technical White Paper
ProCurve Networking Hardening ProCurve Switches Technical White Paper Executive Summary and Purpose... 3 Insecure Protocols and Secure Alternatives... 3 Telnet vs. Secure Shell... 3 HTTP vs. HTTPS... 3
More informationSecuring a Core Network
Securing a Core Network Manchester, 21 Sep 2004 Michael Behringer Christian Panigl Session Number Presentation_ID 325_mbehring 2001, 2003 Cisco Systems, Inc. All
More informationAculab digital network access cards
Aculab digital network access cards Adding and Using IPv6 Capabilities Guide Revision 1.0.2 PROPRIETARY INFORMATION Aculab Plc makes every effort to ensure that the information in this document is correct
More information