harprsin@cisco.com
IPv4 Exhaustion
Market Drivers
IPv6 Technical Overview
IPv6 Transition Mechanisms
Security
Cisco Confidential
Chart: Internet-enabled devices, 5 billion today and growing through 2015+ (drivers: IP Video / Collaboration, Embedded Internet).
2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential For BarrettXplore
Sources: (1) Geoff Huston, APNIC, www.potaroo.net, tracking /8 address-blocks managed by the Internet Assigned Numbers Authority; (2) Cisco Visual Networking Index / Intel Embedded Internet Projections
3rd February 2011: the last five remaining /8 pools were allocated amongst the five Regional Internet Registries.
15th April 2011: the APNIC pool consists of the final /8 block. IPv4 allocation policy has now changed: APNIC members are eligible for a SINGLE /22 (1024 addresses) from the pool.
Source: http://www.icann.org/en/news/releases/release-03feb11-en.pdf
RIRs still have addresses available from local pools; APNIC, RIPE, and ARIN will all be exhausted by 2012.
Nortel sold 666,624 IP addresses to Microsoft on 23rd March for $7.5M ($11.25 each).
Chart (dated 2008): world population vs. connected devices
Year   World population   Connected devices   Devices per person
2003   6.5 Billion        500 Million         0.08
2010   6.8 Billion        12.5 Billion        1.84
2015   7.2 Billion        25 Billion          3.47
2020   7.6 Billion        50 Billion          6.58
Government Mandates
Cable market address scaling
Population densities in APAC
4G deployments
Smart Grids / Sensor Networks
Connected Communities
IPv4 connects computers; IPv6 connects people and things.
IPv6: OS, Content & Applications; Infrastructure Evolution
End Point Explosion: Smart Grid, Smart Meters, Smart Cities, Internet of Things, Cable Set Top Boxes, Mobile Telephony
https://www.arin.net/knowledge/v4-v6.html
Figure: smart-grid example with five sensor subnets (2001:0205:8:1/64 through 2001:0205:8:5/64), each reporting a Power Consumption gauge (0%, 50%, 100% of Total Capacity, with an Overload Condition marked).
Examples of IPv6-reachable sites (slide graphic): Yosemite, ipv6.google.com, Helsingborg Dagblad, and literal-address URLs:
http://[2402:6000:200:100::4] http://[2001:470:d:2ed::1] http://[2001:4830:20e0:1::5] http://[2001:b48:12:1::2] http://[2001:da8:200:200::4:28] http://[2405:5000:1:2::99] http://[2001:44b8:8020:f501:250:56ff:feb3:6633] http://[2001:218:2001:3005::8a] http://[2001:470:0:64::2]
http://[2001:2040:2000::6] http://[2001:470:1:1d::d8da:84ea] http://[2001:558:1004:9:69:252:76:96] http://[2a01:a8:0:5::26] http://[2001:470:0:e6::4a52:2717] http://[2607:f4e8:12:fffe:230:48ff:fe96:f99e] http://[2001:4f8:fff6::21] http://[2001:9b0:1:104:230:48ff:fe56:31ae] http://[2001:470:1:3a::13]
http://[2620:0:ef0:13::20] http://[2607:f0d0:3001:62:1::53] http://[2a01:48:1:0:2e0:81ff:fe05:4658] http://[2001:440:fff9:100:202:b3ff:fea4:a44e] http://[2620:0:1cfe:face:b00c::3] http://[2607:f238:2::51] http://[2001:838:1:1:210:dcff:fe20:7c7c]
The IPv4 address exhaustion problem is real, and the free pool is depleting at a rapid rate. Asia has used up its allocation; the US and European pools will be exhausted by early 2012. Service Providers need to act as soon as possible, and a roadmap to IPv6 must be considered.
IPv4 and IPv6 implementations must be scalable, reliable, secure and feature rich. There are many ways to deliver IPv6 services to End Users.
Figure: IP NGN roadmap in three phases, Preserve, Prepare, Prosper, with a legend for the address types in use at each phase: IPv4, Private IP, IPv6.
harpreets@cisco.com rsnaraya@cisco.com
IPv6 Addressing
IPv6 Header
ICMPv6 and Neighbor Discovery
IPv6 Interface Configuration
IPv4                                        | IPv6
32-bit, NAT                                 | 128-bit, Multiple Scopes
DHCP                                        | SLAAC, Renumbering, DHCP
IPSec                                       | IPSec
Mobile IP                                   | Mobile IP with Direct Routing
Differentiated Service, Integrated Service  | Differentiated Service, Integrated Service   (Quality-of-Service)
IGMP/PIM/MBGP                               |                                              (Multicast)
IPv6 address structure:
Network Portion (gggg:gggg:gggg:ssss) | Interface ID (xxxx:xxxx:xxxx:xxxx)
Global Routing Prefix (n bits, n <= 48) + Subnet ID | Host (64 bits)
Full Format:        2001:0000:0000:00A1:0000:0000:0000:1E2A
Abbreviated Format: 2001:0:0:A1::1E2A
340,282,366,920,938,463,374,607,432,768,211,456
(IPv6 Address Space - 340 Trillion Trillion Trillion)
vs 4,294,967,296
(IPv4 Address Space - 4 Billion)
Prefix hierarchy for 2001:0DB8:...: /23 Registry, /32 ISP prefix, /48 Site prefix, /64 Subnet prefix, followed by the 64-bit Interface ID.
Represented as x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field:
2001:0DB8:C003:0001:0000:0000:0000:BEEF
2001:DB8:C003:1:0:0:0:BEEF
2001:DB8:C003:1::BEEF
0:0:0:0:0:0:0:1 --> ::1 - Loopback address
Figure: sites and subnets under 2001:DB8. Site 1 = 2001:DB8:1::/48 with subnets 2001:DB8:1:1::/64 and 2001:DB8:1:2::/64; Site 2 with subnets 2001:DB8:2:1::/64 and 2001:DB8:2:2::/64.
Example address: 2001:0db8:0:130F::87C:140B
Notation rules:
The double colon (::) can appear only once in an address.
IPv6 uses CIDR representation: an IPv4 address looks like 98.10.0.0/16, and an IPv6 address is represented the same way, e.g. 2001:db8:12::/48.
The notation must be expressed in 16-bit blocks irrespective of the mask, e.g. FE80::/10 or FF00::/8.
Only leading zeros are omitted; trailing zeros cannot be omitted: 2001:0db8:0012::/48 = 2001:db8:12::/48, but 2001:db80:1200::/48 is not the same prefix as 2001:db8:12::/48.
Loopback address: 0:0:0:0:0:0:0:1 == ::1, the same as 127.0.0.1 in IPv4; identifies self.
Unspecified address: 0:0:0:0:0:0:0:0 == ::, used as a placeholder when no address is available (initial DHCP request, Duplicate Address Detection, DAD). It is NOT the default route.
Default route representation: ::/0
Unicast address types: Global, Unique Local, Link Local. Global addresses have a lifetime.
Address allocation hierarchy:
Provider Assigned:    IANA (2000::/3) -> Registries (/12) -> ISP (/32) -> Org (/48)
Provider Independent: IANA (2000::/3) -> Registries (/12) -> Org (/48)
Global unicast address structure:
Provider (n bits) | Site: Subnet (64-n bits) | Host: Interface ID (64 bits)
Addresses for generic use of IPv6, structured as a hierarchy to try to keep aggregation.
Subnet | Interface ID
Interface ID for auto-configuration (EUI-64 format): the 48-bit Ethernet MAC address is expanded into a 64-bit interface identifier. The universal/local (u) bit is set to 1 for global scope and 0 for local scope; Cisco devices bit-flip the 7th bit of the unique Ethernet MAC address to derive it.
Link-local address structure: 10 bits (FE80::/10) | 54 bits | 64 bits Interface ID
Mandatory for communication between two IPv6 devices; automatically assigned by the device using EUI-64. Also used for next-hop calculation in routing protocols. Link-specific scope only. The remaining 54 bits may be zero or any manually configured value.
Unique Local Address (ULA) structure: n bits prefix | 16 bits Subnet | 64 bits Interface ID
ULAs are like RFC 1918 addresses: not routable on the Internet. ULA uses include local communications.
Multicast address format: 1111 1111 (8 bits) | Flags 0RPT (4 bits) | Scope (4 bits) | Group ID (variable format)
Flags: R = 0 no embedded RP, R = 1 embedded RP; P = 0 not based on unicast prefix, P = 1 based on unicast prefix; T = 0 permanent address (IANA assigned), T = 1 temporary address (locally assigned)
Scope: 1 Node, 2 Link, 3 Subnet, 4 Admin, 5 Site, 8 Organization, E Global
Unicast-prefix-based multicast address format: 1111 1111 (8 bits) | Flags (4 bits) | Scope (4 bits) | Reserved (8 bits) | Prefix Length (8 bits) | Unicast Prefix (64 bits) | Group ID (32 bits)
Example:
Flags: P=1 (Unicast), T=1 (Temp), i.e. 0011 in binary
Scope: E (Global)
Length: 64 bits (0x40)
Prefix: 2001:db8:cafe:1::
Group ID: 11ff:11ee
Result: ff3e:40:2001:db8:cafe:1:11ff:11ee
Well-known multicast addresses:
Address            Scope        Meaning
FF01::1            Node-Local   All Nodes
FF01::2            Node-Local   All Routers
FF02::1            Link-Local   All Nodes
FF02::2            Link-Local   All Routers
FF02::5            Link-Local   OSPFv3 Routers
FF02::6            Link-Local   OSPFv3 DR Routers
FF02::1:FFXX:XXXX  Link-Local   Solicited-Node
In FF02, the 02 means that this is a permanent address (T = 0) with link scope (2).
http://www.iana.org/assignments/ipv6-multicast-addresses
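To make the flag and scope nibbles concrete, here is an added example (not from the original deck) that builds a unicast-prefix-based multicast group from the fields on the slide and decodes any multicast address back into flags, scope and, when P=1, the embedded unicast prefix. Scope names follow the table above; the addresses are the slide's.

```python
"""Build and decode IPv6 multicast addresses (RFC 4291 flags/scope layout,
RFC 3306 unicast-prefix-based groups). Added example, not from the original deck."""
import ipaddress

SCOPES = {0x1: "Node", 0x2: "Link", 0x3: "Subnet", 0x4: "Admin",
          0x5: "Site", 0x8: "Organization", 0xE: "Global"}
FLAG_T, FLAG_P, FLAG_R = 0b0001, 0b0010, 0b0100   # T = temporary, P = prefix-based, R = embedded RP


def unicast_prefix_multicast(prefix: str, group_id: int, scope: int,
                             temporary: bool = True) -> str:
    """FF | flags | scope | reserved(8) | plen(8) | unicast prefix(64) | group id(32)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("unicast prefix must be /64 or shorter")
    if not 0 <= group_id < (1 << 32):
        raise ValueError("group id must fit in 32 bits")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope:#x}")
    flags = FLAG_P | (FLAG_T if temporary else 0)          # P=1, T=1 -> 0011
    first16 = (0xFF << 8) | (flags << 4) | scope            # e.g. 0xFF3E
    prefix_bits = int(net.network_address) >> 64            # top 64 bits of the unicast prefix
    value = (first16 << 112) | (net.prefixlen << 96) | (prefix_bits << 32) | group_id
    return str(ipaddress.IPv6Address(value))


def decode_multicast(addr: str) -> dict:
    """Split a multicast address into flags, scope and (if P=1) the embedded unicast prefix."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    info = {
        "embedded_rp": bool(flags & FLAG_R),
        "prefix_based": bool(flags & FLAG_P),
        "temporary": bool(flags & FLAG_T),
        "scope": SCOPES.get(scope, f"reserved-{scope:x}"),
    }
    if flags & FLAG_P:
        plen = (value >> 96) & 0xFF
        prefix_bits = (value >> 32) & ((1 << 64) - 1)
        net = ipaddress.IPv6Network((prefix_bits << 64, plen), strict=False)
        info["unicast_prefix"] = str(net)
        info["group_id"] = value & 0xFFFFFFFF
    else:
        info["group_id"] = value & ((1 << 112) - 1)         # plain 112-bit group id
    return info
```

decode_multicast("ff02::1") reports a permanent (T=0), link-scope group, which is the reading of "02" given in the table above.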
For each Unicast and Anycast address configured there is a corresponding solicited-node multicast address:
Routing Prefix | Interface ID  ->  FF02:0000:0000:0000:0000:0001:FF | low 24 bits of the Interface ID
IPv6 multicast address to Ethernet mapping: the Ethernet frame multicast prefix 33-33 followed by the low 32 bits of the IPv6 multicast address, e.g. corresponding Ethernet address 33-33-FF-17-FC-0F.
Worked example:
Link-Local address:     FE80:0000:0000:0000 (64-bit Network ID) : 0200:0CFF:FE3A:8B18 (64-bit Interface ID); low 24 bits = 3A:8B18
Solicited-Node address: FF02:0000:0000:0000:0000:0001:FF3A:8B18; low 32 bits = FF3A8B18
Ethernet Multicast:     33-33-FF-3A-8B-18
R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    All Nodes FF02::1
    All Routers FF02::2
    Solicited Node Multicast Address FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
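The chain MAC address -> EUI-64 interface ID -> link-local address -> solicited-node group -> Ethernet multicast MAC is what the figures and the show output above illustrate. The following added example (not from the original deck) computes every step; the MAC 00:00:0C:3A:8B:18 is inferred from the interface ID 0200:0CFF:FE3A:8B18 shown in the figure, and the SLAAC function is included because the same interface ID is appended to an advertised /64 later in the deck. Note that Python's ipaddress module writes a single all-zero group as 0 rather than ::.

```python
"""From a MAC address to the EUI-64 interface ID, link-local and SLAAC addresses,
the solicited-node multicast group and the Ethernet multicast MAC.
Added example, not from the original deck."""
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept 00:00:0c:3a:8b:18, 00-00-0c-3a-8b-18 or Cisco's 0000.0c3a.8b18."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> int:
    """Insert FFFE between the OUI and the device id, then flip the
    universal/local bit (bit 7 of the first octet, i.e. XOR 0x02)."""
    b = parse_mac(mac)
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def link_local(mac: str) -> str:
    """FE80::/10 with the remaining 54 bits zero, plus the EUI-64 interface ID."""
    return str(ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac)))


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: advertised /64 prefix + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx carrying the low 24 bits of the unicast/anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def ethernet_multicast(mcast: str) -> str:
    """33-33 followed by the low 32 bits of the IPv6 multicast address."""
    value = int(ipaddress.IPv6Address(mcast))
    if value >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    low32 = (value & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{x:02x}" for x in b"\x33\x33" + low32)
```

Running link_local and solicited_node on the MAC 0007.505e.9460 from the later show interface output reproduces FE80::207:50FF:FE5E:9460 and FF02::1:FF5E:9460, the values that router joins.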
IPv4 header fields: Version, IHL, Type of Service, Total Length, Flags, Fragment Offset, Protocol, Header Checksum, Source Address, Destination Address, Padding.
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.
Legend: field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6.
Extension header chaining (each header's Next Header field names the one that follows):
Example 1: IPv6 header (Next Header = 6) -> TCP payload
Example 2: IPv6 header (Next Header = 43) -> Routing Header (Next Header = 17) -> UDP payload
Example 3: IPv6 header (Next Header = 43) -> Routing Header (Next Header = 60) -> Destination Options header (Next Header = 6) -> TCP payload
Next Header values: 43 Routing Header, 44 Fragment Header, 51 Authentication Header, 50 Encapsulating Security Payload, 60 Destination Options, 135 Mobility, 59 No Next Header; upper layer: 6 TCP, 17 UDP, 58 ICMPv6.
Fragment Header (announced by Next Header = 44 in the preceding header):
Next Header (8 bits) | Reserved (8 bits) | Fragment Offset (13 bits) | Res (2 bits) | M (1 bit) | Identification (32 bits)
Fragmentation is left to end devices in IPv6; routers do not perform fragmentation. The fragment header is used when an end node has to send a packet larger than the path MTU.
Next Header is the original value of the next protocol, before fragmentation.
Fragment Offset (13 bits) is represented in 8-octet units of the data following this header, relative to the start of the fragmentable part of the packet; the first fragment's offset will always be zero. M = more-fragments flag.
Path MTU: the minimum MTU of all the links in a path between a source and a destination.
The minimum link MTU for IPv6 is 1280 octets; in comparison, the IPv4 minimum MTU is 68 octets.
If Link MTU < 1280, then fragmentation and reassembly must be used.
If IPv6 payload > 1280, fragmentation may need to be performed; PMTU Discovery is expected to be performed by IPv6 end hosts.
Path MTU Discovery exchange: the source sends Packet, MTU=1400; a router on the path replies ICMPv6 Too Big, Use MTU=1300; the source resends Packet, MTU=1300.
Store PMTU per destination (if received); age out PMTU (10 mins), reset to first link MTU.
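Because routers never fragment in IPv6, the sending host has to do it after learning the path MTU. The added example below (not from the original deck) builds and parses the fragment header laid out above, splits a payload for the 1300-octet path MTU from the exchange, and reassembles it while rejecting gaps and overlaps; the 3072-byte payload is constructed for the test.

```python
"""IPv6 fragment header build/parse and PMTU-driven fragmentation of an upper-layer payload.
Added example, not from the original deck. The path MTU 1300 and the minimum
link MTU 1280 come from the slides; the sample payload is constructed."""
from __future__ import annotations
import struct

FRAGMENT_HEADER = 44      # Next Header value that announces a fragment header
IPV6_HEADER_LEN = 40
FRAG_HEADER_LEN = 8
MIN_LINK_MTU = 1280


def build_fragment_header(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    """Next Header (8) | Reserved (8) | Fragment Offset (13) | Res (2) | M (1) | Identification (32)."""
    if not 0 <= offset_units < (1 << 13):
        raise ValueError("fragment offset does not fit in 13 bits")
    word = (offset_units << 3) | (1 if more else 0)
    return struct.pack("!BBHI", next_header, 0, word, ident & 0xFFFFFFFF)


def parse_fragment_header(data: bytes) -> dict:
    next_header, _reserved, word, ident = struct.unpack("!BBHI", data[:FRAG_HEADER_LEN])
    return {"next_header": next_header, "offset": word >> 3,   # offset in 8-octet units
            "more": bool(word & 1), "identification": ident}


def fragment(payload: bytes, next_header: int, path_mtu: int, ident: int) -> list[bytes]:
    """Split payload into (fragment header + data) pieces that fit the path MTU once the
    40-byte IPv6 header is prepended. Non-final pieces are multiples of 8 octets."""
    if path_mtu < MIN_LINK_MTU:
        raise ValueError("path MTU below the IPv6 minimum of 1280")
    chunk = (path_mtu - IPV6_HEADER_LEN - FRAG_HEADER_LEN) // 8 * 8
    pieces, offset = [], 0
    while offset < len(payload) or not pieces:
        data = payload[offset:offset + chunk]
        more = offset + chunk < len(payload)
        pieces.append(build_fragment_header(next_header, offset // 8, more, ident) + data)
        offset += chunk
    return pieces


def reassemble(fragments: list[bytes]) -> bytes:
    """Reassemble, rejecting gaps and overlaps (RFC 5722: overlapping fragments are dropped)."""
    parsed = sorted(((parse_fragment_header(f), f[FRAG_HEADER_LEN:]) for f in fragments),
                    key=lambda p: p[0]["offset"])
    if len({p[0]["identification"] for p in parsed}) != 1:
        raise ValueError("fragments belong to different packets")
    out, expected = bytearray(), 0
    for hdr, data in parsed:
        if hdr["offset"] * 8 != expected:
            raise ValueError(f"gap or overlap at offset {hdr['offset']}")
        if hdr["more"] and len(data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 octets")
        out += data
        expected += len(data)
    if parsed[-1][0]["more"]:
        raise ValueError("final fragment missing")
    return bytes(out)
```

With path MTU 1300 each fragment carries 1248 data octets (1300 - 40 - 8, rounded down to a multiple of 8), so the 3072-octet payload becomes three fragments with offsets 0, 156 and 312 units.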
ICMPv6 (announced by Next Header = 58): ICMPv6 Type (8 bits) | Code (8 bits) | Checksum (16 bits) | message body and options
Also used for Neighbor Discovery, Path MTU discovery and Multicast Listener Discovery (MLD).
Type identifies the message or action needed; Code is a type-specific sub-identifier; the Checksum is computed over the entire ICMPv6 message.
Five neighbor discovery messages:
Message                      ICMP Type  Sender   Target                         Purpose
Router Solicitation (RS)     133        Nodes    All routers                    Prompt routers to send RA
Router Advertisement (RA)    134        Routers  Sender of RS (or all nodes)    Advertise default router, prefixes, operational parameters
Neighbor Solicitation (NS)   135        Nodes    Solicited-node multicast       Request link-layer address of target
Neighbor Advertisement (NA)  136        Nodes    Target node                    Answer an NS with the link-layer address
Redirect                     137        Routers  Host                           Point the host at a better first hop
Function             IPv4                     IPv6
Address Assignment   DHCPv4                   DHCPv6, SLAAC, Reconfiguration
Address Resolution   ARP                      ICMPv6 NS, NA
                     RARP                     Not Used
Router Discovery     ICMP Router Discovery    ICMPv6 RS, RA
Name Resolution      DNS                      DNS
Router Solicitation (RS): ICMP Type 133; IPv6 Source = a link-local address (FE80::1); IPv6 Destination = All Routers Multicast (FF02::2); Query: "Please send RA".
Router Advertisement (RA): ICMP Type 134; IPv6 Source = a link-local address (FE80::2); IPv6 Destination = All Nodes Multicast (FF02::1); Data: options, subnet prefix, lifetime, autoconfig flag.
Router solicitations (RS) are sent by booting nodes to request RAs for configuring their interfaces. Routers send periodic Router Advertisements (RA) to the all-nodes multicast address.
NS source address: the sender's unicast address, or the unspecified address :: (as used for Duplicate Address Detection).
Neighbor Advertisement (NA): the response to a Neighbor Solicitation (NS) message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
Neighbour Solicitation (NS) from A to B: ICMP Type 135; IPv6 Source = A unicast; IPv6 Destination = B's Solicited Node Multicast; Data: query for B's link-layer address.
The destination multicast MAC is derived from the IPv6 solicited-node address, because at this point A does not know B's actual MAC address; the frame's source MAC is A's own.
Neighbour Advertisement (NA): the IPv6 source address of the Neighbor Advertisement is the node that was the target of the original Neighbor Solicitation, and the NA is sent back to the IPv6 source of that NS.
Neighbors are only considered reachable for 30 seconds; STALE indicates that an ND packet must be sent again.
Neighbor cache states:
INCOMPLETE: address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
REACHABLE: the neighbor is known to have been reachable recently (within tens of seconds ago).
STALE: the neighbor is no longer known to be reachable, but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
DELAY: delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation.
PROBE: the neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability.
Neighbour Solicitation example (Host B, MAC 00-60-08-52-F8-D8, solicits the address owned by Host C, MAC 00-60-08-52-F9-D8, actual IP FE80::260:8FF:FE52:F9D8):
NS sent by Host B:
  Ethernet DA: 33-33-FF-52-F9-D8
  IPv6 Header: Source ::, Destination FF02::1:FF52:F9D8, Hop Limit 255
  ICMP Type: 135 (Neighbour Solicitation)
  NS Header: Target Address FE80::260:8FF:FE52:F9D8
Reply sent by Host C:
  Ethernet DA: 33-33-00-00-00-01
  IPv6 Header: Source FE80::260:8FF:FE52:F9D8, Destination FF02::1, Hop Limit 255
  ICMP Type: 135 (Neighbour Solicitation)
  NA Header: Target Address FE80::260:8FF:FE52:F9D8
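The ICMPv6 checksum described earlier covers the message plus an IPv6 pseudo-header (source, destination, length, next header 58), which is why a checksum routine needs both addresses. The added example below (not from the original deck) implements that checksum, builds the Neighbour Solicitation from the figure (source ::, destination FF02::1:FF52:F9D8, target FE80::260:8FF:FE52:F9D8), and shows the receive-side checks a node applies before trusting an ND message: ND type, code 0, hop limit 255 and a valid checksum. Host B's MAC from the figure is used for the source link-layer option in the non-DAD variant.

```python
"""ICMPv6 checksum over the IPv6 pseudo-header, a Neighbor Solicitation builder,
and a receive-side sanity check for Neighbor Discovery messages.
Added example, not from the original deck; addresses are the ones in the NS figure."""
from __future__ import annotations
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """One's-complement sum over pseudo-header (src, dst, length, zero, 58) + ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src: str, dst: str, target: str, source_mac: str | None = None) -> bytes:
    """Type 135 | Code 0 | Checksum | Reserved(32) | Target Address [| option 1: source link-layer address].
    A DAD probe is sent from :: and, per RFC 4861, must not carry the source link-layer option."""
    body = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if source_mac is not None:
        if src == "::":
            raise ValueError("DAD probe (source ::) must not carry a source link-layer option")
        mac = bytes.fromhex(source_mac.replace(":", "").replace("-", ""))
        body += bytes([1, 1]) + mac           # option type 1, length 1 (8 octets)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def nd_message_ok(src: str, dst: str, hop_limit: int, icmp: bytes) -> tuple[bool, str]:
    """Checks a receiver applies before acting on an ND message."""
    if len(icmp) < 8:
        return False, "truncated"
    if icmp[0] not in ND_TYPES:
        return False, f"not ND (type {icmp[0]})"
    if icmp[1] != 0:
        return False, "ND code must be 0"
    if hop_limit != 255:
        return False, "hop limit not 255: message was forwarded from off-link"
    if icmpv6_checksum(src, dst, icmp) != 0:   # summing a correct message yields 0
        return False, "bad checksum"
    return True, ND_TYPES[icmp[0]]
```

The hop-limit test is the cheap part of the story the figures tell with "Hop Limit 255": a router never forwards a packet without decrementing it, so any ND message that arrives with a lower value did not originate on the link.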
Redirect example (Host A, Routers R1 and R2, destination prefix 2001:db8:c18:2::/64):
  Ethernet DA / SA: Host A / Router R2
  IPv6 Header: Destination / Source = Host A / Router R2; Hop Limit 255
  ICMP Type: 137 (Redirect)
  Redirect Data: Target Address = Router R1; Redirected Prefix = 2001:db8:c18:2::/64
  IPv6 Payload
Autoconfiguration is used to automatically assign an address to a host (plug and play): generating a link-local address; generating global addresses via stateless address autoconfiguration; and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link.
Example (Host A, MAC 00:2c:04:00:fe:56; Router R1):
1. A sends a Router Solicitation (RS).
2. R1 answers with a Router Advertisement (RA): Ethernet DA/SA Router R2 / Host A; Prefix Information 2001:db8:face::/64; Default Router = Router R1.
3. A runs DAD on the candidate address.
The host's autoconfigured address comprises the received prefix + the link-layer-derived interface ID, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56
Prefixes can be given a lifetime in RA messages, which allows a seamless transition when renumbering to a new prefix.
Example (Host A currently 2001:db8:face::22c:4ff:fe00:fe56; Router R1 advertising 2001:db8:face::/64 and 2001:db8:beef::/64):
1. R1 sends a Router Advertisement (RA): Ethernet DA/SA Router R2 / Host A; Prefix Information 2001:db8:face::/64, Lifetime 30 seconds; 2001:db8:beef::/64, Lifetime 30 seconds.
2. A runs DAD for the new prefix.
Valid Lifetime for advertised prefixes (default 30 days); Preferred lifetime for addresses generated from SLAAC (default 7 days).
interface Ethernet0
 ! Original advertised prefix - new hosts will not use SLAAC with this prefix
 ipv6 nd prefix 2001:db8:face::/64 43200 0
 ! New advertised prefix - new hosts will use SLAAC with this prefix
 ipv6 nd prefix 2001:db8:beef::/64 43200 43200
!
! Alternative configuration
!
interface Ethernet0
 ! Time based configuration
 ipv6 nd prefix 2001:db8:face::/64 at Jul 31 2008 23:59 Jul 20 2008 23:59
 ipv6 nd prefix 2001:db8:beef::/64 43200 43200
r1#show ipv6 interface fast0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460
  Global unicast address(es):
    None
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF5E:9460
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 30 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
r1# show interface fast0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)
Joined groups: FF02::1 = listening for all-hosts multicast; FF02::2 = listening for all-routers multicast; FF02::1:FF5E:9460 = solicited-node multicast for the link-local address.
DHCPv6: an updated version of DHCP for IPv4 that supports the new addressing; it can be used for renumbering. The DHCP process is the same as in IPv4, but:
the client first detects the presence of routers on the link; if found, it examines the router advertisements (RA) to determine whether DHCPv6 can be used; if no router is found, or if DHCPv6 can be used, a DHCPv6 Solicit message is sent to the All-DHCP-Agents multicast address using the link-local address as source.
DHCP initial message exchange (message types): (1) Client -> Server, (2) Server -> Client, (3) Client -> Server, (4) Server -> Client.
RA messages contain flags that indicate the address allocation combination (A, M and O bits): use SLAAC only; use DHCPv6 stateful; or use SLAAC and DHCPv6 for other options.
Stateful DHCPv6 example (Router 1 acts as DHCPv6 Relay towards the DHCP Server):
1. RA from Router 1 with prefix 2001:db8:face::/64: A bit (Address config flag) set to 0 - do not use SLAAC for host config; M bit (Managed address configuration flag) set to 1 - use DHCPv6 for the host IPv6 address; O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP).
2. The host sends a DHCP Solicit to FF02::1:2 (All DHCP Relays).
3. The DHCP Server returns 2001:db8:face::1/64, DNS1, DNS2, NTP.
Stateless DHCPv6 example (same A, M and O bits, different combination):
1. RA from R1: A bit (Address config flag) set to 1 - use SLAAC for host address config, on-link prefix 2001:db8:face::/64; M bit (Managed address configuration flag) set to 0 - do not use DHCPv6 for the IPv6 address; O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP).
2. Host A autoconfigures 2001:db8:face::22c:4ff:fe00:fe56.
3. The host sends a DHCP Solicit to FF02::1:2 for options only.
4. The DHCP server returns DNS1, DNS2, NTP.
The host gets its address from SLAAC and the other configuration from the DHCP server (2001:db8::10).
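The A, M and O bits live in two different places: M and O in the RA header, A in each Prefix Information option, next to the valid and preferred lifetimes that the renumbering configuration above manipulates. The added example below (not from the original deck) builds an RA from those fields, parses it back, and returns the host behaviour the slides describe for each combination; a prefix whose preferred lifetime is 0 is excluded from SLAAC, which is what "ipv6 nd prefix ... 43200 0" achieves. The ICMPv6 checksum is left at zero because filling it needs the IPv6 pseudo-header, which this snippet does not model; lifetimes 2592000 and 604800 are the 30-day and 7-day defaults from the slide.

```python
"""Router Advertisement flags (M, O) and Prefix Information (A, lifetimes):
build an RA, parse it, decide how a host will configure itself.
Added example, not from the original deck; checksum deliberately left zero."""
from __future__ import annotations
import ipaddress
import struct

RA_TYPE = 134
OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40      # managed address / other configuration
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40    # on-link / autonomous (SLAAC allowed)


def build_ra(managed: bool, other: bool, prefixes: list[tuple[str, bool, int, int]],
             router_lifetime: int = 1800) -> bytes:
    """prefixes: (prefix/64, autonomous, valid_lifetime, preferred_lifetime)."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    # type, code, checksum(0), cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix, strict=True)
        pio_flags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                          valid, preferred, 0) + net.network_address.packed
    return ra


def parse_ra(ra: bytes) -> dict:
    if len(ra) < 16 or ra[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", ra[:16])
    info = {"managed": bool(flags & RA_FLAG_M), "other": bool(flags & RA_FLAG_O),
            "router_lifetime": lifetime, "cur_hop_limit": hop, "prefixes": []}
    pos = 16
    while pos + 2 <= len(ra):
        opt_type, opt_len = ra[pos], ra[pos + 1]
        if opt_len == 0:
            raise ValueError("option length 0")      # RFC 4861: discard the whole RA
        end = pos + opt_len * 8
        if end > len(ra):
            raise ValueError("option overruns message")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", ra[pos + 2:pos + 16])
            prefix_int = int.from_bytes(ra[pos + 16:pos + 32], "big")
            net = ipaddress.IPv6Network((prefix_int, plen), strict=False)
            info["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & PIO_FLAG_L),
                                     "autonomous": bool(pflags & PIO_FLAG_A),
                                     "valid": valid, "preferred": preferred})
        pos = end                                     # unknown options are skipped
    return info


def slaac_prefixes(info: dict) -> list[str]:
    """Prefixes a new host may use for SLAAC: A=1 and a non-zero preferred lifetime."""
    return [p["prefix"] for p in info["prefixes"] if p["autonomous"] and p["preferred"] > 0]


def host_config(info: dict) -> str:
    """The A/M/O combinations described on the slides."""
    slaac = slaac_prefixes(info)
    if info["managed"]:
        return "DHCPv6 stateful"
    if slaac and info["other"]:
        return "SLAAC and DHCPv6 for other options"
    if slaac:
        return "SLAAC only"
    if info["other"]:
        return "DHCPv6 for other options only"
    return "no automatic configuration"
```

The parser skips options it does not understand but refuses an RA with a zero-length option, the behaviour RFC 4861 mandates; a receiver that forgot the second check would loop forever on a malformed RA.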
Default subnets in IPv6 have 2^64 addresses: at 10 Mpps, sweeping one takes more than 58,000 years. NMAP doesn't even support ping sweeps on IPv6 networks.
Reconnaissance attacks will NOT go away in an
18,446,744,073,709,551,616 addresses / 10,000,000 pps = 1,844,674,407,370 seconds = 21,350,398 days = 58,494 years
Potential router CPU attacks under aggressive scanning: the router will do Neighbor Discovery for every probed address and waste CPU and memory. There is a built-in rate limiter, but no option to tune it. Using a /64 on point-to-point links means a lot of addresses to scan! Using /127 could help (RFC 6164). Using an infrastructure ACL prevents this scanning (iACL: an edge ACL denying packets addressed to your routers).
Viruses and email or IM worms: IPv6 brings no change.
Other worms: IPv4 worms rely on network scanning; in IPv6 this is not so easy (see reconnaissance), so they will use alternative techniques.
Worm developers will adapt to IPv6; IPv4 best practices around worm detection and mitigation remain valid.
Routing Header: an extension header (announced by Next Header = 43 in the preceding header), processed by the listed intermediate routers. Two types: Type 0, similar to IPv4 source routing (multiple intermediate routers); Type 2, used for Mobile IPv6.
Fields: Next Header | RH Type | Segments Left | list of addresses
What if an attacker sends a packet with an RH containing A -> B -> A -> B -> A -> B -> A -> B -> A ....? The packet will loop multiple times on the link A-B: an amplification attack!
Apply the same policy for IPv6 as for IPv4: block Routing Header type 0.
Prevent processing at the intermediate nodes: no ipv6 source-route (IOS only); Windows, Linux and Mac OS already do this by default.
At the edge: an ACL blocking the routing header, specifically type 0.
RFC 5095 (Dec 2007) deprecates RH0. The IOS default changed in 12.4(15)T to ignore and drop RH0, so there is no need to configure no ipv6 source-route.
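An edge filter can only block "routing header type 0" if it walks the extension-header chain to find the routing header and reads its type byte. The added example below (not from the original deck) does that walk over raw packets, applies the policy from the slides (deny RH0, let RH2 through, deny any extension header not on an allow-list), and constructs minimal sample packets from 2001:db8::/32 placeholder addresses to exercise it; the allow-list itself is a choice made for this example, not a recommendation from the deck.

```python
"""Walk an IPv6 packet's extension-header chain and apply an edge policy:
drop Routing Header type 0, allow only listed extension headers.
Added example, not from the original deck; sample packets are constructed
with placeholder addresses from 2001:db8::/32."""
from __future__ import annotations
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
ICMPV6, TCP, UDP = 58, 6, 17
ALLOWED_EXT_HEADERS = {HOP_BY_HOP, FRAGMENT, DEST_OPTS, AH, ESP}   # policy choice for this example


def walk_headers(packet: bytes) -> list[dict]:
    """Return the header chain after the 40-byte IPv6 header, ending at the upper-layer
    protocol (or at ESP / No Next Header, where a filter must stop parsing)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nh, pos = [], packet[6], 40
    while True:
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY):
            if pos + 4 > len(packet):
                raise ValueError("truncated extension header")
            ext_len = (packet[pos + 1] + 1) * 8            # Hdr Ext Len in 8-octet units, excluding first 8
            entry = {"type": nh, "length": ext_len}
            if nh == ROUTING:
                entry["routing_type"], entry["segments_left"] = packet[pos + 2], packet[pos + 3]
        elif nh == FRAGMENT:
            ext_len, entry = 8, {"type": nh, "length": 8}
        elif nh == AH:
            if pos + 2 > len(packet):
                raise ValueError("truncated AH")
            ext_len = (packet[pos + 1] + 2) * 4              # AH length is in 4-octet units minus 2
            entry = {"type": nh, "length": ext_len}
        else:
            chain.append({"type": nh, "upper_layer": True})  # TCP, UDP, ICMPv6, ESP, 59 ...
            return chain
        if pos + ext_len > len(packet):
            raise ValueError("extension header overruns packet")
        chain.append(entry)
        nh, pos = packet[pos], pos + ext_len


def edge_policy(packet: bytes) -> str:
    for h in walk_headers(packet):
        if h.get("upper_layer"):
            return "allow"
        if h["type"] == ROUTING:
            if h["routing_type"] == 0:
                return "deny: routing header type 0 (RFC 5095)"
            if h["routing_type"] != 2:
                return f"deny: routing header type {h['routing_type']}"
            continue
        if h["type"] not in ALLOWED_EXT_HEADERS:
            return f"deny: extension header {h['type']} not allowed"
    return "allow"


def ipv6_header(next_header: int, payload_len: int, src: str, dst: str) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def routing_header(next_header: int, routing_type: int, hops: list[str]) -> bytes:
    data = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", next_header, len(hops) * 2, routing_type, len(hops), 0) + data


def sample_packet(kind: str) -> bytes:
    """Constructed test packets: plain TCP, RH0, RH2, and RH0 followed by Destination Options."""
    src, dst = "2001:db8::1", "2001:db8::2"
    tcp = b"\x00" * 20                                   # placeholder TCP header
    if kind == "tcp":
        return ipv6_header(TCP, len(tcp), src, dst) + tcp
    if kind in ("rh0", "rh2"):
        rh = routing_header(TCP, 0 if kind == "rh0" else 2, ["2001:db8::3"])
        return ipv6_header(ROUTING, len(rh) + len(tcp), src, dst) + rh + tcp
    if kind == "rh0_destopts":
        dopt = struct.pack("!BB", TCP, 0) + b"\x01\x04\x00\x00\x00\x00"   # PadN option to 8 octets
        rh = routing_header(DEST_OPTS, 0, ["2001:db8::3"])
        return ipv6_header(ROUTING, len(rh) + len(dopt) + len(tcp), src, dst) + rh + dopt + tcp
    raise ValueError(kind)
```

The "rh0_destopts" packet reproduces the third chaining example from the header slides (43 -> 60 -> 6); the walker reports exactly that sequence, and the policy rejects it at the first hop of the chain.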
Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration.
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none).
Attack tool: fake_router6 can make any IPv6 address the default router.
Router Solicitation: ICMP Type 133; IPv6 Source = a link-local address (FE80::1); IPv6 Destination = All Routers Multicast (FF02::2); Query: "Please send RA".
Router Advertisement: IPv6 Source = a link-local address (FE80::2); IPv6 Destination = All Nodes Multicast (FF02::1); Options: subnet prefix, lifetime, autoconfig flag.
No security mechanisms are built into the discovery protocol, so it is very similar to ARP. Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN.
Neighbour Solicitation: ICMP Type 135; IPv6 Source = A unicast; IPv6 Destination = B's Solicited Node Multicast; Data: FE80:: address of A; Query: what is B's link layer address?
Neighbour Advertisement: ICMP Type 136; IPv6 Source = B unicast; IPv6 Destination = A unicast; Data: FE80:: address of B
Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes.
Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifier is cryptographically generated.
RSA signature option: protects all messages relating to neighbor and router discovery.
Timestamp and nonce options: prevent replay attacks.
A private/public key pair is needed on all devices for CGA. Overhead introduced: routers have to do many public/private key calculations (some may be done in advance of use), which makes them a potential DoS target, and routers need to keep more state. Availability: Linux. Microsoft: no support in Vista, probably in Windows 2008. Future implementation: Cisco IOS.
IPv6 stacks are new and could be buggy, and IPv6-enabled applications can have bugs. Some examples: Linux DoS caused by memory leaks in IPv6 tunnels (May 2008); Apple Mac OS X IPv6 Packet Processing Double-Free Memory Corruption (November 2007); Cisco Security Advisory: IPv6 Routing Header (May 2007).
BGP, IS-IS, EIGRP: no change, an MD5 authentication of the routing update. OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is
IPv6 mandates the implementation of IPsec, but IPv6 does not require the use of IPsec. Some organisations believe that IPsec should be used to secure all flows... This raises an interesting scalability issue (the n^2 issue with IPsec) and requires trusting endpoints and end-users, because the network can no longer secure the traffic: no IPS, no ACL and no firewall policy points can be used. Network telemetry is blinded: NetFlow is of little use. Network services are hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: reserve IPsec for residential or hostile environments, or for high-profile targets.
Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
DoS Tools: 6tunneldos, 4to6ddos, Imps6-tools
Sniffer Pro
Packet forgers: Scapy6, SendIP, Packit, Spak6
Worms: Slapper
Advisories / field notices:
http://www.cisco.com/warp/public/707/cisco-sa-20050126ipv6.shtml
http://www.kb.cert.org/vuls/id/658859
Complete tool: http://www.thc.org/thc-ipv6/
Enabling IPv6 traffic inside the VPN Client tunnel: use the VPN connection to transfer IPv6 traffic over the public IPv4 network.
Figure: IPv4 transport on one side, IPv6 Network on the other, joined by the VPN tunnel.
Train your network operators and security managers on IPv6.
Selectively filter ICMP (RFC 4890).
Block Type 0 Routing Header at the edge.
Copy the IPv4 Best Common Practices.
If the management plane is IPv4 only, block IPv6 to the core devices (else use an infrastructure ACL for IPv6).
Determine what extension headers will be allowed through the access control device.
Use traditional authentication mechanisms on BGP and IS-IS.
Use IPsec to secure protocols such as OSPFv3 and RIPng.
Document procedures for last-hop traceback.
Questions ?