IPv6 Day @ ITCollege
Implementing IPv6 in Cisco Devices
Tarmo Mamers, 14.11.2014

Topics
- IPv6 configuration on IOS devices
- IPv6 configuration on ASA devices
- IPv6 support on IPS devices
- IPv6 First Hop Security tools
- Not covered: IPv6 fundamentals, address space
- Not covered: IPv6 tunnels, security aspects
- Slides: http://lab.ee/

IPv6 @ OSI L3
- The IPv6 network lives a completely separate life alongside IPv4
- IPv4 configuration (and assumptions) does not carry over to IPv6 – IPX, AppleTalk, DECnet, anyone?
- IPv6: an independent set of network settings
- IPv6: an independent set of firewall settings
- IPv6: independent attack mechanisms

IPv6 @ OSI L3
(Diagram: L5-7 TCP / UDP / etc. on top; IPv6 and IPv4 side by side at L3; L1-2 below, carrying separate IPv6 packets and IPv4 packets.)

IPv6 is already in your net!
- Your host is protected by your favorite personal firewall – that is, an IPv4 firewall
- Your network does not run IPv6
- Your assumption: I'm safe
- Reality: you are not safe
  - IPv6 is enabled by default
  - Attacker sends Router Advertisements
  - Your host configures silently to IPv6
  - You are now under IPv6 attack

IOS interfaces
ip cef distributed
ipv6 unicast-routing
ipv6 cef distributed
interface Vlan2
 ipv6 address autoconfig
interface GigabitEthernet1/0/1
 ipv6 address 2001:DB8:CAFE:2::A111:1010/64
interface GigabitEthernet1/0/2
 ipv6 address 2001:DB8:1234::/64 eui-64

IOS interfaces
show ipv6 interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::5A0A:20FF:FEEB:91E4
  Global unicast address(es):
    2001:DB8:CAFE:2::A111:1010, subnet is 2001:DB8:CAFE:2::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FFEB:91E4

Point-to-point links
R1
interface GigabitEthernet4/1
 description to R2
 ipv6 address 2001:DB8:CAFE:7000::A111:1010/64
 ipv6 nd suppress-ra
R2
interface GigabitEthernet2/4
 description to R1
 ipv6 address 2001:DB8:CAFE:7000::C333:3030/64
 ipv6 nd suppress-ra

3750 & 3560 switches
Set the SDM template, otherwise the TCAM won't be programmed for IPv6:
sdm prefer dual-ipv4-and-ipv6 default

ACL
- No more numbered lists, only named
- Can match on upper layers, ICMPv6 code and type
  - TCP flags
  - traffic class
  - extension header types
- Undetermined-transport
  - keyword can be used to prevent different kinds of extension header attacks
  - Check your platform & release, as your mileage can vary…

ACL
Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
...
permit icmp any any nd-na
permit icmp any any nd-ns

Protect VTY access
ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
 ipv6 access-class VTY in

Static IPv6 Routing
Directly attached:
ipv6 route 2001:db8:0:2::/64 S0/0/0
Fully specified:
ipv6 route 2001:db8:0:2::/64 S0/0/0 2001:db8:0:33::1
Recursive:
ipv6 route 2001:db8:0:2::/64 2001:db8:0:33::1
Default route (recursive):
ipv6 route ::/0 2001:db8:0:33::1

EIGRP
ipv6 unicast-routing
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 11
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 eigrp 11
ipv6 router eigrp 11
 passive-interface loopback0
 eigrp router-id 10.10.10.1

OSPFv3
- New protocol from the ground up – many similarities with OSPFv2
  - SPF calculation, area hierarchy, LSAs, neighbor relationship forming etc.
- Noteworthy changes
  - addressing semantics totally different
  - new LSA types
  - link based, a single link can have multiple instances
  - built-in authentication removed

OSPFv3
ipv6 unicast-routing
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 3 area 0
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 ospf 3 area 0
ipv6 router ospf 3
 router-id 10.10.10.10
 passive-interface loopback0

MP-BGPv4
- MP-BGP is based on address family indicators
  - Routers form peerings with each other
  - AFI negotiation is part of the peering setup process
  - Generally supported: IPv6 Unicast and IPv6 Multicast
- Otherwise the same as with IPv4 – prefix-filters, path attributes, etc.

BGP
router bgp 10
 bgp router-id 12.12.12.12
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2001:DB8:1:FFFF::9999 remote-as 65510
 neighbor 2001:DB8:1:FFFF::9999 description R2
 neighbor 2001:DB8:1:FFFF::9999 update-source Loopback0
 neighbor 2001:DB8:2:FFFF::AAAA remote-as 65510
 neighbor 2001:DB8:2:FFFF::AAAA description R3
 neighbor 2001:DB8:2:FFFF::AAAA update-source Loopback0
 neighbor 2001:DB8:3:FFFF::BBBB remote-as 65510
 neighbor 2001:DB8:3:FFFF::BBBB description R4
 neighbor 2001:DB8:3:FFFF::BBBB update-source Loopback0
 address-family ipv6
  neighbor 2001:DB8:1:FFFF::9999 activate
  neighbor 2001:DB8:2:FFFF::AAAA activate
  neighbor 2001:DB8:3:FFFF::BBBB activate

dns, ntp, syslog, snmp
ip name-server 3FFE:C00::250:8BFF:FEE8:F800
ip name-server 2001:0DB8::3
ntp server 2001:db8:ffff::10 source loopback0 version 4
ntp access-group peer ListN
ipv6 access-list ListN
 permit 2001:db8:ffff::10 any
 deny any any
logging host ipv6 2001:db8:abcd::ab
logging source-interface loopback0
logging facility local7
snmp-server host 2001:db8:ffff:1::101 version 2c cisco
snmp-server group IPv6-ADMIN v3 auth write writepass
snmp-server user jdoe IPv6-ADMIN v3 auth md5 cisco1234
snmp-server host 2001:DB8:CAFE:100::60 version 3 auth jdoe

General Prefix Feature
ipv6 general-prefix pfx-core 2001:0db8:4646:6000::/52
ipv6 general-prefix pfx-acc 2001:0db8:4646:6acc::/56
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address pfx-core ::3:0:0:0:d63/64
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address pfx-core 0:0:0:0:c::d63/64
interface GigabitEthernet1/0/3
 description To access switches
 ipv6 address pfx-acc ::3c3c:0:0:0:d63/64

ASA interfaces & routing
interface gigabitethernet 0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ipv6 address 2001:0DB8::BA98:0:3210/48
 no shutdown
 ipv6 address autoconfig
 ipv6 nd suppress-ra
ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1

IPv6 in ASA Firewall
- Since v7.0 (April 2005)
- IPv6 header security checks (length & order)
- Management access via IPv6
- Routed & transparent mode, fail-over
- IPv6 app inspection includes: DNS, FTP, HTTP, ICMP, SIP, SMTP, and IPSec pass-through
- v8.3: IPv6 support for site-to-site VPN tunnels
- v8.4.2: selective permit/deny of extension headers
- v9.0: OSPFv3, DHCPv6 relay, stateful NAT64/46/66

IPv6 in Cisco IPS
- Cisco IPS is fully IPv6 enabled since 2008
- Detection and analysis of native IPv6 traffic
  - Is IPv6 in my network? Which devices send IPv6 packets? RA packets?
- Detection of IPv6 tunnels
  - Which hosts are trying to tunnel IPv6 over IPv4?
- Detection of attacks over IPv6
  - All signatures detect attacks on both IPv4 and IPv6

IPv6 in FIREpower NG IPS
- FIREsight passive network discovery correlates events & hosts over IPv4/6
- Decoder for IPv4/6 packets
- Very easy to find out the sender / destination in dual-stacked environments

Host Address Assignment
Similar to IPv4: Manual, DHCPv6
New in IPv6: SLAAC EUI64, SLAAC Privacy Addressing

SLAAC EUI64
ipv6 unicast-routing
interface Vlan20
 description IPv6-SLAAC
 ipv6 address 2001:DB8:0:20::1/64

C:\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  ------------------------------------
Public     Preferred  29d23h58m25s  6d23h58m25s   2001:0db8:2301:1:202:8a49:41ad:a136
Temporary  Preferred  6d21h48m47s   21h46m        2001:0db8:2301:1:bd86:eac2:f5f1:39c1
Link       Preferred  infinite      infinite      fe80::202:8a49:41ad:a136

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                 Idx  Gateway/Interface Name
-------  --------  ---  ---------------------  ---  ------------------------
no       Autoconf  8    2001:0db8:2301:1::/64  5    Local Area Connection
no       Autoconf  256  ::/0                   5    fe80::20d:bdff:fe87:f6f9

SLAAC Privacy Addressing
Turning off:
Windows
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy disabled
Mac OS X
net.inet6.ip6.use_tempaddr=0

DHCPv6 stateful
ipv6 dhcp pool STATEFUL
 address prefix 2001:DB8:1111:1111::/64
 dns-server 2001:4860:4860::8888
 domain-name example.com
interface FastEthernet 0/0
 ipv6 address 2001:DB8:1111:1111::1/64
 ipv6 dhcp server STATEFUL
 ipv6 nd managed-config-flag
 ipv6 nd prefix 2001:DB8:1111:1111::/64 0 0 no-autoconfig

DHCPv6 stateless
ipv6 dhcp pool STATELESS
 dns-server 2001:4860:4860::8888
 domain-name example.com
interface FastEthernet 0/1
 ipv6 address 2001:DB8:2222:2222::2/64
 ipv6 dhcp server STATELESS
 ipv6 nd other-config-flag

DHCP relay
interface Vlan2
 description ACCESS-VLAN
 ipv6 address 2001:DB8:CAFE:2::A111:1010/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:11::9

Redundancy
HSRPv2
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 preempt
 standby 2 preempt delay minimum 180
VRRPv3
fhrp version vrrp v3
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 vrrp 3 address-family ipv6
  address global FE80::260:3EFF:FE11:6770
  address linklocal autoconfigure
  preempt delay minimum 30
GLBP
interface fastethernet0/0
 ipv6 address 2001:db8::/64 eui-64
 glbp 6 ipv6 fe80::1001
 glbp 6 priority 110
 glbp 6 preempt
 glbp 6 load-balancing weighted

THC IPv6 Attack Suite
Tool             Actions
Alive6           Finds local IPv6 devices. Also checks the liveliness of the existing devices.
Parsite6         ICMP ND spoofing tool. Enables MitM attacks.
Redir6           Allows traffic redirection to self in the LAN.
Fake_Router6     Pretend to be a router.
Detect_New_IPv6  Detect new IPv6 devices automatically in the LAN (plus invoke a script).
DoS_New_IPv6     Do not allow new IPv6 devices in the LAN (DAD spoofing).
Smurf6           Local Smurf.
RSmurf6          Remote Smurf.
Toobig6          Reduce the MTU value of the target host.
Fake_MLD6        Counterfeit MLD messages.
Fake_MIPv6       Reroute MN, if IPSec is not in use.
Sendpees6        Send NS messages with CGA (DoS).

IPv6 First Hop Security (FHS)
- RA Guard
- DHCPv6 Guard
- Source/Prefix Guard
- Destination Guard
- RA Throttler
- ND Multicast Suppress

RA Guard - per device/intf
ipv6 nd raguard policy policy-name
 device-role {host | router}
 hop-limit {maximum | minimum} limit
 managed-config-flag {on | off}
 match ipv6 access-list ipv6-access-list-name
 match ra prefix-list ipv6-prefix-list-name
 router-preference maximum {high | low | medium}
interface type number
 ipv6 nd raguard attach-policy [policy-name [vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]]
show ipv6 nd raguard policy [policy-name]

DHCPv6 Guard - per device
ipv6 access-list access-list-name
 permit host address any
ipv6 prefix-list list-name permit ipv6-prefix condition pfx-bits
ipv6 dhcp guard policy policy-name
 device-role {client | server}
 match server access-list ipv6-access-list-name
 match reply prefix-list ipv6-prefix-list-name
 preference min limit
 preference max limit

DHCPv6 Guard - per interface
interface type number
 switchport
 ipv6 dhcp guard [attach-policy policy-name] [vlan {add | all | except | none | remove} vlan-id [... vlan-id]]
vlan vlan-id
 ipv6 dhcp guard [attach-policy policy-name]
show ipv6 dhcp guard policy [policy-name]

Src/Pfx Guard - per device/intf
ipv6 source-guard policy source-guard-policy
 validate address
 validate prefix
 permit link-local
 deny global-autoconfig
interface type number
 ipv6 source-guard attach-policy source-guard-policy
show ipv6 source-guard policy source-guard-policy

Dst Guard - per device/intf
ipv6 destination-guard policy policy-name
 enforcement {always | stressed}
interface type number
 ipv6 destination-guard attach-policy [policy-name]
show ipv6 destination-guard policy [policy-name]

RA Throttler - per device
ipv6 nd ra-throttle policy policy-name
 allow {at-least {al-value | no-limit}} | {at-most {am-value | no-limit}} | {inherited}
 interval-option {ignore | inherit | pass-through | throttle}
 max-through {mt-value | inherit | no-limit}
 medium-type {access-point | wired}
 throttle-period {seconds | inherit}

RA Throttler - per interface
interface type number
 ipv6 nd ra-throttle attach-policy policy-name
vlan configuration vlan-id
 ipv6 nd ra-throttle attach-policy policy-name
show ipv6 nd ra-throttle policy policy-name

Reference
IPv6 Knowledge Base Portal
http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
Deploying IPv6 in the Internet Edge
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html
Deploying IPv6 in Campus Networks
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
Smart Business Architecture – IPv6 Guides
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
Worth carrying with you or keeping under your pillow.

What next?
- Try it out in the lab
- Pester your internet service provider
- Pester your network solutions vendor
- Don't forget that IPv6 needs the same "care" as IPv4

Thank you!

Credits 2014
www.cisco.com
www.caida.org
Jahwe999 @ panoramio.com
Cisco Eesti SMN FI
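The RA Guard policy keywords in the First Hop Security section above (device-role, hop-limit, managed-config-flag, match ra prefix-list, router-preference maximum) decide, per switch port, whether a Router Advertisement is forwarded or dropped, which is what stops the rogue-RA scenario from the "IPv6 is already in your net!" slide. The following is an added example, not part of the slides and not Cisco's code: it parses constructed ICMPv6 RA payloads and applies those checks in Python; build_ra, parse_ra, raguard and the policy dictionary keys are the example's own names.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT, OPT_PREFIX_INFO = 134, 3
PREF_NAMES = {0b00: "medium", 0b01: "high", 0b11: "low"}  # RFC 4191 prf bits
PREF_RANK = {"low": 0, "medium": 1, "high": 2}

def build_ra(hop_limit, managed, preference, prefix):
    """Constructed RA payload (ICMPv6 after the IPv6 header, checksum zeroed)."""
    prf = {v: k for k, v in PREF_NAMES.items()}[preference]
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit,
                      (0x80 if managed else 0) | (prf << 3), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0)  # Prefix Information option, L+A set
    return hdr + pio + net.network_address.packed

def parse_ra(icmp6):
    """Parse the RA header (RFC 4861 4.2) and its Prefix Information options."""
    typ, code, _, hop_limit, flags = struct.unpack("!BBHBB", icmp6[:6])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "preference": PREF_NAMES.get((flags >> 3) & 3, "medium"), "prefixes": []}
    off = 16  # past router lifetime, reachable time and retrans timer
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0:  # malformed zero-length option: stop, never spin
            break
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], icmp6[off + 2]), strict=False)
            ra["prefixes"].append(net)
        off += opt_len
    return ra

def raguard(ra, policy):
    """Permit/drop decision modelled on the IOS RA Guard policy keywords."""
    if policy.get("device_role", "host") == "host":
        return False, "device-role host: no RAs accepted on this port"
    if not policy.get("hop_limit_min", 0) <= ra["hop_limit"] <= policy.get("hop_limit_max", 255):
        return False, "hop-limit outside policy range"
    want = policy.get("managed_config_flag")
    if want is not None and ra["managed"] != want:
        return False, "managed-config-flag mismatch"
    if PREF_RANK[ra["preference"]] > PREF_RANK[policy.get("router_preference_max", "high")]:
        return False, "router-preference above maximum"
    allowed = [ipaddress.IPv6Network(p) for p in policy.get("ra_prefix_list", [])]
    if allowed and not all(any(p.subnet_of(a) for a in allowed) for p in ra["prefixes"]):
        return False, "advertised prefix not in ra prefix-list"
    return True, "permit"
```

A port whose policy keeps the default device-role host drops every RA, which is the usual setting for access ports; the router-facing uplink gets device-role router plus the prefix list and preference cap.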