IPv6 Day @ ITCollege Implementing IPv6 in Cisco Devices Tarmo Mamers

14.11.2014
Topics
Configuring IPv6 on IOS devices
Configuring IPv6 on ASA devices
IPv6 support in IPS devices
IPv6 First Hop Security features
Not covered: IPv6 fundamentals, address space
Not covered: IPv6 tunnels, security aspects
Slides: http://lab.ee/
IPv6 @ OSI L3
The IPv6 network lives its own life alongside IPv4
IPv4 configurations (and assumptions) do not carry over to IPv6
– IPX, AppleTalk, DECnet, anyone?
IPv6 - an independent set of network settings
IPv6 - an independent set of firewall settings
IPv6 - independent attack mechanisms
IPv6 @ OSI L3
(Diagram: protocol stack with L5-7, TCP / UDP / etc, IPv6 alongside IPv4 at L3, and L1-2; an IPv6 packet and an IPv4 packet travel side by side)
IPv6 is already in your net!
Your host is protected by your favorite personal firewall
– that is, an IPv4 firewall
Your network does not run IPv6
Your assumption: I'm safe
Reality: you are not safe
– IPv6 is enabled by default
– Attacker sends Router Advertisements
– Your host silently configures IPv6
– You are now under IPv6 attack
IOS interfaces
ip cef distributed
ipv6 unicast-routing
ipv6 cef distributed
interface Vlan2
 ipv6 address autoconfig
interface GigabitEthernet1/0/1
 ipv6 address 2001:DB8:CAFE:2::A111:1010/64
interface GigabitEthernet1/0/2
 ipv6 address 2001:DB8:1234::/64 eui-64
IOS interfaces
show ipv6 interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::5A0A:20FF:FEEB:91E4
Global unicast address(es):
2001:DB8:CAFE:2::A111:1010, subnet is 2001:DB8:CAFE:2::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FFEB:91E4
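As an added worked example (not part of the slides), the Python below derives the EUI-64 link-local address and the solicited-node group FF02::1:FFEB:91E4 shown in the output above from the interface MAC, forms the SLAAC address for the eui-64 prefix on the previous slide, and shows why a privacy (temporary) address cannot be mapped back to a MAC. The MAC 58:0A:20:EB:91:E4 is an assumption inferred from the link-local address; the ::/64 prefix and the temporary address are taken from the slides.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (64-bit int) derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the OUI (first 3 octets) and the NIC part (last 3),
    # then flip the universal/local bit (0x02) in the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 prefix plus its EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)

def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx: the low 24 bits are copied from the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse the derivation; None when the IID is not EUI-64 shaped (e.g. a privacy address)."""
    iid = (int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    mac = "58:0a:20:eb:91:e4"  # assumed: MAC implied by the link-local on the slide
    ll = link_local_address(mac)
    print(ll, solicited_node_multicast(str(ll)))                   # fe80::5a0a:20ff:feeb:91e4 ff02::1:ffeb:91e4
    print(slaac_address("2001:DB8:1234::/64", mac))                # 2001:db8:1234:0:5a0a:20ff:feeb:91e4
    print(mac_from_eui64("2001:0db8:2301:1:bd86:eac2:f5f1:39c1"))  # None: temporary (privacy) address
```

The reverse mapping is what a defender uses to tie a link-local address seen in ND or RA Guard logs back to a switch port's MAC table; once privacy addressing is on, only the link-local (still EUI-64 on many stacks) offers that link.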
Point-to-point links
R1
interface GigabitEthernet4/1
description to R2
ipv6 address 2001:DB8:CAFE:7000::A111:1010/64
ipv6 nd suppress-ra
R2
interface GigabitEthernet2/4
description to R1
ipv6 address 2001:DB8:CAFE:7000::C333:3030/64
ipv6 nd suppress-ra
3750 & 3560 switches
Set SDM template - otherwise TCAM won't work
sdm prefer dual-ipv4-and-ipv6 default
ACL
No more numbered lists, only named
Can match on upper layers, ICMPv6 code and type
– TCP flags
– traffic class
– extension header types
Undetermined-transport
– keyword can be used to prevent different kinds of extension header attacks
Check your platform & release as your mileage can vary…
ACL
Implicit entries exist at the end of each IPv6 ACL
to allow neighbor discovery
...
permit icmp any any nd-na
permit icmp any any nd-ns
Protect VTY access
ipv6 access-list VTY
permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
ipv6 access-class VTY in
Static IPv6 Routing
Directly attached
ipv6 route 2001:db8:0:2::/64 S0/0/0
Fully specified
ipv6 route 2001:db8:0:2::/64 S0/0/0 2001:db8:0:33::1
Recursive
ipv6 route 2001:db8:0:2::/64 2001:db8:0:33::1
Default route (recursive)
ipv6 route ::/0 2001:db8:0:33::1
EIGRP
ipv6 unicast-routing
interface loopback0
ipv6 address 2001:db8:1000::1/128
ipv6 eigrp 11
interface ethernet 0/0
ipv6 address 2001:db8:5000:31::1/64
ipv6 eigrp 11
ipv6 router eigrp 11
passive-interface loopback0
eigrp router-id 10.10.10.1
OSPFv3
New protocol from the ground up
– many similarities with OSPFv2
• SPF calculation, area hierarchy, LSAs, neighbor relationship forming etc.
Noteworthy changes
– addressing semantics totally different
– new LSA types
– link based, a single link can have multiple instances
– built-in authentication removed
OSPFv3
ipv6 unicast-routing
interface loopback0
ipv6 address 2001:db8:1000::1/128
ipv6 ospf 3 area 0
interface ethernet 0/0
ipv6 address 2001:db8:5000:31::1/64
ipv6 ospf 3 area 0
ipv6 router ospf 3
router-id 10.10.10.10
passive-interface loopback0
MP-BGPv4
MP-BGP based on address family indicators
– Routers form peerings with each other
– AFI negotiation is part of the peering setup process
– Generally supported
• IPv6 Unicast and IPv6 Multicast
Otherwise the same as with IPv4
– Prefix-filters, path attributes, etc
BGP
router bgp 10
 bgp router-id 12.12.12.12
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2001:DB8:1:FFFF::9999 remote-as 65510
 neighbor 2001:DB8:1:FFFF::9999 description R2
 neighbor 2001:DB8:1:FFFF::9999 update-source Loopback0
 neighbor 2001:DB8:2:FFFF::AAAA remote-as 65510
 neighbor 2001:DB8:2:FFFF::AAAA description R3
 neighbor 2001:DB8:2:FFFF::AAAA update-source Loopback0
 neighbor 2001:DB8:3:FFFF::BBBB remote-as 65510
 neighbor 2001:DB8:3:FFFF::BBBB description R4
 neighbor 2001:DB8:3:FFFF::BBBB update-source Loopback0
 address-family ipv6
  neighbor 2001:DB8:1:FFFF::9999 activate
  neighbor 2001:DB8:2:FFFF::AAAA activate
  neighbor 2001:DB8:3:FFFF::BBBB activate
dns, ntp, syslog, snmp
ip name-server 3FFE:C00::250:8BFF:FEE8:F800
ip name-server 2001:0DB8::3
ntp server 2001:db8:ffff::10 source loopback0 version 4
ntp access-group peer ListN
ipv6 access-list ListN
permit 2001:db8:ffff::10 any
deny any any
logging host ipv6 2001:db8:abcd::ab
logging source-interface loopback0
logging facility local7
snmp-server host 2001:db8:ffff:1::101 version 2c cisco
snmp-server group IPv6-ADMIN v3 auth write writepass
snmp-server user jdoe IPv6-ADMIN v3 auth md5 cisco1234
snmp-server host 2001:DB8:CAFE:100::60 version 3 auth jdoe
General Prefix Feature
ipv6 general-prefix pfx-core 2001:0db8:4646:6000::/52
ipv6 general-prefix pfx-acc 2001:0db8:4646:6acc::/56
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address pfx-core ::3:0:0:0:d63/64
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address pfx-core 0:0:0:0:c::d63/64
interface GigabitEthernet1/0/3
 description To access switches
 ipv6 address pfx-acc ::3c3c:0:0:0:d63/64
ASA interfaces & routing
interface gigabitethernet 0/1
speed 1000
duplex full
nameif inside
security-level 100
ipv6 address 2001:0DB8::BA98:0:3210/48
no shutdown
ipv6 address autoconfig
ipv6 nd suppress-ra
ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1
IPv6 in ASA Firewall
Since v7.0 (April 2005)
IPv6 header security checks (length & order)
Management access via IPv6
Routed & transparent mode, fail-over
IPv6 app inspection includes: DNS, FTP, HTTP, ICMP, SIP, SMTP, and IPSec pass-through
v8.3: IPv6 support for site-to-site VPN tunnels
v8.4.2: selective permit/deny of extension headers
v9.0: OSPFv3, DHCPv6 relay, stateful NAT64/46/66
IPv6 in Cisco IPS
Cisco IPS has been fully IPv6 enabled since 2008
Detection and analysis of native IPv6 traffic
– Is IPv6 in my network?
– Which devices send IPv6 packets? RA packets?
Detection of IPv6 tunnels
– Which hosts are trying to tunnel IPv6 over IPv4?
Detection of attacks over IPv6
– All signatures detect attacks on both IPv4 and IPv6
IPv6 in FIREpower NG IPS
FIREsight passive network discovery correlates events & hosts (IPv4/6)
Decoder for IPv4/6 packets
Very easy to find out the sender / destination in dual-stacked environments
Host Address Assignment
Similar to IPv4: Manual, DHCPv6
New in IPv6: SLAAC EUI64, SLAAC Privacy Addressing
SLAAC EUI64
ipv6 unicast-routing
interface Vlan20
description IPv6-SLAAC
ipv6 address 2001:DB8:0:20::1/64
C:\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...
Interface 5: Local Area Connection
Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  ------------------------------------
Public     Preferred  29d23h58m25s  6d23h58m25s   2001:0db8:2301:1:202:8a49:41ad:a136
Temporary  Preferred  6d21h48m47s   21h46m        2001:0db8:2301:1:bd86:eac2:f5f1:39c1
Link       Preferred  infinite      infinite      fe80::202:8a49:41ad:a136
netsh interface ipv6>show route
Querying active state...
Publish  Type      Met  Prefix                 Idx  Gateway/Interface Name
-------  --------  ---  ---------------------  ---  ------------------------
no       Autoconf  8    2001:0db8:2301:1::/64  5    Local Area Connection
no       Autoconf  256  ::/0                   5    fe80::20d:bdff:fe87:f6f9
SLAAC Privacy Addressing
Turning off:
Windows
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy disabled
Mac OS X
net.inet6.ip6.use_tempaddr=0
DHCPv6 stateful
ipv6 dhcp pool STATEFUL
address prefix 2001:DB8:1111:1111::/64
dns-server 2001:4860:4860::8888
domain-name example.com
interface FastEthernet 0/0
ipv6 address 2001:DB8:1111:1111::1/64
ipv6 dhcp server STATEFUL
ipv6 nd managed-config-flag
ipv6 nd prefix 2001:DB8:1111:1111::/64 0 0 no-autoconfig
DHCPv6 stateless
ipv6 dhcp pool STATELESS
dns-server 2001:4860:4860::8888
domain-name example.com
interface FastEthernet 0/1
ipv6 address 2001:DB8:2222:2222::2/64
ipv6 dhcp server STATELESS
ipv6 nd other-config-flag
DHCP relay
interface Vlan2
description ACCESS-VLAN
ipv6 address 2001:DB8:CAFE:2::A111:1010/64
ipv6 nd prefix 2001:DB8:CAFE:2::/64 0 0 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
Redundancy
HSRPv2
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 preempt
 standby 2 preempt delay minimum 180
VRRPv3
fhrp version vrrp v3
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 vrrp 3 address-family ipv6
  address global FE80::260:3EFF:FE11:6770
  address linklocal autoconfigure
  preempt delay minimum 30
GLBP
interface fastethernet0/0
 ipv6 address 2001:db8::/64 eui-64
 glbp 6 ipv6 fe80::1001
 glbp 6 priority 110
 glbp 6 preempt
 glbp 6 load-balancing weighted
THC IPv6 Attack Suite
Tool – Actions
Alive6 – Finds local IPv6 devices. Also checks the liveliness of the existing devices.
Parsite6 – ICMP ND spoofing tool. Enables MitM attacks.
Redir6 – Allows traffic redirections to self in LAN.
Fake_Router6 – Pretend to be a router.
Detect_New_IPv6 – Detect new IPv6 devices automatically in LAN (plus invoke a script).
DoS_New_IPv6 – Do not allow new IPv6 devices in LAN (DAD spoofing).
Smurf6 – Local Smurf.
RSmurf6 – Remote Smurf.
Toobig6 – Reduce the MTU value of the target host.
Fake_MLD6 – Counterfeit MLD messages.
Fake_MIPv6 – Reroute MN, if IPSec is not in use.
Sendpees6 – Send NS messages with CGA (DoS).
IPv6 First Hop Security (FHS)
RA Guard
DHCPv6 Guard
Source/Prefix Guard
Destination Guard
RA Throttler
ND Multicast Suppress
RA Guard - per device/intf
ipv6 nd raguard policy policy-name
device-role {host | router}
hop-limit {maximum | minimum limit}
managed-config-flag {on | off}
match ipv6 access-list ipv6-access-list-name
match ra prefix-list ipv6-prefix-list-name
router-preference maximum {high | low | medium}
interface type number
ipv6 nd raguard attach-policy [policy-name [vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]]
show ipv6 nd raguard policy [policy-name]
DHCPv6 Guard - per device
ipv6 access-list access-list-name
permit host address any
ipv6 prefix-list list-name permit ipv6-prefix condition pfx-bits
ipv6 dhcp guard policy policy-name
device-role {client | server}
match server access-list ipv6-access-list-name
match reply prefix-list ipv6-prefix-list-name
preference min limit
preference max limit
DHCPv6 Guard - per interface
interface type number
switchport
ipv6 dhcp guard [attach-policy policy-name] [vlan {add | all | except | none | remove} vlan-id [... vlan-id]]
vlan vlan-id
ipv6 dhcp guard [attach-policy policy-name]
show ipv6 dhcp guard policy [policy-name]
Src/Pfx Guard - per device/intf
ipv6 source-guard policy source-guard-policy
validate address
validate prefix
permit link-local
deny global-autoconfig
interface type number
ipv6 source-guard attach-policy source-guard-policy
show ipv6 source-guard policy source-guard-policy
Dst Guard - per device/intf
ipv6 destination-guard policy policy-name
enforcement {always | stressed}
interface type number
ipv6 destination-guard attach-policy [policy-name]
show ipv6 destination-guard policy [policy-name]
RA Throttler - per device
ipv6 nd ra-throttle policy policy-name
allow {at-least {al-value | no-limit}} | {at-most {am-value | no-limit}} | {inherited}
interval-option {ignore | inherit | pass-through | throttle}
max-through {mt-value | inherit | no-limit}
medium-type {access-point | wired}
throttle-period {seconds | inherit}
RA Throttler - per interface
interface type number
ipv6 nd ra-throttle attach-policy policy-name
vlan configuration vlan-id
ipv6 nd ra-throttle attach-policy policy-name
show ipv6 nd ra-throttle policy policy-name
Reference
IPv6 Knowledge Base Portal
http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
Deploying IPv6 in the Internet Edge
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html
Deploying IPv6 in Campus Networks
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
Smart Business Architecture – IPv6 Guides
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
Worth carrying with you
or keeping under your pillow
What next?
Experiment in the lab
Pester your internet service provider
Pester your network solutions vendor
Don't forget that IPv6 needs the same kind of "care" as IPv4
Thank you!
Credits
2014
www.cisco.com
www.caida.org
Jahwe999 @ panoramio.com
Cisco Eesti
SMN FI