Designing and Deploying a Secure IPv6 Network
Timothy Martin - @bckcntryskr
Eric Vyncke - @evyncke
Christopher Werny - @bcp38_
TECRST-2001
Agenda
• IPv6 Design Considerations
• IPv6 Routing Protocols
• IPv6 Translation Technologies
• IPv6 Only, A case study
• Securing the IPv6 Perimeter
• Conclusion
#CLUS TECRST-2001 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
IPv6 Design Considerations
Tim Martin, Solutions Specialist
TECRST-2001
@bckcntryskr
Hardening IPv6 Management Plane
• SSH, SNMPv3, Syslog, NTP, NetFlow v9
• Disable HTTP/HTTPS access if not needed
• RADIUS over IPv6
• IPv6 access-class for SSH VTY access
• Important: Harden the router, before enabling routing
ipv6 access-list V6ACCESS
 permit ipv6 2001:db8:10:10::1/128 any
 deny ipv6 any any log-input
line vty 0 4
 ipv6 access-class V6ACCESS in
 transport input ssh
Routing Protocol Considerations
• Enable IPv6 routing
• ipv6 unicast-routing (ios)
• no switchport (ios-xe)
• IPv6 Next Hop
• Link local addresses
• Global address on interface not required
• Topology & alignment with existing RP’s Management Routing
Routing Design Considerations
• Do you need to accept the full table?
• Memory, processing, capital...

ipv6 route ::/0 gigabitethernet0/1
ipv6 router eigrp 123
 eigrp stub
Point-to-Point Routed Links
• Use a prefix length of /127
• Reserve the /64, configure the /127
• Nodes 1 & 2 are NOT in the same subnet
Static Routing
• Link Local Next Hop
  • Redistribution needs GUA or ULA
• Direct (interface)

ipv6 unicast-routing
!direct
ipv6 route 2001:db8:1::/48 ethernet1/0
!recursive
IPv6 Routing Protocols

OSPFv3
• OSPFv3 – IP 89
• fe80::/64 source, ff02::5, ff02::6 (DR's) destination
• Link-LSA (8) – Local Scope, NH
• Intra-Area-LSA (9) – Routers' Prefixes
• LSA's disconnect topology from prefixes
• Can converge quickly to a point of scale
• Initial database build takes time

ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 46 area 0
!
interface ethernet 0/0
 ipv6 address 2001:db8:50:31::1/64
 ipv6 ospf 46 area 0
!
ipv6 router ospf 46
 router-id 4.6.4.6
 passive-interface loopback0
Classic EIGRP or EIGRPv6
• EIGRP – IP 88
• fe80::/64 source, ff02::a destination
• No shutdown for older versions
• Apply the route process to interfaces
• Auto summary disabled
• Transport & peering over IPv6

ipv6 unicast-routing
!
interface ethernet 0/0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 46
!
interface ethernet 0/1
 ipv6 address 2001:db8:50:31::1/64
 ipv6 eigrp 46
!
ipv6 router eigrp 46
 no shutdown
 eigrp router-id 4.6.4.6
EIGRP Named Mode
• Name creates a virtual instance
  • Does not need to be common in domain
• Address family configures protocol instance
  • AS number must be common within domain
• Auto applied to all IPv6 enabled interfaces
  • No need to configure under the interfaces
• Large-scale hub and spoke environments

router eigrp IPv6rocks
 !
 address-family ipv6 unicast autonomous-system 46
  !
  af-interface Loopback0
   passive-interface
  exit-af-interface
  !
  af-interface Ethernet0/0
  exit-af-interface
  !
  eigrp router-id 4.6.4.6
 exit-address-family
EIGRP Authentication
• EIGRP supports HMAC-SHA-256
• To generate or validate messages, hash is constructed using:
• Configured shared secret
• Link Local address of sender
• EIGRP packet prior to adding the IP header
!
router eigrp IPv6rocks
 address-family ipv6 autonomous-system 46
  af-interface ethernet 0/0
   authentication mode hmac-sha-256 0 Cisco123
!
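As an added illustration (not the presentation's code, and not the exact byte layout of the EIGRP HMAC-SHA-256 authentication TLV), the Python below shows why the three inputs listed above matter together: a Hello that is correctly signed by one router fails verification when it is replayed from a different link-local source, when its payload is altered, or when the receiver holds a different key. The key string Cisco123 is taken from the configuration above; the Hello bytes and the ordering of the inputs into the hash are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed illustration of the digest inputs listed on the slide: shared
# secret (key), sender's link-local address, EIGRP packet before the IPv6
# header is added. The real TLV layout (RFC 7868) is not reproduced here.
SECRET = b"Cisco123"  # key string from "authentication mode hmac-sha-256 0 Cisco123"

# Constructed EIGRP Hello: version 2, opcode 5 (Hello), AS 46. Not a capture.
HELLO = bytes([2, 5]) + b"\x00" * 18 + (46).to_bytes(4, "big")


def eigrp_digest(secret: bytes, sender_link_local: str, eigrp_packet: bytes) -> bytes:
    """HMAC-SHA-256 over (sender link-local || EIGRP payload) under the shared secret."""
    addr = ipaddress.IPv6Address(sender_link_local)
    if not addr.is_link_local:
        # EIGRPv6 peers over fe80::/10 only; anything else must never be signed.
        raise ValueError(f"{sender_link_local} is not a link-local address")
    return hmac.new(secret, addr.packed + eigrp_packet, hashlib.sha256).digest()


def verify_eigrp_packet(secret: bytes, observed_src: str, eigrp_packet: bytes, digest: bytes) -> bool:
    """Receiver side: recompute with the *observed* source address, compare in constant time."""
    try:
        expected = eigrp_digest(secret, observed_src, eigrp_packet)
    except ValueError:
        return False
    return hmac.compare_digest(expected, digest)


def replay_check() -> dict:
    """Sign one Hello as fe80::1 and report how each receiver-side case is judged."""
    digest = eigrp_digest(SECRET, "fe80::1", HELLO)
    return {
        "genuine peer": verify_eigrp_packet(SECRET, "fe80::1", HELLO, digest),
        "replayed from fe80::2": verify_eigrp_packet(SECRET, "fe80::2", HELLO, digest),
        "tampered payload": verify_eigrp_packet(SECRET, "fe80::1", HELLO + b"\x00", digest),
        "wrong secret": verify_eigrp_packet(b"Cisco124", "fe80::1", HELLO, digest),
    }


if __name__ == "__main__":
    for case, ok in replay_check().items():
        print(f"{case:24s} -> {'accepted' if ok else 'rejected'}")
```

Binding the digest to the sender's link-local address is what turns a shared secret into a per-neighbor check: the same key on every router in the domain still does not let a captured Hello be re-sent from another interface.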
IS-IS
• Single topology mode
  • Single LSDB, single cost
  • Links must be congruent (dual stacked)
• Multi topology mode

ipv6 unicast-routing
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 router isis CISCO
 isis circuit-type level-1
 isis ipv6 metric 10000
 isis authentication mode md5
Ingress
• Equal load distribution
  • Advertise more specific /45 & /44
• Non equal load distribution
  • Use AS path prepend, if accepted
Egress
 neighbor 2001:db8::b1 prefix-list ISPBin in
 neighbor 2001:db8::b1 route-map LOCAL in
!
ipv6 prefix-list ISPBin seq 5 permit ::/0
route-map LOCAL permit 10
 set local-preference 200
(Figure: Enterprise Domain 2001:db8:460::/44 connected to ISP A, AS 64499, 2001:db8:a1::/32 and ISP B, AS 64497, 2001:db8:b1::/32, and through them to the Internet)
Layer 2 Adjacent Firewall
• Firewalls are redundant and share state
• Common VLAN between the firewalls & routers
(Figure: edge routers to ISP A and ISP B, Internet beyond)
Layer 3 Adjacent Firewall
• IGP between edge routers & Layer 3 switch
  • EIGRP, OSPF, iBGP, IS-IS
• Edge routers redistribute ::/0 (or prefixes) into IGP
• Layer 3 switch has static route for PI address
  • Set to next-hop of the firewall
• Firewall has a default route
(Figure: edge routers to ISP A and ISP B, Internet beyond; ::/0 points toward the edge, the PI prefix 2001:db8:46::/44 sits behind the firewall)
Multihomed, Multisite
• Internet connectivity is split across two data centers
• Each firewall is active; state is not shared
• Advertising the /44 out both could cause asymmetry
  • NAT solves this problem for the legacy protocol
  • More specific routes plus aggregate needed for IPv6
(Figure: two data centers in enterprise AS 64498, connected to ISP A and ISP B, Internet beyond)
Multisite Egress Traffic Engineering
• Create eBGP multihop link to the core routers
• Use a route map with set command
(Figure: enterprise AS 64498 with ISP A and ISP B; prefixes X,Y,Z are advertised with the lower MED from one site and the higher MED from the other, prefixes A,B,C the other way round)
Enterprise IPv6 Guidance
(Figure: campus reference topology with Access, Distribution and Core layers, plus WAN, Data Center and Internet blocks)
IPv6 Host OS Behavior
Christopher Werny
TECRST-2001
@bcp38_
Make the world a safer place
Introduction & Motivation
Motivation of this Presentation
• We are involved in a project where $COMPANY plans to enable IPv6 in up to 10K WiFi hotspots in supermarkets in Western Europe
  • (with expected 50-100k concurrent users)
Motivation of this Presentation
• An increasing number of organizations
currently consider implementing IPv6 in
a specific mode often called “v6-only +
NAT64”.
• Some conferences already implement
this in their WiFi networks:
• Troopers ;-)
• FOSDEM
• Cisco Live Europe
https://insinuator.net/2019/02/some-notes-on-the-ipv6-properties-of-the-wireless-network-cisco-live-europe/
Why an IPv6-only Deployment might make sense
Diffusion of Innovations
• Theory that seeks to explain how
new ideas and technology spread.
https://en.wikipedia.org/wiki/Diffusion_of_innovations
Operational Implications
• Dual Stack increases the overall complexity of the network significantly
IPv4 is getting Expensive
• Prices have gone up steadily in the last couple of years.
Translation Technologies in IPv6-only Environments – NAT64 & 464xlat
IPv6 Translation Technologies
• Going IPv6-only without a translation mechanism is currently not a
feasible solution.
NAT64 / DNS64
• Stateful NAT64 is a mechanism to translate IPv6 packets to IPv4
and vice-versa.
• A specific (arbitrary) prefix (/96) from your address space will be used for
translation.
(Figure: six-step flow between the IPv6-only client, the DNS64 resolver and the NAT64 gateway)
User Experience Tests
Some Statistics from our ASR @Troopers
NAT64 & DNS64
• Works reliably for
• TCP
• UDP
• ICMP
• Does not work for protocols that embed IPv4 literals in the payload of
the packet
• FTP
• SIP
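An added example, not the presentation's code, covering the two NAT64/DNS64 slides above: how DNS64 synthesizes an AAAA record from an A record using a /96 translation prefix (the RFC 6052 layout, IPv4 address in the low 32 bits), how the NAT64 recovers the IPv4 destination from such an address, and why an application that carries an IPv4 literal in its payload (the FTP/SIP case) bypasses the mechanism entirely. The prefix 2001:db8:64::/96, the zone data and the hostnames are constructed.

```python
import ipaddress

# Constructed: a /96 taken from the operator's own space, as the slide suggests.
# RFC 6052's well-known prefix can be passed in instead.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data standing in for real DNS answers.
ZONE = {
    "dual.example.":   {"A": "192.0.2.10", "AAAA": "2001:db8:1::10"},
    "v4only.example.": {"A": "192.0.2.20"},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64: embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 translation prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """NAT64: inside the prefix -> recover the IPv4 address; otherwise None (native IPv6, forwarded)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_resolve(name: str):
    """What a v6-only client gets for an AAAA query: the native record if present, else a synthesized one."""
    rr = ZONE.get(name, {})
    if "AAAA" in rr:
        return rr["AAAA"], "native"
    if "A" in rr:
        return synthesize_aaaa(rr["A"]), "synthesized"
    return None, "nxdomain"


def reachable_from_v6_only(destination: str) -> bool:
    """A hostname goes through DNS64 and works; an IPv4 literal (e.g. one carried in an
    FTP or SIP payload) never reaches the resolver, so a v6-only host has no route for it."""
    try:
        ipaddress.IPv4Address(destination)
        return False
    except ValueError:
        pass
    return dns64_resolve(destination)[0] is not None


if __name__ == "__main__":
    for name in ZONE:
        print(name, dns64_resolve(name))
    print("192.0.2.20 literal reachable:", reachable_from_v6_only("192.0.2.20"))
```

The same split explains the Fortnite observation later in the deck: a client that only asks for an A record gets an IPv4 address back and is in the same position as one dialing a literal, since DNS64 only synthesizes answers to AAAA queries.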
464XLAT
Background
• Some Network Elements do not support dual stack.
Mobile Provider Using IPv6 Only
• Legacy applications using embedded literals in their code
(Figure: intelligent IPv6 application)
3 Use Cases in IPv6 only
• End-to-end IPv6: Facebook, Google, Wikipedia, Yahoo, Youtube …
Coming back to the Case Study…
Case Study
• $COMPANY plans to enable IPv6 in up to 3K Wi-Fi hotspots in
supermarkets in Western Europe
• Dual-stack or v6-only?
• Free offering → no SLAs
• But still they’d like to avoid “discussions which could affect their
brand”.
Strategy / Decisions
• Dual-Stack vs. v6-only (+NAT64)
• From “IPv6 perspective” the most important one
Strategy / Decisions
• Audience
• Expectations (communication)
• Types of devices (platforms, OSs, versions!)
• Types of applications (e.g. gaming vs. VPN clients)
• Requires
• Definition
• Testing
• Communication & mgmt/sponsor approval
Stuff That Might Have Issues
• As of 06/2019 (→ issues might be gone 07/2019…)
• Gaming (namely multiplayer)
• VPN clients
• But a lot of things (progress) seem to happen in this space right now.
Types of Connections / Initial Thoughts
Legend: ++ will most certainly work; + very likely to work, but individual apps might expose problems; ? unclear, will heavily depend on specific circumstances; – problems to be expected.

Type of client device     | IPv6 endpoint (all) | IPv4 endpoint: Web client/app | Fat client | VPN client (SSL) | VPN client (IPsec) | Other
Smartphones: iOS          | ++                  | ++                            | +          | ++               | –                  | +
Smartphones: Android      | ++                  | ++                            | ++         | ++               | –                  | +
Smartphones: Other        | ++                  | ++                            | +          | ++               | –                  | +
Laptops: Windows, pre-10  | ++                  | ++                            | +          | ++               | –                  | +
Laptops: Windows 10       | ++                  | ++                            | ++         | ++               | –                  | +
Laptops: Other            | ++                  | ++                            | ?          | ++               | –                  | +
Other: IoT devices        | ++                  | ++                            | ?          | ++               | –                  | +
From FOSDEM: IPsec VPN Clients & v6-only
• When we look into the legacy dual stack network,
we notice that for the IPv4 traffic distribution we
see outgoing
• ~214M TCP packets and
• ~6M ESP (VPN) packets while incoming was
• ~394M TCP packets with
• ~8M ESP packets
Src: https://blogs.cisco.com/getyourbuildon/fosdem-2019-a-new-view-from-the-noc
From FOSDEM: IPsec VPN Clients & v6-only
• This means that at least about 2-3% of all traffic was on an IPSEC VPN.
And this excludes the TCP VPN traffic on ports 443/TCP and 22/TCP. On
the IPv6 network we do not see a similar amount of ESP traffic.
• This strongly suggests that the people remaining on the dual stack
network do so because their VPN solution does not work with an IPv6
only network.
Src: https://blogs.cisco.com/getyourbuildon/fosdem-2019-a-new-view-from-the-noc
Connections / Expected Trends
Situation/numbers will get better/increase over time

Type of client device     | IPv6 endpoint (all) | IPv4 endpoint: Web client/app | Fat client | VPN client (SSL) | VPN client (IPsec) | Other
Smartphones: iOS          | ++                  | ++                            | +          | ++               | –                  | +
Smartphones: Android      | ++                  | ++                            | ++         | ++               | –                  | +
Smartphones: Other        | ++                  | ++                            | +          | ++               | –                  | +
Laptops: Windows, pre-10  | ++                  | ++                            | +          | ++               | –                  | +
Laptops: Windows 10       | ++                  | ++                            | ++         | ++               | –                  | +
Laptops: Other            | ++                  | ++                            | ?          | ++               | –                  | +
Other: IoT devices        | ++                  | ++                            | ?          | ++               | –                  | +
Rationale re: Trends
• IPv6-enabled connection endpoints
(e.g. websites/servers) increase over time.
The Lab – Testing Applications in an IPv6-only Environment
The Lab Infrastructure – Overview
• Pretty small and basic setup:
The Lab – Overview
(Figure: ISR4321 router R1 performing NAT64, a WLC with an access point, and a server providing DNS64)
The Lab – Methodology
• Group applications in categories.
• e.g. Social Media, Communication etc.
Categories
• Social Media
• Streaming
• Communication
• Games
• Informational
• Other
Display of Sample Categories / Test cases
Results
Overview
• OS-wise iOS apps successfully completed all test cases
• Maybe not a surprise given Apple’s strategy
Applications with Issues / Overview
• In general, we could observe two failure scenarios:
Spotify – in 2015
Src: https://labs.spotify.com/2015/11/05/oh-ipv6-where-art-thou/
Spotify – in 2019
https://community.spotify.com/t5/Live-Ideas/Other-IPv6-Support/idi-p/4469460
Streaming - Spotify
• Unfortunately, the Spotify app on Windows 10/7/macOS does not
work.
• The web client and iOS/Android work as intended
Game(s) Client
Games - Steam
• Downloading and installing worked
without a problem.
Games – Fortnite
• “Hottest” Battle Royale game for a year or two.
Epic Games Launcher – Looks good from IPv6 PoV
But.....
• XMPP doesn’t work.....
Turns out...XMPP client only asks for an A record
Joining the Game
• You can join the lobby, download content
and contact the matchmaking server.
Early Research
• https://answers.unrealengine.com/questions/583305/bug-dedicated-server-connection-issues-with-ipv6-n.html
For future reference
Interim Conclusion (i)
• We tested around 35 different applications with a total of 120 test
cases
• On (if available) six different operating systems.
Interim Conclusion (ii)
• While we still see some (minor) breakage (that was to be expected)
it is lower than we initially anticipated.
Lab / Next Steps
• Validate / further investigate failure cases
• Vendor communication!
• Probably even easier when the vendor is the only failing one in a
group of similar apps ;-)
Technical Considerations in IPv6-only Environments
IPv6 in Wi-Fi Networks
• WLANs are shared media
• Ftr: yes, even with 802.11ax ;-)
In Practice
• Some tuning is needed
• (WLAN) Controller level
• Which (of the above) to proxy/throttle/block
• Inter-AP communication
• L3 infrastructure
• Properties of RAs
• Properties of ND
• Other (e.g. MLD[?])
Neighbor Binding Table on Cisco WLC
RA Throttling on Cisco WLCs / Sample
FHS on WLC Controller
Gateway Configuration
• To reduce the multicast traffic, the following parameters were adjusted in the Troopers network:
• The above are some “best practice” values, initially inspired by Andrew
Yourtchenko from the Cisco Live Wi-Fi implementation.
Config Snippet (incl. NAT64)
interface GigabitEthernet0/0/0.30
 <output omitted>
 description ====TRP-NAT64===
 encapsulation dot1Q 30
 ipv6 address FE80::1 link-local
 ipv6 address 2A02:8071:F00:64::1/64
 ipv6 enable
 ipv6 mtu 1280
 ipv6 nd reachable-time 900000
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra solicited unicast
 ipv6 nd ra lifetime 9000
 ipv6 nd ra interval 4
 ipv6 nd ra dns server 2A02:8071:F00:64::251
 ipv6 dhcp server DHCP-TRP-NAT64-v6-POOL
 nat64 enable
Supporting Infrastructure
Supporting Infrastructure & Processes
• Infrastructure
• Captive Portal (usually 3rd party provider) IPv6? ;-)
• Management & WLC/AP-communication IPv6? ;-)
• Telemetry
• Processes
• Communication
• Users
• Feedback loop re: stuff not working
• Management / Sponsor
• Vendors (of apps that don’t work)
Monitoring / Case Study
• We wanted to get a feeling about the NAT64 translations that are
active on our gateway during Troopers at any given time.
EEM to the Rescue
• One nice person on the c-nsp list sent me a clever workaround
• Thank you Nikolay!
• While he had initially created the EEM template for IPv4 NAT
entries, we could adjust it easily to our needs
High Level Steps – EEM Template
1. Perform the relevant “show commands”
• Show nat64 translations in this case
Complete EEM Template
> snmp mib expression owner NAT64 name NAT64TRANSLATIONS
>  description Total active translations
>  value type integer32
>  expression 0
> !
> event manager applet NAT64-Translations
>  event timer watchdog time 300 maxrun 60
>  action 010 cli command "enable"
>  action 030 cli command "configure terminal"
>  action 040 cli command "do-exec show nat64 translations"
>  action 050 regexp "^.+\s([0-9]+)" "$_cli_result" match total_translations
>  action 100 cli command "snmp mib expression owner NAT64 name NAT64TRANSLATIONS"
>  action 110 if $_regexp_result eq "1"
>  action 120  cli command "expression $total_translations"
>  action 130 else
>  action 140  cli command "expression 0"
>  action 150 cli command "exit"
>  action 160 end
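As an added example that is not part of the presentation or of the EEM template above, the Python below does offline what actions 050 and 110-140 of the applet do on the router: pull the total out of the show output with a regular expression, fall back to 0 when nothing matches, and keep the value inside the integer32 range the MIB expression declares. The sample outputs are constructed and only approximate the real "show nat64 translations" format; the regular expression anchors on a line starting with "Total", which is an assumption and differs from the template's ^.+\s([0-9]+).

```python
import re

# Constructed sample outputs; the real "show nat64 translations" layout varies by release.
SAMPLE_ACTIVE = """\
Proto  Original IPv4        Translated IPv4      Original IPv6              Translated IPv6
tcp    203.0.113.5:443      192.0.2.1:1024       2001:db8:f00:64::1a:5a     2001:db8:64::cb00:7105
udp    203.0.113.9:53       192.0.2.1:1025       2001:db8:f00:64::2b:7c     2001:db8:64::cb00:7109

Total number of translations: 1234
"""
SAMPLE_IDLE = "Total number of translations: 0\n"
SAMPLE_ERROR = "% NAT64 is not enabled\n"   # feature off or command rejected: the applet's "else" branch

# Assumption: the summary line starts with "Total" and ends with the count.
TOTAL_RE = re.compile(r"^Total.*?\s([0-9]+)\s*$", re.MULTILINE)

INT32_MAX = 2**31 - 1   # "value type integer32" in the MIB expression


def count_translations(cli_result: str):
    """Equivalent of action 050: the captured group as an int, or None when the regexp did not match."""
    m = TOTAL_RE.search(cli_result)
    return int(m.group(1)) if m else None


def snmp_expression_value(cli_result: str) -> int:
    """Equivalent of actions 110-140: matched -> the total, otherwise 0; clamped to integer32."""
    total = count_translations(cli_result)
    if total is None:
        return 0
    return min(total, INT32_MAX)


def poll_history(samples):
    """Gauge values a watchdog run every 300 s would expose, in order (what a poller would graph)."""
    return [snmp_expression_value(s) for s in samples]


if __name__ == "__main__":
    print(poll_history([SAMPLE_IDLE, SAMPLE_ACTIVE, SAMPLE_ERROR]))
```

Note that the fallback to 0 hides the difference between "no translations" and "command failed"; when graphing the gauge, a sudden drop to 0 is worth checking against the applet's own logging rather than read as an idle gateway.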
Telemetry for DNS Queries
• We also wanted to get a feeling to which degree client systems use either the RA- or the (stateless) DHCPv6-provided DNS resolvers.
• To achieve this, we installed two instances of unbound, provided those per RA and
DHCPv6 respectively, and counted the total amount of DNS queries each of them
received.
• In general you should be very cautious re: telemetry (not only DNS-related) in Wi-Fi
hotspot type of networks.
• Evidently some data points might be privacy-invasive.
• Regulations might kick in, even conflicting ones.
Communication et al.
• How to incentivize users to use the v6-only SSID if there's a “legacy” (usually dual-stacked) SSID in parallel?
Conclusion
Conclusions
• We see an increasing interest in deploying v6-only + NAT64
networks.
• For reasons…
• Testing creates #transparency ;-) & well-informed decision making
• Overall fewer issues than expected
• Apple’s strategy seems to work.
• Communication strategy will be crucial, with management, users &
vendors.
Summary / Conclusions
• Deploying IPv6-enabled Wi-Fi hotspots requires specific
considerations and tech. adjustments
• Define strategy re: v6-only
• Perform specific configuration on devices
• Monitoring & telemetry
Just to Make this Clear
• Based on our testing we think that going with v6-only
(+ NAT64) is a reasonable approach now
• Only very few issues (stuff not working) to expect
• Namely on platforms or types of app which might not even be relevant for
your deployment scenario
• At the same time this can save a lot of operational effort.
• Telemetry data & lab results are always a good idea ;-)
• Proper supporting communication can be helpful.
IPv6-only in the Datacenter
Feasibility in the Datacenter
• While we have seen that IPv6-only might make sense in the Access
Layer, what about DCs?
From one of our IPv6 engagements
• What did the Datacenter look like?
• Backbone/Core Network
• Management Network
• Staging environment
• Internal/Intranet Applications
• Running on the production servers
IPv6 Deployment within a Datacenter
• After several discussion rounds, it was decided (wisely) to deploy
IPv6 within the staging environment first.
How to proceed (High-Level)?
• The most sensible approach (that also a number of other players
do) is:
But how should I add IPv6 to these Systems in
general?
• In short: It depends ;-)
• As I laid out in the morning session, from our perspective you have the
following options:
• Fully static configuration -> includes deactivation of RA processing on the
host
• “Hybrid” -> static configuration with default route via RA.
• Stable “dynamic” addresses (RFC 7217) with dynamic DNS updates
• DHCPv6 with reservations
Application Behaviour
• Some apps work just fine with IPv6 and some don’t work as
expected: Testing is key/crucial!
• What we have observed (and others have made the same
observation):
• DNS works just fine (as it is transport protocol independent)
• Kerberos (to our surprise) works just fine as well
• NTP somewhat works, but there are some intricacies
• Syslog just works (under the assumption the receiver listens on IPv6)
• SSH works just fine as well
• SNMP works just fine (same as DNS)
Applications where you will Encounter Problems
• Hadoop Cluster
• Getting better, but still not there yet ->
https://issues.apache.org/jira/browse/HADOOP-11890
• Jira/Confluence
• Somewhat limited support ->
https://confluence.atlassian.com/jirakb/ipv6-in-jira-949755622.html
Monitor Progress!!
• I cannot stress this enough. It is very important that you track your
progress to have good visibility where you are currently at with the
deployment.
Source: https://www.ipv6.org.uk/wp-content/uploads/2018/11/IPv6-presentation-linkedin-The-Beginning-of-the-End.pdf
The Cost of Dual Stack
• As already laid out in the beginning. Dual stack significantly
increases the overall complexity and operational effort.
• While getting IPv6 on the street within your datacenter will not work
without a Dual stack implementation (exceptions are green field
deployments), treat it as an interim step.
Conclusion during the Journey (i)
• It helps to have a plan ;-)
• Measure! your progress! Do it in a controlled manner
• IPv6 still (surprise ;-)) requires people to deal with it:
  • Operators (system, network, help desk et al.)
  • Developers -> Get them on board ASAP
  • Managers -> They need to understand what you are doing and why
  • Corporate Lawyers -> to deal with external suppliers / contractors etc.
Conclusion during the Journey (ii)
• If you happen to have the chance to do a “clean switch” -> Do it!
Case Study – Insurance Company
(Figure: several sites, each addressed from RFC1918 10.0.0.0/8, all connecting to a shared datacenter that uses 10.0.0.0/8 as well)
Case Study – Issues for the Migration
• Microsoft Directory Services do not work well through NAT
boundaries
Case Study – Addressing the Issues
• Implement a centralized Authentication Service within the datacenter
• Do this in an IPv6-only fashion.
IPv6 Security
Eric Vyncke
TECRST-2001
@evyncke
IPv6 Security Myths…
IPv6 Myths: Better, Faster, More Secure
The Absence of Reconnaissance Myth
• Default subnets in IPv6 have 2^64 addresses
• At 10 Mpps, sweeping one subnet takes more than 50 000 years
Reconnaissance in IPv6
Scanning Methods Will Change
• If using EUI-64 addresses, just scan 2^48
• Or even 2^24 if vendor OUI is known...
(Figure: a scanner sending Neighbor Solicitations for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... across the 2001:db8::/64 subnet)
For Your Reference
http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1
The IPsec Myth: IPsec End-to-End will Save the World
• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 6434 “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows...
• Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no
firewall
• Network telemetry is blinded: NetFlow of little use
• Network services hindered: what about QoS or AVC ?
Is there NAT for IPv6? - “I need it for security”
• Network Prefix Translation, NPTv6, RFC 6296
  • 1:1 stateless prefix translation allowing all inbound/outbound packets
  • Main use case: multi-homing (see first section)
• Else, IETF has not specified any N:1 stateful translation (aka overload NAT or NAPT) for IPv6
• Do not confuse stateful firewall and NAPT, even if they are often co-located
• Nowadays, NAPT (for IPv4) does not help security
  • Host OS are way more resilient than in 2000
  • Hosts are mobile and cannot always be behind your ‘controlled NAPT’
  • Malware is not injected from ‘outside’ but is fetched from the ‘inside’ by visiting weird sites or installing any trojanized application
“By looking at the IP addresses in the Torpig headers
we are able to determine that 144,236 (78.9%) of the
infected machines were behind a NAT, VPN, proxy, or
firewall. We identified these hosts by using the non-
publicly routable IP addresses listed in RFC 1918:
10/8, 192.168/16, and 172.16-172.31/16”
NAT does not Protect IoT
“Early 2017, a multi-stage Windows Trojan containing code to scan
for vulnerable IoT devices and inject them with Mirai bot code was
discovered. The number of IoT devices which were previously safely
hidden inside corporate perimeters, vastly exceeds those directly
accessible from the Internet, allowing for the creation of botnets with
unprecedented reach and scale.”
“The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?”
Steinthor Bjarnason, Arbor Networks, DEFCON 25
Shared Issues
ICMPv4 vs. ICMPv6
• Significant changes
• More relied upon

ICMP Message Type                 | ICMPv4 | ICMPv6
Connectivity Checks               | X      | X
Informational/Error Messaging     | X      | X
Fragmentation Needed Notification | X      | X
Address Assignment                |        | X
Address Resolution                |        | X
Router Discovery                  |        | X
Multicast Group Management        |        | X
Mobile IPv6 Support               |        | X
Generic ICMPv4
Border Firewall Policy
(Internet to Internal Server A)

Action   Src   Dst   ICMPv4 Type   ICMPv4 Code   Name
Permit   Any   A     3             0             Dst. Unreachable—Net Unreachable
Permit   Any   A     3             4             Dst. Unreachable—Frag. Needed
Permit   Any   A     11            0             Time Exceeded—TTL Exceeded
Equivalent ICMPv6
RFC 4890: Border Firewall Transit Policy
(Internet to Internal Server A)

Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   A     3             0             Time Exceeded—HL Exceeded
Potential Additional ICMPv6
RFC 4890: Border Firewall Transit Policy
(Internet to Firewall B, in front of Internal Server A)

Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   B     2             0             Packet Too Big
Permit   Any   B     4             0             Parameter Problem
Permit   Any   B     130–132       0             Multicast Listener
Permit   Any   B     135/136       0             Neighbor Solicitation and Advertisement
Types 2 and 4: for packets locally generated by the device (B) itself
Remote NDP Floods...
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6 (May 2015)
• RFC 4890 is a little too open
IPv6 Attacks with Strong IPv4 Similarities
Good news: IPv4 IPS signatures can be re-used
• Sniffing
  • IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
  • The majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices
  • Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
  • Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
  • Flooding attacks are identical between IPv4 and IPv6
Enforcing a Security Policy
IOS IPv6 Extended ACL
• Can match on
  • Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 type and code
  • TCP flags: SYN, ACK, FIN, PUSH, URG, RST
  • Traffic class (only six of the eight bits, i.e. the DSCP), Flow label (0-0xFFFFF)
IPv6 ACL Implicit Rules
RFC 4890
• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
...
permit icmp any any nd-na
permit icmp any any nd-ns
IPv6 ACL Implicit Rules – Cont.
Adding a deny-log
• The beginner’s mistake is to add a deny log at the end of the IPv6 ACL
. . .
! Now log all denied packets
deny ipv6 any any log
! Heu . . . I forgot about these implicit lines
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Solution: explicitly add the implicit ACEs before the logging deny
. . .
! Now log all denied packets
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
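The mistake above is easy to reproduce in a small model of IOS ACL evaluation. The following is an added example, not code from the Cisco Live deck or from Cisco: it parses the two ACLs shown on the slide, appends the implicit entries the way IOS does, evaluates a Neighbor Solicitation against the result, and offers a lint check (nd_shadowed) that flags a configured catch-all deny placed before the NS/NA permits. It supports only the ACE shapes used on the slide (permit/deny, protocol ipv6/icmp/tcp/udp, "any any", optional nd-ns/nd-na keyword, optional log); real IOS ACLs have many more match options.

```python
"""Model of IOS IPv6 ACL evaluation with the implicit neighbor-discovery entries.

Added example, not code from the Cisco Live deck. Only the ACE shapes shown on
the slide are supported (permit|deny, ipv6|icmp|tcp|udp, 'any any', optional
nd-ns/nd-na keyword, optional log or log-input).
"""
import re
from typing import List, NamedTuple, Optional, Tuple

ND_NS, ND_NA = 135, 136          # ICMPv6 Neighbor Solicitation / Advertisement
ND_KEYWORDS = {"nd-ns": ND_NS, "nd-na": ND_NA}


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" (any protocol), "icmp", "tcp", "udp"
    icmp_type: Optional[int]     # None = any ICMPv6 type
    log: bool


# What IOS silently appends after the last configured entry of every IPv6 ACL.
IMPLICIT_ACES = [
    Ace("permit", "icmp", ND_NA, False),   # permit icmp any any nd-na
    Ace("permit", "icmp", ND_NS, False),   # permit icmp any any nd-ns
    Ace("deny", "ipv6", None, False),      # deny ipv6 any any
]

ACE_RE = re.compile(
    r"^(permit|deny)\s+(ipv6|icmp|tcp|udp)\s+any\s+any"
    r"(?:\s+(nd-ns|nd-na))?(?:\s+(log|log-input))?$")


def parse_acl(text: str) -> List[Ace]:
    """Parse configured ACEs; '!' comment lines and blank lines are ignored."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"ACE not supported by this model: {line!r}")
        action, proto, nd_keyword, log = m.groups()
        aces.append(Ace(action, proto, ND_KEYWORDS.get(nd_keyword), log is not None))
    return aces


def evaluate(configured: List[Ace], proto: str,
             icmp_type: Optional[int] = None) -> Tuple[str, bool, bool]:
    """First match wins, over the configured entries followed by the implicit ones.
    Returns (action, logged, matched_by_implicit_entry)."""
    for idx, ace in enumerate(configured + IMPLICIT_ACES):
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, ace.log, idx >= len(configured)
    raise RuntimeError("unreachable: the implicit deny matches everything")


def nd_shadowed(configured: List[Ace]) -> bool:
    """True when a configured catch-all deny is reached before both NS and NA are
    explicitly permitted, i.e. the implicit neighbor-discovery permits are dead code."""
    permitted = set()
    for ace in configured:
        if ace.action == "permit" and ace.proto == "icmp":
            if ace.icmp_type is None:
                return False                  # permit icmp any any covers NS and NA
            permitted.add(ace.icmp_type)
        if ace.action == "deny" and ace.proto == "ipv6" and ace.icmp_type is None:
            return permitted != {ND_NS, ND_NA}
    return False


BEGINNER_ACL = """
! Now log all denied packets
deny ipv6 any any log
"""

CORRECT_ACL = """
! Now log all denied packets
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
"""

if __name__ == "__main__":
    for name, text in (("beginner", BEGINNER_ACL), ("correct", CORRECT_ACL)):
        acl = parse_acl(text)
        print(name, "NS ->", evaluate(acl, "icmp", ND_NS), "ND shadowed:", nd_shadowed(acl))
```

With the beginner's ACL the Neighbor Solicitation hits the configured deny (and is logged) before the implicit permits are ever reached; with the corrected ACL it is permitted by the explicit entries and only the remaining traffic falls through to the logging deny.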
RFC 8200 & DHCP-PD on ASA 9.10
• Allow ASA to process packets with a hop limit of 0 (follow RFC 8200)
• CSCvi46759
• Fixing some bugs in the same shot (DHCP packets sent with HL=0 by some CMTS 😱)
• Alas, general-prefix cannot be used in ACL...
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ipv6 address dhcp default
 ipv6 enable
 ipv6 nd suppress-ra
 ipv6 dhcp client pd hint ::/48
 ipv6 dhcp client pd ISP
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ipv6 address ISP ::1/64
 ipv6 address autoconfig
 ipv6 enable
!
Check with
Firepower Management Center: Extension Header (Flexconfig)
policy-map type inspect ipv6 inspect_ipv6_fc_pmap
 parameters
  verify-header type
  verify-header order
 match header esp
  log
 match header fragment
  drop
 match header ah
  log
 match header destination-option
  log
 match header hop-by-hop
  drop log
 match header routing-type eq 2
  log
 match header routing-type eq 3
  drop
 match header routing-type eq 4
  drop log
Firepower Management Center Mixed Mode Objects
Spam over IPv6
Botnet member or open relay
from Germany
• Spammers are also using IPv6 of course...
• Probably even without knowing it!
TalosIntelligence and IPv6: It Works
Anti-Spam Black Lists also Support IPv6
ISE 2.6 Adding More IPv6 (see BRKSEC-3018)
• IPv4: YES, Cisco AVP: "ip:inacl#1=permit ip any any"; YES, Cisco AVP: "#ACSACL#-IP-ACL_NAME-<SEQ_NUM>"
• IPv6: YES, Cisco AVP: "ipv6:inacl#1=permit ipv6 any any"; YES, Cisco AVP: "#ACSACL#-IPv6-ACL_NAME-<SEQ_NUM>"; Not Applicable
Summary of Cisco IPv6 Security Products
• ASA Firewall (since version 7.0, released 2005)
  • Extension header filtering and inspection (ASA 8.4.2)
  • Dual-stack ACL & object grouping (ASA 9.0)
• Email Security Appliance (ESA): IPv6 support since 7.6.1 (May 2012)
• Web Security Appliance (WSA) with explicit and transparent proxy
• FirePower NGIPS provides a decoder for IPv4 & IPv6 packets
• Cisco Threat Defense / StealthWatch: mostly forever, including SMC
• ISE 2.2 added IPv6 support, more w/ 2.6
• FirePower Threat Defence (FTD): no IPv6 inspection support on the GUI (FlexConfig), no management over IPv6
• FirePower Device Manager (FDM): no IPv6 support
• Cisco Umbrella: answers AAAA but cannot manage policy for IPv6
evyncke@host1:~# scapy
Welcome to Scapy (2.1.0)
>>> target="2001:db8:23:0:60de:29ff:fe15:2"
>>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")
>>> sr1(packet)
Begin emission:
Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
<IPv6 version=6L tc=0L fl=0L plen=12 nh=ICMPv6 hlim=62 src=2001:db8:23:0:60de:29ff:fe15:2 dst=2001:db8:1:0:60de:29ff:fe15:1 |<ICMPv6EchoReply type=Echo Reply code=0 cksum=0xdb04 id=0x1234 seq=0x956a data='ERIC' |>>
Packet Forgery with SCAPY /2
• Variables are assigned a value with "="
• Packets are built with the concatenation operator "/"
• Headers are instantiated with default values (such as source address, checksum, next header, length, ...); all can be overwritten
• Packets can be displayed in various formats: ls(), packet.show()
• Packets can be sent by
  • send(): simply send it
  • sr1(): send it and wait for one reply
>>> target="2001:db8:23:0:60de:29ff:fe15:2"
>>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")
“Playing” with Extension Headers
IPv6 Header Manipulation
• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  • More boundary conditions to exploit
  • Can I overrun buffers with a lot of extension headers?
• Mitigation: a firewall such as ASA/FTD which can filter on headers
Parsing the Extension Header Chain
• Finding the layer 4 information is not trivial in IPv6
• Skip all known extension headers
  • Until either a known layer 4 header is found => MATCH
  • Or an unknown extension header/layer 4 header is found... => NO MATCH
Fragment Header: IPv6
IPv6 Basic Header (Next Header = 44) | Fragment Header | Fragment Data
Fragment Header fields: Next Header, Reserved, Fragment Offset, Identification
• RFC 5722/8200: overlapping fragments => MUST drop the packet. Most OSes implement it since 2012
Fragmentation Used in IPv4 by Attackers
... Also applicable to IPv6 of course
• Great evasion techniques
  • Some firewalls do not process fragments except for the first one
  • Some firewalls cannot detect overlapping fragments with different content
  • IPv4 tools like whisker, fragroute, etc.
• Makes firewall and network intrusion detection harder
• Used mostly in DoSing hosts, but can be used for attacks that compromise the host
  • Send a fragment to force state (buffers, timers) in the OS
• See also: http://insecure.org/stf/secnet_ids/secnet_ids.html (1998!)
Parsing the Extension Header Chain
Fragments and Stateless Filters
• Layer 4 information could be in the 2nd fragment
• But stateless firewalls cannot find it if a previous extension header is fragmented
IPv6 hdr | HopByHop | Routing | Fragment1 | Destination | …
• RFC 6980: “nodes MUST silently ignore NDP … if packets include a fragmentation header”
• RFC 7112: “A host that receives a First Fragment that does not satisfy… SHOULD discard the packet”
• RFC 8200: “If the first fragment does not include all headers through an Upper-Layer header, then that fragment should be discarded”
Fragment Obfuscation with Scapy & Tcpdump
>>> packet=IPv6(dst=dst)/IPv6ExtHdrDestOpt(options=PadN(optdata='A'*20))/TCP(sport=sport,dport=22,flags="S", seq=100)
>>> frag1=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=1, offset=0)/str(packet)[40:48]
>>> frag2=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=0, offset=1)/str(packet)[48:84]
>>> send(frag1)
>>> send(frag2)
IP6 (hlim 64, next-header Fragment (44) payload length: 16) 2001:...:1 > 2001:...:2: frag (0xabbababe:0|8) [|DSTOPT]
0x0000: 6000 0000 0010 2c40 2001 0db8 0001 0000 `.....,@........
0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000 `.)..........#..
0x0020: 60de 29ff fe15 0002 3c00 0001 abba babe `.).....<.......
IP6 (hlim 64, next-header Fragment (44) payload length: 44) 2001:...:1 > 2001:...:2: frag (0xabbababe:8|36)
0x0000: 6000 0000 002c 2c40 2001 0db8 0001 0000 `....,,@........
0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000 `.)..........#..
0x0020: 60de 29ff fe15 0002 3c00 0008 abba babe `.).....<.......
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 47b3 0016 0000 0064 0000 0000 5002 2000 G......d....P...
0x0050: da35 0000
Let’s Try the Naive ACL...
ipv6 access-list NO_SSH
 deny tcp any any eq 22 log
 permit ipv6 any any
IP6 (hlim 62, next-header Fragment (44) payload length: 16) 2001:..:1 > 2001:..:2: frag (0xabbababe:0|8) [|DSTOPT]
IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)
IPv6 Fragmentation & IOS ACL
• Matching against the first fragment is non-deterministic:
  • the layer 4 header might not be there but in a later fragment
Need for stateful inspection
IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)
Is it the End of the World?
• The lack of fast wire-speed stateless ACLs is bad news of course
• IETF made a 1st IPv6 fragment without a layer-4 header invalid; it SHOULD be dropped by the receiving host and MAY be dropped by routers
  • RFC 7112 (born as draft-ietf-6man-oversized-header-chain)
  • RFC 8200 (the new IPv6 standard)
Extension Header Security Policy
• Whitelist approach for your traffic
• Only allow the REQUIRED extension headers (and types), for example:
  • Fragmentation header
  • Routing header type 2 & destination option (when using mobile IPv6)
  • IPsec AH and ESP
  • And layer 4: ICMPv6, UDP, TCP, GRE, ...
• If your firewall is capable:
  • Drop 1st fragment without layer-4 header
  • Drop routing header type 0
  • Drop/ignore hop-by-hop
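The chain walk described under "Parsing the Extension Header Chain", the fragment problem of the NO_SSH slide, and the whitelist policy above can all be exercised on the packets from the Scapy/tcpdump slide. The following is an added example, not code from the Cisco Live deck or from Cisco. FRAG1, FRAG2 and UNFRAGMENTED are rebuilt from the tcpdump hex printed on the "Fragment Obfuscation" slide (the 8 Destination Options bytes missing from the truncated first dump are reconstructed from the Scapy command: next header TCP, length 2, PadN of 20 'A'); RH0 is a constructed routing-header type 0 packet added only to exercise the drop rule, and the policy constants mirror the bullets above, not any product's defaults.

```python
"""Walk an IPv6 extension-header chain as a stateless filter sees one packet,
then apply the whitelist policy from the slides. Added example, not deck code."""
import struct
from typing import NamedTuple, Optional

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, GRE, ESP, AH, ICMPV6, DSTOPT = 0, 6, 17, 43, 44, 47, 50, 51, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPT}   # headers a filter can step over


class Chain(NamedTuple):
    headers: tuple               # extension header numbers seen, in order
    routing_types: frozenset     # routing header types seen
    fragment: Optional[str]      # None, "first" or "non-first"
    upper_layer: Optional[int]   # protocol number of the upper-layer header, if reached
    dport: Optional[int]         # TCP/UDP destination port, if visible
    truncated: bool              # a header claims more bytes than this packet carries


def parse_chain(pkt: bytes) -> Chain:
    """Parse one on-the-wire packet (no reassembly), the way a stateless ACL must."""
    plen, nh = struct.unpack_from("!HB", pkt, 4)
    off, end = 40, 40 + plen
    headers, rtypes, frag = [], set(), None
    while nh in EXT_HEADERS:
        if off + 8 > end:                          # fixed 8 bytes of the header are missing
            return Chain(tuple(headers), frozenset(rtypes), frag, None, None, True)
        headers.append(nh)
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            frag_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            frag = "first" if frag_offset == 0 else "non-first"
            if frag == "non-first":                # rest of the chain lives in the first fragment
                return Chain(tuple(headers), frozenset(rtypes), frag, None, None, False)
            size = 8
        else:
            if nh == ROUTING:
                rtypes.add(pkt[off + 2])
            size = (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        if off + size > end:                       # header runs past the end of this packet
            return Chain(tuple(headers),frozenset(rtypes), frag, None, None, True)
        nh, off = next_nh, off + size
    dport = None
    if nh in (TCP, UDP):
        if off + 4 > end:
            return Chain(tuple(headers), frozenset(rtypes), frag, None, None, True)
        dport = struct.unpack_from("!H", pkt, off + 2)[0]
    return Chain(tuple(headers), frozenset(rtypes), frag, nh, dport, False)


# Whitelist taken from the 'Extension Header Security Policy' bullets
ALLOWED_EXT = {FRAGMENT, DSTOPT, AH}        # hop-by-hop deliberately absent
ALLOWED_ROUTING_TYPES = {2}                 # mobile IPv6 only; type 0 is dropped
ALLOWED_UPPER = {ICMPV6, UDP, TCP, GRE, ESP}


def policy_verdict(c: Chain):
    """(action, reason): 'permit', 'drop', or 'defer' when the layer-4 header sits in
    a non-first fragment and only a stateful device can decide."""
    for h in c.headers:
        if h == ROUTING:
            bad = c.routing_types - ALLOWED_ROUTING_TYPES
            if bad:
                return "drop", f"routing header type {sorted(bad)}"
        elif h not in ALLOWED_EXT:
            return "drop", f"extension header {h} not whitelisted"
    if c.fragment == "first" and c.upper_layer is None:
        return "drop", "first fragment without upper-layer header (RFC 7112 / RFC 8200)"
    if c.fragment == "non-first":
        return "defer", "layer 4 not visible in a non-first fragment; needs stateful inspection"
    if c.truncated or c.upper_layer not in ALLOWED_UPPER:
        return "drop", f"upper-layer protocol {c.upper_layer} not whitelisted or malformed"
    return "permit", ""


def naive_no_ssh_denies(c: Chain) -> bool:
    """The NO_SSH ACL ('deny tcp any any eq 22') can only match when TCP is visible."""
    return c.upper_layer == TCP and c.dport == 22


SRC = bytes.fromhex("20010db80001000060de29fffe150001")   # 2001:db8:1:0:60de:29ff:fe15:1
DST = bytes.fromhex("20010db80023000060de29fffe150002")   # 2001:db8:23:0:60de:29ff:fe15:2
TCP_SYN = bytes.fromhex("47b300160000006400000000" "50022000da350000")  # 18355 -> 22, SYN
DSTOPT_24 = bytes.fromhex("06020114") + b"A" * 20   # nh=TCP, len=2 (24 bytes), PadN of 20 'A'


def build_ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload


FRAG1 = build_ipv6(FRAGMENT, bytes.fromhex("3c000001abbababe") + DSTOPT_24[:8])             # offset 0, M=1
FRAG2 = build_ipv6(FRAGMENT, bytes.fromhex("3c000008abbababe") + DSTOPT_24[8:] + TCP_SYN)  # offset 8, M=0
UNFRAGMENTED = build_ipv6(DSTOPT, DSTOPT_24 + TCP_SYN)
RH0 = build_ipv6(ROUTING, bytes([TCP, 2, 0, 1, 0, 0, 0, 0]) + DST + TCP_SYN)  # constructed: type 0, 1 segment

if __name__ == "__main__":
    for name, pkt in (("frag1", FRAG1), ("frag2", FRAG2), ("unfragmented", UNFRAGMENTED), ("rh0", RH0)):
        c = parse_chain(pkt)
        print(f"{name:12} headers={c.headers} frag={c.fragment} l4={c.upper_layer} "
              f"dport={c.dport} no_ssh_hits={naive_no_ssh_denies(c)} policy={policy_verdict(c)}")
```

Walking FRAG1 finds the Fragment header and the start of the Destination Options header, but that header claims 24 bytes while the fragment carries 8, so no upper-layer header is reachable: this is exactly the first fragment RFC 7112 says to discard, and the NO_SSH ACL never sees TCP port 22. FRAG2 starts at offset 8, so the chain cannot be followed at all. Only the unfragmented packet matches "deny tcp any any eq 22".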
More on dual-stack networks
Enabling IPv6 in the IPv4 Data Center
The Fool’s Way
[Diagram 1: 1) a host asks "I want IPv6, send RA"; 2) an RA is sent with a prefix for auto-configuration; 3) every server answers "Yahoo! IPv6" and configures a SLAAC address]
[Diagram 2: 1) the same request; 2) the RA is sent with "no auto-config"; 3) only the server with a static IPv6 address says "Yahoo! IPv6", the others get "No IPv6 SLAAC"]
Vulnerability Scanning in a Dual-Stack World
• Finding all hosts:
• Address enumeration does not work for IPv6
• Need to rely on DNS or NDP caches or NetFlow
• Vulnerability scanning
• IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
• Some services are single stack only (currently mostly IPv4 but who knows...)
• Personal firewall rules could be different between IPv4/IPv6
• IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an
IPv4-only network
• IPv6 link-local addresses are active by default
More on tunnels
L3-L4 Spoofing in IPv6
• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject IPv6 traffic if spoofing both the IPv4 and IPv6 addresses
• IPv6 ACLs are ineffective since IPv4 & IPv6 are spoofed
• The tunnel termination forwards the inner IPv6 packet
[Diagram: Server A in an IPv6 network, tunnel termination, IPv6-in-IPv4 tunnel across the public IPv4 Internet, tunnel termination, Server B in an IPv6 network]
Looping Attack Between 2 ISATAP Routers (RFC 6324)
ISATAP router 1: prefix 2001:db8:1::/64, IPv4 address 192.0.2.1
ISATAP router 2: prefix 2001:db8:2::/64, IPv4 address 192.0.2.2
1. Spoofed IPv6 packet: S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
2. IPv4 ISATAP packet to 192.0.2.2 containing S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
3. IPv6 packet: S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
Repeat until Hop Limit == 0
• Root cause
  • ISATAP routers ignore each other
Telemetry
Available Tools
• Similar to IPv4 telemetry
• SNMP MIB
  • Not always available yet on Cisco gear
• Flexible NetFlow for IPv6
  • Available in: 12.4(20)T, 12.2(33)SRE
  • Public domain tools: nfsen, nfdump, nfcapd…
• Cisco Threat Defense
Protocol group                       IP FWD (ROUTES)     IP / ICMP                TCP                 UDP
Original, IPv4 only                  RFC 2096            RFC 2011                 RFC 2012            RFC 2013
Protocol Version Independent (PVI)   RFC 4292            RFC 4293 (= IP-MIB)      RFC 4022            RFC 4113
                                     (rfc2096-update)    (rfc2011-update)         (rfc2012-update)    (rfc2013-update)
Using SNMP to Read IPv4/IPv6 Neighbors Cache
evyncke@charly:~$ snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.2" = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.3" = STRING: 0:23:48:2f:93:24
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.4" = STRING: 0:80:c8:e0:d4:be
...
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3
...
evyncke@charly:~$ snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable
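The raw snmpwalk output is awkward to keep as forensic evidence: Net-SNMP prints the IPv6 index as 16 colon-separated bytes and drops leading zeros from MAC octets. The following is an added example, not code from the Cisco Live deck or from Cisco: it parses the walk output exactly as shown above (including the wrapped lines), converts the InetAddress index into a proper IPv4/IPv6 address in canonical RFC 5952 text, zero-pads the MAC, and groups every address seen for the same MAC, which is the dual-stack correlation the forensic slides later ask for. The sample walk is the one from the slide; the parser is an assumption about Net-SNMP's text output format, not an official API.

```python
"""Parse snmpwalk output of IP-MIB::ipNetToPhysicalPhysAddress into a neighbor
table. Added example (not deck code); the sample rows are those on the slide."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ROW_RE = re.compile(
    r'^IP-MIB::ipNetToPhysicalPhysAddress\.(\d+)\.(ipv4|ipv6)\."([^"]+)"'
    r'\s*=\s*STRING:\s*([0-9a-fA-F:]+)$')


class Neighbor(NamedTuple):
    if_index: int
    address: IPAddress
    mac: str               # aa:bb:cc:dd:ee:ff, lower-case, zero-padded


def canonical_mac(raw: str) -> str:
    """Net-SNMP prints '0:7:e9:f2:a0:c6'; normalise to '00:07:e9:f2:a0:c6'."""
    octets = raw.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def mib_inet_address(family: str, text: str) -> IPAddress:
    """InetAddress index: dotted quad for ipv4, 16 colon-separated bytes for ipv6."""
    if family == "ipv4":
        return ipaddress.IPv4Address(text)
    return ipaddress.IPv6Address(bytes(int(b, 16) for b in text.split(":")))


def parse_walk(output: str) -> List[Neighbor]:
    rows: List[str] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("=") and rows:        # continuation of a wrapped row
            rows[-1] += " " + line
        else:
            rows.append(line)
    neighbors = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue                              # prompts, headers, unrelated OIDs
        if_index, family, addr, mac = m.groups()
        neighbors.append(Neighbor(int(if_index), mib_inet_address(family, addr), canonical_mac(mac)))
    return neighbors


def addresses_by_mac(neighbors: List[Neighbor]) -> Dict[str, List[str]]:
    """Correlate every IPv4/IPv6 address seen for the same MAC (the dual-stack join)."""
    table: Dict[str, List[str]] = defaultdict(list)
    for n in neighbors:
        table[n.mac].append(n.address.compressed)
    return dict(table)


# Rows copied from the slide; snmpwalk wrapped the IPv6 rows onto two lines.
SAMPLE_WALK = """
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.2" = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.3" = STRING: 0:23:48:2f:93:24
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.4" = STRING: 0:80:c8:e0:d4:be
...
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6"
= STRING: 0:7:e9:f2:a0:c6
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f"
= STRING: 0:20:4a:bf:ff:5f
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea"
= STRING: 78:ca:39:e2:43:3
...
"""

if __name__ == "__main__":
    for n in parse_walk(SAMPLE_WALK):
        print(n.if_index, n.address.compressed, n.mac)
```

Note that the first two IPv6 entries on the slide carry ff:fe in the middle of the interface identifier, i.e. they are EUI-64 addresses whose embedded MAC agrees with the cache entry; the third (3056:da9d:...) is not, so the cache is the only way to tie it to a MAC.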
Flexible Flow Record: IPv6 Extension Header Map
Bit 0: Res (Reserved)
Bit 1: FRA1 (Fragment header – not first fragment)
Bit 2: RH (Routing header)
Bit 3: FRA0 (Fragment header – first fragment)
Bit 4: UNK (Unknown Layer 4 header: compressed, encrypted, not supported)
Bit 5: Res (Reserved)
Bit 6: HOP (Hop-by-hop extension header)
Bit 7: DST (Destination Options extension header)
Bit 8: PAY (Payload compression header)
Bit 9: AH (Authentication header)
Bit 10: ESP (Encapsulating Security Payload header)
Bits 11-31: Res (Reserved)

interface GigEthernet0/15
 ipv6 flow monitor FLOW-MONITOR output
Netflow Reverse Usage
• Scanning an IPv6 network is impossible (address space too large)
• How can we run a security audit?
• Easy: get all IPv6 addresses from NetFlow
• Note: scanning link-local addresses requires layer-2 adjacency, i.e.
  • ping6 ff02::1
Forensic
Multiple Facets to IPv6 Addresses
• Every host can have multiple IPv6 addresses simultaneously
• Need to do correlation!
• Ensure that your Security Information and Event Management (SIEM) supports IPv6
• Usually, a customer is identified by its /48
• Every IPv6 address can be written in multiple ways
• 2001:0DB8:0BAD::0DAD
• 2001:DB8:BAD:0:0:0:0:DAD
• 2001:db8:bad::dad (this is the canonical RFC 5952 format)
• => Grep cannot be used anymore to sieve log files…
• See also RFC 7721 “Security and Privacy Considerations for IPv6 Address Generation Mechanisms”
How to Find the MAC Address of an IPv6 Address?
• Easy if EUI-64 format, as the MAC is embedded
  • 2001:db8::0226:bbff:fe4e:9434
  • (need to toggle the U/L bit, 0x02, in the first MAC byte)
  • Is 00:26:bb:4e:94:34
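The two forensic points above (an address has several textual forms, so grep fails; an EUI-64 interface identifier reveals the MAC once the U/L bit is flipped back) are small enough to put in one tool. The following is an added example, not code from the Cisco Live deck or from Cisco: it rewrites every IPv6 address in a log line to the canonical RFC 5952 form via Python's ipaddress module, searches on that, and extracts the MAC from an EUI-64 address (returning None for addresses that are not EUI-64, such as privacy or static ones). The log lines are constructed; the addresses are the slide's 2001:db8::0226:bbff:fe4e:9434 and the 2a02:578:8500:101:207:e9ff:fef2:a0c6 entry from the SNMP neighbor cache walk earlier.

```python
"""Canonicalise IPv6 addresses in logs (RFC 5952) and recover the MAC behind an
EUI-64 interface identifier. Added example (not deck code); log lines constructed."""
import ipaddress
import re
from typing import List, Optional

# Candidate: hex groups with at least two colons, not glued to other word characters.
IPV6_CANDIDATE = re.compile(r"(?<![\w:])[0-9A-Fa-f]*(?::[0-9A-Fa-f]*){2,}(?![\w:])")


def canonical_ipv6(text: str) -> Optional[str]:
    """RFC 5952 form (lower-case, longest zero run as '::'), or None if not IPv6."""
    try:
        return ipaddress.IPv6Address(text).compressed
    except ValueError:
        return None


def normalize_log_line(line: str) -> str:
    """Rewrite every IPv6 address in the line to canonical form; timestamps, MACs
    and IPv4 addresses either do not match the pattern or fail to parse and stay as-is."""
    return IPV6_CANDIDATE.sub(lambda m: canonical_ipv6(m.group(0)) or m.group(0), line)


def sieve(lines: List[str], address: str) -> List[str]:
    """grep replacement: match on canonical text, whatever notation each log used."""
    target = canonical_ipv6(address)
    if target is None:
        raise ValueError(f"not an IPv6 address: {address!r}")
    return [ln for ln in lines if target in normalize_log_line(ln)]


def mac_from_eui64(address: str) -> Optional[str]:
    """MAC behind a modified EUI-64 interface ID, or None when the IID is not one
    (no ff:fe in the middle, e.g. privacy, DHCPv6 or static addresses)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)


def eui64_iid_from_mac(mac: str) -> str:
    """Inverse direction: the interface-ID text to search logs for a known MAC."""
    b = bytes(int(o, 16) for o in mac.split(":"))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


# Constructed sample: the same source address written three ways, plus unrelated lines.
LOG_LINES = [
    "2019-06-09T14:02:11Z fw1 deny tcp 2001:0DB8:0BAD::0DAD.51522 -> [2001:db8::0226:bbff:fe4e:9434]:22",
    "2019-06-09T14:02:12Z fw1 deny tcp 2001:DB8:BAD:0:0:0:0:DAD.51523 -> [2001:db8:0:0:226:bbff:fe4e:9434]:22",
    "2019-06-09T14:02:13Z sw1 nd-cache 2001:db8::226:bbff:fe4e:9434 is-at 00:26:bb:4e:94:34",
    "2019-06-09T14:02:14Z fw1 permit udp 2001:db8:1::53.53 -> 2001:db8:bad::1.43211",
]

if __name__ == "__main__":
    print("plain grep hits:", sum("2001:db8:bad::dad" in ln for ln in LOG_LINES))
    print("canonical hits: ", len(sieve(LOG_LINES, "2001:db8:bad::dad")))
    print("MAC:", mac_from_eui64("2001:db8::0226:bbff:fe4e:9434"))
```

A plain text search for the canonical 2001:db8:bad::dad finds none of the first two lines; after normalisation it finds both, and the MAC line stays untouched because a six-group string is not a valid IPv6 address.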
How to Find the MAC Address of an IPv6 Address?
• DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be
  • MAC address: trivial
  • Time + MAC address: simply take the last 6 bytes
  • Vendor number + any number: no luck… next slide can help
• No guarantee of course that the DUID includes the real MAC address.
DHCPv6 in Real Life…
• Not so attractive
  • Only supported in Windows Vista and Windows 7, Mac OS X Lion
  • Not in Linux (default installation), …
• Windows Vista does not place the used MAC address in the DUID but any MAC address of the PC
• See also: https://knowledge.zomers.eu/misc/Pages/How-to-reset-the-IPv6-DUID-in-Windows.aspx
How to Find the MAC Address of an IPv6 Address?
• Last resort… look in the live NDP cache (CLI, SNMP, MDT telemetry)
• If no longer in the cache, then you should have scanned and saved the cache…
  • EEM can be your friend
IPv6 VPN
Secure IPv6 over IPv4/6 Public Internet
• No traffic sniffing
• No traffic injection
• No service theft
Hub
interface Tunnel0
 ipv6 address 2001:db8:100::1/64
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:0::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke
interface Tunnel0
 ipv6 address 2001:db8:100::11/64
 ipv6 eigrp 1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:db8:100::1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

• IPv4/IPv6 FlexVPN over IPv4 or IPv6 are allowed (IPv6 over IPv4 shown)
[Diagram: sites 2001:db8:beef::/64 and 2001:db8:cafe::/64 behind tunnel endpoints 172.16.1.1 and 172.16.2.1]
Global Addressing and VPN
• All inside hosts have a globally unique IPv6 address
• Routing-wise, remote sites could communicate over the Internet
• Even OUTSIDE of VPN tunnels
Secure RA IPv* over IPv* Public Network: AnyConnect SSL VPN Client & ASA
• AnyConnect supports native IPv4/6 connectivity
• Connecting via IPv4/6 Internet to ASA
• SSL tunneling IPv6 in IPv6, IPv4 in IPv4, IPv6 in IPv4, IPv4 in IPv6
• No support for DHCPv6 yet
• Mobile does not support IPv6 transport
[Diagram: AnyConnect client across an IPv4/6 transport network to the ASA in front of the IPv6/IPv4 intranet]
See also: http://blog.webernetz.net/2014/01/18/cisco-anyconnect-ipv6-access-through-ipv4-vpn-tunnel/
AnyConnect on CL-NAT64
Use Case: BC-Hydro IPv6 + IPsec for Smart Meters
http://www.rmv6tf.org/wp-content/uploads/2015/10/2-Bavarian-Mauro_Success-and-future-of-IPv6-from-an-Electrical-Utility-Perspective-rev5.compressed.pdf
On ciscolive.com:
BRKARC-2008 - Smart Grid: Field Area Network Multi-Service Architecture and BC Hydro Case Study
http://www.cisco.com/c/dam/en_us/solutions/industries/retail/downloads/bc-hydro-cisco.pdf
Recommended Reading
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
More IPv6 Sessions
When                   Session       Title
9 June 2019 / 9:00     TECRST-1991   Introduction to IPv6: Connecting nodes to the IPv6 access network
9 June 2019 / 14:00    TECRST-2001   Designing and deploying a secure IPv6 network
10 June 2019 / 8:00    BRKRST-2619   IPv6 Deployment: Developing an IPv6 Addressing Plan and Developing IPv6
10 June 2019 / 13:00   BRKSPG-2602   IPv4 Exhaustion: IPv6 Transition and NAT Architectures
11 June 2019 / 8:00    BRKSEC-3018   IPv6 AAA, Port-Based auth and Security Implementation
11 June 2019 / 13:00   LTRRST-2016   IPv6 in the Enterprise for Fun and (fake) Profit: A Hands-On Lab