Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar
An hour technical discussion on becoming BYOD-ready (Bring Your Own Device) first hop with two protocols and a single security policy.

As BYOD becomes more and more prevalent, it is important to keep in mind that most of the devices support both IPv4 and IPv6 - thus, even if you do not provide yet IPv6 connectivity, you still need to maintain the same protection as with IPv4. In this webinar you will briefly refresh available first hop security measures for IPv4, and focus on the new features that provide the matching functionality for IPv6.

Published in: Technology
  1. Cisco TechAdvantage Webinars: Preparing for IPv6 and BYOD with a Single Security Policy
     This webinar will provide an overview of how BYOD is challenging L2 domain security, and how in this scenario IPv6 requires capabilities not present in IPv4 to face it. Andrew Yourtchenko and Rafael Maranon-Abreu will highlight what is new, what the threats on the link layer are, and what solutions are available today at Cisco to mitigate them.
     © 2012 Cisco and/or its affiliates. All rights reserved. Follow us @GetYourBuildOn
  2. Register for a Technical Seminar with our Cisco Software SMEs: http://www.ciscolive.com/london/registration-packages/
     Session Title – Session Number
     •  Advanced LISP Techtorial – TECIPM-3191
     •  Advanced Network Automation – TECNMS-3601
     •  Application Awareness in the network; the Route to Application Visibility and Control – TECRST-2672
     •  Converged Access: Wired/Wireless System Architecture, Design and Operations – TECCRS-2678
     •  Enterprise QoS Design Strategy – TECRST-2501
     •  IP Mobility Deep Dive – TECSPG-3668
     •  IPv6 for Dummies: An Introduction to IPv6 – TECMPL-2192
     •  IPv6 Security – TECRST-2680
     •  Scaling the IP NGN with Unified MPLS – TECNMS-3601
     •  Software Defined Networking and Use Cases – TECSPG-2667
     •  Understanding and Deploying IP Multicast Networks – TECIMP-1008
  3. Speakers and Panelists
     Speakers:
     •  Andrew Yourtchenko, Technical Leader, ayourtch@cisco.com
     •  Rafael Maranon-Abreu, Product Manager, rmaranon@cisco.com
     Panelists:
     •  Ralph Schmieder, Technical Engineer, rschmied@cisco.com
     •  David Lapier, Product Manager, dlapier@cisco.com
  4. Housekeeping
     •  Submit questions in the Q&A panel and send to “All Panelists”; avoid the CHAT window for better access to panelists
     •  For WebEx audio, select COMMUNICATE > Join Audio Broadcast
     •  For WebEx call back, click the ALLOW phone button at the bottom of the participants side panel
     •  Where can I get the presentation? Send email to: ask_techadvantage@cisco.com
     •  Please complete the post-event survey
     •  Join us January 9th for our next TechAdvantage Webinar: Enhancing Application Performance with PfR, www.cisco.com/go/techadvantage
  5. Agenda
     •  Introduction to BYOD, IPv6 and L2 Domain Security
     •  IPv6 vs IPv4, what is new?
     •  Threats on the link layer
     •  Mitigations
  6. http://www.forbes.com/sites/sap/2012/03/05/cisco-the-biggest-mobile-byod-deployment-around/
  7. Top two perceived benefits of BYOD:
     •  Improved employee productivity (more opportunities to collaborate)
     •  Greater job satisfaction (flexibility and work-life balance)
     •  Two of five college students and young employees said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility than a higher-paying job with less flexibility.
     •  Regarding security-related issues in the workplace, three of five employees believe they are not responsible for protecting corporate information and devices.
     Source: The Cisco Connected World Technology Report 2011
  8. Poll: how many BYOD devices per employee?
     •  2+ BYOD per employee
     •  1 BYOD per employee
     •  0 BYOD per employee
  9. Growth catalysts (Source: Cisco VNI Global Forecast, 2011–2016)
     •  More Devices: nearly 19 Billion Connections
     •  Faster Broadband Speeds: 4-fold speed increase
     •  More Internet Users: 3.4 Billion Internet users
     •  More Rich Media Content: 1.2 M video minutes per second
  10. World IPv6 Launch activated: 3000+ Websites, 50 Networks (ISPs), 4 Home Router Vendors
      Public Sector in the first 100 sign-ups (3006 total): National Library of Medicine, NASA, Department of State, Department of Education, REMS, Doingwhatworks, USGS, U Penn, UNC, U Wisconsin, NCSU, U Utah, USDA, VA, National Park Service, US Census Bureau
      Source: http://www.worldipv6launch.org/participants/?q=1
  11. Outside – In (IPv4 Enterprise facing the IPv6 Internet):
      •  Internet Evolution
      •  Business Continuity
      •  B2C, B2B
      Inside – Out (Dual-Stack Enterprise facing the IPv4 Internet):
      •  Globalization
      •  Technology Leadership
      •  Industry mandate
      •  BYOD-Security-Visibility
      •  Flatten management plane
      http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
  12. Poll: when are you planning to deploy IPv6 in production?
      •  No plans
      •  24 months
      •  12 months
      •  6 months
      •  Done
  13. “When are you planning to deploy IPv6 in production” – poll results, July 2010 vs March 2012 (bar chart, categories No plans / 24 months / 12 months / 6 months / In Progress / Done, scale 0–60): No plans 40% in July 2010 vs 15% in March 2012; 6 months 32% in July 2010 vs 65% in March 2012.
  14. BYOD architecture diagram: AD/LDAP, NCS Prime, ISE and MDM Manager; Cisco Catalyst Switches and Cisco WLAN Controller; ASA Firewall managed by CSM / ASDM; User X and User Y on iOS or Android devices. (Cisco Confidential)
  15. Link operations: operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points. They encompass:
      •  Address configuration parameters
      •  Address initialization
      •  Address resolution
      •  Default gateway discovery
      •  Local network configuration
      •  Neighbor reachability tracking
  16. Example of Inside Attacks exploiting IPv6 Link Operations (diagram: Data Security at Edge, Authenticated Device)
      The Challenge: IPv6 Link Operations can be easily attacked inside the local network.
      Attacks inside the network:
      •  The attacker can spoof a user address by snooping Neighbor Solicitation and poisoning Neighbor Advertisement
      •  The attacker can become the local default gateway by sending rogue Router Advertisements
      •  The attacker can disable the local IPv6 network by poisoning Duplicate Address Detection
  17. •  Catalyst Integrated Security Features (CISF)
      For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf
  18. Intelligent Perimeter at the edge: pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers.
      Data Security at Edge: track IPv6 devices by snooping neighbor and router solicitations and DHCP requests (NS, DAD NS, ND, DHCP, RS, RA), and query their status when they become inactive.
      Binding table:
      Intf     IPv6    MAC   VLAN  State
      g1/0/10  ::001A  001A  110   Active
      g1/0/11  ::001B  001B  110   Active
      g1/0/11  ::001C  001C  110   Stale
      g1/0/15  ::001D  001D  110   Active
      g1/0/16  ::001E  001E  200   Verifying
      g1/0/17  ::0020  0020  200   Active
      g1/0/21  ::0021  0021  200   Active
      …        …       …     …     …
      The Solution: IPv6 Snooping and Guard – IPv6 First Hop Security in the access switch
      •  Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard
      •  Monitor device address assignment with Binding Integrity Guard
      •  Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard
  19. Securing IPv6 Networks – Quick Intro: IPv6 FHS features
      Core Features:
      •  RA Guard – Protection: rogue or malicious RA; MiM attacks
      •  DHCPv6 Guard – Protection: invalid DHCP Offers; DoS attacks; MiM attacks
      Advanced Features:
      •  Source/Prefix Guard – Protection: invalid source address; invalid prefix; source address spoofing
      •  Destination Guard – Protection: DoS attacks; scanning; invalid destination address
      Scalability & Performance:
      •  RA Throttler – Facilitates: scale, converting multicast traffic to unicast
      •  ND Multicast Suppress – Reduces: control traffic necessary for proper link operations, to improve performance
      * IPv6 Snooping: instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table. (Previously referred to as ND Inspection/Binding Table Recovery/Address Glean/Device tracking.)
  20. Prevent Rogue Router Advertisements from taking down the network (diagram)
      Before RA Guard: a rogue RA (“I am a router”) reaches Host A through the first hop switch, and Host A accepts it (“Yea! Thanks”).
      After RA Guard: the first hop switch drops the rogue RA (“Not according to me”).
  21. Prevent Rogue DHCP responses from misleading the client (diagram)
      Before DHCP Guard: the host’s DHCP Request is answered both by the real DHCP Server and by a rogue “I am a DHCP Server”, and both replies reach the host through the first hop switch.
      After DHCP Guard: the first hop switch forwards only the legitimate DHCP Server reply to the host.
  22. IPv6 Snooping: instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
      •  Deep control packet inspection
      •  Address Glean (ND, DHCP, data)
      •  Address watch
      •  Binding Guard
      IPv6 Binding Table:
      Intf     IPv6    MAC   VLAN  State
      g1/0/10  ::001A  001A  110   Active
      g1/0/11  ::001C  001C  110   Stale
      g1/0/16  ::001E  001E  200   Verifying
      Features built on the binding table (diagram): IPv6 Device Tracking, IPv6 Source Guard, IPv6 Destination Guard
  23. Securing IPv6 Networks – Quick Intro (repeat of the IPv6 FHS feature overview on slide 19)
  24. Poll: how important is first-hop security to you?
      •  Very important
      •  Important
      •  Neutral
      •  Not important
  25. Why the access layer matters
      Risk and Exposure:
      •  Exposed to end users, the access layer is inherently vulnerable
      Infrastructure Protection:
      •  Security at the network edge protects the network infrastructure
      Network Intelligence:
      •  Key data can only be gathered at the access layer
  26. Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?
      •  More addresses!
      •  More end-nodes allowed on the link (up to 2^64!)
      •  Bigger neighbor cache on end-nodes and on the default router
      •  May lead to some dramatic topology evolution
      •  Creates new opportunities for DoS attacks
      Threats are also dependent on the protocols in use: what is different?
      •  More distributed and more autonomous operations
      •  Nodes discover their default router automatically
      •  Nodes auto-configure their addresses
      •  Nodes defend themselves (SeND)
      •  Distributed address assignment creates more challenges for address security
  27. Old IPv4 link model (diagram): the DHCP server assigns addresses, announces the default router and announces link parameters; the router only forwards. The old IPv4 link model is very much DHCP-centric.
  28. IPv6 link model (diagram): the router announces itself as default router, announces link parameters and supplies the prefix from which nodes assign their own addresses; the DHCP server assigns addresses. The IPv6 link model is essentially distributed, with DHCP playing a minor role.
  29. Two security models (diagram with attacker, DHCP server/relay, web server, time server, host and router; un-trusted end-nodes vs trusted end-nodes)
      •  Distributed: security verified between any pair of nodes
      •  Centralized: security verified between each node and the central switch
  30. Neighbor Discovery Protocol (NDP)
      •  Defined in RFC 4861, Neighbor Discovery for IP Version 6 (IPv6), and RFC 4862, IPv6 Stateless Address Autoconfiguration
      •  Used for: router discovery; IPv6 Stateless Address Auto Configuration (SLAAC); IPv6 address resolution (replaces ARP); Neighbor Unreachability Detection (NUD); Duplicate Address Detection (DAD); redirection
      •  Operates above ICMPv6; relies heavily on multicast (including L2 multicast)
      •  Works with ICMP messages and message options
  31. Router discovery
      •  Find default/first-hop routers
      •  Discover on-link prefixes => which destinations are neighbors
      •  Messages: Router Advertisements (RA), Router Solicitations (RS)
      Exchange between host A and router B:
      A -> B, RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = all-routers multicast address (FF02::2); Query = please send RA
      B -> A, RA: ICMP Type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Option = prefix, lifetime
      A then uses B as default gateway.
  32. Rogue router threat
      •  Attacker tricks the victim into accepting him as default router
      •  Based on rogue Router Advertisements
      •  The most frequent threat by non-malicious users
      Exchange between host A, legitimate router B and attacker C:
      C -> all-nodes, RA: Src = C's link-local address; Data = router lifetime, autoconfig flag; Options = subnet prefix, SLLA
      C -> all-nodes, RA spoofing B: Src = B's link-local address; Data = router lifetime = 0
      Result: node A sends off-link traffic to C.
  33. Stateless Address Autoconfiguration (SLAAC)
      •  Stateless, based on prefix information delivered in Router Advertisements
      •  Messages: Router Advertisements, Router Solicitations
      Host -> router, RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = all-routers multicast address (FF02::2); Query = please send RA
      Router -> host, RA: ICMP Type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Options = prefixes X, Y, Z with lifetime
      Host computes X::x, Y::y, Z::z, runs DAD on them (NS), then sources traffic with X::x, Y::y, Z::z.
  34. Bogus prefix threat
      •  Attacker spoofs a Router Advertisement with a false on-link prefix
      •  Victim generates an IP address with this prefix
      •  Access router drops outgoing packets from the victim (ingress filtering)
      •  Incoming packets can't reach the victim
      Exchange between host A, router B and attacker C:
      C -> all-nodes, RA spoofing B: Src = B's link-local address; Options = prefix X, preferred lifetime = 0 (A deprecates X::A)
      C -> all-nodes, RA spoofing B: Src = B's link-local address; Options = prefix BAD, preferred lifetime (A computes BAD::A and runs DAD on it)
      Result: node A sources off-link traffic to B with BAD::A, and B filters out BAD::A.
  35. Address resolution
      •  Resolves IP address into MAC address
      •  Creates neighbor cache entry
      •  Messages: Neighbor Solicitation, Neighbor Advertisement
      Exchange between A and B:
      A -> B, NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B's link-layer address?
      B -> A, NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B's interface addresses; Dst = A; Data = B; Option = link-layer address of B
      A and B can now exchange packets on this link.
  36. Address resolution threat
      •  Attacker can claim the victim's IP address
      Exchange between A, victim B and attacker C:
      A -> solicited-node multicast address of B, NS: Query = what is B's link-layer address?
      C -> A, NA: Src = B or any of C's interface addresses; Dst = A; Data = B; Option = link-layer address of C
  37. Duplicate Address Detection (DAD)
      •  Verify address uniqueness
      •  Probe neighbors to verify nobody claims the address
      •  Messages: Neighbor Solicitation, Neighbor Advertisement
      A -> solicited-node multicast address of A, NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Data = A; Query = does anybody use A already?
      With no answer, node A can start using address A.
  38. DAD threat
      •  Attacker answers any of the victim's DAD attempts
      •  Victim can't configure an IP address and can't communicate
      Exchange between victim A and attacker C:
      A -> solicited-node multicast address of A, NS: Src = UNSPEC; Data = A; Query = does anybody use A already?
      C -> A, NA (“it's mine!”): Src = any of C's interface addresses; Dst = A; Data = A; Option = link-layer address of C
  39. SEND: SEcure Neighbor Discovery – Distributed L2 Security Model
  40. Distributed model (diagram: Internet, L2/link, provisioning infrastructure with certificate server, time server, DHCP server and configuration server, hosts)
      •  Advantages
         –  No central administration, no central operation
         –  No bottleneck, no single point of failure
         –  Intrinsic part of the link operations
         –  Not tied to the L2 infrastructure
         –  Load distribution
      •  Disadvantages
         –  Heavy provisioning of end-nodes
         –  Only provisioned end-nodes are protected
         –  Tied to node capability
         –  Bootstrapping issue
         –  Complexity spread all over the domain
  41. WHAT SEND PROVIDES
      •  Each node on the link takes care of its own security
      •  Verifies router legitimacy
      •  Verifies address ownership
      WHAT SEND DOES NOT PROVIDE
      •  It does not verify other key role legitimacy (DHCP server, NTP, etc.)
      •  It only applies to link operations
      •  It does not provide end-to-end security
      •  It does not guarantee authorization (≠ 802.1X)
  42. •  SeND is NOT a new protocol
      •  SeND is just an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.)
      •  Therefore ND+SeND remains a protocol operating on the link
      •  SeND is a distributed mitigation mechanism
      •  SeND does not provide any end-to-end security
      •  SeND is specified in RFC 3971 and RFC 3972
  43. Cryptographically Generated Addresses (diagram): the node computes its address as Prefix + Interface-id, SIGNs the ND message sent with Src = Address, and the receiver VERIFYs the signature: “My address!”
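The address computation and verification sketched on slide 43, as an added example written for this page (not Cisco code and not a SeND implementation): a minimal Cryptographically Generated Address generator and verifier following the Hash1/Hash2 construction of RFC 3972, restricted to security parameter sec = 0 so the Hash2 work-factor loop is skipped. The public-key bytes, prefix and modifier are constructed placeholders; a real node would use its DER-encoded RSA key and sign the ND message with it, which is not shown here.

```python
"""Added example (not from the Cisco deck): CGA generation and verification
per RFC 3972, sec=0 only. The public key is a constructed placeholder."""
import hashlib
import ipaddress
import os

# Constructed placeholder standing in for a DER-encoded RSA public key.
EXAMPLE_PUBKEY = b"constructed-placeholder-public-key-not-real-DER"
EXAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # documentation prefix


def cga_hash1(modifier, prefix_bytes, collision_count, pubkey):
    """Hash1: leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    data = modifier + prefix_bytes + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def cga_hash2_ok(modifier, pubkey, sec):
    """Hash2 condition: leftmost 16*sec bits of SHA-1(modifier | 9 zero bytes | public key) are zero."""
    if sec == 0:
        return True
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return hash2[: 2 * sec] == bytes(2 * sec)


def generate_cga(prefix, pubkey, sec=0, modifier=None, collision_count=0):
    """Node side: return (address, params); params are what the CGA option carries on the wire."""
    assert sec == 0, "this added example implements sec=0 only"
    modifier = modifier if modifier is not None else os.urandom(16)
    prefix_bytes = prefix.network_address.packed[:8]
    iid = bytearray(cga_hash1(modifier, prefix_bytes, collision_count, pubkey))
    # Bits 0-2 of the interface identifier carry sec; bits 6 and 7 (u/g) are forced to zero.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    address = ipaddress.IPv6Address(prefix_bytes + bytes(iid))
    params = {"modifier": modifier, "prefix": prefix_bytes,
              "collision_count": collision_count, "pubkey": pubkey}
    return address, params


def verify_cga(address, params):
    """Verifier side (a neighbour, or a SeND-aware switch): is this address bound to this key?"""
    packed = address.packed
    if params["collision_count"] > 2:
        return False
    if packed[:8] != params["prefix"]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = cga_hash1(params["modifier"], params["prefix"],
                         params["collision_count"], params["pubkey"])
    # Compare ignoring the sec bits and the u/g bits, as RFC 3972 section 5 prescribes.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    return cga_hash2_ok(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    addr, p = generate_cga(EXAMPLE_PREFIX, EXAMPLE_PUBKEY)
    print(addr, verify_cga(addr, p))
    # A node holding a different key cannot claim the same address.
    print(verify_cga(addr, dict(p, pubkey=b"some-other-key")))
```

The point the slide makes is visible in the last line: because the interface identifier is a hash over the public key, a neighbour that sees the CGA parameters can check that the sender owns the address before trusting the signed ND message; a node with a different key fails the check without any central authority being consulted.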
  44. SeND router authorization (diagram with Certificate Authority CA0 holding certificate C0, router R and a host):
      1. Router R sends a router certificate request to CA0
      2. CA0 issues router certificate CR
      3. R sends a Router Advertisement
      4. Host sends Certificate Path Solicit (CPS): “I trust CA0, who are you?”
      5. R answers with Certificate Path Advertise (CPA): “I am R, this is my certificate CR”
      6. Host verifies CR against CA0
      7. Host starts using R as default gateway
  45. ADMINISTRATIVE BOUNDARY (diagram: CAs, routers and hosts inside and outside the boundary)
      •  A chain of trust is easy to establish within the administrative boundaries, but very hard outside
      •  To benefit fully from SeND, nodes must be:
         –  Provisioned with CA certificate(s)
         –  Time synchronized / have access to the NTP server
         –  Able to access a CRL or OCSP server
  46. Due to transition realities and lack of pervasive support for SeND:
      •  At best there will be a mix of CGA, Router Auth. and old ND support
      •  More likely, a small number of SeND-capable nodes lost in the middle of many non-capable ones. This has almost no value because it's a two-player game: nodes with no SeND/CGA support can't verify SeND/CGA credentials!
  47. Trustee: move to a different deployment model?
  48. Centralized L2 security model
  49. Centralized model (diagram: Internet, L2/link, provisioning infrastructure with certificate server, time server, DHCP server and configuration server, hosts)
      •  Advantages
         –  Central administration, central operation
         –  Complexity and provisioning limited to the first hop
         –  All nodes protected
         –  Transitioning much easier
      •  Disadvantages
         –  Applicable only to certain topologies
         –  Requires the first hop to learn about end-nodes
         –  First hop can be a bottleneck and single point of failure
  50. WHAT IS IT?
      •  Takes care of all nodes' security, primarily from a link-operations standpoint
      •  Leverages information gleaned by snooping link operations
      •  Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.
      REQUIREMENTS
      •  Must be “in the centre” or part of the security perimeter
      •  Requires some provisioning
      •  Must be versatile (NDP, SeND, DHCP, MLD, etc.)
  51. First Hop Security (FHS) (diagram: FHS enforced at each first-hop switch)
  52. Centralized L2 security technology
  53. RA Guard. Goal: to mitigate against rogue RA (diagram: a host claims “I am the default gateway” in a Router Advertisement with prefix option(s); the switch asks “Verification succeeded?” before bridging the RA)
      •  Configuration-based
      •  Learning-based
      •  Challenge-based
      •  Switch selectively accepts or rejects RAs based on various criteria
      •  Can be ACL based, learning based or challenge (SeND) based
      •  Hosts see only allowed RAs, and RAs with allowed content
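One way to express the configuration-based and ACL-based RA Guard decision of slide 53, as an added example in Python written for this page (not Cisco's implementation): the port roles, the trusted router list and the allowed prefix list are a constructed sample policy, and the RAs are constructed messages covering the legitimate case, the rogue-router RA of slide 32, the lifetime-0 “kill the router” RA, and the bogus-prefix RA of slide 34. The hop-limit and link-local checks are the RA validity rules of RFC 4861 and are not on the slide.

```python
"""Added example (not from the Cisco deck): a configuration-based RA Guard
policy evaluated against constructed Router Advertisements."""
import ipaddress

POLICY = {
    # constructed: which switch ports are allowed to carry RAs at all
    "port_roles": {"Gi1/0/1": "router", "Gi1/0/11": "host", "Gi1/0/15": "host"},
    # constructed: router link-local sources the administrator trusts
    "allowed_routers": {ipaddress.IPv6Address("fe80::1")},
    # constructed: prefixes that may be advertised on this link
    "allowed_prefixes": [ipaddress.IPv6Network("2001:db8:1::/64")],
}


def check_ra(ra, policy):
    """Return (accepted, reason) for one RA seen on an access port.
    ra keys: port, src, hop_limit, router_lifetime, prefixes (list of strings)."""
    src = ipaddress.IPv6Address(ra["src"])
    # RFC 4861 validity: ND messages carry hop limit 255 and a link-local source.
    if ra["hop_limit"] != 255:
        return False, "hop limit not 255"
    if not src.is_link_local:
        return False, "source is not link-local"
    # Configuration-based decision: only router-facing ports may inject RAs.
    if policy["port_roles"].get(ra["port"], "host") != "router":
        return False, f"RA on non-router port {ra['port']}"
    # ACL-based decision: the source must be an approved router.
    if src not in policy["allowed_routers"]:
        return False, f"unknown router {src}"
    # Content check: every advertised prefix must be on the allowed list.
    for p in ra["prefixes"]:
        net = ipaddress.IPv6Network(p)
        if net not in policy["allowed_prefixes"]:
            return False, f"prefix {net} not allowed"
    return True, "bridged to hosts"


def filter_ras(ras, policy):
    """Apply the policy to a batch and return only the RAs the hosts will see."""
    return [ra for ra in ras if check_ra(ra, policy)[0]]


SAMPLE_RAS = [  # constructed messages, not captured traffic
    # legitimate router B on the router port
    {"port": "Gi1/0/1", "src": "fe80::1", "hop_limit": 255,
     "router_lifetime": 1800, "prefixes": ["2001:db8:1::/64"]},
    # rogue router C on a host port (slide 32)
    {"port": "Gi1/0/11", "src": "fe80::c", "hop_limit": 255,
     "router_lifetime": 1800, "prefixes": ["2001:db8:1::/64"]},
    # lifetime-0 RA impersonating B from a host port (slide 32)
    {"port": "Gi1/0/15", "src": "fe80::1", "hop_limit": 255,
     "router_lifetime": 0, "prefixes": []},
    # trusted source but a bogus prefix (slide 34)
    {"port": "Gi1/0/1", "src": "fe80::1", "hop_limit": 255,
     "router_lifetime": 1800, "prefixes": ["2001:db8:bad::/64"]},
    # RA that crossed a router: hop limit decremented
    {"port": "Gi1/0/1", "src": "fe80::1", "hop_limit": 64,
     "router_lifetime": 1800, "prefixes": ["2001:db8:1::/64"]},
]

if __name__ == "__main__":
    for ra in SAMPLE_RAS:
        print(ra["port"], ra["src"], check_ra(ra, POLICY))
```

Note that the lifetime-0 RA is rejected on the port role alone: a host port is never allowed to announce or withdraw a router, which is exactly what stops the “router lifetime = 0” attack of slide 32 without any per-message heuristics.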
  54. ACL-based mitigation on an access port:
      ipv6 access-list ACCESS_PORT
       remark Block all traffic DHCP server -> client
       deny udp any eq 547 any eq 546
       remark Block Router Advertisements
       deny icmp any any router-advertisement
       permit ipv6 any any
      interface GigabitEthernet 1/0/1
       switchport
       ipv6 traffic-filter ACCESS_PORT in
  55. Why an ACL is not enough
      •  The extension header chain can be so large that it is fragmented!
      •  Finding the layer 4 information is not trivial in IPv6:
         –  Skip all known extension headers
         –  Until either a known layer 4 header is found => SUCCESS
         –  Or an unknown extension header / layer 4 header is found => FAILURE
         –  Or the end of the extension headers is reached => FAILURE
      Example (diagram): Fragment 1 = IPv6 hdr, Hop-by-Hop, Routing, Destination, Destination; Fragment 2 = IPv6 hdr, Hop-by-Hop, Fragment, ICMP data. The layer 4 header is in the 2nd fragment.
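The header walk described on slide 55, as an added example written for this page in Python (not Cisco code): it skips the known extension headers, stops with SUCCESS at a known layer 4 header, and fails on an unknown header, on a non-first fragment, or when the chain runs off the end of the packet. The packets are constructed inline with zeroed addresses; they are not captured traffic. This is the reason the slide 54 ACL cannot match “udp … eq 547” on a packet whose UDP header sits in a later fragment.

```python
"""Added example (not from the Cisco deck): locating the layer 4 header
behind an IPv6 extension header chain, including fragmented chains."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
SKIPPABLE_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}
LAYER4 = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
IPV6_HDR_LEN = 40


def find_layer4(packet):
    """Return (status, protocol name or failure reason, offset of the layer 4 header)."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return "FAILURE", "not an IPv6 packet", None
    next_hdr, offset = packet[6], IPV6_HDR_LEN
    while True:
        if next_hdr in LAYER4:
            if offset + 4 > len(packet):
                # The chain says "layer 4 comes next" but this fragment ends here.
                return "FAILURE", "layer 4 header not present in this fragment", None
            return "SUCCESS", LAYER4[next_hdr], offset
        if next_hdr == FRAGMENT:
            if offset + 8 > len(packet):
                return "FAILURE", "truncated fragment header", None
            nh, _, frag_info, _ = struct.unpack("!BBHI", packet[offset:offset + 8])
            if (frag_info >> 3) != 0:
                # Non-first fragment: whatever follows is payload, the L4 header is elsewhere.
                return "FAILURE", "layer 4 header is in another fragment", None
            next_hdr, offset = nh, offset + 8
            continue
        if next_hdr in SKIPPABLE_EXT:
            if offset + 2 > len(packet):
                return "FAILURE", "truncated extension header", None
            nh, ext_len = packet[offset], packet[offset + 1]
            hdr_len = (ext_len + 1) * 8  # length is in 8-octet units, not counting the first
            if offset + hdr_len > len(packet):
                return "FAILURE", "end of packet inside extension chain", None
            next_hdr, offset = nh, offset + hdr_len
            continue
        return "FAILURE", f"unknown header type {next_hdr}", None


# Builders for constructed packets (addresses zeroed, not real traffic).
def ext(next_hdr, body=b""):
    """Generic extension header: next header, length in 8-octet units minus one, padded body."""
    total = 2 + len(body)
    padded = total + (-total % 8)
    return bytes([next_hdr, padded // 8 - 1]) + body + bytes(padded - total)


def frag(next_hdr, offset_units, more=True, ident=1):
    """Fragment header: offset in 8-octet units, M flag, identification."""
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | int(more), ident)


def ipv6(next_hdr, payload):
    """Fixed 40-byte IPv6 header (version 6, hop limit 64, zeroed src/dst) plus payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + bytes(32) + payload


ICMP = b"\x80\x00\x00\x00"  # constructed Echo Request type/code/checksum placeholder
PLAIN = ipv6(58, ICMP)
CHAINED = ipv6(HOP_BY_HOP, ext(ROUTING) + ext(DEST_OPTS) + ext(58) + ICMP)
# Slide 55 picture: the first fragment ends inside the header chain ...
FRAG1 = ipv6(HOP_BY_HOP, ext(ROUTING) + ext(FRAGMENT) + frag(DEST_OPTS, 0, more=True) + ext(58))
# ... and the ICMP header only appears in the second fragment.
FRAG2 = ipv6(HOP_BY_HOP, ext(FRAGMENT) + frag(58, 2, more=False) + ICMP)
UNKNOWN = ipv6(HOP_BY_HOP, ext(135) + bytes(8))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("chained", CHAINED), ("frag1", FRAG1),
                      ("frag2", FRAG2), ("unknown", UNKNOWN)]:
        print(name, find_layer4(pkt))
```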
  56. Binding Integrity Guard. Goal: to enforce address ownership and mitigate against address DoS (diagram: host, address glean, binding table, “Valid?” decision before bridging)
      –  Arbitrate collisions, check ownership
      –  Check against the maximum allowed per box/VLAN/port
      –  Record and report changes
  57. Device Tracking. Goal: to track active addresses (devices) on the link
      Binding table (hosts H1, H2, H3 on ports P1, P2, P3):
      IPv6  MAC    VLAN  IF  STATE
      A1    MACH1  100   P1  REACH
      A21   MACH2  100   P2  REACH
      A22   MACH2  100   P2  REACH
      A3    MACH3  100   P3  STALE
      –  Keep track of device state
      –  Probe devices when they become stale
      –  Remove inactive devices from the binding table
      –  Record binding creation/deletion/changes
      Gleaned messages: DAD NS [IP source=UNSPEC, target=A1]; NA [target=A1, LLA=MACH1]; DAD NS [IP source=UNSPEC, target=A3]
  58. DHCP gleaning. Goal: to monitor address allocation and store bindings
      Binding table (hosts H1, H2, H3 and a DHCP server):
      IPv6  MAC    VLAN  IF
      A1    MACH1  100   P1
      A21   MACH2  100   P2
      A22   MACH2  100   P2
      A3    MACH3  100   P3
      Gleaned messages: NS [IP source=A1, LLA=MACH1]; REQUEST [XID, SMAC=MACH2]; REPLY [XID, IP A21, IP A22]; data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target=A3]; DHCP LEASEQUERY; NA [IP source=A1, LLA=MACH3]; DHCP LEASEQUERY_REPLY
  59. Source Guard. Goal: to validate the source address of IPv6 traffic sourced from the link
      Binding table (address glean from hosts H1, H2, H3):
      IPv6  MAC     VLAN  IF
      A1    MACA1   100   P1
      A21   MACA21  100   P2
      A22   MACA22  100   P2
      A3    MACA3   100   P3
      Gleaned messages: DAD NS [IP source=UNSPEC, target=A3]; DHCP LEASEQUERY; NA [target=A1, LLA=MACA3]; DHCP LEASEQUERY_REPLY
      Data traffic: P1 :: data, src=A1, SMAC=MACA1; P2 :: data, src=A21, SMAC=MACA21; P3 :: data, src=A3, SMAC=MACA3
      –  Allow traffic sourced with a known IP/SMAC
      –  Deny traffic sourced with an unknown IP/SMAC
  60. Destination Guard. Goal: to validate the destination address of IPv6 traffic reaching the link (diagram: L3 switch between the Internet and hosts, with binding table, neighbor cache and address glean; a scan of {P/64} with Src=D1 … Src=Dn; lookup of D1 not found => dropped, otherwise forward the packet)
      •  Mitigate prefix-scanning attacks and protect the ND cache
      •  Useful at the last-hop router and L3 distribution switch
      •  Drops packets for destinations without a binding entry
  61. IPv6 at Cisco Live San Diego
      •  ~8660 MAC addresses seen
      •  ~90% of MAC addresses dual-stack capable
      •  More info: http://blogs.cisco.com/borderless/ipv6-at-ciscolive-san-diego/
  62. Summary
      •  BYOD brings new security and scalability challenges to the L2 domain.
      •  Modern devices support and prefer IPv6 connectivity.
      •  Securing the access layer with a single policy mitigates vulnerabilities in L2 mobility environments.
      •  The Cisco IPv6 FHS solution provides solid protection from rogue or mis-configured users in IPv6 or dual-stack networks, and efficiently handles wireless scalability.
  63. Resources
      •  First Hop Security white paper: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html
      •  First Hop Security documentation: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
      •  Cisco Support IPv6 Community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
      •  Product Manager: Rafael Maranon-Abreu, rmaranon@cisco.com
      •  Technical Leader Engineering: Andrew Yourtchenko, ayourtch@cisco.com
  64. •  Thank you!
      •  Please complete the post-event survey
      •  Join us January 9th for our next webinar: Enhancing Application Performance with PfR. Register: www.cisco.com/go/techadvantage
      •  Follow us @GetYourBuildOn