IPv6 First Hop Security:
the IPv6 version of
DHCP snooping and
dynamic ARP inspection
Eric Vyncke
Cisco, CTO/Consulting Engineering
Distinguished Engineer
evyncke@cisco.com


© 2012 Cisco and/or its affiliates. All rights reserved.   Cisco Public   1
[Figure: an attacker with layer-2 access sits beside the hosts, below the firewall that protects the layer-7 data and services; link-layer attacks never cross the firewall. Courtesy of Curt Smith]
Router Advertisements contain:
            - Prefix to be used by hosts
            - Data-link layer address of the router
            - Miscellaneous options: MTU, DHCPv6 use, …

An RA without any authentication gives exactly the same level of security as DHCPv4 (none): a rogue RA enables MITM and DoS.

[Figure: 1. RS from the host (Data = Query: please send RA); 2. RA from the legitimate router and 2. RA from the attacker (Data = options, prefix, lifetime, A+M+O flags)]
• Devastating:
            Denial of service: all traffic sent to a black hole
            Man in the Middle attack: attacker can intercept, listen to and modify unprotected data

• Also affects legacy IPv4-only networks with IPv6-enabled hosts

• Most of the time caused by non-malicious users

• Requires layer-2 adjacency (some relief…)

• The major blocking factor for enterprise IPv6 deployment
Where                                                     What

 Routers                                                   Increase “legal” router preference
 Hosts                                                     Disabling Stateless Address Autoconfiguration
 Routers & Hosts                                           SeND “Router Authorization”
 Switch (First Hop)                                        Host isolation
 Switch (First Hop)                                        Port Access List (PACL)
 Switch (First Hop)                                        RA Guard




• RFC 3972 Cryptographically Generated Addresses (CGA)
                IPv6 addresses whose interface identifiers are cryptographically
                generated from the node's public key
• SeND adds a signature option to the Neighbor Discovery Protocol
                Signed with the node's private key
                Node public key is sent in the clear (and linked to the CGA)
• Very powerful
                If MAC spoofing is prevented
                But not a lot of implementations: Cisco IOS, Linux, some H3C, third
                party for Windows
• Each device has an RSA key pair (no need for a certificate)
• Ultra light check for validity
• Prevents spoofing a valid CGA address

[Figure: Modifier + Public Key + Subnet Prefix → SHA-1 → Interface Identifier; Subnet Prefix | Interface Identifier = Cryptographically Generated Address. The inputs are carried in the CGA Params block of the SeND messages, which are signed with the private key]
• Adding an X.509 certificate to the RA
• Subject Name contains the list of authorized IPv6 prefixes

[Figure: a Trust Anchor issues an X.509 cert to the router; the Router Advertisement has SourceAddr = CGA, carries the CGA param block (incl. pub key) and is signed; the host holds the Trust Anchor to validate the router's certificate]
• Prevent node-to-node layer-2 communication by using:
                   1 VLAN per host (SP access network with Broadband Network Gateway)
                   Private VLANs (PVLAN) where a node can only contact the official router

• Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
• Can also be used on wireless in 'AP Isolation Mode'

[Figure: two PCs (public IPv6), each behind a CPE on its own PVLAN; only the BNG sends RAs]
• Port ACL blocks all ICMPv6 Router Advertisements from hosts

                             interface FastEthernet3/13
                              switchport mode access
                              ipv6 traffic-filter ACCESS_PORT in
                              access-group mode prefer port

[Figure: RAs sent by hosts are dropped at their access ports; only the router's RA reaches the hosts]
[Figure: a host receives "I am the default gateway" Router Advertisement (Option: prefix(s)); the switch runs verification (configuration-based, learning-based, challenge-based) and bridges the RA only if verification succeeded]

  • Switch selectively accepts or rejects RAs based on various criteria
  • Can be ACL based, learning based or challenge (SeND) based
  • Hosts see only allowed RAs, and RAs with allowed content
• The extension header chain can be so large that it is fragmented!
• RFC 3128 is not applicable to IPv6
• Layer-4 information could be in the 2nd fragment

[Figure: Fragment 1: IPv6 hdr | HopByHop | Routing | Fragment | Destination; Fragment 2: IPv6 hdr | HopByHop | Routing | Fragment | TCP | Data. The layer-4 header is in the 2nd fragment]
• RFC 3128 is not applicable to IPv6: extension headers can be fragmented
• The ICMP header could be in the 2nd fragment, after a fragmented extension header
• RA Guard works like a stateless ACL filtering ICMPv6 type 134
• THC fake_router6 -FD implements this attack, which bypasses RA Guard
• Partial work-around: block all fragments sent to ff02::1
                          'undetermined-transport' is even better
                          Does not work in a SeND environment (larger packets), but then there is no need for RA Guard

[Figure: Fragment 1: IPv6 hdr | HopByHop | Routing | Fragment | Destination…; Fragment 2: IPv6 hdr | HopByHop | Routing | Fragment | …Destination | ICMP type=134. The ICMP header is in the 2nd fragment: RA Guard has no clue where to find it!]
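To make the bypass and the two work-arounds concrete, here is an added example (not code from the slides, and not the fake_router6 tool itself) that walks the header chain of an IPv6 packet the way a stateless first-hop filter has to, without reassembly. The packets are constructed inline: a plain rogue RA, the two fragments of an RA whose Destination Options header straddles the fragment boundary, and a legitimate fragmented TCP segment. The three filter modes `none`, `frag-ff02::1` and `undetermined-transport` are this example's names for the behaviours the slide describes, not vendor syntax.

```python
"""Stateless header-chain walk versus a fragmented extension-header chain.

Added example; not code from the original slides. Packets are constructed
inline; filter modes model the slide's work-arounds, not any vendor's syntax.
"""
import struct

NH_HOPOPTS, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 0, 6, 43, 44, 58, 60
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")      # ff02::1
ICMPV6_RA = 134


def classify(pkt: bytes) -> dict:
    """What a stateless filter can learn from one packet: the transport protocol
    if the chain ends inside this packet, otherwise why it could not be found."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"dst": pkt[24:40], "fragment": False, "transport": None, "icmp_type": None}
    nh, off = pkt[6], 40
    while True:
        if nh == NH_FRAGMENT:
            if off + 8 > len(pkt):
                info["reason"] = "truncated"
                return info
            info["fragment"] = True
            nh = pkt[off]
            offset_units = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if offset_units:                        # non-first fragment: chain is not here
                info["reason"] = "non-first fragment"
                return info
        elif nh in EXT_HEADERS:
            if off + 2 > len(pkt):
                info["reason"] = "chain continues in next fragment"
                return info
            ext_len = (pkt[off + 1] + 1) * 8        # Hdr Ext Len excludes the first 8 octets
            if off + ext_len > len(pkt):            # header itself is split across fragments
                info["reason"] = "chain continues in next fragment"
                return info
            nh, off = pkt[off], off + ext_len
        else:
            if off + 4 > len(pkt):                  # upper-layer header not in this fragment
                info["reason"] = "chain continues in next fragment"
                return info
            info["transport"] = nh
            if nh == NH_ICMPV6:
                info["icmp_type"] = pkt[off]
            info["reason"] = "ok"
            return info


def first_hop_filter(pkt: bytes, workaround: str = "none") -> str:
    """RA Guard on a host-facing port: drop ICMPv6 type 134.
    workaround: 'none' | 'frag-ff02::1' | 'undetermined-transport'."""
    info = classify(pkt)
    if info["transport"] == NH_ICMPV6 and info["icmp_type"] == ICMPV6_RA:
        return "drop: RA"
    if workaround == "frag-ff02::1" and info["fragment"] and info["dst"] == ALL_NODES:
        return "drop: fragment to ff02::1"
    if workaround == "undetermined-transport" and info["reason"] == "chain continues in next fragment":
        return "drop: undetermined-transport"
    return "permit"


def ipv6(nh: int, payload: bytes, dst: bytes = ALL_NODES) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 14)            # constructed link-local source
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 255) + src + dst + payload


def ext_hdr(next_hdr: int, extra_units: int) -> bytes:
    """Generic extension header: next header, Hdr Ext Len, zero (Pad1) payload."""
    return bytes([next_hdr, extra_units]) + bytes(6 + 8 * extra_units)


def frag_hdr(next_hdr: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | int(more), 0x1234)


def rogue_ra_fragments() -> tuple:
    """Shape of the attack on the slide: the Destination Options header (32 bytes)
    is split so that the ICMPv6 type byte only exists in fragment 2."""
    unfragmentable = ext_hdr(NH_ROUTING, 0) + ext_hdr(NH_FRAGMENT, 0)   # HbH -> Routing -> Fragment
    fragmentable = ext_hdr(NH_ICMPV6, 3) + bytes([ICMPV6_RA, 0]) + bytes(14)
    f1 = ipv6(NH_HOPOPTS, unfragmentable + frag_hdr(NH_DSTOPTS, 0, True) + fragmentable[:8])
    f2 = ipv6(NH_HOPOPTS, unfragmentable + frag_hdr(NH_DSTOPTS, 1, False) + fragmentable[8:])
    return f1, f2


def plain_rogue_ra() -> bytes:
    return ipv6(NH_ICMPV6, bytes([ICMPV6_RA, 0]) + bytes(14))


def legit_fragmented_tcp() -> bytes:
    """First fragment of a TCP segment to a unicast host: transport header present."""
    dst = bytes.fromhex("20010db8" + "00" * 11 + "01")
    return ipv6(NH_FRAGMENT, frag_hdr(NH_TCP, 0, True) + bytes(20) + b"payload", dst=dst)
```

With `workaround="none"` both attack fragments are permitted, and the host reassembles a valid RA: that is the bypass. Dropping fragments to ff02::1 catches both fragments but nothing unicast; `undetermined-transport` drops only the first fragment, which is enough since the host can never complete reassembly, and it leaves the legitimate TCP fragment alone. As a later caveat, RFC 7112 (2014) made a first fragment that does not contain the whole header chain invalid, which is what makes the second work-around safe to apply broadly.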
For Your Reference

      • Each FH feature provides a configuration mode to create and populate
              policies (+ one implicit "default" policy)
                    ipv6 nd raguard policy MYHOST
                      device-role host

      • Each FH feature provides commands to attach policies to targets:
              box, vlan, port
                    vlan configuration 100
                      ipv6 nd raguard attach-policy MYHOST
                      ipv6 snooping
                    interface Ethernet0/0
                      ipv6 nd raguard attach-policy MYROUTER

      • Packets are processed by the lowest-level matching policy for each
              feature
                      − Packets received on Ethernet0/0 are processed by RA Guard policy
                        "MYROUTER" AND snooping policy "default"
                      − Packets received on any other port of vlan 100 are processed by
                        RA Guard policy "MYHOST" AND snooping policy "default"
For Your Reference

Step 1: Configure policies

                    ipv6 nd raguard policy HOST
                      device-role host
                    ipv6 nd raguard policy ROUTER
                      device-role router
                    ipv6 snooping policy NODE
                      tracking enable
                      limit address-count 10
                      security-level guard
                    ipv6 snooping policy SERVER
                      trusted-port
                      tracking disable
                      security-level glean

Step 2: Attach policies to targets

                    Vlan:
                    vlan configuration 100-200
                      ipv6 nd raguard attach-policy HOST
                    vlan configuration 100,101
                      ipv6 snooping attach-policy NODE

                    Port:
                    interface Ethernet0/0
                      ipv6 nd raguard attach-policy ROUTER
                    interface Ethernet1/0
                      ipv6 snooping attach-policy SERVER
[Figure: example topology, vlan 100: HOST, DUMB, ROUTER, PEER, VILLAIN and CAT all attached to SWITCH]
[Figure: legacy IPv4-only network (Internet reached over IPv4) with IPv6-enabled hosts. 1) A host: "I want IPv6, send RA". 2) A rogue router sends an RA with a prefix for auto-configuration. 3) Every host: "Yahoo! IPv6" and configures a global address. 4) Default protection: the hosts have IPv4 protection (iptables, ipfw, Security Center) but for IPv6: no ip6tables ✗, no ip6fw ✗, Security Center ✔]
[Figure: same network once the legitimate router is configured. 1) A host: "I want IPv6, send RA". 2) The router sends an RA with "no auto-config" (A flag cleared). 3) The server with a static IPv6 address: "Yahoo!"; the other hosts get no IPv6 SLAAC address. IPv4 protection unchanged: iptables, ipfw, Security Center]
• Pretty much like RA: no authentication
            Any node can 'steal' the IP address of any other node
            Impersonation leading to denial of service or MITM

• Requires layer-2 adjacency

• IETF SAVI Source Address Validation Improvements (work in progress)
Where                                                    What
  Routers & Hosts                                          configure static neighbor cache entries
  Routers & Hosts                                          Use CryptoGraphic Addresses (SeND CGA)
  Switch (First Hop)                                       Host isolation
  Switch (First Hop)                                       Address watch
                                                                     •     Glean addresses in NDP and DHCP
                                                                     •     Establish and enforce rules for address ownership




• Objectives for address ownership:
            Enable the ND message sender to provide proof of ownership of the address and
            the receiver to validate the proof
            Verify that the address is either the source of the ND message or the "target"
            for DAD messages (when the source is UNSPEC)
            This is a SeND feature

• Protocol overview
            Hosts (and routers) generate a pair of RSA keys
            The public key is hashed to create a Cryptographically Generated Address (CGA)
            ND messages are signed with the private key
            Both the public key and the signature are provided in ND messages
            Receivers must verify the signature and the address/key consistency (address =
            hash(key))
            No key distribution required!
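The CGA construction sketched on the SeND slide earlier (modifier, public key and subnet prefix hashed with SHA-1 into the interface identifier) and the ownership check above can be run end to end. This added example, not code from the slides, implements RFC 3972 generation and verification, including the Sec parameter that forces leading zero bits in the second hash. The "public key" is a constructed byte string standing in for the DER-encoded RSA public key; the SeND signature over the ND message itself is not shown, since verifying it is ordinary RSA once the address-to-key binding below holds.

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification.

Added example; not code from the original slides. The public key is a
constructed byte string standing in for a DER-encoded RSA public key; the SeND
signature over the ND message (made with the private key) is not shown.
"""
import hashlib
import ipaddress
import random
from typing import Optional


def _hash1(cga_params: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    return hashlib.sha1(cga_params).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over the parameters with the subnet prefix
    (8 bytes) and collision count (1 byte) zeroed (RFC 3972 section 4, step 2)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    """The 16*Sec leftmost bits of Hash2 must be zero."""
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix: bytes, pubkey: bytes, sec: int,
                 rng: Optional[random.Random] = None, collision_count: int = 0) -> tuple:
    """Return (address, cga_params) for a 64-bit subnet prefix. Cost is about
    2**(16*Sec) SHA-1 computations; Sec buys resistance against an attacker
    brute-forcing a key that hashes to an existing address."""
    if len(prefix) != 8 or not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("bad prefix length, Sec or collision count")
    rng = rng or random.SystemRandom()
    while True:                                          # steps 1-3: find a suitable modifier
        modifier = rng.getrandbits(128).to_bytes(16, "big")
        if _hash2_ok(_hash2(modifier, pubkey), sec):
            break
    params = modifier + prefix + bytes([collision_count]) + pubkey   # steps 4-5
    iid = bytearray(_hash1(params))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)    # step 6: bits 0-2 := Sec, bits 6-7 (u, g) := 0
    # step 7 (DAD, retry with collision_count + 1 on a collision) belongs to the ND stack
    return prefix + bytes(iid), params


def verify_cga(address: bytes, cga_params: bytes) -> bool:
    """RFC 3972 section 5: anyone can check the address <-> key binding, no PKI needed."""
    if len(address) != 16 or len(cga_params) < 26:
        return False
    modifier, prefix, collision_count = cga_params[:16], cga_params[16:24], cga_params[24]
    pubkey = cga_params[25:]
    if collision_count > 2 or prefix != address[:8]:
        return False
    iid, h1 = address[8:], _hash1(cga_params)
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:   # ignore Sec, u and g bits
        return False
    sec = iid[0] >> 5
    return _hash2_ok(_hash2(modifier, pubkey), sec)


def demo(sec: int = 1) -> dict:
    """Generate one CGA under 2001:db8:1::/64 and try two spoofing moves against it."""
    prefix = ipaddress.IPv6Address("2001:db8:1::").packed[:8]
    pubkey = b"\x30\x82" + bytes(range(64))        # constructed stand-in for a DER RSAPublicKey
    addr, params = generate_cga(prefix, pubkey, sec, random.Random(2012))
    # Attacker keeps the victim's address but substitutes its own key: Hash1 no longer matches.
    key_swapped = params[:25] + b"\x30\x82" + bytes(64)
    # The same parameters replayed on another link: the prefix is part of the hash input.
    other_prefix = ipaddress.IPv6Address("2001:db8:2::").packed[:8] + addr[8:]
    return {
        "address": str(ipaddress.IPv6Address(addr)),
        "sec": addr[8] >> 5,
        "u_g_cleared": addr[8] & 0x03 == 0,
        "valid": verify_cga(addr, params),
        "key_swapped_rejected": not verify_cga(addr, key_swapped),
        "other_prefix_rejected": not verify_cga(other_prefix, params),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the slides assume and this makes explicit: the check is a hash recomputation and nothing else (the "ultra light check"), and a CGA proves only that the sender holds the key the address was derived from. It says nothing about whether that key belongs to a legitimate router; that is what the X.509 router authorization adds.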
• If a switch wants to enforce the <IP address, MAC address> mappings, how does it learn them?
• Multiple sources of information
            SeND: verify the signature in NDP messages, then add the mapping
            DHCP: snoop all messages from the DHCP server to learn the mapping (same as in
            IPv4)
            NDP: more challenging, but 'first come, first served'
                 The first node claiming to have an address will have it
Binding table (on the switch, vlan 100):

                                             ADR   MAC        VLAN    IF
                                             A1    MACH1      100     P1
                                             A21   MACH2      100     P2
                                             A22   MACH2      100     P2
                                             A3    MACH3      100     P3

How each entry was learned:
     H1 (port P1): NS [IP source=A1, LLA=MACH1] → A1/MACH1 gleaned from NDP
     H2 (port P2): DHCP REQUEST [XID, SMAC=MACH2] to the DHCP server; REPLY [XID, IP=A21, IP=A22] → A21, A22/MACH2 gleaned from DHCP
     H3 (port P3): data [IP source=A3, SMAC=MACH3] arrives with no binding yet → the switch checks ownership with a DAD NS [IP source=UNSPEC, target=A3] answered by NA [IP source=A3, LLA=MACH3], or asks the DHCP server with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
[Figure: the host's packet enters the switch; Address glean populates the binding table; the switch arbitrates collisions and checks ownership, checks against the max allowed per box/vlan/port, records & reports changes; if valid, the packet is bridged]

•       Preference is a function of: configuration, learning method, credential provided
•       Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP
        preferred over dynamic, not trusted, not CGA, SLAAC)
•       For collisions with the same preference, choose First Come, First Served
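The binding table, the arbitration rules and the per-port limit above fit in a small model. This is an added example, not code from the slides or any switch: it replays the learning events of the previous slide, then lets a rogue node try to claim addresses it does not own. The preference order follows the slide's text and the limit of 10 follows the `limit address-count 10` policy shown earlier; the origin labels (`static`, `trusted-port`, `cga`, `dhcp`, `slaac`) and the message model are this example's assumptions.

```python
"""First-hop binding table: glean <address, MAC, VLAN, port>, arbitrate
collisions by preference, fall back to first-come-first-served, enforce a
per-port address limit, and answer ownership checks for the data plane.

Added example; not code from the original slides. Preference order and the
limit of 10 follow the slides; the origin labels and message model are assumed.
"""
from dataclasses import dataclass

# Higher value wins a collision: static, trusted, CGA, DHCP beat dynamic / not trusted / SLAAC.
PREFERENCE = {"static": 4, "trusted-port": 3, "cga": 2, "dhcp": 1, "slaac": 0}


@dataclass(frozen=True)
class Binding:
    addr: str
    mac: str
    vlan: int
    port: str
    origin: str


class BindingTable:
    def __init__(self, max_per_port: int = 10):
        self.max_per_port = max_per_port                  # "limit address-count 10"
        self.table: dict = {}                             # (addr, vlan) -> Binding
        self.events: list = []                            # "record & report changes"

    def addresses_on(self, port: str) -> int:
        return sum(1 for b in self.table.values() if b.port == port)

    def glean(self, addr: str, mac: str, vlan: int, port: str, origin: str) -> bool:
        """Learn from an NS/NA, a DHCP reply or a static/trusted configuration.
        Returns True if the claim is accepted and the packet bridged."""
        key, cand = (addr, vlan), Binding(addr, mac, vlan, port, origin)
        cur = self.table.get(key)
        if cur is None:
            if self.addresses_on(port) >= self.max_per_port:
                self.events.append(f"limit: {port} holds {self.max_per_port} addresses, {addr} refused")
                return False
            self.table[key] = cand
            self.events.append(f"learn: {addr} -> {mac} vlan {vlan} {port} via {origin}")
            return True
        if (cur.mac, cur.port) == (mac, port):
            return True                                   # same owner refreshing its entry
        if PREFERENCE[origin] > PREFERENCE[cur.origin]:   # collision: the better credential wins
            self.table[key] = cand
            self.events.append(f"change: {addr} moved {cur.mac}/{cur.port} -> {mac}/{port} ({origin} > {cur.origin})")
            return True
        # equal or lower preference: first come, first served, the new claim is dropped
        self.events.append(f"drop: {addr} claimed by {mac}/{port}, owned by {cur.mac}/{cur.port} via {cur.origin}")
        return False

    def owns(self, addr: str, mac: str, vlan: int, port: str) -> bool:
        """Data-plane check (source guard): is <addr, mac, port> the recorded owner?"""
        b = self.table.get((addr, vlan))
        return b is not None and (b.mac, b.port) == (mac, port)


def demo() -> dict:
    """Slide 25's learning events, then a rogue node (VILLAIN on P4) and a trusted server."""
    bt = BindingTable(max_per_port=10)
    bt.glean("A1", "MACH1", 100, "P1", "slaac")           # H1: NS [IP source=A1, LLA=MACH1]
    bt.glean("A21", "MACH2", 100, "P2", "dhcp")           # H2: DHCP REPLY [IP=A21, IP=A22]
    bt.glean("A22", "MACH2", 100, "P2", "dhcp")
    bt.glean("A3", "MACH3", 100, "P3", "slaac")           # H3: NA [IP source=A3, LLA=MACH3] after DAD NS
    results = {
        "h3_data_ok": bt.owns("A3", "MACH3", 100, "P3"),
        "villain_steals_a1": bt.glean("A1", "MACVIL", 100, "P4", "slaac"),    # same pref: FCFS
        "villain_steals_a21": bt.glean("A21", "MACVIL", 100, "P4", "slaac"),  # dhcp > slaac
        "villain_spoofs_a1_data": bt.owns("A1", "MACVIL", 100, "P4"),
        "server_trusted_takes_a3": bt.glean("A3", "MACSRV", 100, "P5", "trusted-port"),
    }
    # Address flood from P4: only the first 10 addresses are accepted on that port.
    accepted = [bt.glean(f"V{i}", "MACVIL", 100, "P4", "slaac") for i in range(11)]
    results["flood_accepted"] = sum(accepted)
    results["events"] = bt.events
    return results


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

Two behaviours are worth noticing in the output. The rogue claim on A1 loses only because H1 was first; with NDP as the sole source, first-come-first-served is the best the switch can do, which is why DHCP or SeND evidence is ranked above it. And the per-port cap is what stops the flood variant of the attack, where the rogue does not steal anything but simply fills the table.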
• IPv6 VLAN ACL & RA Guard:
                    12.2(54)SG, 3.2.0SG, 15.0(2)SG, 12.2(33)SXI4


             • NDP inspection: 12.2(50)SY and 15.0(1)SY

                      For more Information:
                      http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-
                      roadmap.html
                      http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-
                      2mt/ip6-first-hop-security.html




• DHCP Guard
• Source Guard
• Multi Switch operation
• RA Throttler
• NDP Multicast Suppress
• Destination Guard
• Prefix Guard
• DAD Proxy
• Binding Table Recovery
• SVI support

Several of those features are already in WLC 7.2
• Remote router CPU/memory DoS attack if aggressive scanning
            Router will do Neighbor Discovery... and waste CPU and memory

• Local router DoS with NS/RS/…

[Figure: a remote scanner sends packets to 2001:db8::1, 2001:db8::2, 2001:db8::3, … on the 2001:db8::/64 link; for every address the router emits an NS and creates a neighbor cache entry]
• Mainly an implementation issue
              Rate limiter, global and per interface
              Prioritize renewal (PROBE) rather than new resolution
              Maximum neighbor cache entries per interface and per MAC address
• Internet edge/presence: a target of choice
                Ingress ACL permitting traffic to specific statically configured (virtual)
                IPv6 addresses only
                Allocate and configure a /64 but use addresses fitting in a /120 in
                order to have a simple ingress ACL
• Using a /64 on point-to-point links => a lot of addresses to scan!
               Using /127 could help (RFC 6164)
• Using an infrastructure ACL prevents this scanning
               iACL: edge ACL denying packets addressed to your routers
               Easy with IPv6 because a new addressing scheme can be done
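The two slides above describe the attack and three defences: cap new resolutions, keep renewals flowing, and shrink the address space that can reach neighbor discovery at all. This added example, not code from the slides or any router, simulates a router-side neighbor cache under a sequential sweep of a /64 with and without those safeguards. The limit of 64 INCOMPLETE entries, the 4096-address scan and the /120 ingress ACL are constructed values; real implementations differ in how they bound and age entries.

```python
"""Neighbor cache exhaustion by a remote address scan, with and without the
safeguards from the slide: cap on new resolutions per interface, priority for
renewals, and an ingress ACL that exposes only the /120 actually in use.

Added example; not code from the original slides. Limits, addresses and the
scan are constructed.
"""
import ipaddress
from typing import Optional


class NeighborCache:
    """Per-interface neighbor cache, RFC 4861 states simplified."""

    def __init__(self, incomplete_limit: Optional[int] = None):
        self.entries: dict = {}          # address -> INCOMPLETE | REACHABLE | STALE | PROBE
        self.incomplete_limit = incomplete_limit
        self.ns_sent = 0
        self.refused = 0

    def incomplete(self) -> int:
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")

    def forward(self, dst: str) -> str:
        """The router holds a packet for on-link dst and needs its link-layer address."""
        state = self.entries.get(dst)
        if state in ("REACHABLE", "STALE", "PROBE"):
            return "send"                                  # cached link-layer address
        if state == "INCOMPLETE":
            return "queue"                                 # resolution already in flight
        # A new resolution costs an INCOMPLETE entry, a queued packet, a timer and a multicast NS.
        if self.incomplete_limit is not None and self.incomplete() >= self.incomplete_limit:
            self.refused += 1
            return "drop: resolution limit"
        self.entries[dst] = "INCOMPLETE"
        self.ns_sent += 1
        return "queue+NS"

    def nud_probe(self, dst: str) -> str:
        """Renewal of a known neighbor (NUD PROBE): prioritized, never subject to the cap."""
        if self.entries.get(dst) in (None, "INCOMPLETE"):
            return "not a neighbor"
        self.entries[dst] = "PROBE"
        self.ns_sent += 1
        return "unicast NS"

    def neighbor_advertised(self, dst: str) -> None:
        self.entries[dst] = "REACHABLE"


def scan(cache: NeighborCache, prefix: str, count: int, acl_permit: Optional[str] = None) -> dict:
    """Remote attacker sweeps the first `count` addresses of `prefix`. With acl_permit
    set, only packets for that subnet reach neighbor discovery (ingress ACL)."""
    net = ipaddress.IPv6Network(prefix)
    permitted = ipaddress.IPv6Network(acl_permit) if acl_permit else None
    acl_dropped = 0
    for i in range(1, count + 1):
        target = net.network_address + i
        if permitted is not None and target not in permitted:
            acl_dropped += 1
            continue
        cache.forward(str(target))
    return {"entries": len(cache.entries), "ns_sent": cache.ns_sent,
            "refused": cache.refused, "acl_dropped": acl_dropped}


def demo() -> dict:
    real_host = "2001:db8::ffff"            # one legitimate, already-resolved neighbor
    out = {}
    # 1. Naive implementation: every scanned address costs an entry and a multicast NS.
    c = NeighborCache()
    c.neighbor_advertised(real_host)
    out["no_limit"] = scan(c, "2001:db8::/64", 4096)
    out["no_limit_real_host_ok"] = c.forward(real_host) == "send"
    # 2. Capped new resolutions: the cache saturates at the limit, renewals still go out.
    c = NeighborCache(incomplete_limit=64)
    c.neighbor_advertised(real_host)
    out["limit"] = scan(c, "2001:db8::/64", 4096)
    out["limit_probe_ok"] = c.nud_probe(real_host) == "unicast NS"
    # 3. Ingress ACL: a /64 is configured, but only the /120 with real servers reaches ND.
    c = NeighborCache(incomplete_limit=64)
    out["acl"] = scan(c, "2001:db8::/64", 4096, acl_permit="2001:db8::/120")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Without a cap, 4096 scanned addresses mean 4096 entries and 4096 multicast NS on the link, and a real /64 offers 2^64 of them. With the cap the cache holds 64 INCOMPLETE entries plus the real host, the rest is refused, and the existing neighbor's renewal is unaffected. The ACL case shows why the /120 trick helps independently of the implementation: of 4096 probes only the 255 addresses inside the /120 even reach neighbor discovery.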
• Built-in rate limiter but no option to tune it
                        Since 15.1(3)T: ipv6 nd cache interface-limit
                        Or IOS-XE 2.6: ipv6 nd resolution data limit
                        Destination-guard is coming with First Hop Security phase 3




• Without a secure layer 2, there is no upper-layer security

• Rogue Router Advertisement is the most common threat

• Mitigation techniques
            Host isolation
            Secure Neighbor Discovery: but not a lot of implementations
            SAVI-based techniques: discover the 'right' information and drop RA/NA
            with wrong information
            Last remaining issue: (overlapped) fragments => drop all fragments…

• Neighbor cache exhaustion
            Use a good implementation
            Expose only a small part of the addresses and block the rest via ACL

• Products are now available implementing these techniques ;-)
Thank you.

Software Defined Data Centers - June 2012Brent Salisbury
 
Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010Michael Graves
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...gogo6
 
Outside The Wire
Outside The WireOutside The Wire
Outside The WireSalo Shp
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6Shixiong Shang
 
Oracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedOracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedFuad Arshad
 
OpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosOpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosBrent Salisbury
 
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPROIDEA
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumJean-Christophe "JC" Martin
 
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...PROIDEA
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?Steve Simlo
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationMichelle Holley
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 

Similar to Eric Vyncke - Layer-2 security, ipv6 norway (20)

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
NZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATNZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NAT
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of View
 
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
 
AusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATAusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NAT
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on Security
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012
 
Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
 
Outside The Wire
Outside The WireOutside The Wire
Outside The Wire
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6
 
Oracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedOracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings Attached
 
OpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosOpenStack and OpenFlow Demos
OpenStack and OpenFlow Demos
 
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with Quantum
 
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...
PLNOG15: Practical deployments of Kea, a high performance scalable DHCP - Tom...
 
Advanced Topics in IP Multicast Deployment
Advanced Topics in IP Multicast DeploymentAdvanced Topics in IP Multicast Deployment
Advanced Topics in IP Multicast Deployment
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway Application
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 

More from IKT-Norge

Lars Johan Bjørkevoll, Xeneta
Lars Johan Bjørkevoll, XenetaLars Johan Bjørkevoll, Xeneta
Lars Johan Bjørkevoll, XenetaIKT-Norge
 
Erik Stokkeland
Erik Stokkeland Erik Stokkeland
Erik Stokkeland IKT-Norge
 
Ketil Widerberg
Ketil WiderbergKetil Widerberg
Ketil WiderbergIKT-Norge
 
Randi Marjamaa
Randi MarjamaaRandi Marjamaa
Randi MarjamaaIKT-Norge
 
Eirik Norman Hansen
Eirik Norman Hansen Eirik Norman Hansen
Eirik Norman Hansen IKT-Norge
 
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015IKT-Norge
 
Læringsanalyse – Arne Krokan
Læringsanalyse – Arne KrokanLæringsanalyse – Arne Krokan
Læringsanalyse – Arne KrokanIKT-Norge
 
Læringsanalyse – Yngve Lindvig
Læringsanalyse – Yngve LindvigLæringsanalyse – Yngve Lindvig
Læringsanalyse – Yngve LindvigIKT-Norge
 
Multi Smart Øving – skjermbilder
Multi Smart Øving – skjermbilderMulti Smart Øving – skjermbilder
Multi Smart Øving – skjermbilderIKT-Norge
 
NEO2015: Zwipe
NEO2015: ZwipeNEO2015: Zwipe
NEO2015: ZwipeIKT-Norge
 
NEO2015: Crypho
NEO2015: CryphoNEO2015: Crypho
NEO2015: CryphoIKT-Norge
 
NEO2015: Bartec Pixavi
NEO2015: Bartec PixaviNEO2015: Bartec Pixavi
NEO2015: Bartec PixaviIKT-Norge
 
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015IKT-Norge
 
NEO2015: Filmgrail
NEO2015: FilmgrailNEO2015: Filmgrail
NEO2015: FilmgrailIKT-Norge
 
NEO2015: Home Control
NEO2015: Home ControlNEO2015: Home Control
NEO2015: Home ControlIKT-Norge
 
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015IKT-Norge
 
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...IKT-Norge
 
NEO2015: Xeneta
NEO2015: XenetaNEO2015: Xeneta
NEO2015: XenetaIKT-Norge
 
NEO2015: Hatteland
NEO2015: HattelandNEO2015: Hatteland
NEO2015: HattelandIKT-Norge
 

More from IKT-Norge (20)

Lars Johan Bjørkevoll, Xeneta
Lars Johan Bjørkevoll, XenetaLars Johan Bjørkevoll, Xeneta
Lars Johan Bjørkevoll, Xeneta
 
Erik Stokkeland
Erik Stokkeland Erik Stokkeland
Erik Stokkeland
 
Ketil Widerberg
Ketil WiderbergKetil Widerberg
Ketil Widerberg
 
Randi Marjamaa
Randi MarjamaaRandi Marjamaa
Randi Marjamaa
 
Roar Olsen
Roar Olsen Roar Olsen
Roar Olsen
 
Eirik Norman Hansen
Eirik Norman Hansen Eirik Norman Hansen
Eirik Norman Hansen
 
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015
Roger Schjervas innlegg for produktivitetskommisjonen 19.05.2015
 
Læringsanalyse – Arne Krokan
Læringsanalyse – Arne KrokanLæringsanalyse – Arne Krokan
Læringsanalyse – Arne Krokan
 
Læringsanalyse – Yngve Lindvig
Læringsanalyse – Yngve LindvigLæringsanalyse – Yngve Lindvig
Læringsanalyse – Yngve Lindvig
 
Multi Smart Øving – skjermbilder
Multi Smart Øving – skjermbilderMulti Smart Øving – skjermbilder
Multi Smart Øving – skjermbilder
 
NEO2015: Zwipe
NEO2015: ZwipeNEO2015: Zwipe
NEO2015: Zwipe
 
NEO2015: Crypho
NEO2015: CryphoNEO2015: Crypho
NEO2015: Crypho
 
NEO2015: Bartec Pixavi
NEO2015: Bartec PixaviNEO2015: Bartec Pixavi
NEO2015: Bartec Pixavi
 
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015
Verdiskaping i en digital verden: Næringsminister Monica Mæland på NEO2015
 
NEO2015: Filmgrail
NEO2015: FilmgrailNEO2015: Filmgrail
NEO2015: Filmgrail
 
NEO2015: Home Control
NEO2015: Home ControlNEO2015: Home Control
NEO2015: Home Control
 
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015
Et digitalt #drømmeløft for Norge: Innovasjon Norge-keynote på NEO2015
 
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...
NEO2015: The Trampery keynote. Creating a global innovation cluster: Lessons ...
 
NEO2015: Xeneta
NEO2015: XenetaNEO2015: Xeneta
NEO2015: Xeneta
 
NEO2015: Hatteland
NEO2015: HattelandNEO2015: Hatteland
NEO2015: Hatteland
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Eric Vyncke - Layer-2 security, ipv6 norway

  • 1. IPv6 First Hop Security: the IPv6 version of DHCP snooping and dynamic ARP inspection
    Eric Vyncke, Cisco, CTO/Consulting Engineering, Distinguished Engineer, evyncke@cisco.com
    © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. (Diagram: Layer-7 data and services, a firewall, and an attacker sitting on the Layer-2 segment. Courtesy of Curt Smith.)
  • 4. Router Advertisements contain:
    - the prefix to be used by hosts
    - the data-link layer address of the router
    - miscellaneous options: MTU, DHCPv6 use, …
    An RA without any authentication gives exactly the same level of security as DHCPv4 (none).
    1. RS: data = query: please send RA
    2. RA: data = options, prefix, lifetime, A+M+O flags
    (Diagram: the host sends an RS; both the legitimate router and an attacker answer with an RA, which enables MITM or DoS.)
  • 5. • Devastating:
    - Denial of service: all traffic is sent to a black hole
    - Man-in-the-middle attack: the attacker can intercept, listen to and modify unprotected data
    • Also affects legacy IPv4-only networks with IPv6-enabled hosts
    • Most of the time caused by non-malicious users
    • Requires layer-2 adjacency (some relief…)
    • The major blocking factor for enterprise IPv6 deployment
  • 6. Mitigation techniques (where / what):
    - Routers: increase the "legal" router preference
    - Hosts: disable Stateless Address Autoconfiguration
    - Routers & Hosts: SeND "Router Authorization"
    - Switch (First Hop): host isolation
    - Switch (First Hop): Port Access List (PACL)
    - Switch (First Hop): RA Guard
  • 7. • RFC 3972 Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key
    • SeND adds a signature option to the Neighbor Discovery Protocol, computed with the node's private key; the node's public key is sent in the clear (and linked to the CGA)
    • Very powerful, if MAC spoofing is prevented
    • But not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows
  • 8. • Each device has an RSA key pair (no need for a certificate)
    • Ultra-light check for validity
    • Prevents spoofing a valid CGA address
    (Diagram: the RSA public key, a modifier and the subnet prefix are hashed with SHA-1; the result becomes the interface identifier that, together with the subnet prefix, forms the Cryptographically Generated Address. The CGA parameters and a signature made with the private key are carried in SeND messages.)
  • 9. • Adding an X.509 certificate to the RA
    • The Subject Name contains the list of authorized IPv6 prefixes
    (Diagram: a Trust Anchor issues the X.509 certificate; the Router Advertisement carries the certificate, has a CGA as source address, includes the CGA parameter block (incl. the public key) and is signed.)
  • 10. • Prevent node-to-node layer-2 communication by using:
    - 1 VLAN per host (SP access network with a Broadband Network Gateway)
    - Private VLANs (PVLAN), where a node can only contact the official router
    • Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
    • Can also be used on wireless in 'AP Isolation Mode'
    (Diagram: two CPE/PC pairs with public IPv6 addresses, each in its own PVLAN towards the BNG, which sends the RA.)
  • 11. • A Port ACL blocks all ICMPv6 Router Advertisements from hosts:
    interface FastEthernet3/13
     switchport mode access
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port
    (Diagram: RAs arriving on the host-facing port are dropped by the PACL.)
  • 12. • The switch selectively accepts or rejects RAs based on various criteria
    • Can be ACL based, learning based or challenge (SeND) based
    • Hosts see only allowed RAs, and RAs with allowed content
    (Diagram: a device sends "I am the default gateway" as a Router Advertisement with prefix option(s); the switch runs configuration-based, learning-based or challenge-based verification and bridges the RA only if verification succeeded.)
  • 13. • The extension header chain can be so large that it is fragmented!
    • RFC 3128 is not applicable to IPv6
    • Layer-4 information could be in the 2nd fragment
    Fragment 1: IPv6 hdr | Hop-by-Hop | Routing | Fragment | Destination
    Fragment 2: IPv6 hdr | Hop-by-Hop | Routing | Fragment | TCP | Data
    The layer-4 header is in the 2nd fragment.
  • 14. RFC 3128 is not applicable to IPv6: an extension header can be fragmented
    • The ICMP header could be in the 2nd fragment, after a fragmented extension header
    • RA Guard works like a stateless ACL filtering ICMP type 134
    • THC fake_router6 -FD implements this attack, which bypasses RA Guard
    • Partial work-around: block all fragments sent to ff02::1; 'undetermined-transport' is even better
    • The work-around does not work in a SeND environment (larger packets), but then there is no need for RA Guard
    Fragment 1: IPv6 hdr | Hop-by-Hop | Routing | Fragment | Destination …
    Fragment 2: IPv6 hdr | Hop-by-Hop | Routing | Fragment | … Destination | ICMP type=134
    The ICMP header is in the 2nd fragment: RA Guard has no clue where to find it!
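The bypass of slides 13 and 14, as an added Python example (this is not code from the deck and not Cisco's RA Guard): a naive filter that looks only at the base header, a chain walker that reports the transport as undetermined when a Fragment header cuts the extension-header chain, and the slide's work-around applied to packets for ff02::1. The packets, the link-local source address and the 16-octet Destination Options header split in two are constructed inline, and checksums are left at zero since a first-hop filter classifies without validating them. RFC 6980 and RFC 7112 later forbade fragmented Neighbor Discovery messages and header chains that do not fit in the first fragment, but a filter on the first hop still has to decide what to do with such packets, which is what the "undetermined" verdict is for.

```python
"""Stateless RA classification over the IPv6 extension-header chain (added example)."""
import struct

# IANA next-header values used below.
HOP_BY_HOP, UDP, ROUTING, FRAGMENT, ICMPV6, NO_NEXT_HEADER, DEST_OPTS = 0, 17, 43, 44, 58, 59, 60
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}            # share the "next header, hdr ext len" layout
RA_TYPE = 134                                             # ICMPv6 Router Advertisement
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")      # ff02::1
SRC_LINK_LOCAL = bytes.fromhex("fe80" + "00" * 13 + "01") # fe80::1, constructed sender


def ipv6_packet(next_header: int, payload: bytes, dst: bytes = ALL_NODES) -> bytes:
    """Base header (version 6, payload length, next header, hop limit 255) plus payload."""
    base = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return base + SRC_LINK_LOCAL + dst + payload


def router_advertisement() -> bytes:
    """Minimal RA: type 134, code 0, checksum 0, cur hop limit 64, flags 0, lifetime 1800 s."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)


def fragment_header(next_header: int, offset_in_8_octets: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_in_8_octets << 3) | int(more), ident)


def naive_is_ra(pkt: bytes) -> bool:
    """Looks only at the base header: misses any RA that sits behind an extension header."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE


def classify(pkt: bytes) -> str:
    """Walk the header chain; return 'ra', 'other' or 'undetermined'. 'undetermined' means the
    upper-layer header is not in this packet, which is exactly what a fragmented extension-header
    chain produces (IOS IPv6 ACLs call this 'undetermined-transport')."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "other"
    nh, off = pkt[6], 40
    while True:
        if nh == NO_NEXT_HEADER:
            return "other"
        if off >= len(pkt):
            return "undetermined"                    # chain runs past the end of this fragment
        if nh in GENERIC_EXT:
            if off + 2 > len(pkt):
                return "undetermined"
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return "undetermined"                # non-first fragment: no upper layer here
            nh, off = pkt[off], off + 8              # first fragment: keep walking what is present
        elif nh == ICMPV6:
            return "ra" if pkt[off] == RA_TYPE else "other"
        else:
            return "other"                           # TCP, UDP, ...


def ra_guard_verdict(pkt: bytes) -> str:
    """Host-facing port policy: drop RAs, and drop 'undetermined' packets sent to ff02::1
    (the slide's work-around), so neither half of a split chain reaches the hosts."""
    kind = classify(pkt)
    if kind == "ra" or (kind == "undetermined" and pkt[24:40] == ALL_NODES):
        return "drop"
    return "permit"


def build_samples() -> dict:
    """Constructed packets: a plain RA, an RA behind Hop-by-Hop, and the fake_router6 -FD style
    split: a 16-octet Destination Options header cut in two by a Fragment header."""
    ra = router_advertisement()
    hop_by_hop = bytes([ICMPV6, 0, 1, 4]) + bytes(4)     # 8 octets, one PadN option
    dest_opts = bytes([ICMPV6, 1, 1, 12]) + bytes(12)    # 16 octets (hdr ext len 1), one PadN option
    fragmentable = dest_opts + ra
    return {
        "plain_ra": ipv6_packet(ICMPV6, ra),
        "ra_behind_hbh": ipv6_packet(HOP_BY_HOP, hop_by_hop + ra),
        "reassembled": ipv6_packet(DEST_OPTS, fragmentable),   # what the host sees after reassembly
        "frag1": ipv6_packet(FRAGMENT, fragment_header(DEST_OPTS, 0, True) + fragmentable[:8]),
        "frag2": ipv6_packet(FRAGMENT, fragment_header(DEST_OPTS, 1, False) + fragmentable[8:]),
        "udp": ipv6_packet(UDP, bytes(8)),
    }


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(f"{name:14s} naive_is_ra={naive_is_ra(pkt)!s:5s} "
              f"classify={classify(pkt):12s} verdict={ra_guard_verdict(pkt)}")
```

Run stand-alone, the table shows the point of the slide: the naive check passes both fragments, the chain walker cannot find ICMPv6 in either of them, and only the host, after reassembly, sees the type 134 message. The walker treats the unfragmented RA behind a Hop-by-Hop header as an RA, so it is strictly better than the base-header check, yet without the ff02::1 rule it would still let the split chain through.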
  • 15. For Your Reference
    • Each FH feature provides a configuration mode to create and populate policies (+ one implicit "default" policy):
    ipv6 nd raguard policy MYHOST
     device-role host
    • Each FH feature provides commands to attach policies to targets: box, vlan, port:
    vlan configuration 100
     ipv6 nd raguard attach-policy MYHOST
     ipv6 snooping
    interface e 0/0
     ipv6 nd raguard attach-policy MYROUTER
    • Packets are processed by the lowest-level matching policy for each feature:
    - Packets received on e0/0 are processed by RA Guard policy "MYROUTER" AND snooping policy "default"
    - Packets received on any other port of vlan 100 are processed by RA Guard policy "MYHOST" AND snooping policy "default"
  • 16. For Your Reference
    Step 1: configure policies
    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    ipv6 snooping policy NODE
     tracking enable
     limit address-count 10
     security-level guard
    ipv6 snooping policy SERVER
     trusted-port
     tracking disable
     security-level glean
    Step 2: attach policies to targets (VLAN or port)
    vlan configuration 100-200
     ipv6 nd raguard attach-policy HOST
    interface Ethernet0/0
     ipv6 nd raguard attach-policy ROUTER
    vlan configuration 100,101
     ipv6 snooping attach-policy NODE
    interface Ethernet1/0
     ipv6 snooping attach-policy SERVER
  • 17. (Diagram: vlan 100 with the devices HOST, ROUTER, PEER SWITCH, VILLAIN, CAT and DUMB.)
  • 18. (Diagram: a LAN connected to the Internet. 1) "I want IPv6, send RA". 2) An RA is sent with a prefix for auto-configuration. 3) Every host: "Yahoo! IPv6". 4) Default protection… Per host: IPv4 protection by iptables, ipfw or the Windows Security Center; IPv6 protection: no ip6tables ✗, no ip6fw ✗, Security Center ✔.)
  • 19. (Diagram: same LAN. 1) "I want IPv6, send RA". 2) An RA is sent with "no auto-config". 3) The host with a static IPv6 address: "Yahoo! IPv6"; the other hosts: no IPv6 SLAAC. IPv4 protection by iptables, ipfw or the Security Center remains in place.)
  • 21. • Pretty much like RA: no authentication
    - Any node can 'steal' the IP address of any other node
    - Impersonation leading to denial of service or MITM
    • Requires layer-2 adjacency
    • IETF SAVI, Source Address Validation Improvements (work in progress)
  • 22. Mitigation techniques (where / what):
    - Routers & Hosts: configure static neighbor cache entries
    - Routers & Hosts: use Cryptographically Generated Addresses (SeND CGA)
    - Switch (First Hop): host isolation
    - Switch (First Hop): address watch: glean addresses in NDP and DHCP, establish and enforce rules for address ownership
  • 23. • Objectives for address ownership:
    - Enable the ND message sender to provide proof of ownership of the address, and the receiver to validate the proof
    - Verify that the address is either the source of the ND message or the "target" of DAD messages (when the source is UNSPEC)
    - This is a SeND feature
    • Protocol overview:
    - Hosts (and routers) generate a pair of RSA keys
    - The public key is hashed to create a Cryptographically Generated Address (CGA)
    - The CGA address is signed by the private key
    - Both the public key and the signature are provided in ND messages
    - Receivers must verify the signature and the address/key consistency (address = hash(key))
    - No key distribution required!
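The address/key binding of slides 8 and 23 carried through as an added Python example (not code from the deck, not Cisco's or any SeND implementation): CGA generation and verification following RFC 3972, with the Sec parameter and the u/g bit handling. The "public key" is a constructed placeholder byte string standing in for the DER-encoded RSA key, the modifier search starts from a fixed value instead of a random one so that the result is reproducible, and the SeND signature over the ND message (RFC 3971) is out of scope here; the block only shows why a node with a different key cannot claim somebody else's CGA.

```python
"""RFC 3972 CGA generation and verification (added example; placeholder key bytes)."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a DER-encoded RSA public key (RFC 3972 hashes the real key bytes).
PLACEHOLDER_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"


@dataclass(frozen=True)
class CGAParams:
    """CGA Parameters data structure (RFC 3972 section 3), without extension fields."""
    modifier: bytes        # 16 octets
    subnet_prefix: bytes   # 8 octets: the /64 the address lives in
    collision_count: int   # 0, 1 or 2 (incremented after a DAD collision)
    public_key: bytes      # DER-encoded public key


def hash1(p: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the full CGA Parameters: the interface identifier."""
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero octets || key. Its leftmost 16*Sec
    bits must be zero: this is the hash-extension work factor an attacker must redo."""
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def interface_id(h1: bytes, sec: int) -> bytes:
    """Hash1 with Sec written into bits 0-2 and the u/g bits (bits 6 and 7) cleared."""
    return bytes([(sec << 5) | (h1[0] & 0x1C)]) + h1[1:]


def generate(prefix: str, public_key: bytes, sec: int, start_modifier: bytes = bytes(16)):
    """Generate a CGA in `prefix` (a /64 in text form). RFC 3972 starts from a random
    modifier; this example starts from `start_modifier` and increments, for reproducibility."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64 and 0 <= sec <= 7
    subnet = net.network_address.packed[:8]
    m = int.from_bytes(start_modifier, "big")
    while True:                                   # steps 2-3: search a modifier satisfying Hash2
        modifier = m.to_bytes(16, "big")
        if hash2(modifier, public_key)[:2 * sec] == bytes(2 * sec):
            break
        m = (m + 1) % (1 << 128)
    params = CGAParams(modifier, subnet, 0, public_key)   # step 4: collision count starts at 0
    addr = ipaddress.IPv6Address(subnet + interface_id(hash1(params), sec))
    return addr, params


def verify(addr: ipaddress.IPv6Address, params: CGAParams) -> bool:
    """RFC 3972 section 5: check an address against the CGA Parameters the peer sent."""
    packed = addr.packed
    if params.collision_count > 2 or packed[:8] != params.subnet_prefix:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5                             # Sec is carried in the address itself
    mask = bytes([0x1C]) + b"\xff" * 7            # ignore bits 0-2 (Sec) and 6-7 (u/g)
    if any((a & m) != (b & m) for a, b, m in zip(hash1(params), iid, mask)):
        return False
    return hash2(params.modifier, params.public_key)[:2 * sec] == bytes(2 * sec)


if __name__ == "__main__":
    address, params = generate("2001:db8:1:2::/64", PLACEHOLDER_PUBLIC_KEY, sec=1)
    print(address, "verifies:", verify(address, params))
    forged = CGAParams(params.modifier, params.subnet_prefix, 0, PLACEHOLDER_PUBLIC_KEY + b"\x00")
    print(address, "with another key:", verify(address, forged))
```

With Sec=1 the search performs on the order of 2^16 SHA-1 computations before a usable modifier is found, which is what makes brute-forcing a collision for a given CGA expensive; with Sec=0 the first modifier is accepted and the check on slide 8 is indeed ultra light: one SHA-1 over the parameters a peer already sent.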
• 24.
  • If a switch wants to enforce the <IP address, MAC address> mappings, how does it learn them?
  • Multiple sources of information:
    - SeND: verify the signature in NDP messages, then add the mapping
    - DHCP: snoop all messages from the DHCP server to learn the mapping (same as in IPv4)
    - NDP: more challenging, but 'first come, first served': the first node claiming to have an address will have it
• 25. [Figure: binding table built by the first-hop switch from hosts H1, H2, H3 and the DHCP server]
  Binding table:
    ADR  | MAC   | VLAN | IF
    A1   | MACH1 | 100  | P1
    A21  | MACH2 | 100  | P2
    A22  | MACH2 | 100  | P2
    A3   | MACH3 | 100  | P3
  Messages gleaned:
    H1: NS [IP source=A1, LLA=MACH1]
    H2: DHCP REQUEST [XID, SMAC=MACH2]; DHCP server REPLY [XID, IP=A21, IP=A22]
    H3: data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target=A3]; DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY; NA [IP source=A3, LLA=MACH3]
• 26. [Figure: address-glean pipeline: host → address glean → valid? → bridge]
  • Address glean:
    - Arbitrate collisions, check ownership
    - Check against max allowed per box/VLAN/port
    - Record & report changes
  • Preference is a function of: configuration, learning method, credential provided
  • Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_CGA, SLAAC)
  • For collisions with the same preference, choose First Come, First Served
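The arbitration described on slides 24 and 26, as an added example in Python (not Cisco's code): the switch gleans <address, MAC> mappings, enforces a per-port maximum, and on collision keeps the higher-preference credential, falling back to first come, first served. The numeric method ranks, the trusted flag and the change log are assumptions made for the example.

```python
from dataclasses import dataclass

# Rank of the learning method / credential; higher wins on collision. Static
# configuration beats SeND CGA, which beats DHCP-learned, which beats SLAAC/NDP gleaning.
METHOD_PREF = {"static": 3, "cga": 2, "dhcp": 1, "slaac": 0}


@dataclass
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    method: str
    trusted: bool      # learned on a trusted port (configuration) or not

    def preference(self):
        return (METHOD_PREF[self.method], int(self.trusted))


class BindingTable:
    def __init__(self, max_per_port=2):
        self.entries = {}          # (vlan, address) -> Binding
        self.max_per_port = max_per_port
        self.changes = []          # record & report changes (hypothetical event log)

    def _port_count(self, vlan, port):
        return sum(1 for b in self.entries.values() if b.vlan == vlan and b.port == port)

    def glean(self, address, mac, vlan, port, method, trusted=False):
        """Return True if the <address, MAC> mapping is accepted into the binding table."""
        new = Binding(address, mac, vlan, port, method, trusted)
        current = self.entries.get((vlan, address))
        if current is not None and current.mac == mac and current.port == port:
            return True                                   # owner refreshing its own binding
        if self._port_count(vlan, port) >= self.max_per_port:
            self.changes.append(("reject-limit", address, mac, port))
            return False                                  # too many addresses behind this port
        if current is None or new.preference() > current.preference():
            self.entries[(vlan, address)] = new           # no owner yet, or better credential
            self.changes.append(("add" if current is None else "replace", address, mac, port))
            return True
        self.changes.append(("reject-fcfs", address, mac, port))
        return False                                      # equal or lower preference: first come, first served
```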
• 27.
  • IPv6 VLAN ACL & RA Guard: 12.2(54)SG, 3.2.0SG, 15.0(2)SG, 12.2(33)SXI4
  • NDP inspection: 12.2(50)SY and 15.0(1)SY
  For more information:
    http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-first-hop-security.html
• 28.
  • DHCP Guard
  • Destination Guard
  • Source Guard
  • Prefix Guard
  • Multi Switch operation
  • DAD Proxy
  • RA Throttler
  • Binding Table Recovery
  • NDP Multicast Suppress
  • SVI support
  Several of those features are already in WLC 7.2
• 30. [Figure: a remote host scans 2001:db8::/64; for every probed address the router sends NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... on the LAN]
  • Remote router CPU/memory DoS attack if aggressive scanning
    - Router will do Neighbor Discovery... and waste CPU and memory
  • Local router DoS with NS/RS/…
• 31.
  • Mainly an implementation issue:
    - Rate limiter, global and per interface
    - Prioritize renewal (PROBE) rather than new resolution
    - Maximum neighbor cache entries per interface and per MAC address
  • Internet edge/presence: a target of choice
    - Ingress ACL permitting traffic only to specific, statically configured (virtual) IPv6 addresses
    - Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
  • Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164)
  • Using an infrastructure ACL prevents this scanning
    - iACL: edge ACL denying packets addressed to your routers
    - Easy with IPv6 because a new addressing scheme can be done
• 32.
  • Built-in rate limiter but no option to tune it
    - Since 15.1(3)T: ipv6 nd cache interface-limit
    - Or IOS-XE 2.6: ipv6 nd resolution data limit
  • Destination Guard is coming with First Hop Security phase 3
• 34.
  • Without a secure layer-2, there is no upper-layer security
  • Rogue Router Advertisement is the most common threat
  • Mitigation techniques:
    - Host isolation
    - Secure Neighbor Discovery: but not a lot of implementations
    - SAVI-based techniques: discovering the 'right' information and dropping RA/NA with wrong information
    - Last remaining issue: (overlapped) fragments => drop all fragments…
  • Neighbor cache exhaustion:
    - Use a good implementation
    - Expose only a small part of the addresses and block the rest via ACL
  • Products are now available implementing the techniques ;-)