IPv6 Access Security
Tim Martin
CCIE #2020
Solutions Architect
4 Nov. 2015
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
•  Why IPv6, Why Now
•  IPv6 Host Assignments
•  IPv6 First Hop Security
•  SeND
•  802.1x
•  Alternatives
•  Summary
Market Factors Driving IPv6 Adoption
•  IPv4 address depletion (2011)
•  National IPv6 strategies, STEM, mandates
•  Infrastructure evolution: 4G, DOCSIS 3.0, CGN
•  IPv6 OS, content and applications; preferred by apps and content
•  RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL
IPv6 for the Enterprise in 2015
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf
Framing the Attack Surface
•  Layer 2 typically involves Ethernet (switches) or WiFi (controllers) links
•  Security is only as strong as your weakest link
•  When it comes to networking, layer 2 can be a relatively weak link
[Figure: two OSI stacks (Physical, Data Link, Network, Transport, Session, Presentation, Application) side by side; the attack surface at each layer is physical links, MAC addresses, IP addresses, protocols/ports and the application stream; an initial compromise of one host leads to a compromised peer]
IPv6 Host Address Assignments
IPv6 Host Portion Address Assignment
Similar to IPv4:
•  Manually configured
•  Assigned via DHCPv6
New in IPv6 (Stateless Address Autoconfiguration):
•  SLAAC with EUI-64
•  SLAAC with Privacy Extensions
Modified EUI-64 interface identifier
•  Start with the 48-bit MAC: 00 90 27 | 17 fc 0f (OUI | device identifier)
•  Insert ff fe between the OUI and the device identifier: 00 90 27 ff fe 17 fc 0f
•  Flip the U/L bit, bit 7 of the first octet (0000 00U0). In the modified EUI-64 format the bit is inverted relative to IEEE: 1 = universal (globally unique), 0 = local (not unique)
•  Result: 02 90 27 ff fe 17 fc 0f
IPv6 Privacy Extensions (RFC 4941)
•  The random interface ID is generated by running MD5 over the EUI-64 identifier and a stored history value; the result is stored and used as input for the next iteration
•  Enabled by default in Windows, Android, iOS and Mac OS X; on Linux it depends on the distribution's use_tempaddr setting
•  Temporary (ephemeral) addresses used for outbound client connections such as web browsing
Recommendation: Good for the mobile user, but not for your organization/corporate networks (troubleshooting and accountability suffer when addresses change)
[Figure: 2001:db8:0:1234::/64, with the /32, /48 and /64 boundaries marked, followed by a randomly generated interface ID]
Stable Interface ID Generation (RFC 7217)
•  RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), where F is a pseudo-random function and Network_ID is optional
•  Generates IIDs that are stable/constant for each network interface on a given network
•  IIDs change as hosts move from one network to another, so a host cannot be tracked across networks
Implementation of the RID is left to the OS vendor and MAY differ between client and server.
[Figure: 2001:db8:0:1234::/64, with the /32, /48 and /64 boundaries marked, followed by the stable random ID]
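Worked example (added here, not part of the original deck): the two interface-identifier schemes above in Python. mac_to_eui64_iid reproduces the slide's derivation for 00:90:27:17:fc:0f, eui64_iid_to_mac shows why that address leaks the MAC, and rfc7217_iid implements RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key). The choice of HMAC-SHA256 as F, the byte encoding of the inputs, the interface name eth0, the secret and the second prefix are assumptions for illustration.

```python
"""SLAAC interface identifiers: modified EUI-64 (RFC 4291) versus stable opaque IIDs (RFC 7217).

Added example, not from the original deck. The PRF (HMAC-SHA256), the byte encoding of the
RFC 7217 inputs, the interface name, the secret and the second prefix are assumptions.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe between OUI and device identifier,
    then flip the U/L bit (bit 7 of the first octet, mask 0x02)."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_iid_to_mac(iid: bytes) -> Optional[str]:
    """Inverse of the above: an EUI-64 SLAAC address hands the hardware MAC to anyone who sees
    it, and the same IID follows the host onto every network it joins."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def rfc7217_iid(prefix: str, net_iface: str, secret_key: bytes,
                network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); F is HMAC-SHA256 here
    (RFC 7217 leaves the PRF to the implementation). The 64 least-significant bits of the RID
    become the IID. A reserved all-zero IID bumps DAD_Counter and retries, as a DAD failure would."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    while True:
        msg = (net.network_address.packed[:8] + net_iface.encode() + network_id
               + dad_counter.to_bytes(2, "big"))
        iid = hmac.new(secret_key, msg, hashlib.sha256).digest()[-8:]
        if iid != b"\x00" * 8:                # minimal RFC 5453 reserved-IID check
            return iid
        dad_counter += 1


def slaac_address(prefix: str, iid: bytes) -> str:
    """Prefix (64 bits) + interface identifier (64 bits) = the host's global address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    # Constructed sample values: the MAC from the slide and RFC 3849 documentation prefixes.
    mac, office, hotel = "00:90:27:17:fc:0f", "2001:db8:0:1234::/64", "2001:db8:ffff:1::/64"
    key = b"per-host secret generated once at install time"
    eui = mac_to_eui64_iid(mac)
    print("EUI-64 IID     :", eui.hex(), "-> MAC recoverable:", eui64_iid_to_mac(eui))
    print("EUI-64 office  :", slaac_address(office, eui))
    print("EUI-64 hotel   :", slaac_address(hotel, eui), "(same IID everywhere: trackable)")
    print("RFC 7217 office:", slaac_address(office, rfc7217_iid(office, "eth0", key)))
    print("RFC 7217 again :", slaac_address(office, rfc7217_iid(office, "eth0", key)))
    print("RFC 7217 hotel :", slaac_address(hotel, rfc7217_iid(hotel, "eth0", key)))
```

Running it shows the trade-off the two slides describe: the EUI-64 host has the same, MAC-revealing IID in the office and in the hotel, while the RFC 7217 host keeps one stable address per network (good for logging and troubleshooting) that changes between networks and never exposes the MAC.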
DHCPv6
•  The client sends SOLICIT from its link-local address (e.g. fe80::1234) to the All_DHCP_Relay_Agents_and_Servers multicast address ff02::1:2
•  Clients use UDP 546, servers and relays UDP 547
•  A relay encapsulates the original multicast message in a unicast RELAY-FORW to the server (e.g. 2001:db8::feed:1)
•  The DUID identifies the client; this differs from DHCPv4, which keys on the MAC/client identifier
•  Relay configuration: ipv6 dhcp relay destination 2001:db8::feed:1
Four-message exchange between client and server (through the relay):
  SOLICIT   (client: any servers out there?)
  ADVERTISE (server: I can offer this address)
  REQUEST   (client: I want that address)
  REPLY     (server: it's yours)
Disabling Ephemeral Addressing
•  Enable stateful DHCPv6 via the M (managed) flag in the RA
•  Disable autoconfiguration via the A (autonomous) bit of the Prefix Information option (ND option 3)
•  Set router preference to high
•  Enable DHCPv6 relay
  interface fastEthernet 0/0
   ipv6 address 2001:db8:1122:acc1::1/64
   ipv6 nd managed-config-flag
   ipv6 nd prefix default no-autoconfig
   ipv6 nd router-preference high
   ipv6 dhcp relay destination 2001:db8:add:cafe::1
Caveat: hosts without a DHCPv6 client (Android, for one) obtain no global address once the A bit is cleared, so inventory the client population before relying on this.
IPv6 First Hop Security
IPv4 Vulnerabilities & Countermeasures
•  Catalyst Integrated Security Features (CISF), e.g. Port Security
•  Dsniff - Dug Song
•  Ettercap - SourceForge
IPv6 Hacking Tools
•  ARP is replaced by the Neighbor Discovery Protocol (NDP)
   •  Nothing is authenticated
   •  Static entries overwritten by dynamic ones
•  Stateless Address Autoconfiguration
   •  Rogue RA (malicious or not)
•  Attack tools are real (the THC-IPv6 suite and others):
   •  parasite6
   •  fake_router6
   •  alive6
   •  scapy6
   •  ...
IPv6 First Hop Security (FHS)
Core features:
•  RA Guard - protects against rogue or malicious RAs and the MitM attacks they enable
•  DHCPv6 Guard - protects against invalid DHCP offers, DoS and MitM attacks
Advanced features (built on IPv6 Snooping and its binding table):
•  Source/Prefix Guard - protects against invalid source addresses, invalid prefixes and source address spoofing
•  Destination Guard - protects against DoS, scanning and invalid destination addresses
Scalability & performance:
•  RA Throttler - reduces the control traffic necessary for proper link operation, improving performance
•  ND Multicast Suppress - facilitates scale by converting multicast traffic to unicast
Address Exhaustion - parasite6
•  The attacker answers every Duplicate Address Detection (DAD) attempt on the link, so each tentative address appears to be in use
•  The victim never obtains a usable address and needs manual intervention to configure one
  A -> NS: Src = :: (unspecified), Dst = solicited-node multicast for A, Target = A ("does anybody use A?")
  C -> NA: Src = any of C's interface addresses, Dst = A, Option = link-layer address of C ("I do")
Misconfiguration
•  Admin or intern sends RAs with a false prefix
•  Enthusiast with a tunnel broker account whose device starts advertising the tunnel prefix on the LAN
•  The most frequent threat, and it comes from non-malicious users
  C -> RA: Src = C's link-local address, Dst = all-nodes (ff02::1), Options = prefix BAD; hosts A and B both pick it up
Malicious Attack - flood_router6
•  Flooding RAs with many random prefixes overwhelms the host IPv6 stack: OS X, Windows, iPad/iPhone and Android are all affected
  C -> RA, prefix BAD1; RA, prefix BAD2; RA, prefix BAD3; RA, prefix BAD4; RA, prefix BAD5; RA, prefix BAD6 ... (to all nodes A and B)
Update: Microsoft Security Advisory 2904659, "Vulnerability in IPv6 Could Allow Denial of Service", published February 11, 2014
Malicious Attack - fake_router6
•  Attacker spoofs a Router Advertisement with a false on-link prefix and becomes the default router
•  Enables MITM, captive splash screens and traffic capture
  B -> RA: Src = B's link-local address, Dst = all-nodes, Options = prefix BAD; hosts A and C accept it
RA Guard mitigation options
•  Port ACL
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
  ! ACL body completed here; the slide shows only the deny line
  ipv6 access-list ACCESS_PORT
   deny icmp any any router-advertisement
   permit ipv6 any any
•  Feature based
  interface FastEthernet0/2
   ipv6 nd raguard
•  Policy based
  ipv6 snooping policy HOST
   security-level guard
   limit address-count 2
   device-role node
  interface GigabitEthernet1/0/2
   ipv6 snooping attach-policy HOST
[Figure: RAs arriving on ports with device-role HOST are dropped; the port with device-role ROUTER is allowed to send them]
Caveat: a port ACL that matches on the ICMPv6 type can be bypassed by RAs hidden behind extension headers or fragmentation; RFC 7113 gives the implementation advice that the RA Guard feature follows, which is why the feature or policy approach is preferred.
IPv6 FHS - DHCPv6 Guard
Prevents rogue DHCPv6 responses from misleading the client.
[Figure: a DHCPv6 client sends a request; a rogue host on an access port answers "I am a DHCP server"; DHCPv6 Guard drops server messages from any port not configured in the server role]

IPv6 FHS - Snooping
Instrumental link-operation security feature that analyzes control and data traffic on the switch, detects IPv6 addresses and stores/updates them in a binding table, to ensure rogue users cannot spoof or steal addresses.
•  Deep control-packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding guard
IPv6 Binding Table (RFC 6620)
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.
IPv6 FHS - IPv6 Source Guard
Mitigates address hijacking and ensures the source address belongs to the proper prefix.
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
  g1/0/21  ::0021  0021  200   Active
[Figure: a rogue node (~Host A) on another port sends traffic sourced from Host A's address, which was learned via NDP or DHCPv6; the source/port/MAC triple does not match the binding table, so the packets are dropped]
IPv6 FHS - IPv6 Destination Guard
•  Mitigates prefix-scanning attacks and protects the router's ND cache
•  Drops packets for on-link destinations without a binding entry
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::0001  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
[Figure: pings to 2001:db8::1, ::2, ::3 and ::4 arrive at the router; each destination is looked up in the binding table; found (2001:db8::1) -> forward the packet and resolve it with an NS; not found -> drop, so a scan of the /64 never triggers neighbor resolution]
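Worked example (added here, not Cisco code or part of the deck) tying the FHS features above together: a small Python model of an access switch that applies RA Guard and DHCPv6 Guard by device-role, gleans a binding table from ND and DHCPv6 (IPv6 Snooping, with binding guard against the parasite6 DAD hijack and a per-port address limit), and enforces Source Guard and Destination Guard on data traffic. Port names, roles, the 2001:db8:1::/64 prefix, the MACs and the packet model are constructed for illustration; the real features run against the switch's hardware tables.

```python
"""Toy model of the IPv6 First Hop Security features on one access switch.

Added example, not Cisco code: the port names, roles, addresses, MACs and the packet model
are constructed for illustration; the real features run against the switch's hardware tables.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ND_RA, ND_NS, ND_NA = 134, 135, 136                                   # ICMPv6 ND types (RFC 4861)
DHCP_SOLICIT, DHCP_ADVERTISE, DHCP_REQUEST, DHCP_REPLY = 1, 2, 3, 7  # DHCPv6 types (RFC 3315)
DHCP_SERVER_MSGS = {DHCP_ADVERTISE, DHCP_REPLY}
ON_LINK = ipaddress.IPv6Network("2001:db8:1::/64")                    # assumed access-VLAN prefix


@dataclass
class Pkt:
    port: str                      # ingress port
    mac: str                       # source MAC
    src: str                       # IPv6 source ("::" for DAD)
    dst: str
    nd: Optional[int] = None       # ICMPv6 ND type, when an ND message
    dhcp: Optional[int] = None     # DHCPv6 message type, when a DHCPv6 message
    target: Optional[str] = None   # ND target address / DHCPv6 assigned address
    dst_mac: Optional[str] = None  # destination MAC, used to glean from a DHCPv6 REPLY


@dataclass
class FhsSwitch:
    roles: Dict[str, str]                  # port -> "node" | "router" | "dhcp-server" (device-role)
    max_addrs: int = 2                     # limit address-count
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # IPv6 -> (port, MAC)
    mac_table: Dict[str, str] = field(default_factory=dict)             # MAC -> port
    drops: List[str] = field(default_factory=list)

    def _drop(self, reason: str) -> bool:
        self.drops.append(reason)
        return False

    def _glean(self, ip: str, port: str, mac: str) -> bool:
        """IPv6 snooping: learn (address, port, MAC). A different port claiming an address that is
        already bound is refused (binding guard), which defeats parasite6-style DAD hijacking;
        a port over its address budget is refused (limit address-count)."""
        if ip in self.bindings and self.bindings[ip] != (port, mac):
            return self._drop(f"binding-guard: {ip} bound to {self.bindings[ip]}, claimed from {port}")
        owned = sum(1 for p, _ in self.bindings.values() if p == port)
        if ip not in self.bindings and owned >= self.max_addrs:
            return self._drop(f"address-count: {port} already holds {owned} addresses")
        self.bindings[ip] = (port, mac)
        return True

    def ingress(self, p: Pkt) -> bool:
        """True if the frame is forwarded, False if an FHS feature drops it."""
        role = self.roles.get(p.port, "node")
        self.mac_table[p.mac] = p.port
        # RA Guard: Router Advertisements only from ports in the router role.
        if p.nd == ND_RA and role != "router":
            return self._drop(f"ra-guard: RA from {p.port} (role {role})")
        # DHCPv6 Guard: ADVERTISE/REPLY only from ports in the server role.
        if p.dhcp in DHCP_SERVER_MSGS and role != "dhcp-server":
            return self._drop(f"dhcpv6-guard: server message from {p.port} (role {role})")
        # Address glean from control traffic: DAD NS / NA claim a target, a REPLY assigns one.
        if p.nd in (ND_NS, ND_NA) and p.target:
            return self._glean(p.target, p.port, p.mac)
        if p.dhcp == DHCP_REPLY and p.target and p.dst_mac in self.mac_table:
            return self._glean(p.target, self.mac_table[p.dst_mac], p.dst_mac)
        if p.nd is not None or p.dhcp is not None:
            return True                        # other control traffic (RS, SOLICIT, ...) passes
        # Source Guard: data traffic must match a binding for this port and MAC.
        if self.bindings.get(p.src) != (p.port, p.mac):
            return self._drop(f"source-guard: {p.src} not bound to {p.port}/{p.mac}")
        # Destination Guard: on-link destinations with no binding are dropped before any neighbor
        # resolution, so a scan of the /64 cannot exhaust the router's ND cache.
        if ipaddress.IPv6Address(p.dst) in ON_LINK and p.dst not in self.bindings:
            return self._drop(f"destination-guard: no binding for {p.dst}")
        return True


def fhs_demo() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: victim A on g1/0/2, attacker C on g1/0/3, trusted router and DHCPv6 server."""
    sw = FhsSwitch(roles={"g1/0/1": "router", "g1/0/2": "node", "g1/0/3": "node", "g1/0/4": "dhcp-server"})
    A, C, R = "00:1a:00:00:00:0a", "00:cc:00:00:00:0c", "00:01:00:00:00:01"
    results = [
        sw.ingress(Pkt("g1/0/2", A, "::", "ff02::1:ff00:a", nd=ND_NS, target="2001:db8:1::a")),    # A's DAD: bound
        sw.ingress(Pkt("g1/0/3", C, "fe80::c", "2001:db8:1::a", nd=ND_NA, target="2001:db8:1::a")), # C answers DAD (parasite6)
        sw.ingress(Pkt("g1/0/3", C, "fe80::c", "ff02::1", nd=ND_RA)),                               # C sends RA (fake_router6)
        sw.ingress(Pkt("g1/0/3", C, "fe80::c", "fe80::a", dhcp=DHCP_ADVERTISE)),                      # C poses as DHCPv6 server
        sw.ingress(Pkt("g1/0/1", R, "fe80::1", "ff02::1", nd=ND_RA)),                               # real router RA: forwarded
        sw.ingress(Pkt("g1/0/3", C, "2001:db8:1::a", "2001:db8:2::1")),                               # C spoofs A's address
        sw.ingress(Pkt("g1/0/2", A, "2001:db8:1::a", "2001:db8:2::1")),                               # A to off-link host: forwarded
        sw.ingress(Pkt("g1/0/2", A, "2001:db8:1::a", "2001:db8:1::4")),                               # A probes unused on-link address
    ]
    return results, sw.drops


if __name__ == "__main__":
    forwarded, dropped = fhs_demo()
    print(forwarded)
    print("\n".join(dropped))
```

In the scenario only the victim's DAD, the real router's RA and the victim's off-link traffic are forwarded; the drop log names the feature that caught each of the attacker's five attempts. The order of the checks matters: control traffic is vetted and gleaned before any data-plane decision, because the binding table that Source and Destination Guard consult is built from it.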
SeND
Secure Neighbor Discovery - SeND (RFC 3971; threat model in RFC 3756, Cryptographically Generated Addresses in RFC 3972)
•  Each device has an RSA key pair
•  The interface identifier is a Cryptographically Generated Address (CGA): a SHA-1 hash over the public key, the subnet prefix and a modifier, so the address is bound to the key
•  The validity check is lightweight: the receiver recomputes the hash from the CGA Parameters option carried in the ND message (modifier, subnet prefix, collision count, public key) and verifies the RSA Signature option with that key
[Figure: RSA key pair (private/public); subnet prefix + interface identifier = Cryptographically Generated Address; SeND messages carry the CGA Parameters (modifier, public key, subnet prefix) and a signature]
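Worked example (added here, not from the deck) of the CGA construction and check described above, following RFC 3972 with Python's hashlib. RFC 3972 hashes the DER-encoded RSA public key; PUBKEY and ATTACKER_KEY below are constructed placeholder byte strings standing in for that encoding, and the 2001:db8:1::/64 prefix is a documentation prefix, so the values are illustrative only. The Sec parameter (0..7) shows why the check is cheap for the receiver but costly to forge.

```python
"""Cryptographically Generated Addresses (RFC 3972): the IID is a hash of the node's public key.

Added example, not from the deck. RFC 3972 hashes the DER-encoded RSA public key; here
PUBKEY and ATTACKER_KEY are constructed placeholder byte strings standing in for that encoding.
"""
import hashlib
import os
from typing import Optional, Tuple

Params = Tuple[bytes, bytes, int, bytes]   # (modifier, subnet_prefix, collision_count, public_key)


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1 over the CGA Parameters data structure
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 = leftmost 112 bits of SHA-1 over modifier | 9 zero octets | public key
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, collision_count: int = 0,
                 modifier: Optional[bytes] = None) -> Tuple[bytes, Params]:
    """Return (16-byte address, CGA Parameters). Sec makes the owner do about 2^(16*Sec) hashes
    once, and raises an attacker's cost of finding a key that fits the address by the same factor."""
    if len(prefix) != 8 or not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("bad CGA inputs")
    modifier = modifier if modifier is not None else os.urandom(16)
    # Steps 2-3: find a modifier whose Hash2 has 16*Sec leading zero bits (no work when Sec = 0).
    while sec and _hash2(modifier, pubkey)[:2 * sec] != b"\x00" * (2 * sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    # Steps 4-6: Hash1, then write Sec into the 3 leftmost bits and clear the u/g bits (bits 6, 7).
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return prefix + bytes(iid), (modifier, prefix, collision_count, pubkey)


def verify_cga(address: bytes, params: Params) -> bool:
    """RFC 3972 section 5: anyone can check that the address is bound to this public key.
    The signature over the ND message (not shown) then proves the sender holds the private key."""
    modifier, prefix, collision_count, pubkey = params
    if len(address) != 16 or collision_count > 2 or address[:8] != prefix:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    expected = _hash1(modifier, prefix, collision_count, pubkey)
    if (iid[0] & 0x1C, iid[1:]) != (expected[0] & 0x1C, expected[1:]):
        return False
    return sec == 0 or _hash2(modifier, pubkey)[:2 * sec] == b"\x00" * (2 * sec)


# Constructed inputs: documentation prefix 2001:db8:1::/64 and placeholders for DER public keys.
PREFIX = bytes.fromhex("20010db800010000")
PUBKEY = b"-- placeholder for the DER-encoded RSAPublicKey of host A --"
ATTACKER_KEY = b"-- placeholder for the DER-encoded RSAPublicKey of attacker C --"


def cga_demo(sec: int = 1) -> Tuple[bool, bool]:
    """Owner generates and verifies; an attacker who presents their own key with the victim's
    address fails verification, so copying the address alone does not let them speak for it."""
    address, params = generate_cga(PREFIX, PUBKEY, sec, modifier=b"\x00" * 16)
    modifier, prefix, collision_count, _ = params
    forged = verify_cga(address, (modifier, prefix, collision_count, ATTACKER_KEY))
    return verify_cga(address, params), forged


if __name__ == "__main__":
    addr, _ = generate_cga(PREFIX, PUBKEY, 1)
    print("CGA:", ":".join(addr.hex()[i:i + 4] for i in range(0, 32, 4)))
    print("owner verifies, attacker verifies:", cga_demo())
```

Verification costs two SHA-1 computations regardless of Sec, which is the "ultra light" check the slide refers to; generation with Sec = 1 already takes tens of thousands of hashes, and each further Sec step multiplies that by 65536. What the CGA alone does not do is authorize the router: that is the job of the certification path in the next slide.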
SeND Operation
1. Router R sends a certificate request to Certificate Authority CA0 (the trust anchor, holding certificate C0)
2. CA0 issues the router certificate CR
3. Host -> R, Certification Path Solicitation (CPS): I trust CA0, who are you?
4. R -> host, Certification Path Advertisement (CPA): I am R, this is my certificate CR
5. R -> host, Router Advertisement (signed with R's key)
6. Host verifies CR against CA0
7. Host starts using R as default gateway
SeND OS Support
•  Microsoft Windows 7 or Server 2008
   •  No native SeND implementation
   •  TrustRouter application (RA only, not NA/NS)
   •  WinSEND application works with all NDP traffic
•  Apple Mac
   •  No native SeND implementation
   •  TrustRouter application (RA only, not NA/NS)
•  Linux and/or Unix
   •  Easy-SEND
   •  ND-Protector
   •  IPv6-Send-CGA
With no native support in the mainstream operating systems, SeND is rarely deployable on an access network; the switch-based FHS features remain the practical control.
802.1x
Fundamentals of 802.1X
[Figure: Supplicant (Windows native, Apple OS X native, Cisco AnyConnect, Open1X) <-- 802.1X over Ethernet/WLAN --> Authenticator (Ethernet switch, router, wireless controller, access point) <-- RADIUS over IP/Layer 3 --> Authentication Server (Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server) --> Identity Store (Active Directory, token server, OpenLDAP)]
•  EAP (Extensible Authentication Protocol) runs end to end between supplicant and authentication server: carried in 802.1X (EAPoL) on the access link and inside RADIUS between authenticator and server
•  The supplicant answers the identity request with EAP-Response/Identity; the authenticator forwards it in a RADIUS Access-Request with Service-Type: Framed
•  Credentials (certificate / password / token) are exchanged inside the EAP method and validated against the identity store
•  Success: RADIUS Access-Accept (+ authorization attributes, e.g. VLAN or ACL) to the authenticator and EAP-Success to the supplicant; the port is authorized
•  Failure: the port remains unauthorized
Three proven deployment scenarios
•  Monitor mode: authentication without access control
•  Low-impact mode: minimal impact to users and the network
•  Closed (high-security) mode: highly secure, good for logical isolation
Alternatives
MAC Authentication Bypass (MAB)
[Figure: the authenticator sends EAPoL EAP-Request/Identity three times; after the 802.1X timeout, the first packet from the endpoint (MAC 00-10-23-AA-1F-38) triggers a RADIUS Access-Request with Service-Type: Call-Check and the MAC as the AVP; the authentication server answers Access-Accept if the MAC is known]
•  Endpoints without a supplicant fail 802.1X authentication; MAB is the fallback for "known" MAC addresses
•  MAB requires a MAC database
•  MAB may delay network access because it waits for the EAP timeout
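Worked example (added here, not from the deck or from Cisco) of the RADIUS exchange in the MAB figure: build_mab_request encodes the Access-Request per RFC 2865, hiding the User-Password with the shared-secret MD5 scheme and setting Service-Type to Call-Check, and server_decision shows what the authentication server checks before answering Access-Accept. The MAC 00-10-23-AA-1F-38 is the one on the slide; the shared secret, the decision to carry the MAC as both User-Name and User-Password, and the attribute formatting are assumptions for illustration.

```python
"""RADIUS Access-Request for MAC Authentication Bypass, encoded per RFC 2865.

Added example, not from the deck or from Cisco. The shared secret, carrying the MAC as both
User-Name and User-Password, and the attribute formatting are assumptions for illustration.
"""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 6, 31, 61
SERVICE_FRAMED, SERVICE_CALL_CHECK = 2, 10      # Call-Check marks a MAB request, not a user login
NAS_PORT_TYPE_ETHERNET = 15


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 octets, then c_i = p_i XOR MD5(secret | c_(i-1)), with
    c_0 = Request Authenticator. This is obfuscation keyed on the shared secret, not modern
    encryption; and the MAC is no secret anyway, which is why MAB is the weakest method here."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, identifier: int,
                      authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request the authenticator sends when the 802.1X timer expires and the first frame
    arrives from an endpoint with no supplicant (assumed Cisco-style attribute usage)."""
    authenticator = authenticator or os.urandom(16)
    mac_plain = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    dashed = "-".join(mac_plain[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (_avp(USER_NAME, mac_plain.encode())
             + _avp(USER_PASSWORD, hide_password(mac_plain.encode(), secret, authenticator))
             + _avp(SERVICE_TYPE, struct.pack("!I", SERVICE_CALL_CHECK))
             + _avp(CALLING_STATION_ID, dashed.encode())
             + _avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    """Return (code, identifier, authenticator, {type: [values]}), rejecting malformed lengths."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    authenticator, pos, attrs = pkt[4:20], 20, {}
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(pkt[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_decision(pkt: bytes, secret: bytes, known_macs: Set[str]) -> int:
    """What the authentication server does with a MAB request: confirm Service-Type is Call-Check,
    reveal the password, and accept only MACs present in the MAC database."""
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or attrs.get(SERVICE_TYPE) != [struct.pack("!I", SERVICE_CALL_CHECK)]:
        return ACCESS_REJECT
    mac = reveal_password(attrs[USER_PASSWORD][0], secret, authenticator).decode("ascii", "replace")
    if mac in known_macs and attrs[USER_NAME][0].decode("ascii", "replace") == mac:
        return ACCESS_ACCEPT
    return ACCESS_REJECT


if __name__ == "__main__":
    secret = b"radius-shared-secret"                        # constructed
    request = build_mab_request("00-10-23-AA-1F-38", secret, identifier=7)
    print("Access-Request:", request.hex())
    print("decision:", server_decision(request, secret, {"001023aa1f38"}))
```

The decision path shows the two caveats from the slide in code: the server needs a MAC database (known_macs), and the request only exists after the EAP timeout. It also shows the limitation the slide leaves implicit: everything the server checks is a MAC address, which any host on the segment can clone, so MAB should be paired with the FHS controls above rather than treated as authentication.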
Web Authentication
•  Alternative to 802.1X, typically meant for guest user authentication; does not require a supplicant
•  The client gets an IP address prior to authentication, then logs in over HTTP(S)
Local Web Authentication (LWA)
•  The authenticator hosts the web pages (login, login expiry, auth-success, auth-failure) and settings (max sessions, timeout, max fail attempts, TCP port, banner)
•  Separate method alongside 802.1X and MAB; RADIUS Service-Type: Outbound
•  The authenticator talks RADIUS to the RADIUS server
Central Web Authentication (CWA)
•  A central server (the RADIUS server with a web server, e.g. Cisco ISE) hosts the web pages and settings (max sessions, timeout, max fail attempts, TCP port)
•  802.1X/MAB is authorized with a redirect URL
•  Centralized administration
Private VLANs
•  Prevent node-to-node Layer 2 communication within the VLAN
   •  The promiscuous port (router port) talks to all other port types
   •  Isolated ports can only reach promiscuous ports
   •  Community ports can reach their own community and the promiscuous ports
•  DAD requires an ND proxy on the router, which prevents address conflicts between hosts that cannot see each other
•  Internet edge, data center: reduces the attack surface and malware propagation
•  Service provider: client/customer isolation
[Figure: community ports, an isolated port and the promiscuous port all connect to router R]
Summary - Key Takeaways
•  Gain operational experience now
•  Security enforcement is possible
•  Control IPv6 traffic as you would IPv4
•  "Poke" your providers
•  Lead your OT/LOBs onto the Internet
Fedv6tf-fhs

More Related Content

What's hot

Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
KHNOG
 
MPLS Concepts and Fundamentals
MPLS Concepts and FundamentalsMPLS Concepts and Fundamentals
MPLS Concepts and Fundamentals
Shawn Zandi
 
MPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label SwitchingMPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label Switching
Peter R. Egli
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
MohamedJafar5
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
NetProtocol Xpert
 
CCNP Switching Chapter 5
CCNP Switching Chapter 5CCNP Switching Chapter 5
CCNP Switching Chapter 5
Chaing Ravuth
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructure
Prince Gautam
 
MPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - BasicMPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - Basic
Ericsson
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
Anwesh Dixit
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching Commands
Eng. Emad Al-Atoum
 
VPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOMEVPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOME
networkershome
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
Vpc notes
Vpc notesVpc notes
Vpc notes
Krunal Shah
 
Spanning-Tree
Spanning-TreeSpanning-Tree
Spanning-Tree
Thomas Moegli
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)
Netwax Lab
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodings
Gunter Van de Velde
 
MPLS Presentation
MPLS PresentationMPLS Presentation
MPLS Presentation
Unni Kannan VijayaKumar
 
Technical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesTechnical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series Switches
Robb Boyd
 
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
Cisco Connect Halifax 2018   Understanding Cisco's next generation sd-wan sol...Cisco Connect Halifax 2018   Understanding Cisco's next generation sd-wan sol...
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
Cisco Canada
 

What's hot (20)

Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
 
MPLS Concepts and Fundamentals
MPLS Concepts and FundamentalsMPLS Concepts and Fundamentals
MPLS Concepts and Fundamentals
 
MPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label SwitchingMPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label Switching
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
Ether channel fundamentals
Ether channel fundamentalsEther channel fundamentals
Ether channel fundamentals
 
CCNP Switching Chapter 5
CCNP Switching Chapter 5CCNP Switching Chapter 5
CCNP Switching Chapter 5
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructure
 
MPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - BasicMPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - Basic
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching Commands
 
VPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOMEVPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOME
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
Vpc notes
Vpc notesVpc notes
Vpc notes
 
Spanning-Tree
Spanning-TreeSpanning-Tree
Spanning-Tree
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodings
 
MPLS Presentation
MPLS PresentationMPLS Presentation
MPLS Presentation
 
Technical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesTechnical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series Switches
 
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
Cisco Connect Halifax 2018   Understanding Cisco's next generation sd-wan sol...Cisco Connect Halifax 2018   Understanding Cisco's next generation sd-wan sol...
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
 

Similar to Fedv6tf-fhs

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
Swiss IPv6 Council
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
7 slaac-rick graziani
7 slaac-rick graziani7 slaac-rick graziani
7 slaac-rick graziani
Alejandro Reyes
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
Bangladesh Network Operators Group
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Digicomp Academy AG
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
Private
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
gogo6
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edge
Harold Wong
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Cisco Russia
 
18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf
YunLiu75
 
IPv6 SenD
IPv6 SenDIPv6 SenD
IPv6 SenD
rabdoul
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friends
Tim Martin
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
ernestlithur
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccnarobertoxe
 

Similar to Fedv6tf-fhs (20)

Tech f42
Tech f42Tech f42
Tech f42
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
7 slaac-rick graziani
7 slaac-rick graziani7 slaac-rick graziani
7 slaac-rick graziani
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
IPv6 DHCP
IPv6 DHCPIPv6 DHCP
IPv6 DHCP
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edge
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf
 
IPv6 SenD
IPv6 SenDIPv6 SenD
IPv6 SenD
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friends
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 

Recently uploaded

BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 

Recently uploaded (16)

BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 

Fedv6tf-fhs

  • 1. IPv6 Access SecurityTim Martin CCIE #2020 Solutions Architect 4 Nov. 2015
  • 2. Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved. Agenda •  Why IPv6, Why Now •  IPv6 Host Asignments •  IPv6 First Hop Security •  SeND •  802.1x •  Alternatives •  Summary
  • 3. Market Factors Driving IPv6 Adoption IPv6 IPv4 Address Depletion 2011 National IPv6 Strategies STEM Mandate Infrastructure Evolution 4G, DOCSIS 3.0, CGN IPv6 OS, Content & Applications Preferred by App’s & Content RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL
  • 4. IPv6 for the Enterprise in 2015 http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf
  • 5. Framing the Attack Surface •  Layer 2 tyipcally involves Ethernet (switches) or WiFi (controllers) links •  Security is only as strong as your weakest link •  When it comes to networking, layer 2 can be a relativley weak link Physical Links MAC Addresses IP Addresses Protocols/Ports Application Stream Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical Initial Compromise Compromised
  • 6. IPv6 Host Address Assingments
  • 7. IPv6 Host Portion Address Assignment Similar to IPv4 New in IPv6 Manually configured StateLess Address AutoConfiguration SLAAC EUI64 SLAAC Privacy Extensions Assigned via DHCPv6
  • 8. 00 90 27 ff fe 17 fc 0f OUI Device Identifier 00 90 27 17 fc 0f 02 90 27 ff fe 17 fc 0f 0000 00U0 U= 1 = Universel/unique 0 = Local/not unique U bit must be flipped ff fe 00 90 27 17 fc 0f
  • 9. IPv6 Privacy Extensions (RFC 4941) •  Generated on unique 802 using MD5, then stored for next iteration •  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux •  Temporary or Ephemeral addresses for client application (web browser) Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability) 2001 DB8 /32 /48 /64 Random Generated Interface ID 0000 1234
  • 10. Stable Interface ID Generation (RFC 7217) •  RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key) •  Generate IID’s that are Stable/Constant for Each Network Interface •  IID’s Change As Hosts Move From One Network to Another 10 Implementation of the RID is left to the OS Vendor and MAY differ between Client and Server 2001 DB8 /32 /48 /64 Random ID 0000 1234
  • 11. DHCPv6 DHCPv6 Server 2001:db8::feed:1 DHCPv6 Solicit •  Source – fe80::1234, Destination - ff02::1:2 •  Client UDP 546, Server UDP 547 •  Original Multicast Encapsulated in Unicast (Relay) •  DUID – Different from v4, used to identify clients •  ipv6 dhcp relay destination 2001:db8::feed:1 DHCPv6 Relay DHCPv6 Relay SOLICIT (any servers) ADVERTISE (want this address) REQUEST (I want that address) REPLY (It’s yours)
  • 12. Disabling Ephemeral Addressing
    •  Enable DHCPv6 via the M flag
    •  Disable auto configuration via the A bit in option 3 (Prefix Information)
    •  Set router preference to high
    •  Enable DHCPv6 relay
      interface FastEthernet0/0
       ipv6 address 2001:db8:1122:acc1::1/64
       ipv6 nd managed-config-flag
       ipv6 nd prefix default no-autoconfig
       ipv6 nd router-preference high
       ipv6 dhcp relay destination 2001:db8:add:cafe::1
  • 14. IPv4 Vulnerabilities & Countermeasures
    •  Port Security
    •  Catalyst Integrated Security Features (CISF)
    •  Dsniff – Dug Song
    •  Ettercap – SourceForge
  • 15. IPv6 Hacking Tools
    •  ARP is replaced by Neighbor Discovery Protocol
      •  Nothing authenticated
      •  Static entries overwritten by dynamic ones
    •  Stateless Address Autoconfiguration
      •  Rogue RA (malicious or not)
    •  Attack tools are real!
      •  Parasite6
      •  Fakerouter6
      •  Alive6
      •  Scapy6
      •  …
  • 16. IPv6 First Hop Security (FHS) – IPv6 Snooping
    •  RA Guard – protection against: rogue or malicious RA; MiM attacks
    •  DHCPv6 Guard – protection against: invalid DHCP offers; DoS attacks; MiM attacks
    •  Source/Prefix Guard – protection against: invalid source address; invalid prefix; source address spoofing
    •  Destination Guard – protection against: DoS attacks; scanning; invalid destination address
    •  RA Throttler – reduces the control traffic necessary for proper link operations to improve performance
    •  ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast
    (The slide groups these as Core Features, Advanced Features, and Scalability & Performance)
  • 17. Address Exhaustion – Parasite6
    •  Attacker hacks any victim's DAD attempts
    •  Victim will need manual intervention to configure an IP address
    Exchange: host A sends NS (Src = UNSPEC, Dst = solicited-node multicast of A, Data = A; query: does anybody use A?); attacker C answers with NA (Src = any of C's interface addresses, Dst = A, Option = link-layer address of C)
  • 18. Misconfiguration
    •  Admin/intern sends RAs with a false prefix
    •  Enthusiast who has a tunnel broker account
    •  The most frequent threat, by a non-malicious user
    Exchange: C sends RA (Src = C link-local address, Dst = all-nodes, Options = prefix BAD), received by hosts A and B
  • 19. Malicious Attack – Floodrouter6
    •  Flooding RAs overwhelms the system: OSX, MSFT, iPad/iPhone, Android
    Exchange: C floods RAs with prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6, … towards hosts A and B
    Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659), published February 11, 2014
  • 20. Malicious Attack – Fakerouter6
    •  Attacker spoofs a Router Advertisement with a false on-link prefix
    •  MITM, splash screen, capture
    Exchange: B sends RA (Src = B's link-local address, Dst = all-nodes, Options = prefix BAD), received by A and C
  • 21. IPv6 FHS – RA Guard
    •  Port ACL
      interface FastEthernet0/2
       ipv6 traffic-filter ACCESS_PORT in
      (ACCESS_PORT contains: deny icmp any any router-advertisement; the rest of the ACL is not shown on the slide)
    •  Feature based
      interface FastEthernet0/2
       ipv6 nd raguard
    •  Policy based
      ipv6 snooping policy HOST
       security-level guard
       limit address-count 2
       device-role node
      interface GigabitEthernet1/0/2
       ipv6 snooping attach-policy HOST
    (Figure: RAs are dropped on ports with the HOST/node device-role and accepted only on ports with the ROUTER device-role)
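An added example, not Cisco's code, that models the policy-based RA Guard above: it parses an ICMPv6 Router Advertisement and applies the port's device-role (node vs router), dropping RAs that carry a prefix outside an allowed list; the allowed-prefix list and the constructed test RA (checksum left at zero) are assumptions.

```python
import ipaddress
import struct

# Added example (not Cisco code): a minimal RA Guard check over a parsed ICMPv6
# Router Advertisement, applied per port device-role as in the snooping policy.
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

def parse_ra(icmpv6: bytes) -> dict:
    """Parse an RFC 4861 Router Advertisement and its Prefix Information options."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", icmpv6[5:8])   # M/O/Prf flags, router lifetime
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": (flags >> 3) & 0x3, "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmpv6):
        otype, olen = icmpv6[pos], icmpv6[pos + 1] * 8   # option length is in 8-byte units
        if olen == 0 or pos + olen > len(icmpv6):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen, pflags = icmpv6[pos + 2], icmpv6[pos + 3]
            prefix = ipaddress.IPv6Address(icmpv6[pos + 16:pos + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        pos += olen
    return ra

def ra_guard(port_role: str, src: str, icmpv6: bytes, allowed_prefixes) -> str:
    """'node' ports never accept RAs; 'router' ports accept only link-local sourced RAs
    whose prefixes are all in the allowed list. Returns 'permit' or 'drop'."""
    if port_role != "router":
        return "drop"
    if not ipaddress.IPv6Address(src).is_link_local:
        return "drop"                      # RFC 4861: an RA source must be link-local
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for p in parse_ra(icmpv6)["prefixes"]:
        if ipaddress.IPv6Network(p["prefix"]) not in allowed:
            return "drop"                  # rogue or misconfigured prefix (slides 18-20)
    return "permit"

def build_ra(prefix: str, managed=False, autonomous=True) -> bytes:
    """Constructed test vector: RA header (checksum left 0) plus one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)            # L and A bits
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed
```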
  • 22. IPv6 FHS – DHCPv6 Guard
    Prevents rogue DHCP responses from misleading the client (figure: the DHCP client sends a DHCP request; the legitimate DHCP server and a rogue host claiming "I am a DHCP server" both answer, and the rogue response is blocked)
  • 23. IPv6 FHS – Snooping
    •  Deep control packet inspection
    •  Address glean (ND, DHCP, data)
    •  Address watch
    •  Binding guard
    Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
    IPv6 Binding Table (RFC 6620), used by IPv6 Source Guard, IPv6 Destination Guard and Device Tracking:
      Intf     IPv6    MAC   VLAN  State
      g1/0/10  ::000A  001A  110   Active
      g1/0/11  ::001C  001C  110   Stale
      g1/0/16  ::001E  001E  200   Verifying
  • 24. IPv6 FHS – IPv6 Source Guard
    Mitigates address hijacking and ensures the proper prefix. Host A's address is learned via NDP or DHCPv6, and traffic claiming to be Host A (~Host A) is checked against the binding table:
      Intf     IPv6    MAC   VLAN  State
      g1/0/10  ::000A  001A  110   Active
      g1/0/11  ::001C  001C  110   Stale
      g1/0/16  ::001E  001E  200   Verifying
      g1/0/21  ::0021  0021  200   Active
  • 25. IPv6 Destination Guard
    •  Mitigates prefix-scanning attacks and protects the ND cache
    •  Drops packets for destinations without a binding entry
      Intf     IPv6    MAC   VLAN  State
      g1/0/10  ::0001  001A  110   Active
      g1/0/11  ::001C  001C  110   Stale
      g1/0/16  ::001E  001E  200   Verifying
    Lookup flow: table lookup, entry found? Yes → forward packet; No → drop
    (Figure: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; only 2001:db8::1 has a binding entry, so only it triggers an NS and is forwarded)
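An added example (not Cisco's implementation) modelling the binding table behind Source Guard (slide 24) and Destination Guard (slide 25) with the verdicts each feature gives; the entries follow the slide's table, but the full addresses and MACs are constructed and the optional prefix check is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco code: a toy IPv6 binding table (RFC 6620 style) with the
# Source Guard and Destination Guard checks described on slides 23-25.

@dataclass
class Binding:
    intf: str
    mac: str
    vlan: int
    state: str          # Active, Stale or Verifying, as in the slide's table

class BindingTable:
    def __init__(self):
        self.entries = {}   # IPv6Address -> Binding

    def glean(self, intf, ipv6, mac, vlan, state="Active"):
        """Address glean: learn or update an entry from ND, DHCPv6 or data traffic."""
        self.entries[ipaddress.IPv6Address(ipv6)] = Binding(intf, mac.lower(), vlan, state)

    def source_guard(self, intf, src, mac, vlan, allowed_prefix=None) -> str:
        """Forward only if (port, source address, MAC, VLAN) match a binding; the
        optional prefix check covers the 'ensures proper prefix' part of Source/Prefix Guard."""
        addr = ipaddress.IPv6Address(src)
        if allowed_prefix and addr not in ipaddress.IPv6Network(allowed_prefix):
            return "drop"           # source outside the link's prefix
        b = self.entries.get(addr)
        if b is None or (b.intf, b.mac, b.vlan) != (intf, mac.lower(), vlan):
            return "drop"           # address hijack or spoof (~Host A on slide 24)
        return "forward"

    def destination_guard(self, dst) -> str:
        """Drop packets to destinations with no binding: no NS is generated,
        so a prefix scan cannot fill the ND cache."""
        return "forward" if ipaddress.IPv6Address(dst) in self.entries else "drop"

def sample_table() -> BindingTable:
    """Constructed entries following the slide's table (full addresses and MACs made up)."""
    t = BindingTable()
    t.glean("g1/0/10", "2001:db8::a", "00:00:00:00:00:1a", 110, "Active")
    t.glean("g1/0/11", "2001:db8::1c", "00:00:00:00:00:1c", 110, "Stale")
    t.glean("g1/0/16", "2001:db8::1e", "00:00:00:00:00:1e", 200, "Verifying")
    return t
```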
  • 26. SeND
  • 27. Secure Neighbor Discovery – SeND (RFC 3756)
    •  Each device has an RSA key pair
    •  Ultra light check for validity
    (Figure: the CGA parameters, Modifier, Subnet Prefix and Public Key, are hashed with SHA-1 to form the Interface Identifier of the Cryptographically Generated Address under the Subnet Prefix; the private key produces the Signature carried in SeND messages)
  • 28. SeND Operation
    Parties: router R, host, Certificate Authority CA0 with certificate C0 (trusted by the host)
    1. R sends a router certificate request to CA0
    2. CA0 issues the router certificate CR
    3. R sends a Router Advertisement
    4. Host sends a Certificate Path Solicit (CPS): I trust CA0, who are you?
    5. R answers with a Certificate Path Advertise (CPA): I am R, this is my certificate CR
    6. Host verifies CR against CA0
    7. Host starts using R as default gateway
  • 29. SeND OS Support
    •  Microsoft Windows 7 or Server 2008
      •  No native supplicant
      •  TrustRouter application (not NA/NS)
      •  WinSEND application works with all NDP traffic
    •  Apple Mac
      •  No native supplicant
      •  TrustRouter application (not NA/NS)
    •  Linux and/or Unix
      •  Easy-SEND
      •  ND-Protector
      •  IPv6-Send-CGA
  • 31. Fundamentals of 802.1X
    Supplicant <- 802.1X over Ethernet / WLAN -> Authenticator <- RADIUS over IP / Layer 3 -> Authentication Server -> Identity Store
    •  Supplicant: Windows native, Apple OSX native, Cisco AnyConnect, Open1X
    •  Authenticator: Ethernet switch, router, wireless controller, access point
    •  Authentication Server: Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server
    •  Identity Store: Active Directory, token server, OpenLDAP
  • 32. Fundamentals of 802.1X (continued)
    Supplicant <- 802.1X over Ethernet / WLAN -> Authenticator <- RADIUS over IP / Layer 3 -> Authentication Server -> Identity Store
    •  Supplicant to authenticator: EAP carried in 802.1X; EAP: EAP-Response-Identity, then credentials (certificate / password / token)
    •  Authenticator to authentication server: EAP carried in RADIUS: Access-Request with RADIUS Service-Type: Framed
    EAP: Extensible Authentication Protocol
  • 33. Fundamentals of 802.1X (continued)
    •  Authentication server to authenticator: RADIUS: Access-Accept [+ authorization attributes]
    •  Authenticator to supplicant: EAP: EAP-Success over 802.1X; the port becomes Port-Authorized
    •  If authentication fails, the port remains Port-Unauthorized
    EAP: Extensible Authentication Protocol
  • 34. Three proven deployment scenarios
    •  Authentication without access control
    •  Minimal impact to users and the network
    •  Highly secure, good for logical isolation
  • 36. MAC Authentication Bypass (MAB)
    Endpoints without a supplicant will fail 802.1X authentication! Bypassing "known" MAC addresses:
    1. Authenticator sends EAPoL: EAP Request Identity three times, with no 802.1X response from the endpoint
    2. 802.1X timeout
    3. Endpoint sends any packet (source MAC 00-10-23-AA-1F-38)
    4. Authenticator sends RADIUS: Access-Request with RADIUS Service-Type: Call-Check and AVP: 00-10-23-AA-1F-38 to the authentication server
    5. Authentication server answers RADIUS: Access-Accept
    MAB requires a MAC database | MAB may cause delayed network access due to the EAP timeout
  • 37. Web Authentication
    •  Secure alternative to 802.1X
    •  Typically meant for guest user authentication
    •  Doesn't require a supplicant
    Local Web Authentication (LWA):
      •  IP address prior to authentication
      •  Authenticator hosts the web pages (login, login expiry, auth-success, auth-failure); settings: max sessions, timeout, max fail attempts, banner, etc.
      •  Separate method like .1X & MAB; RADIUS Service-Type: Outbound
      •  Flow: endpoint <- HTTP(S) -> authenticator (LAN) <- RADIUS -> RADIUS server
    Central Web Authentication (CWA):
      •  IP address prior to authentication
      •  Central server (Cisco ISE web server) hosts the web pages (login, login expiry, auth-success, auth-failure, etc.); settings: max sessions, timeout, max fail attempts, TCP port, etc.
      •  .1X / MAB is authorized with a URL
      •  Centralized administration
      •  Flow: endpoint <- HTTP(S) -> RADIUS server / Cisco ISE web server, with the authenticator (LAN) using RADIUS
  • 38. Private VLANs
    •  Prevent node-to-node Layer-2 communication
      •  Promiscuous (router port) talks to all other port types
      •  Isolated port can only contact promiscuous port(s)
      •  Community ports can contact their group and promiscuous port(s)
    •  DAD ND Proxy
      •  Prevents address conflicts
    •  Internet Edge, Data Center
      •  Reducing attack surface, malware propagation
    •  Service Provider
      •  Client/customer isolation
    (Figure: community ports, an isolated port and a promiscuous port facing router R)
  • 40. Key Take Away
    §  Gain operational experience now
    §  Security enforcement is possible
    §  Control IPv6 traffic as you would IPv4
    §  “Poke” your providers
    §  Lead your OT/LOBs into the Internet