IPv6 access security provides three main methods for securing first hop connections: IPv6 first hop security, secure neighbor discovery, and 802.1x authentication. These methods help protect against spoofing, man-in-the-middle attacks, and denial of service attacks on IPv6 networks.
For a basic VRF configuration, follow these steps:
1. Enter VRF configuration mode and assign a VRF name:
   Router(config)# ip vrf vrf-name
2. Create a VPN route distinguisher (RD) in one of the two formats explained above, 16bit-ASN:32bit-number or 32bitIP:16bit-number:
   Router(config-vrf)# rd route-distinguisher
3. Create a list of import and/or export route target communities for the specified VRF:
   Router(config-vrf)# route-target {import | export | both} route-distinguisher
4. (Optional) Associate the specified route map with the VRF:
   Router(config-vrf)# import map route-map
Overview of the MPLS backbone transmission technology.
MPLS (Multiprotocol Label Switching) is a layer 2.5 technology that combines the virtues of IP routing and fast layer 2 packet switching.
IP packet forwarding is not suited for high-speed forwarding due to the need to evaluate multiple routes for each IP packet in order to find the optimal route, i.e. the route with the longest prefix match.
However, Internet Protocol routing provides global reachability through the IP address and through IP routing protocols like BGP or OSPF.
Layer 2 packet switching has complementary characteristics in that it does not provide global reachability through globally unique addresses but allows fast packet forwarding in hardware through the use of small and direct layer 2 lookup addresses.
MPLS combines IP routing and layer 2 switching by establishing layer 2 forwarding paths based on routes received through IP routing protocols like BGP or OSPF.
Thus the control plane of an MPLS capable device establishes layer 2 forwarding paths while the data plane then performs packet forwarding, often in hardware.
MPLS is not a layer 2 technology itself, i.e. it does not define a layer 2 protocol but rather makes use of existing layer 2 technologies like Ethernet, ATM or Frame Relay.
Tutorial about MPLS implementation with Cisco routers. This first of two chapters discusses what MPLS is, network design, P, PE and CE router descriptions, a case study of an IP MPLS implementation, and IP and OSPF routing configuration.
NAT (network address translation) & PAT (port address translation) - Netwax Lab
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.
Many network operators still struggle with which type of data-plane encoding they should use for segment routing. The world is hyper-connected and we can’t afford to be late to deliver 5G. Using IPv4, IPv6 and MPLS data-plane encoding keeps us moving forward.
Technical Overview of Cisco Catalyst 9200 Series Switches - Robb Boyd
TechWiseTV's Cisco Container Platform live workshop took place on July 18th.
For the first time in the industry, a single family of fixed, stackable, and modular switches are running on the same IOS-XE operating system along with a common ASIC.
Cisco’s Catalyst 9200 rounds out the lower end of its incredible Catalyst 9000 family of switches. The 9200 is designed for small, medium, and branch deployments, providing greater modularity, redundancy, and stackability than the Catalyst 2960 it replaces.
The monthly events held in cooperation with the Swiss IPv6 Council cover various technical topics in IPv6.
The talk by Jen Linkova on 30 November 2015 was devoted to the Neighbor Discovery protocol, a key mechanism for establishing connections between IPv6 nodes and LANs. In her presentation the speaker focused on the technical details of the design, the implementation, and security aspects.
We are pleased to make the presentation available for viewing and download. Do you have feedback on the event? We look forward to your opinion.
You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G... - gogo6
gogo6 IPv6 Video Series. Event, presentation and speaker details below:
EVENT
gogoNET LIVE! 4: IPv6 & The Internet of Things. http://gogonetlive.com
November 12 – 14, 201, Silicon Valley, California
Agenda: http://gogonetlive.com/gogonetlive4-agenda.asp
PRESENTATION
IoT Field Area Network Solutions & Integration of IPv6 Standards
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogolive-integration-of-ipv4-and-non-ip
Presentation video: http://www.gogo6.com/video/iot-field-area-network-solutions-integration-of-ipv6-standards-by
Interview video: http://www.gogo6.com/video/interview-with-carsten-bormann-at-gogonet-live-4-ipv6-iot-confere
SPEAKER
Patrick Grossetete - Technical Marketing Engineer (IoT), Cisco
Bio/Profile: http://www.gogo6.com/profile/PatrickGrossetete
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te... - Louis Göhl
Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. Wireless Communication System_Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
ER (Entity Relationship) Diagram for online shopping - TAE - Himani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
4. IPv6 for the Enterprise in 2015
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf
5. Framing the Attack Surface
• Layer 2 typically involves Ethernet (switches) or WiFi (controllers) links
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a relatively weak link
[Diagram: two OSI stacks (Physical, Data Link, Network, Transport, Session, Presentation, Application) side by side; the links between them are labelled Physical Links, MAC Addresses, IP Addresses, Protocols/Ports and Application Stream; an Initial Compromise on one host leads to the other host being Compromised]
7. IPv6 Host Portion Address Assignment
Similar to IPv4: manually configured; assigned via DHCPv6
New in IPv6: Stateless Address Autoconfiguration (SLAAC with EUI-64; SLAAC with Privacy Extensions)
8. EUI-64
MAC address: 00 90 27 17 fc 0f (OUI 00 90 27, device identifier 17 fc 0f)
Insert ff fe between the OUI and the device identifier: 00 90 27 ff fe 17 fc 0f
The U bit of the first octet (0000 00U0; 1 = universal/unique, 0 = local/not unique) must be flipped: 02 90 27 ff fe 17 fc 0f
9. IPv6 Privacy Extensions (RFC 4941)
• Generated from the unique 802 identifier using MD5, then stored for the next iteration
• Enabled by default in Windows, Android, iOS, Mac OS X, Linux
• Temporary or ephemeral addresses for client applications (web browser)
Recommendation: good for the mobile user, but not for your organization/corporate networks (troubleshooting and accountability)
[Address layout: 2001:db8:0000:1234 (/32, /48 and /64 boundaries) followed by a randomly generated interface ID]
10. Stable Interface ID Generation (RFC 7217)
• RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key)
• Generate IIDs that are stable/constant for each network interface
• IIDs change as hosts move from one network to another
Implementation of the RID is left to the OS vendor and MAY differ between client and server
[Address layout: 2001:db8:0000:1234 (/32, /48 and /64 boundaries) followed by a random ID]
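The three interface-identifier schemes of slides 8, 9 and 10 side by side, as an added example (not code from the deck or from any OS vendor): modified EUI-64 with the flipped U bit, one RFC 4941 MD5 iteration for a temporary IID, and an RFC 7217 style stable IID. RFC 7217 does not fix the pseudo-random function, so HMAC-SHA-256 is an assumed choice; the MAC address is the one from slide 8, and the secret key and interface name are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Tuple

# Constructed sample input: the MAC address used on slide 8 of the deck.
SAMPLE_MAC = "00:90:27:17:fc:0f"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    Split the 48-bit MAC into OUI and device identifier, insert ff:fe
    between them and flip the universal/local bit (0000 00U0 of the
    first octet), as slide 8 shows."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def iid_to_str(iid: bytes) -> str:
    """Render an 8-byte interface identifier as four 16-bit hex groups."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def temporary_iid(history: bytes, eui64: bytes) -> Tuple[bytes, bytes]:
    """One RFC 4941 iteration (slide 9): MD5(history || EUI-64).

    The leftmost 64 bits, with the u/l bit cleared, become the next
    temporary IID; the rightmost 64 bits are stored as the history
    value for the next iteration."""
    digest = hashlib.md5(history + eui64).digest()
    iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    return iid, digest[8:]


def stable_iid(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 style stable IID (slide 10): F(Prefix, Net_Iface, DAD_Counter, secret_key).

    RFC 7217 leaves the PRF F to the implementer; HMAC-SHA-256 is the
    assumed choice here. The result is constant for one (prefix, interface)
    pair and changes when the host moves to another prefix."""
    prefix8 = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    msg = prefix8 + net_iface.encode() + dad_counter.to_bytes(4, "big")
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def build_address(prefix: str, iid: bytes) -> str:
    """Concatenate a /64 prefix with an 8-byte interface identifier."""
    prefix8 = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix8 + iid))


if __name__ == "__main__":
    eui = mac_to_modified_eui64(SAMPLE_MAC)
    print("EUI-64:   ", build_address("2001:db8::/64", eui))
    # RFC 4941 seeds the history with a random value; zeros here for reproducibility.
    tmp, hist = temporary_iid(bytes(8), eui)
    print("Temporary:", build_address("2001:db8::/64", tmp))
    key = b"constructed-per-host-secret"   # constructed secret_key
    print("Stable:   ", build_address("2001:db8::/64", stable_iid("2001:db8::/64", "eth0", 0, key)))
```

The EUI-64 address is what makes a host trackable across networks (the same IID everywhere), the temporary IID is what the deck recommends against in corporate networks, and the stable IID keeps the accountability of a fixed per-link address without leaking the MAC.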
11. DHCPv6
• DHCPv6 server at 2001:db8::feed:1, reached through a DHCPv6 relay
• DHCPv6 Solicit: Source – fe80::1234, Destination – ff02::1:2
• Client UDP 546, Server UDP 547
• Original multicast encapsulated in unicast (relay)
• DUID – different from v4, used to identify clients
• ipv6 dhcp relay destination 2001:db8::feed:1
Exchange:
SOLICIT (any servers?)
ADVERTISE (want this address?)
REQUEST (I want that address)
REPLY (It's yours)
12. Disabling Ephemeral Addressing
• Enable DHCPv6 via the M flag
• Disable autoconfiguration via the A bit in option 3
• Set the router preference to high
• Enable DHCPv6 relay
interface FastEthernet 0/0
 ipv6 address 2001:db8:1122:acc1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:add:cafe::1
14. IPv4 Vulnerabilities & Countermeasures
• Catalyst Integrated Security Features (CISF)
• Dsniff – Dug Song
• Ettercap – SourceForge
• Port Security
15. IPv6 Hacking Tools
• ARP is replaced by Neighbor Discovery Protocol
  • Nothing authenticated
  • Static entries overwritten by dynamic ones
• Stateless Address Autoconfiguration
  • Rogue RA (malicious or not)
• Attack tools are real!
  • Parasite6
  • Fakerouter6
  • Alive6
  • Scapy6
  • …
16. IPv6 Snooping – IPv6 First Hop Security (FHS)
Core features:
• RA Guard – protection against rogue or malicious RAs and MiM attacks
• DHCPv6 Guard – protection against invalid DHCP offers, DoS attacks and MiM attacks
• Source/Prefix Guard – protection against invalid source addresses, invalid prefixes and source address spoofing
• Destination Guard – protection against DoS attacks, scanning and invalid destination addresses
Advanced features:
• RA Throttler – reduces the control traffic necessary for proper link operations to improve performance
Scalability & performance:
• ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast
17. Address Exhaustion – Parasite6
• Attacker hijacks any victim's DAD attempts
• Victim will need manual intervention to configure an IP address
Exchange (A is the victim, C the attacker, B another host on the link):
A sends NS: Src = UNSPEC, Dst = solicited-node multicast of A, Data = A (query: does anybody use A?)
C answers NA: Src = any of C's interface addresses, Dst = A, Option = link-layer address of C
18. Misconfiguration
• Admin/intern sends RAs with a false prefix
• Enthusiast who has a tunnel broker account
• The most frequent threat, by a non-malicious user
Diagram: host C sends an RA to A and B – Src = C's link-local address, Dst = all-nodes, Options = prefix BAD
19. Malicious Attack – Floodrouter6
• Flooding RAs overwhelms the system: OS X, MSFT, iPad/iPhone, Android
Diagram: attacker C floods hosts A and B with RAs carrying prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6, …
Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659), published February 11, 2014
20. Malicious Attack – Fakerouter6
• Attacker spoofs a Router Advertisement with a false on-link prefix
• MITM, splash screen, capture
Diagram: attacker B sends an RA to A and C – Src = B's link-local address, Dst = all-nodes, Options = prefix BAD
21. IPv6 FHS – RA Guard
• Port ACL
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
  (ACCESS_PORT contains: deny icmp any any router-advertisement)
• Feature based
  interface FastEthernet0/2
   ipv6 nd raguard
• Policy based
  ipv6 snooping policy HOST
   security-level guard
   limit address-count 2
   device-role node
  interface GigabitEthernet1/0/2
   ipv6 snooping attach-policy HOST
Diagram: RAs arriving on ports with device-role HOST are blocked; RAs from the port with device-role ROUTER are allowed
22. IPv6 FHS – DHCPv6 Guard
Prevent rogue DHCP responses from misleading the client
Diagram: the DHCP client sends a DHCP request; the legitimate DHCP server and a rogue host both answer "I am a DHCP server"; DHCPv6 Guard blocks the rogue response
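The policy-based RA Guard of slide 21 and the DHCPv6 Guard of slide 22 come down to one rule: a port whose snooping policy says device-role node may never originate a Router Advertisement or a DHCPv6 server reply. The following added example (not the deck's code and not Cisco's implementation) models that rule over constructed frames; the FirstHopGuard switch, the Frame view and the port names are assumptions, and only the guard security level is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Protocol constants: ICMPv6 Router Advertisement type (RFC 4861) and the
# DHCPv6 server-to-client message types and client port (RFC 8415; slide 11).
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_SOLICITATION = 135
DHCPV6_ADVERTISE = 2
DHCPV6_REPLY = 7
DHCPV6_CLIENT_PORT = 546


@dataclass
class SnoopingPolicy:
    """Mirrors the 'ipv6 snooping policy' of slide 21."""
    name: str
    device_role: str                 # "node" (HOST) or "router" (ROUTER)
    security_level: str = "guard"    # only "guard" is modelled here
    limit_address_count: int = 2     # recorded for completeness, not enforced here


@dataclass
class Frame:
    """Constructed, minimal view of a frame as the switch sees it."""
    port: str
    src: str
    icmpv6_type: int = 0             # 0: not ICMPv6
    dhcpv6_type: int = 0             # 0: not DHCPv6
    udp_dst_port: int = 0


@dataclass
class FirstHopGuard:
    """Hypothetical switch: attaches policies to ports and filters frames."""
    policies: Dict[str, SnoopingPolicy] = field(default_factory=dict)
    attached: Dict[str, str] = field(default_factory=dict)   # port -> policy name
    log: List[str] = field(default_factory=list)

    def attach_policy(self, port: str, policy: SnoopingPolicy) -> None:
        self.policies[policy.name] = policy
        self.attached[port] = policy.name

    def decide(self, f: Frame) -> Tuple[str, str]:
        """Return (action, reason). A port without a guard policy is unprotected."""
        policy = self.policies.get(self.attached.get(f.port, ""))
        if policy is None or policy.security_level != "guard":
            action = ("permit", "no guard policy on port")
        elif policy.device_role == "node" and f.icmpv6_type == ICMPV6_ROUTER_ADVERTISEMENT:
            # RA Guard: hosts never send RAs, so rogue or misconfigured RAs stop here.
            action = ("drop", "RA Guard: router advertisement from device-role node")
        elif (policy.device_role == "node"
              and f.dhcpv6_type in (DHCPV6_ADVERTISE, DHCPV6_REPLY)
              and f.udp_dst_port == DHCPV6_CLIENT_PORT):
            # DHCPv6 Guard: only a router/server-facing port may answer clients.
            action = ("drop", "DHCPv6 Guard: server reply from device-role node")
        else:
            action = ("permit", "allowed by policy %s" % policy.name)
        self.log.append("%s %s %s: %s" % (f.port, f.src, action[0], action[1]))
        return action


def run_sample() -> List[Tuple[str, str]]:
    """Replay constructed frames through a switch with the HOST policy on an
    access port, a ROUTER policy on the uplink and one unprotected port."""
    switch = FirstHopGuard()
    switch.attach_policy("GigabitEthernet1/0/2", SnoopingPolicy("HOST", "node"))
    switch.attach_policy("GigabitEthernet1/0/24", SnoopingPolicy("ROUTER", "router"))
    frames = [
        Frame("GigabitEthernet1/0/2", "fe80::bad:1", icmpv6_type=ICMPV6_ROUTER_ADVERTISEMENT),   # RA from a host port
        Frame("GigabitEthernet1/0/24", "fe80::1", icmpv6_type=ICMPV6_ROUTER_ADVERTISEMENT),      # RA from the real router
        Frame("GigabitEthernet1/0/2", "fe80::bad:1", dhcpv6_type=DHCPV6_ADVERTISE,
              udp_dst_port=DHCPV6_CLIENT_PORT),                                                   # rogue DHCPv6 answer
        Frame("GigabitEthernet1/0/2", "fe80::1234", icmpv6_type=ICMPV6_NEIGHBOR_SOLICITATION),  # normal host ND
        Frame("GigabitEthernet1/0/3", "fe80::bad:2", icmpv6_type=ICMPV6_ROUTER_ADVERTISEMENT),   # no policy attached
    ]
    return [switch.decide(f) for f in frames]


if __name__ == "__main__":
    for action, reason in run_sample():
        print(action, "-", reason)
```

The last frame is the check a practitioner wants: an RA on a port with no policy attached is permitted, which is why the deck attaches the policy per interface and not just defines it.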
23. IPv6 FHS – Snooping
• Deep control packet inspection
• Address glean (ND, DHCP, data)
• Address watch
• Binding guard
Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the binding table to ensure rogue users cannot spoof or steal addresses.
IPv6 Binding Table (RFC 6620):
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.
24. IPv6 FHS – IPv6 Source Guard
Mitigates address hijacking, ensures proper prefix
IPv6 Binding Table:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active
Diagram: a node claiming Host A's address (~Host A) via NDP or DHCPv6 is checked against the binding table entry of the real Host A
25. IPv6 Destination Guard
• Mitigate prefix-scanning attacks and protect the ND cache
• Drops packets for destinations without a binding entry
IPv6 Binding Table:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::0001  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
Diagram: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; for each destination the binding table is looked up – found: forward the packet (NS sent for 2001:db8::1); not found: drop
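Slides 23 to 25 all revolve around the binding table, so one added example (not the deck's code and not Cisco's implementation) shows the two checks built on it: Source Guard comparing a frame's (port, MAC, address) triple with the learned binding, and Destination Guard refusing to resolve addresses that were never learned. The table rows are constructed from the deck's abbreviated entries (full addresses and MACs are assumed), and the prefix check in learn() stands in for Prefix Guard.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the IPv6 binding table shown on slides 23 to 25."""
    intf: str
    ipv6: str
    mac: str
    vlan: int
    state: str          # Active, Stale or Verifying, as in the deck


class BindingTable:
    """Binding table populated by IPv6 snooping (ND, DHCPv6 and data gleaning)."""

    def __init__(self, prefix: str) -> None:
        self.prefix = ipaddress.IPv6Network(prefix, strict=False)
        self._rows: Dict[ipaddress.IPv6Address, Binding] = {}

    def learn(self, b: Binding) -> None:
        # Prefix Guard: an address outside the link's prefix is never installed.
        addr = ipaddress.IPv6Address(b.ipv6)
        if addr not in self.prefix:
            raise ValueError("%s is not inside %s (prefix guard)" % (b.ipv6, self.prefix))
        self._rows[addr] = b

    def lookup(self, ipv6: str) -> Optional[Binding]:
        return self._rows.get(ipaddress.IPv6Address(ipv6))


def source_guard(table: BindingTable, intf: str, src_mac: str, src_ip: str) -> Tuple[str, str]:
    """IPv6 Source Guard (slide 24): forward data only from (port, MAC, address)
    triples the binding table has learned; anything else is spoofing or hijacking."""
    if ipaddress.IPv6Address(src_ip) not in table.prefix:
        return "drop", "source %s outside prefix %s" % (src_ip, table.prefix)
    b = table.lookup(src_ip)
    if b is None:
        return "drop", "no binding for %s" % src_ip
    if b.intf != intf or b.mac.lower() != src_mac.lower():
        return "drop", "%s is bound to %s/%s, not %s/%s" % (src_ip, b.intf, b.mac, intf, src_mac)
    return "permit", "binding matches (%s)" % b.state


def destination_guard(table: BindingTable, dst_ip: str) -> Tuple[str, str]:
    """IPv6 Destination Guard (slide 25): resolve (send NS) only for destinations
    with a binding entry, so a prefix scan cannot fill the router's ND cache."""
    b = table.lookup(dst_ip)
    if b is None:
        return "drop", "no binding for %s, no NS sent" % dst_ip
    return "forward", "NS to %s on %s" % (dst_ip, b.intf)


def sample_table() -> BindingTable:
    """Constructed table based on the deck's rows (full addresses and MACs are assumed)."""
    t = BindingTable("2001:db8::/64")
    t.learn(Binding("g1/0/10", "2001:db8::a", "00:00:00:00:00:1a", 110, "Active"))
    t.learn(Binding("g1/0/11", "2001:db8::1c", "00:00:00:00:00:1c", 110, "Stale"))
    t.learn(Binding("g1/0/16", "2001:db8::1e", "00:00:00:00:00:1e", 200, "Verifying"))
    return t


if __name__ == "__main__":
    t = sample_table()
    print(source_guard(t, "g1/0/10", "00:00:00:00:00:1a", "2001:db8::a"))   # the real Host A
    print(source_guard(t, "g1/0/21", "00:00:00:00:00:21", "2001:db8::a"))   # ~Host A on another port
    for last in ("1", "2", "3", "4"):
        print(destination_guard(t, "2001:db8::" + last))
```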
27. Secure Neighbor Discovery – SeND (RFC 3756)
• Each device has an RSA key pair
• Ultra light check for validity
Diagram: the CGA parameters (modifier, subnet prefix, public key) are hashed with SHA-1 to produce the interface identifier; subnet prefix + interface identifier form the cryptographically generated address; SeND messages carry the CGA params and a signature made with the private key
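The "ultra light check" of slide 27 is the CGA verification of RFC 3972: a receiver hashes the CGA parameters it was sent and compares the result with the sender's interface identifier, with no certificate needed. The added example below (not the deck's code and not any SeND implementation) carries out generation and verification, including the Hash2 search that makes higher sec values costly to brute-force. The public key is a constructed byte string standing in for the DER-encoded RSA key, since the algorithm only hashes bytes; the signature over SeND messages is out of scope here.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed stand-in for the DER-encoded RSA public key that a real CGA
# hashes; the algorithm only sees bytes, so any byte string demonstrates it.
SAMPLE_PUBLIC_KEY = b"constructed-rsa-public-key-bytes-for-demo-only"

CgaParams = Tuple[bytes, bytes, int, bytes]   # (modifier, subnet prefix, collision count, public key)


def _hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero octets || public key); its leftmost
    16*sec bits must be zero. For sec = 0 there is nothing to check."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return int.from_bytes(digest, "big") >> (112 - 16 * sec) == 0


def _hash1_iid(modifier: bytes, prefix8: bytes, collision_count: int, public_key: bytes, sec: int) -> bytes:
    """Hash1 = SHA-1(modifier || prefix || collision count || public key), leftmost
    64 bits; then bits 0-2 := sec and the u and g bits (bits 6 and 7) := 0."""
    h = hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + public_key).digest()[:8]
    first = (h[0] & 0b00011100) | (sec << 5)
    return bytes([first]) + h[1:]


def cga_generate(prefix: str, public_key: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None) -> Tuple[str, CgaParams]:
    """Generate a CGA inside the given /64 (RFC 3972 section 4); returns (address, params)."""
    if not 0 <= sec <= 7:
        raise ValueError("sec must be 0..7")
    prefix8 = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Steps 2-3: increment the modifier until Hash2 satisfies the sec condition.
    while not _hash2_ok(modifier, public_key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    collision_count = 0   # incremented (up to 2) only after DAD reports a collision
    iid = _hash1_iid(modifier, prefix8, collision_count, public_key, sec)
    return str(ipaddress.IPv6Address(prefix8 + iid)), (modifier, prefix8, collision_count, public_key)


def cga_sec(address: str) -> int:
    """The sec value encoded in the three leftmost bits of the interface identifier."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def cga_verify(address: str, params: CgaParams) -> bool:
    """Verify an address against CGA parameters (RFC 3972 section 5): the check
    a SeND receiver runs before trusting that the sender owns the address."""
    modifier, prefix8, collision_count, public_key = params
    if len(modifier) != 16 or collision_count > 2:
        return False
    packed = ipaddress.IPv6Address(address).packed
    if packed[:8] != prefix8:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = _hash1_iid(modifier, prefix8, collision_count, public_key, sec)
    # Bits 0-2 (sec) and 6-7 (u/g) of the IID are ignored in the comparison.
    if (expected[0] & 0b00011100) != (iid[0] & 0b00011100) or expected[1:] != iid[1:]:
        return False
    return _hash2_ok(modifier, public_key, sec)


if __name__ == "__main__":
    addr, params = cga_generate("2001:db8::/64", SAMPLE_PUBLIC_KEY, sec=1)
    print(addr, "sec =", cga_sec(addr), "verifies:", cga_verify(addr, params))
    print("same address, other key:", cga_verify(addr, (params[0], params[1], params[2], b"other-key")))
```

Verification is a handful of SHA-1 operations, whereas generating a colliding address for a given public key at sec = 1 costs on the order of 2^16 hashes per attempt and grows by 2^16 with each step of sec; that asymmetry is what makes the check both cheap and meaningful.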
28. SeND Operation
Participants: router R, host, certificate authority CA0 (certificate C0)
1. Router certificate request from R to CA0
2. Router certificate CR issued
3. Certificate Path Solicit (CPS) from the host: I trust CA0, who are you?
4. Certificate Path Advertise (CPA) from R: I am R, this is my certificate CR
5. Router Advertisement
6. Verify CR against CA0
7. Start using R as default gateway
29. SeND OS Support
• Microsoft Windows 7 or Server 2008
  • No native supplicant
  • TrustRouter application (not NA/NS)
  • WinSEND application works with all NDP traffic
• Apple Mac
  • No native supplicant
  • TrustRouter application (not NA/NS)
• Linux and/or Unix
  • Easy-SEND
  • ND-Protector
  • IPv6-Send-CGA
31. Fundamentals of 802.1X
Supplicant: Windows native, Apple OS X native, Cisco AnyConnect, Open1X
  (802.1X over Ethernet / WLAN between supplicant and authenticator)
Authenticator: Ethernet switch, router, wireless controller, access point
  (RADIUS over IP / Layer 3 between authenticator and authentication server)
Authentication Server: Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server
Identity Store: Active Directory, token server, OpenLDAP
33. Fundamentals of 802.1X
Supplicant (802.1X / EAP) Authenticator (RADIUS over IP / Layer 3) Authentication Server, backed by the Identity Store
Success: EAP: EAP-SUCCESS and RADIUS: ACCESS-ACCEPT [+ authorization attributes] – port-authorized
If authentication fails: port-unauthorized
EAP: Extensible Authentication Protocol
34. Three Proven Deployment Scenarios
• Authentication without access control
• Minimal impact to users and the network
• Highly secure, good for logical isolation
36. MAC Authentication Bypass (MAB)
Bypassing "known" MAC addresses: endpoint 00-10-23-AA-1F-38, authenticator, authentication server on the LAN
1. EAPoL: EAP Request Identity (sent three times, nobody answers)
2. 802.1X timeout
3. Any packet from the endpoint triggers RADIUS: ACCESS-REQUEST, Service-Type: Call-Check, AVP: 00-10-23-AA-1F-38
4. RADIUS: ACCESS-ACCEPT
Endpoints without a supplicant will fail 802.1X authentication!
MAB requires a MAC database | MAB may cause delayed network access due to EAP timeout
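The port behaviour of slides 33 and 36 as an added example (not the deck's code and not any vendor's implementation): an authenticator port sends three EAP Request-Identity frames, a supplicant that answers is authenticated against the user store, and a silent endpoint falls through the 802.1X timeout into MAB, where its MAC address is looked up with Service-Type Call-Check. The AuthenticationServer, Endpoint and AuthenticatorPort classes, the user credentials and the retry count are assumptions; the MAC in the database is the one shown on slide 36.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EAP_IDENTITY_REQUESTS = 3   # three EAPoL Request-Identity attempts as drawn on slide 36 (assumed retry count)


@dataclass
class AuthenticationServer:
    """Constructed RADIUS server: a user store for 802.1X and a MAC database for MAB."""
    users: Dict[str, str]
    mac_database: Set[str]

    def access_request(self, service_type: str, username: str, password: Optional[str] = None) -> str:
        if service_type == "Call-Check":
            # MAB: the endpoint MAC travels as the username attribute (slide 36).
            accept = username.lower() in {m.lower() for m in self.mac_database}
        else:
            accept = self.users.get(username) == password
        return "ACCESS-ACCEPT" if accept else "ACCESS-REJECT"


@dataclass
class Endpoint:
    mac: str
    supplicant: Optional[Tuple[str, str]] = None   # (username, password) if a supplicant answers EAP


@dataclass
class AuthenticatorPort:
    """Switch port running 802.1X with optional MAB fallback."""
    server: AuthenticationServer
    mab_enabled: bool = True
    state: str = "Port-Unauthorized"
    log: List[str] = field(default_factory=list)

    def connect(self, ep: Endpoint) -> Tuple[str, str]:
        """Return (port state, method that decided it)."""
        self.state = "Port-Unauthorized"
        for attempt in range(1, EAP_IDENTITY_REQUESTS + 1):
            self.log.append("EAPoL: EAP Request Identity (%d)" % attempt)
            if ep.supplicant is not None:
                user, pw = ep.supplicant
                result = self.server.access_request("Framed", user, pw)
                self.log.append("RADIUS: %s" % result)
                if result == "ACCESS-ACCEPT":
                    self.state = "Port-Authorized"
                    self.log.append("EAP: EAP-SUCCESS")
                else:
                    self.log.append("EAP: EAP-FAILURE")
                return self.state, "802.1X"
        # No supplicant answered: this wait is the delayed access the deck warns about.
        self.log.append("802.1X timeout: no supplicant answered")
        if not self.mab_enabled:
            return self.state, "802.1X"
        # MAB: the next data packet from the endpoint supplies its MAC address.
        self.log.append("Any packet from %s -> RADIUS ACCESS-REQUEST Service-Type=Call-Check" % ep.mac)
        result = self.server.access_request("Call-Check", ep.mac)
        self.log.append("RADIUS: %s" % result)
        if result == "ACCESS-ACCEPT":
            self.state = "Port-Authorized"
        return self.state, "MAB"


def run_sample() -> Dict[str, Tuple[str, str]]:
    """Four constructed endpoints on a port with 802.1X and MAB enabled."""
    server = AuthenticationServer(users={"alice": "correct horse"}, mac_database={"00-10-23-AA-1F-38"})
    port = AuthenticatorPort(server)
    return {
        "supplicant_ok": port.connect(Endpoint("00-10-23-00-00-01", ("alice", "correct horse"))),
        "supplicant_bad": port.connect(Endpoint("00-10-23-00-00-02", ("alice", "wrong"))),
        "printer_known_mac": port.connect(Endpoint("00-10-23-AA-1F-38")),
        "unknown_device": port.connect(Endpoint("00-10-23-DE-AD-00")),
    }


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print("%-18s %s via %s" % (name, *outcome))
```

The log shows why a MAB-only endpoint waits for three identity requests before it gets anywhere, and the unknown_device case shows that MAB only helps once the MAC database is maintained.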
37. Web Authentication
Secure alternative to 802.1X. Typically meant for guest user authentication. Doesn't require a supplicant.
Local Web Authentication (LWA):
• IP address prior to authentication
• Authenticator hosts the web pages (login, login expiry, auth-success, auth-failure; settings: max sessions, timeout, max fail attempts, banner, etc.)
• Separate method like .1X & MAB
• RADIUS Service-Type: Outbound
• Flow: endpoint, HTTP(S) to the authenticator, RADIUS from the authenticator to the RADIUS server on the LAN
Central Web Authentication (CWA):
• IP address prior to authentication
• Central server hosts the web pages (Cisco ISE as RADIUS server and web server: login, login expiry, auth-success, auth-failure, etc.; settings: max sessions, timeout, max fail attempts, TCP port, etc.)
• .1X / MAB is authorized with a URL
• Centralized administration
• Flow: endpoint, HTTP(S) to Cisco ISE on the LAN
38. Private VLANs
• Prevent node-to-node layer-2 communication
  • Promiscuous (router port) talks to all other port types
  • Isolated port can only contact promiscuous port(s)
  • Community ports can contact their group and promiscuous port(s)
• DAD ND Proxy
  • Prevents address conflicts
• Internet edge, data center
  • Reducing attack surface, malware propagation
• Service provider
  • Client/customer isolation
Diagram: two groups of community ports, an isolated port and a promiscuous port facing router R
40. Key Take Away
• Gain operational experience now
• Security enforcement is possible
• Control IPv6 traffic as you would IPv4
• "Poke" your providers
• Lead your OT/LOBs into the Internet