IDNIC OPM 2023: IPv6 deployment planning and security considerations (slides, v1.2)
IPv6 Deployment Planning
and Security Considerations
Md Abdul Awal | APNIC
awal@apnic.net
IPv6 in South East Asian Countries
IPv6 adoption by economy, from the APNIC Labs measurement at https://stats.labs.apnic.net/ipv6:
• MM (Myanmar) ~40%
• TH (Thailand) ~45%
• VN (Vietnam) ~58%
• MY (Malaysia) ~70%
• PH (Philippines) ~16%
• SG (Singapore) ~23%
• ID (Indonesia) ~14%

IPv6 Deployment Planning
IPv6 Deployment – Where to Start?
1. Get IPv6 address space from your RIR / NIR / ISP
2. Assess the network for IPv6 readiness
3. Prepare an IPv6 address plan that makes sense
4. Arrange dual-stack peering with your upstream(s)
5. Configure IPv6 in your backbone network
6. Test IPv6 connectivity internally
7. Start providing IPv6 to customers
8. Monitor and evaluate
Subnet at the Nibble Boundary
Nibble-boundary subnets of 2001:db8::/32 (every extra hex digit is 4 bits):
• /36 slices (1 x 4 bits): 2001:db8:0000::/36, 2001:db8:1000::/36, 2001:db8:2000::/36, 2001:db8:3000::/36, ..., 2001:db8:f000::/36 (16 slices)
• /40 slices (2 x 4 bits): 2001:db8:0000::/40, 2001:db8:0100::/40, 2001:db8:0200::/40, 2001:db8:0300::/40, ..., 2001:db8:ff00::/40 (256 slices)
• /44 slices (3 x 4 bits): 2001:db8:0000::/44, 2001:db8:0010::/44, 2001:db8:0020::/44, 2001:db8:0030::/44, ..., 2001:db8:fff0::/44 (4096 slices)
• /48 slices (4 x 4 bits): 2001:db8:0000::/48, 2001:db8:0001::/48, 2001:db8:0002::/48, 2001:db8:0003::/48, ..., 2001:db8:ffff::/48 (65536 slices)
Subnetting at the nibble boundary is simple and easy to manage: every prefix boundary falls on a hex digit, so prefixes are readable at a glance, mistakes stand out, and ip6.arpa reverse zones delegate cleanly.
IPv6 Addressing for Point-to-point Links
IPv6 address plan: reserve one /64 per link, but configure only a /127 (or /126) on the routers.
• R1 – R2 link: 2001:db8:0:1::/64 planned; configured as 2001:db8:0:1::/127 on R1 and 2001:db8:0:1::1/127 on R2
• R3 – R4 link: 2001:db8:0:2::/64 planned; /126 for MikroTik P2P links: 2001:db8:0:2::/126 spans ::0 to ::3, with R3 on 2001:db8:0:2::1/126 and R4 on 2001:db8:0:2::2/126
/127 on inter-router links is the RFC 6164 recommendation: with only two addresses on the link there is nothing for an attacker to exhaust in the neighbour cache and no unused addresses to bounce traffic between the two routers (the ping-pong problem on /64 links), while the reserved /64 keeps the plan nibble-aligned and leaves room to change the link addressing later.
Address Assignment Plan
• Contiguous assignment: four customers each receive an adjacent /34 out of the /32. This may not work in the long run: a customer that outgrows its block cannot expand in place and has to be renumbered or given a second, disjoint block.
• Split assignment: spread the customers across the /32 with reserved space between them. This works better for BGP traffic engineering and for growth, because a customer can grow into the adjacent reserved space and still be announced as a single aggregate.
Customer Address Distribution
Enterprise customer (ISP PE to customer CE):
• ISP plans a /64 for each PE-CE peering link, but configures it with /127 (PE side ::/127, CE side ::1/127)
• ISP assigns at least one /48 for the enterprise customer LAN
Broadband customer (ISP BNG/BRAS to customer CPE):
• ISP assigns a /64 for the customer WAN link, with addresses via SLAAC or DHCPv6
• ISP assigns at least a /60 (or bigger) for the user LAN via DHCPv6-PD
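The address plan from the nibble-boundary, point-to-point and customer-distribution slides above, carried through in code as an added example (it is not part of the deck): it carves 2001:db8::/32 at nibble boundaries, reserves a /64 per point-to-point link but returns the /127 (or /126) that is actually configured, and draws /48 and /60 customer assignments. Which /36 serves which purpose, and the pool and function names, are this example's own assumptions; it relies only on Python's standard ipaddress module.

```python
import ipaddress
from itertools import islice

# The deck's documentation prefix stands in for the operator's RIR allocation.
ALLOCATION = ipaddress.IPv6Network("2001:db8::/32")


def is_nibble_aligned(prefixlen):
    """A prefix length on a 4-bit boundary ends exactly on a hex digit when written out."""
    return prefixlen % 4 == 0


def nibble_slices(parent, new_prefixlen):
    """All subnets of `parent` at a nibble-aligned length, in address order."""
    if not is_nibble_aligned(new_prefixlen):
        raise ValueError(f"/{new_prefixlen} is not on a nibble boundary")
    return parent.subnets(new_prefix=new_prefixlen)


def p2p_endpoints(link64, configured_len=127):
    """Reserve a /64 per point-to-point link but configure only its first /127 (RFC 6164),
    or a /126 on platforms that will not take a /127. Returns the two interface addresses."""
    link = ipaddress.IPv6Network(link64)
    if link.prefixlen != 64:
        raise ValueError("plan exactly one /64 per link")
    if configured_len not in (126, 127):
        raise ValueError("configure /127 or /126 on the link")
    base = int(next(link.subnets(new_prefix=configured_len)).network_address)
    # /127: both addresses (::0 and ::1) are usable.
    # /126: leave ::0 and ::3 unused and give the routers ::1 and ::2.
    a, b = (base, base + 1) if configured_len == 127 else (base + 1, base + 2)
    return tuple(f"{ipaddress.IPv6Address(x)}/{configured_len}" for x in (a, b))


def build_plan(allocation=ALLOCATION):
    """Carve the allocation into per-purpose pools at nibble boundaries and draw the first
    assignments from each. Which /36 serves which purpose is this example's assumption."""
    infra, enterprise, broadband = islice(nibble_slices(allocation, 36), 3)
    # Infrastructure pool: one /64 per link; /64 number 0 is kept for loopbacks.
    links = [str(n) for n in islice(infra.subnets(new_prefix=64), 1, 3)]
    return {
        "pools": {"infra": str(infra), "enterprise": str(enterprise), "broadband": str(broadband)},
        # planned /64 and the /127 that is actually configured on the two routers
        "p2p_links": [(link, p2p_endpoints(link)) for link in links],
        # at least one /48 per enterprise customer LAN
        "enterprise_lans": [str(n) for n in islice(nibble_slices(enterprise, 48), 2)],
        # at least a /60 per broadband subscriber via DHCPv6-PD (the /64 WAN links would
        # come from a further pool, not shown here)
        "broadband_pd": [str(n) for n in islice(nibble_slices(broadband, 60), 2)],
    }


if __name__ == "__main__":
    for key, value in build_plan().items():
        print(key, value)
```

Running the file prints the pools and the first assignments; the /64 for R1 – R2 comes out as 2001:db8:0:1::/64 with 2001:db8:0:1::/127 and 2001:db8:0:1::1/127 configured, exactly as on the point-to-point slide, and a request for a non-nibble length such as /34 is refused.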
Aggregated BGP Announcements
Aggregated BGP announcements:
• Easy to configure and maintain
• Keep the global routing table smaller
A long list of /48s in place of the aggregate may not be helpful at all.
IPv6 Address Management
Free and open source IP Address Management (IPAM) tools:
• phpipam.net
• github.com/netbox-community/netbox
• spritelink.github.io/NIPAP
Dual-stack Vs IPv6-only Deployment
Dual-stack
• Advantages
– Comparatively easier
– IPv4 experience can be reused
– Troubleshooting might be easier
• Challenges
– Still need IPv4 (and NAT)
– Everything runs twice
IPv6-only
• Advantages
– Only one address family to configure
– Minimal need for IPv4 space
• Challenges
– Multiple translation mechanisms may be needed
– Additional challenges to run NAT64, DNS64 and 464XLAT
It is easier for ISPs to start by deploying a dual-stack network.

IPv6 Security Considerations
Create Minimal ROAs – Match Your BGP Announcements
• Only a small number of prefixes is announced (for example just the /32)
• ...but the ROA's maxLength covers all possible BGP prefixes (/32 to /48)!
• Result: the space is prone to a "validated" BGP hijack. An attacker announces an unannounced more-specific (say a /48) with your AS number as the forged origin; RPKI origin validation marks it valid, and as the more-specific it wins. RFC 9319 therefore recommends a maxLength equal to the length of each prefix you actually announce, or one ROA per announced prefix.
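Origin validation on the two ROA shapes from the slide, as an added example (not the deck's material): a loose ROA with maxLength 48 beside a minimal one, each checked against the legitimate /32 announcement, a plain hijack and a forged-origin hijack of a more-specific. The AS numbers (64500 for the holder and 64666 for the attacker, both from the private range) and the prefix are constructed; the validation rule follows RFC 6811.

```python
import ipaddress
from collections import namedtuple

Roa = namedtuple("Roa", "prefix max_length asn")


def make_roa(prefix, asn, max_length=None):
    """A ROA for `prefix` and origin `asn`. maxLength defaults to the prefix length,
    i.e. the minimal ROA the slide asks for."""
    net = ipaddress.IPv6Network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, asn)


def validate(prefix, origin_asn, roas):
    """Route origin validation (RFC 6811): 'valid' if a covering ROA names this origin AS
    and the prefix is no longer than its maxLength, 'invalid' if ROAs cover the prefix but
    none matches, 'not-found' if nothing covers it."""
    net = ipaddress.IPv6Network(prefix)
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def minimal_roas(announcements):
    """One ROA per announced (prefix, origin AS) with maxLength equal to the prefix length."""
    return [make_roa(prefix, asn) for prefix, asn in announcements]


# Constructed scenario: AS64500 holds 2001:db8::/32 and announces only that /32.
OWN_PREFIX, OWN_AS, ATTACKER_AS = "2001:db8::/32", 64500, 64666
LOOSE_ROAS = [make_roa(OWN_PREFIX, OWN_AS, max_length=48)]  # "covers /32 to /48"
MINIMAL_ROAS = minimal_roas([(OWN_PREFIX, OWN_AS)])         # matches the announcement


def hijack_outcomes(roas):
    """What RPKI origin validation says about three announcements under a ROA set."""
    return {
        # the legitimate aggregate
        "own /32": validate(OWN_PREFIX, OWN_AS, roas),
        # plain hijack: the attacker originates a more-specific from its own AS
        "attacker-origin /48": validate("2001:db8:1234::/48", ATTACKER_AS, roas),
        # forged-origin hijack: AS_PATH "64666 64500", so the origin AS looks legitimate
        "forged-origin /48": validate("2001:db8:1234::/48", OWN_AS, roas),
    }


if __name__ == "__main__":
    print("loose ROA  :", hijack_outcomes(LOOSE_ROAS))
    print("minimal ROA:", hijack_outcomes(MINIMAL_ROAS))
```

With the loose ROA the forged-origin /48 is "valid" and, being the more-specific, wins at every router; with the minimal ROA it is "invalid" and is dropped wherever ROV is enforced. Origin validation cannot catch a forged-origin announcement of the exact /32 (that takes path validation such as ASPA or BGPsec), but that announcement then competes on AS-path length instead of winning outright.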
BGP Filters for IPv6 Prefixes Longer than /48
• Reject anything longer than /48 on eBGP sessions, from peers, upstreams and customers alike
• These /64s should NOT exist in the global routing table: they are link and LAN prefixes that leaked from someone's IGP or customer routes
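An inbound prefix filter and outbound aggregation, as an added example that is not in the deck, serving this slide and the aggregated-announcements slide above: the filter rejects anything longer than /48, outside 2000::/3 or in a small bogon list, and ipaddress.collapse_addresses shows how a run of /48s or the sixteen /36 slices fold back into a single announcement. The sample updates and the two-entry bogon list are constructed; a production filter takes its bogon list from a maintained feed.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Minimal bogon set inside 2000::/3 for the example: retired 6bone space and ORCHID.
# A production filter takes its list from a maintained feed and also includes the
# documentation prefix 2001:db8::/32, which this deck uses as the operator's own block.
BOGONS = [ipaddress.IPv6Network(p) for p in ("3ffe::/16", "2001:10::/28")]
MIN_LEN, MAX_LEN = 16, 48


def filter_verdict(prefix):
    """Inbound eBGP prefix filter: (accepted, reason)."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(GLOBAL_UNICAST):
        return False, "not global unicast"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon"
    if net.prefixlen > MAX_LEN:
        return False, f"longer than /{MAX_LEN} (no /{net.prefixlen}s belong in the global table)"
    if net.prefixlen < MIN_LEN:
        return False, f"shorter than /{MIN_LEN}"
    return True, "accept"


def apply_filter(updates):
    """Split received prefixes into accepted and rejected lists, each with a reason."""
    accepted, rejected = [], []
    for prefix in updates:
        ok, why = filter_verdict(prefix)
        (accepted if ok else rejected).append((prefix, why))
    return accepted, rejected


def aggregate(prefixes):
    """Outbound: collapse contiguous and nested prefixes into the smallest covering set."""
    nets = (ipaddress.IPv6Network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed updates as received from a peer.
SAMPLE_UPDATES = [
    "2001:db8:1000::/36",  # a customer-sized block: accept
    "2001:db8:1234::/48",  # longest length still accepted
    "2001:db8:0:1::/64",   # a leaked infrastructure link: reject
    "fd00:1::/48",         # ULA: not global unicast
    "3ffe:1::/32",         # retired 6bone space: bogon
    "2000::/3",            # far too short
]

if __name__ == "__main__":
    for group in apply_filter(SAMPLE_UPDATES):
        for prefix, why in group:
            print(f"{prefix:22} {why}")
    print(aggregate([f"2001:db8:{i:x}000::/36" for i in range(16)]))
```

The same length check belongs on the outbound side too, so that your own /64s never leave the AS; and a customer's /48 only needs to be announced next to the aggregate when that customer is multihomed.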
Inspect Extension Headers
• Attackers use extension headers (EH) as a covert channel to exchange information (payload) undetected: option and padding bytes are carried end to end but ignored by routers and by filters that only look at the fixed header
• Mitigation:
– Drop unknown EH: a device that cannot parse a header cannot find the upper-layer header behind it, so it cannot inspect the packet at all
– Drop Hop-by-Hop (0) and Routing (43) headers at the network edge: Hop-by-Hop options were designed to be examined by every router on the path, which makes them a control-plane load vector, and Routing Header type 0 is deprecated by RFC 5095 (if you run SRv6 or Mobile IPv6, permit only the routing header types you actually use)
• Inspection has to walk the whole header chain; a filter that assumes the TCP or UDP header follows the fixed header directly is bypassed by inserting an EH in front of it
Figure: IPv6 header → extension header → TCP header + data, with the hidden data carried inside the extension header.
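A parser that walks the extension-header chain and applies the slide's drop policy, as an added example (not from the deck). It builds constructed packets with Python's struct module: a plain TCP SYN, a Hop-by-Hop header whose PadN option smuggles the 12 bytes "secret-data!", a Destination Options header, a Routing header, a header type the parser does not know, a Fragment header and an ESP header. Addresses come from the documentation prefix and no checksums are computed.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT_HEADER, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58
UPPER_LAYER = {TCP, UDP, ICMPV6, NO_NEXT_HEADER}
PARSEABLE_EH = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
DROP_EH = {HOP_BY_HOP, ROUTING}   # the slide's policy: drop 0 and 43
MAX_EH = 4                        # longer chains do not occur in legitimate traffic


def walk_chain(pkt):
    """Follow Next Header from the fixed IPv6 header to the upper-layer protocol.
    Returns (chain, upper, offset): the EH types in order, the upper-layer protocol
    (None when an unparseable or encrypted header stopped the walk) and its offset."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh not in UPPER_LAYER and len(chain) <= MAX_EH:
        if nh == ESP or nh not in PARSEABLE_EH:   # encrypted, or a type we cannot size
            chain.append(nh)
            return chain, None, off
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                    # fixed size; byte 1 is reserved, not a length
        elif nh == AH:
            size = (ext_len + 2) * 4    # AH counts 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8    # HBH / DestOpts / Routing count 8-octet units, minus 1
        chain.append(nh)
        off += size
        nh = next_nh
    return chain, nh, off


def verdict(pkt):
    """Apply the slide's policy to one packet: ('accept' or 'drop: ...', chain)."""
    chain, upper, off = walk_chain(pkt)
    if len(chain) > MAX_EH:
        return "drop: too many extension headers", chain
    if upper is None and chain[-1] != ESP:
        return f"drop: unknown extension header {chain[-1]}", chain
    blocked = [eh for eh in chain if eh in DROP_EH]
    if blocked:
        return f"drop: extension header {blocked[0]}", chain
    if off > len(pkt):
        return "drop: header chain runs past the end of the packet", chain
    return "accept", chain


def options_header(next_header, hidden):
    """A Hop-by-Hop or Destination Options header whose only option is a PadN carrying
    `hidden`: the covert channel on the slide, since nobody looks at padding bytes."""
    body = bytes([1, len(hidden)]) + hidden           # PadN: type 1, length, "padding"
    pad = -(2 + len(body)) % 8                        # header must be a multiple of 8 octets
    if pad == 1:
        body += b"\x00"                               # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def ipv6_packet(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by `payload`."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20 bytes
SAMPLES = {  # constructed packets
    "plain tcp": ipv6_packet(TCP, TCP_SYN),
    "hbh covert": ipv6_packet(HOP_BY_HOP, options_header(TCP, b"secret-data!") + TCP_SYN),
    "dest opts": ipv6_packet(DEST_OPTS, options_header(TCP, b"secret-data!") + TCP_SYN),
    "routing": ipv6_packet(ROUTING, bytes([TCP, 0, 0, 0, 0, 0, 0, 0]) + TCP_SYN),
    "unknown eh": ipv6_packet(253, bytes([TCP, 0]) + b"\x00" * 6 + TCP_SYN),
    "fragment": ipv6_packet(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 0, 0x1234) + TCP_SYN),
    "esp": ipv6_packet(ESP, b"\x00" * 8 + b"\x11" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11} {verdict(pkt)}")
```

The Destination Options packet carries exactly the same hidden bytes as the Hop-by-Hop one and is accepted, which is the point of the slide's "inspect" rather than just "drop": dropping types 0 and 43 closes two channels, only a parser that looks inside the remaining headers closes the rest.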
Is RA always necessary?
• Hosts with static IPv6 addresses (R1 – SW – hosts): RA should be disabled on the router interface
• Hosts with SLAAC / DHCPv6 (R1 – SW – hosts): RA must be enabled; even with stateful DHCPv6, hosts learn their default router and the on-link prefix only from RAs
• P2P links between routers (R1 – R2): RA serves no purpose and should be disabled
RA Guard – Block Rogue RAs (RFC 6105 / RFC 7113)
• Enable RA Guard on switch ports facing hosts, so that only the router-facing port may deliver RAs; otherwise any misconfigured host or test router that sends an RA becomes everyone's default gateway
• RFC 7113 describes evading RA Guard with fragmented NDP and extension headers; RFC 6980 forbids fragmented NDP, so the switch can simply drop such packets
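RA Guard as a per-port policy function, added here as an example rather than taken from the deck: it parses the Prefix Information options of a constructed Router Advertisement and drops RAs that arrive on a host port, from a non-link-local source, with a hop limit below 255, for an unexpected prefix, or fragmented (the RFC 7113 evasion). The port names, the allowed prefix and the router's link-local address are made up for the example.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def ra_options(icmp):
    """Yield (type, body) for each TLV option after the 16-byte RA header (RFC 4861)."""
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:                       # RFC 4861 4.6: zero length is invalid
            raise ValueError("zero-length option")
        size = opt_len * 8
        if off + size > len(icmp):
            raise ValueError("truncated option")
        yield opt_type, icmp[off + 2:off + size]
        off += size


def advertised_prefixes(icmp):
    """The prefixes carried in Prefix Information options."""
    nets = []
    for opt_type, body in ra_options(icmp):
        if opt_type == OPT_PREFIX_INFORMATION and len(body) == 30:
            # body: prefix length, flags, valid, preferred, reserved, 16-byte prefix
            plen, prefix = body[0], ipaddress.IPv6Address(body[14:30])
            nets.append(ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False))
    return nets


class RaGuard:
    """Per-port RA Guard policy (RFC 6105)."""

    def __init__(self, router_ports, allowed_prefixes, allowed_routers=()):
        self.router_ports = set(router_ports)
        self.allowed_prefixes = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
        self.allowed_routers = {ipaddress.IPv6Address(a) for a in allowed_routers}

    def check(self, port, src, hop_limit, icmp, fragmented=False):
        """'forward' or 'drop: <reason>' for one ICMPv6 message arriving on `port`."""
        if not icmp or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
            return "forward"                                  # not an RA: outside this policy
        if fragmented:                                        # RFC 7113 evasion; RFC 6980 forbids it
            return "drop: fragmented RA"
        if port not in self.router_ports:
            return f"drop: RA received on host port {port}"
        source = ipaddress.IPv6Address(src)
        if not source.is_link_local:
            return f"drop: source {source} is not link-local"
        if hop_limit != 255:                                  # RFC 4861: RAs arrive with 255 or not at all
            return f"drop: hop limit {hop_limit} (packet crossed a router)"
        if self.allowed_routers and source not in self.allowed_routers:
            return f"drop: unexpected router {source}"
        try:
            prefixes = advertised_prefixes(icmp)
        except ValueError as err:
            return f"drop: malformed RA ({err})"
        for net in prefixes:
            if not any(net.subnet_of(allowed) for allowed in self.allowed_prefixes):
                return f"drop: prefix {net} not in allowed list"
        return "forward"


def build_ra(prefixes, router_lifetime=1800):
    """A minimal RA: header plus one Prefix Information option per prefix (L and A set).
    The ICMPv6 checksum is left zero in this constructed sample."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    return hdr + opts


# Constructed topology: one router-facing port, one expected prefix and router address.
GUARD = RaGuard(router_ports={"Gi1/0/1"}, allowed_prefixes=["2001:db8:1000:1::/64"],
                allowed_routers=["fe80::1"])
LEGIT_RA = build_ra(["2001:db8:1000:1::/64"])
ROGUE_RA = build_ra(["2001:db8:dead:beef::/64"])


def demo():
    return {
        "legit": GUARD.check("Gi1/0/1", "fe80::1", 255, LEGIT_RA),
        "rogue on host port": GUARD.check("Gi1/0/7", "fe80::bad", 255, ROGUE_RA),
        "wrong prefix on router port": GUARD.check("Gi1/0/1", "fe80::1", 255, ROGUE_RA),
        "global source": GUARD.check("Gi1/0/1", "2001:db8::1", 255, LEGIT_RA),
        "forwarded from elsewhere": GUARD.check("Gi1/0/1", "fe80::1", 64, LEGIT_RA),
        "fragmented": GUARD.check("Gi1/0/1", "fe80::1", 255, LEGIT_RA, fragmented=True),
        "neighbor solicitation": GUARD.check("Gi1/0/7", "fe80::bad", 255, bytes([135, 0])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} {result}")
```

The port check alone stops the classic rogue-RA host; the prefix and router-address checks also catch a compromised or misconfigured device on the router port, which is why RFC 6105 describes the stateless and stateful variants together.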
Careful with ICMPv6 Filters
• Filtering ICMPv6 is not straightforward
– You block ICMPv6 => you break IPv6! Routers do not fragment, so Packet Too Big is the only thing that makes path MTU discovery work, and Neighbor Discovery is ICMPv6 as well
• RFC 4890: "Recommendations for Filtering ICMPv6 Messages in Firewalls"
– Permit error messages
• Destination Unreachable (Type 1) - all codes
• Packet Too Big (Type 2)
• Time Exceeded (Type 3) - code 0 only
• Parameter Problem (Type 4) - codes 1 and 2 only
– Permit connectivity check messages
• Echo Request (Type 128)
• Echo Reply (Type 129)
– This is the transit (firewall) list; Neighbor Discovery (types 133-137) and MLD are link-local, never cross a router, and must not be filtered on the interfaces themselves
• Or, rate limit ICMPv6 packets instead of dropping them
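The RFC 4890 transit list from the slide as a filter, with the slide's alternative (rate limiting) implemented as a token bucket on echo traffic, added here as an example and not part of the deck. The event stream is constructed; a second policy scope adds the Neighbor Discovery and MLD types that a node's own interface must accept, so the same code shows why the transit list must not be copied onto an interface ACL.

```python
# RFC 4890 section 4.3: ICMPv6 a transit firewall must let through (None = every code).
TRANSIT_PERMIT = {
    1: None,     # Destination Unreachable, all codes
    2: None,     # Packet Too Big: path MTU discovery depends on it
    3: {0},      # Time Exceeded, hop limit exceeded
    4: {1, 2},   # Parameter Problem, unrecognised next header / option
    128: None,   # Echo Request
    129: None,   # Echo Reply
}
# RFC 4890 section 4.4: link-local control traffic a node's own interface must accept.
# Routers never forward it, so it is a question for the interface, not for transit.
LOCAL_PERMIT = {130: None, 131: None, 132: None, 143: None,            # MLD
                133: None, 134: None, 135: None, 136: None, 137: None}  # Neighbor Discovery
RATE_LIMITED_TYPES = {128, 129}   # the slide's alternative: rate limit rather than drop


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored; one token per packet."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Icmpv6Filter:
    def __init__(self, scope="transit", rate=10, burst=5):
        self.permit = dict(TRANSIT_PERMIT)
        if scope == "local":
            self.permit.update(LOCAL_PERMIT)
        self.bucket = TokenBucket(rate, burst)

    def decide(self, icmp_type, code, now):
        """'permit', 'rate-limit' or 'drop' for one ICMPv6 message seen at time `now`."""
        codes = self.permit.get(icmp_type, set())
        if codes is not None and code not in codes:
            return "drop"
        if icmp_type in RATE_LIMITED_TYPES and not self.bucket.allow(now):
            return "rate-limit"
        return "permit"


# Constructed event stream: (seconds, ICMPv6 type, code).
SAMPLE_EVENTS = [(0.0, 128, 0)] * 7 + [   # a burst of seven pings at once
    (0.1, 2, 0),      # Packet Too Big
    (0.1, 3, 1),      # Time Exceeded, reassembly: outside the slide's list
    (0.1, 4, 0),      # Parameter Problem code 0: outside the slide's list
    (0.1, 135, 0),    # Neighbor Solicitation
    (0.1, 139, 0),    # Node Information Query
    (1.0, 128, 0),    # one more ping a second later
]


def run(events, scope="transit"):
    """Apply a fresh filter to an event stream; returns (type, code, decision) per event."""
    flt = Icmpv6Filter(scope)
    return [(t, c, flt.decide(t, c, now)) for now, t, c in events]


if __name__ == "__main__":
    for t, c, decision in run(SAMPLE_EVENTS):
        print(f"type {t:3} code {c}: {decision}")
```

With a burst of 5 and 10 tokens per second the first five pings pass, the next two are rate-limited, and the ping one second later passes again because the bucket has refilled; Packet Too Big is never subject to the bucket, since dropping even one of them blackholes a flow.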
And, Current Security Best Practices…
• uRPF / BCP 38 (RFC 2827) anti-spoofing on customer-facing interfaces
• Bogon filters (anything outside 2000::/3, plus documentation, ULA and other unallocated space)
• RPKI-based filters (drop RPKI-invalid routes)
• BGP policies (prefix lists, maximum-prefix limits, AS-path filters) on every eBGP session
• PTR records / IPv6 reverse DNS delegation (ip6.arpa)
• Every filter you apply for IPv4 should have an IPv6 counterpart: the same spoofing, leaks and hijacks happen over IPv6
Thank You!

IDNIC OPM 2023: IPv6 deployment planning and security considerations