Redistribution is necessary when routing protocols connect and must pass routes between the two.
Route Redistribution involves placing the routes learned from one routing domain, such as RIP, into
another routing domain, such as EIGRP.
While running a single routing protocol throughout your entire IP internetwork is desirable, multiprotocol routing is common for a number of reasons, such as company mergers, multiple departments
managed by multiple network administrators, and multi-vendor environments. Running different
routing protocols is often part of a network design.
A
PROJECT REPORT
On
CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
Redistribution is necessary when routing protocols connect and must pass routes between the two.
Route Redistribution involves placing the routes learned from one routing domain, such as RIP, into
another routing domain, such as EIGRP.
While running a single routing protocol throughout your entire IP internetwork is desirable, multiprotocol routing is common for a number of reasons, such as company mergers, multiple departments
managed by multiple network administrators, and multi-vendor environments. Running different
routing protocols is often part of a network design.
A
PROJECT REPORT
On
CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
In this webinar, we cover how Border Gateway Protocol works. Starting from key concepts, you'll learn about Autonomous Systems, the BGP protocol, AS Path, learning and advertising routes, RIBs and route selection. See the webinar recording at https://www.thousandeyes.com/webinars/how-bgp-works
This presentation gives a brief description about IP Address (Internet protocol address), Classes of IPv4. And also included, what is IPv4 and what is IPv6.
A PROJECT REPORT
On
CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
DHCP Stands for Dynamic Host Configuration Protocol.
DHCP is a protocol that automatically provides an IP host with its IP address and other related configuration information ( subnet mask, default gateway,DNS etc. )
Works on Protocol UDP port no 67 and 68.
In this webinar, we cover how Border Gateway Protocol works. Starting from key concepts, you'll learn about Autonomous Systems, the BGP protocol, AS Path, learning and advertising routes, RIBs and route selection. See the webinar recording at https://www.thousandeyes.com/webinars/how-bgp-works
This presentation gives a brief description about IP Address (Internet protocol address), Classes of IPv4. And also included, what is IPv4 and what is IPv6.
A PROJECT REPORT
On
CISCO CERTIFIED NETWORK ASSOCIATE
A computer network, or simply a network, is a collection of computer and other hardware components interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication medium for information interchange is called a computer network.
DHCP Stands for Dynamic Host Configuration Protocol.
DHCP is a protocol that automatically provides an IP host with its IP address and other related configuration information ( subnet mask, default gateway,DNS etc. )
Works on Protocol UDP port no 67 and 68.
Implementation of isp mpls backbone network on i pv6 using 6 pe routers MAIN PPTSatish Kumar
MAIN PPT SLIDE
IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4.
IPv6 implements a new addressing system that allows for far more addresses to be assigned than with Ipv4.
Multiprotocol Label Switching (MPLS) is deployed by many service providers for establishing their backbone networks.
The Cisco implementation of IPv6 provider edge router over MPLS is called 6PE,and it enables IPv6 sites to communicate with each other over an MPLS IPv4 core network using MPLS label switched paths.
Implementation of isp mpls backbone network on i pv6 using 6 pe routers main PPTSatish Kumar
MINI PPT
IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4.
IPv6 implements a new addressing system that allows for far more addresses to be assigned than with Ipv4.
Multiprotocol Label Switching (MPLS) is deployed by many service providers for establishing their backbone networks.
The Cisco implementation of IPv6 provider edge router over MPLS is called 6PE,and it enables IPv6 sites to communicate with each other over an MPLS IPv4 core network using MPLS label switched paths.
In this webinar, we were discussing about IPv6 technology (what is it, why we use it, benefits of IPv6, how it is written, IPv6 Address type and IPv6 Addressing), and how its implemented on RouterOS.
the recording is available on youtube (GLC NETWORKS CHANNEL): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
Webinar topic: IPv6 with Mikrotik
Presenter: Achmad Mardiansyah
In this webinar series, We are discussing IPv6 with Mikrotik
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram
The recording is available On :
https://youtu.be/C8Tfh1a9y20
First Step in Media-over-IP Network Design: What Should You Do?Koji Oyama
One of the current biggest issues in the design and development of the SMPTE ST-2110-based broadcasting facilities is the shortage of Media-over-IP (MoIP) network design engineers who understand both broadcasting and network communications. This is the topic that has been discussed for several years, and I have been working to train engineers over the past years through my experience of the MoIP network design, the situation is getting worse and more serious as the number of the facility developments increases.
This presentation can help the target audience, broadcast engineers, who are studying or to study MoIP network technology. When trying to build an actual ST-2110-based network, the first question would be how we design a specific IP network. Unlike peer-to-peer SDI network where we can focus on the physical connection, the data on the MoIP network can be transmitted with inbounded multiple streams in an Ethernet optical cable, and multicast routing settings are required in its network switches. In other words, not only physical design but also logical design becomes more important. The more complicated the system becomes, the more complicated the logical configuration becomes. The network architecture design and its IP addressing could be a key to success of the reliable and scalable network. These technique and idea would be similar as the ones in software engineering, which kind of knowledge and skill set has never been needed by broadcast engineers before.
If the SDN controller manages the configuration of its network switches in the near future, it may be possible to build a system without knowing specifically how to implement the logic network design. However, once the network occurs in trouble, engineers who don’t have the network design skill would be at a loss, there should be a risk that we would not be able to analyze to take workarounds. For this reason, I believe it is necessary to study the fundamental skill of such appropriate MoIP network design.
At the previous NAB2022 and IBC2022 IPShowcase, I introduced the essential terminologies for configuring network switches that network engineers should know (VLAN, VRF, Multicast routing, IGMP, PIM, OSPF, LAG/LACP etc.), and how to design and verify the logical network. In addition, I shared some information about the actual issues I have faced so far.
In this presentation, after summarizing the previous two talks, I will focus on the ‘design’ that engineers should think a little more, such as network architecture, network switch selection, physical connection design, and logical connection design including IP address assignment. I would also like to explain some more tips on how to do the design. In addition, I would like to talk about things to be careful about in the design, and things to think about in the future, such as safety design to prevent unexpected failures and errors.
In this webinar, we are talking about BGP implementation on mikrotik router. the presentation starts with the fundamental of BGP and then discuss about Basic BGP setting on RouterOS
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
1. Fernando Gont
IPv6 Security & Myth Busting
“Enterprise & IPv6” Workshop, UK IPv6 Council.
London, UK. April 24th
, 2023
2. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
About...
●
Security Researcher and Consultant
●
Published:
●
35+ IETF RFCs (15+ on IPv6)
●
Author of the SI6 Networks' IPv6 toolkit
●
https://www.si6networks.com/tools/ipv6toolkit
●
More at: https://www.gont.com.ar
3. 3
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Motivation for this presentation
4. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Motivation for this presentation
●
Lots of myths around:
●
Security was considered during the design of the protocol
●
Network security paradigm will change from network-centric to host-centric
●
IPv6 will lead to increased IPsec usage
●
IPv6 will recover the “end-to-end” properties of the Internet
●
All them have a concrete negative effect:
●
They set incorrect expectations
●
They usually result in deployments that overlook security
5. 5
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
General considerations about IPv6
security
6. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Interesting aspects of IPv6 security
●
We have much less experience with IPv6 than with IPv4
●
IPv6 implementations are much less mature than their IPv4 counterparts
●
Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4
●
Increased complexity in the resulting Internet:
●
Two inter-networking protocols (IPv4 and IPv6)
●
Increased use of NATs
●
Increased use of tunnels
●
Lack of trained human resources
…but even then, IPv6 is the only option on the table to remain in this
business
8. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Introduction
●
IPv6 options are included in “extension headers”
●
They sit between the IPv6 header and the upper-layer protocol
●
There may be multiple instances, of multiple extension headers, each with
multiple options
●
Hence, IPv6 follows a “header chain” type structure. e.g.,
IPv6 HbH DO DO TCP
9. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Processing IPv6 Extension Headers
●
EH Processing limits
IPv6 HbH DO DO TCP
Limit on number of processed headers
#1 #2 #3 ...
N bytes
Limit on EH header chain length
10. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Processing IPv6 Extension Headers (II)
●
Possible options in the presence of implementation limits:
●
Punt the packet to the general purpose CPU → DoS
●
Pass the packet → circumvention of security controls
●
Drop the packet → unreliability in packets with EHs
●
Many implementations do #1 or #2 :-(
11. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Security Implications of Extension Headers
●
Evasion of security controls
●
DoS due to processing requirements
●
DoS due to implementation errors
●
Extension Header-specific issues
12. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Advice on Extension Headers
●
Analyze your EH requirements
●
Block IPv6 packets with unexpected EHs
13. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPsec
●
Some had the expectation that IPv6 would foster IPsec usage
●
The “Node Requirements” RFC used to require IPsec implementation
●
Most implementations were non-compliant
●
The requirement was eventually removed
●
So… no changes to be expected with respect to IPv4
●
Or, actually…
Many networks filter packets that contain IPsec EHs, thus
making it rather unreliable
16. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Introduction
●
The main driver for IPv6 is its larger address space
●
IPv6 addresses are 128-bit long
●
IPv6 hosts simultaneously employ multiple addresses of:
●
Different scope (link-local, global, etc.)
●
Different type (unicast, multicast, etc.)
●
Different lifetime (stable, temporary)
●
IPv6 subnets are typically a /64
17. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Global Unicast Addresses
●
Where:
●
GRP: As delegated by the upstream provider or RIR (same as in IPv4)
●
Subnet ID: Same as in IPv4
●
Interface ID (IID): Analogous to IPv4’s Host-ID
Global Routing Prefix Subnet ID Interface ID
| n bits | m bits | 128-n-m bits |
18. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
How are IPv6 IIDs generated
●
Manually
●
Embed the IPv4 address (e.g. 2001:db8::192.168.1.1)
●
Low-byte (e.g. 2001:db8::1, 2001:db8::2, etc.)
●
Wordy (e.g. 2001:db8::dead:beef)
●
Automatically
●
Embed the underlying MAC address ← original standard
●
F(Prefix, secret) ← current standard
●
Generated by a DHCPv6 server (implementation-specific algorithm)
22. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Advice on IPv6 address scanning
●
Network reconnaissance is a key phase of every attack
●
Making the attacker’s life more difficult is always useful
●
There may be limitations and/or trade-offs involved:
●
Enterprise may rely on a specific DHCPv6 vendor
●
Cloud provider may assign predictable addresses via DHCPv6
●
Organization may employ a specific pattern for server addresses
24. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 deployment model
●
IPv6 can provide public (global) IPv6 addresses to every device
●
This does not need to imply “End-to-End connectivity”
●
Suggested deployment model:
25. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Suggested enterprise security policy
●
Only allow outgoing communications (and return traffic)
●
Where necessary & possible:
●
Use temporary addresses along with stable addresses
●
Allow incoming connections only to specific sable addresses
26. 28
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Addressing
Unique Local Addresses (ULAs)
27. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Address Scope Security Properties
●
A non-global scope may provide “prophylactic” security
●
Address “filtering” as a result of limited address scope
●
Orthogonal to other filtering mechanisms
28. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Public Internet
Organizational Network
Address Scope Security Properties: Isolation
Unaddressable!
Scoped (e.g. ULA) addresses
29. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Public Internet
Organizational Network
Address Scope Security Properties: Stability
Scoped (e.g. ULA) addresses
30. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
More controversial use cases
●
Some deployments mimic the IPv4 architecture
●
Motivation: well-understood model
31. 34
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Addressing
Host-centric vs. Network-centric Security Paradigm
32. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Changes in the security paradigm?
●
Some predict that IPv6 hosts will not rely on network-based controls
●
But IPv4 does not really rely on a network-centric paradigm!
●
IPv6 will implement both host-based and network-based controls:
●
They provide different layers of protection (defense in depth)
●
This is even more critical in the IoT-era
●
No changes with respect to the IPv4 world, actually!
33. 36
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Addressing
Enforcing Access Control Lists (ACLs)
34. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Introduction
●
Access Control Lists are a core component of security operations
●
Allow-lists:
– Meant to allow access to a resource from a prefix
●
Block-lists:
– Meant to block access to a resource
35. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
What is behind an IPv6 prefix?
●
Multiple addresses may map to a single host
●
Hosts typically configure multiple addresses
●
Addresses are typically selected from a /64
●
But a user might control a larger address block (e.g. a whole /48)
●
A single IPv6 address may map to multiple hosts
●
NAT-PT for IPv6 is not uncommon
●
Kubernetes typically do IPv6 ULAs + NAT
●
All these aspects are key when implementing IPv6 ACLs
36. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Allow-lists: Challenges
●
Use of temporary addresses (RFC8981) means:
●
Addresses change on a regular basis
●
Addresses from multiple hosts may be intermingled in the same /64
●
So...What should we “allow”?
●
If specifying /128s, the ACLs might fail
37. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Block-lists: Challenges
●
Quite often, these are dynamically introduced as /128s, via e.g.:
●
SIEM/IPS
●
fail2ban
●
IP reputation services (e.g., abuseipdb.com)
●
But...what should we “block”?
●
If blocking /128s, a skilled attacker might:
●
Intentionally exhaust the number of entries in your block-list
●
Circumvent the block-list (i.e., use throw-away IPv6 addresses)
38. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Allow-lists: Guidance
●
Employ stable addresses (only):
●
Use:
– manual configuration, or,
– DHCPv6, or,
– SLAAC & disable temporary addresses (e.g. via group policies)
●
Specify allow-lists as /128s
●
Embrace temporary addresses usage:
●
Segregate systems into different subnets
●
Specify allow-lists as, e.g., /64s
39. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Block-lists: Guidance
●
If block-lists are dynamically-generated:
●
May need to dynamically aggregate ACLs
●
Possibly adjust the ACL lifetime based on the aggregation level
40. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
IPv6 Block-lists: Guidance (II)
LEVEL PREF_LEN AGGR_THRES ACL_LIFETIME
1 /128 10 1 hour
2 /64 10 1 hour
3 /56 10 30 min
4 /48 N/A 15 min
“Where possible, agregate at least AGGR_THRESN LEVELN ACLs into a
single LEVEL(N+1) ACL. Remove this new ACL after ACL_LIFETIME(N+1)”
●
One possible implementation for dynamic block-lists:
42. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Overview
●
IPv6 supports to automatic configuration mechanisms:
●
SLAAC (mandatory)
●
DHCPv6 (optional)
●
IPv6 is a bit of “Configuration Anarchy”:
●
No IPv6 address lease database (no leases, actually!)
●
Hard to predict configuration outcome (except via ad-hoc domain policies)
●
DHCPv6 tends to be more Enterprise-friendly:
●
Matches DHCPv4 behavior
●
But… Android does not support DHCPv6
43. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Automatic Configuration: Deployment alternatives
●
Provide different networks for mobiles vs. workstations
●
SLAAC for mobiles
●
DHCPv6 for everything else
●
MAC ↔ IPv6 address correlation:
●
DHCPv6: “Built in”
●
SLAAC: Use NDP monitoring to build IPv6 address lease database
– May also want to disable temporary addresses via domain policies.
44. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Security implications of automatic configuration
●
IPv6 security controls should match their IPv4 counterparts
●
Do you implement ARP and DHCPv4 security controls?
●
No → No need to mitigate their IPv6 counterparts
●
Yes → Deploy RA-Guard, DHCPv6-{Snooping, Shield}, FHS, and the like
●
If you do deploy security controls:
●
Enforce controls for SLAAC, DHCPv6 and ND
●
Beware of evasion via IPv6 extension headers!
45. 49
“Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Security implications of IPv6 on IPv4
Networks
46. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
Can IPv6 security be ignored for IPv4-only networks?
●
IPv6 support is typically enabled by default for all general OSes
●
i.e., most networks have at least partial IPv6 deployment
●
IPv6 security cannot be ignored for such “IPv4-only” networks
47. “Enterprise & IPv6” Workshop
London, UK. April 24th
, 2023
VPN leakages
●
VPN leakages may occur when VPN software lacks IPv6 support
●
Typical scenario:
●
Your VPN software does not support IPv6
●
You attach to a network that supports IPv6
●
You establish a VPN tunnel with your home/office
●
All IPv6 traffic leaks from the VPN
●
Even in 2023, some vendors are still failing in this area