The document discusses IPv6 and its implementation across the Defense Research and Engineering Network (DREN). It provides a brief introduction to IPv6, noting its vast address space and other benefits. It describes DREN's dual stack implementation approach and some security challenges introduced by IPv6, such as vulnerabilities in new implementations and issues with privacy addresses. The document recommends deploying IPv6 now rather than waiting for a crisis scenario due to IPv4 address depletion.
This document discusses security considerations for IPv6. It notes that default IPv6 subnets have 2^64 addresses, making network scanning impractical. ICMPv6 limits ping responses to limit reconnaissance. IPv6 uses multicast for functionality replaced by broadcast in IPv4, preventing amplification attacks. Privacy extensions for IPv6 addresses inhibit device tracking but complicate internal network management. Overall, best practices for securing IPv4 against worms, sniffing and other attacks also apply to IPv6.
Hands-on Experience with IPv6 Routing and Services (Cisco Canada)
This document provides an agenda and overview for a hands-on lab session on IPv6 routing and services. The lab session will consist of 8 exercises that provide experience with IPv6 addressing, neighbor discovery, static routing, HSRP, EIGRPv6, tunnels, OSPFv3, and BGPv6. The first lab focuses on configuring IPv6 addressing and stateless address autoconfiguration on routers and hosts in a simple site using unique local addresses. Subsequent labs introduce global unicast addressing across multiple sites and additional labs cover various IPv6 routing protocols.
T-Mobile USA is pursuing an IPv6 deployment strategy to address IPv4 address exhaustion and prepare for continued growth. Their strategy involves deploying dual-stack with NAT44 initially, but targeting an IPv6-only network with NAT64/DNS64 to transition users. They conducted a friendly user trial of IPv6-only which showed most applications working but identified areas like Skype and video chat that were broken. Their lessons emphasize making the business case, engaging enthusiasts, and creating a roadmap while being mindful of security and digital divide considerations.
Ron Broersma presented on his organization's experiences deploying IPv6 and the challenges they faced. Some of the major issues included lack of feature parity between IPv4 and IPv6 implementations, vendors not fully supporting IPv6, and issues with privacy addresses and rogue router advertisements. He also discussed the operational complexity of managing dual-stack networks and provided an update on progress deploying IPv6 within the U.S. government. Key lessons learned included gaining hands-on operational experience with IPv6 before extensive planning and addressing common mistakes in initial addressing plans.
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations (Mark Smith)
The document discusses issues encountered when testing and evaluating residential customer premises equipment (CPE) implementations of IPv6. Some key issues included CPE sending unsolicited router advertisements too frequently, not properly decrementing prefix lifetimes, setting an incorrect current hop limit value, using non-unique local IPv6 addresses, and not supporting newer transport protocols like SCTP. The document emphasizes the importance of thorough testing and RFC compliance for CPE in order to ensure stable and interoperable IPv6 connectivity and services.
Jan Zorz - IPv6 and mobile emergency response teams (IKT-Norge)
Jan Žorž presented on his work with IPv6 and emergency response systems. He discussed the GEN6 project which is developing IPv6-enabled self-organizing systems for emergency teams. As part of this, Jan Žorž is leading a Slovenian pilot project that will deploy an IPv6 network for a fire department to demonstrate seamless connectivity, automatic configuration, mobility, and secure transmission of data, voice, and video across different network technologies. Jan Žorž also discussed his role in updating the RIPE-501 IPv6 procurement document and demonstrated the DSMIPv6-TLS technology for secure mobile IPv6 communications.
IETF IPv6 Activities Report by Cathy Aronson at ARIN 36. Presentation and webcast archive available at: https://www.arin.net/participate/meetings/reports/ARIN_36/ppm.html
Eric Vyncke - Layer-2 security, ipv6 norway (IKT-Norge)
The document discusses IPv6 first hop security features like DHCP snooping and dynamic ARP inspection for IPv6. It provides an overview of the security issues with IPv6 neighbor discovery such as router advertisements being sent without authentication, allowing for man-in-the-middle attacks and denial of service. It then describes various IPv6 first hop security features that can help mitigate these issues, such as RA guard, DHCP guard, and IPv6 neighbor discovery inspection.
Henrik Strøm - IPv6 from the attacker's perspective (IKT-Norge)
Henrik Strøm discusses IPv6 security from an attacker's perspective. He outlines 6 points on how attackers can exploit IPv6 vulnerabilities, including using IPv6 to bypass IPv4 access controls when on a local network, spoofing router advertisements to hijack traffic, using tunneling to enable inbound and outbound connectivity, and launching denial of service attacks. He recommends network administrators decide how to implement IPv6 security, monitor for IPv6 traffic, harden clients and servers, and filter all types of IPv6 tunneling. Further reading suggests there is still significant work needed on IPv6 firewalling and many IPv4 issues have been transferred to IPv6.
Application Engineered Routing: Allowing Applications to Program the Network (Cisco Canada)
The document discusses Application Engineered Routing (AER), which allows applications to program networks using Segment Routing and an intelligent SDN controller. AER provides a stateless, scalable architecture that supports application-network interaction and dynamic traffic patterns. It uses Segment Routing to encode end-to-end policy in packets and an SDN controller for traffic optimization, visibility, and automation. The architecture aims to balance distributed and centralized control to simplify operations and enable new revenue-generating services.
The document discusses the RIPE-501 procurement specification for IPv6 networking equipment and an effort to create an updated version. It provides an overview of the RIPE-501, the process of starting it in Slovenia and spreading it globally, and improvements in the proposed new version including additional device types and a single compliance method. It encourages feedback on the draft updated version and provides contact information for comments.
2015 update: SIP and IPv6 issues - staying Happy in SIP (Olle E Johansson)
What's the state of SIP and IPv6?
- An update I gave at the Netnod spring Meeting 2015.
Nothing much is happening, despite the fact that we have proven real issues with dual stacks in SIP.
Discussion slides for the SIP forum IPv6 task group conference call 12/12/12 covering issues with SIP DNS, SIP and locating next hop in a dual stack world and issues with Server Based ALG decisions for media paths.
The document discusses the transition from IPv4 to IPv6. It notes that managing this transition is challenging as it requires moving through intermediate technologies like CGN, CDNs, and ALGs that help bridge IPv4 and IPv6. The risks include the internet evolving in an unexpected direction during this transition phase. The document also outlines some of the tunneling and address sharing techniques that can help provide IPv6 service and address IPv4 exhaustion, but cautions that each new level of indirection introduces complexity.
The document discusses the World IPv6 Launch event scheduled for June 6, 2012. It notes that IPv4 addresses are exhausted, IPv6 is the replacement standard that has been available for over 15 years, and the 2012 event aims to fully transition the internet to IPv6 without the ability to roll back to prevent future growth issues due to IPv4 exhaustion. Major internet organizations are participating to ensure all content and services are fully accessible over IPv6.
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks (G. Geshev)
This is the updated version of my talk from ekoparty and PacSec.
General MPLS and MPLS related concepts were briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies.
Several network reconnaissance techniques were presented that could allow an adversary to partially or, in some cases, fully reveal the MPLS backbone Label Switching Router (LSR) interconnections by leaking internal LSR IP addresses. Furthermore, certain vendor implementations were found to allow traffic to be sent directly to LSR IP addresses, which if the vendors followed the specification would be mitigated against.
A potential attack scenario against service provider infrastructure was demonstrated with a walk-through of an attack against customers of a shared MPLS environment. In addition, the concept of Virtual Routing and Forwarding (VRF) was explained, with further discussion on VRF hopping attacks. Several vendors were found to be susceptible to these kinds of attacks that allow for performing what can be described as VLAN hopping in the context of MPLS. In summary, successfully executing a VRF hopping attack allows for breaking out of our own VRF and injecting traffic into another customer’s VRF.
IPV6 Network Simulation Projects Research Guidance (Phdtopiccom)
This document discusses IPv6 network simulation projects for students. It lists several prime development tools for IPv6 simulation, including OMNeT++, Ns2, Qualnet, OPNET, and NS3. It also outlines some leading network simulation topics in IPv6, such as large scale IoT networks, IPv6/IP real time services, 5G networks deployment, encrypted IPv6 addressing, and sensor networks deployment. The document encourages contacting the website for more information on IPv6 projects.
A presentation that tries to set an IPv6 agenda for the SIP community. VoIP and IPv6 is a natural match. If we want unified communication to be truly global and unified - we need to build solutions on IPv6 and not IPv4.
SIP and DNS - federation, failover, load balancing and more (Olle E Johansson)
SIP uses DNS to find a server for a specific URI, like sip:alice@example.com. With DNS a SIP service can provide failover, load balancing and much more. SIP without DNS is a broken solution. SIP and DNS rocks!
This document provides an overview of IPv6, the latest revision of the Internet Protocol. IPv6 was developed by IETF to address the problem of IPv4 address exhaustion, as IPv4 addresses were being depleted. IPv6 features a much larger 128-bit address space compared to 32 bits in IPv4, providing vastly more unique IP addresses. It also includes improvements in routing, network autoconfiguration, security, quality of service, and mobility support. The document discusses the history and development of IPv6, as well as its addressing modes, address types, headers, communication methods, and transition technologies from IPv4 to IPv6 networks.
The document is from a 2011 IPv6 Forum conference presentation about making the transition to IPv6. It discusses myths around IPv6 adoption, such as the ideas that NAT solved the IPv4 address shortage or that IPv6 is only relevant in Asia. It also provides tips for enabling the IPv6 transition, including deploying dual stack, enforcing security, leveraging applications, and aligning business and IT plans to manage the risks of transitioning network infrastructure. The presentation aims to convince organizations to start adopting IPv6.
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair... (IPv6no)
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair, RIPE Address Policy Working group
IKT-Norge IPv6 forum IPV6 conference, 23 & 24 May 2011
The document discusses several methods for migrating from IPv4 to IPv6 including native dual stack, DS-Lite, NAT64, and 6RD. Native dual stack allows simultaneous use of IPv4 and IPv6 but is the most complex to deploy. DS-Lite tunnels IPv4 packets over IPv6 to allow an IPv6-only access network. NAT64 provides IPv4-IPv6 translation to allow access to IPv4 servers from an IPv6 network. 6RD allows lightweight IPv6 deployment without upgrades by encapsulating IPv6 in IPv4. Each method has different impacts on the access network, subscriber edge, and home network domains.
How to Build Advanced Voice Assistants and Chatbots (Cisco DevNet)
Learn more about the CodeMotion Voice Machine and Cisco DevNet Chatbot. Understand what a typical bot journey is and where to go to get more information about Cisco Spark and Tropo.
Oasis Communication Technologies is an expert in IPv6 deployment based on their experience implementing IPv6 networks for various clients over many years. They discuss three case studies: an early dual-stack deployment for IGLD, a global IPv6 rollout for PCCW Global using 6PE, and a customer deployment for Xfone 018. They also discuss lessons learned, including that the core network is simple but access networks are complex, addressing design is challenging, and that lack of IPv6-enabled content and customer equipment readiness are major barriers to adoption.
The document discusses Estonia's policy and legal framework development for digital security. It outlines Estonia's goals of developing a coordinated cyber security strategy, increasing competence, improving legal frameworks, and bolstering international cooperation. It also describes Estonia's three-level baseline security system called ISKE, which provides different sets of security measures depending on assets' security requirements. The system is modeled after Germany's IT Baseline Protection Manual and aims to ensure the security of Estonia's state information systems through standards and auditing processes defined in legislation.
Trüb produces Estonia's national eID card, which citizens use for digital authentication and signatures. Estonia launched its eID program in 2002, and it is now used across both public and private sectors. The eID system underpins Estonia's transition to a digital society, allowing online access to over 600 services including e-voting, e-health records, and e-tax filing. Security is ensured through encryption, PIN codes, and citizens' ability to monitor third party access to their data. The success of Estonia's eID program stems from early investment in internet infrastructure, public-private partnerships, and developing user-friendly applications to drive adoption.
Public sector innovation lessons from E-Estonia / Siim Sikkut (Siim Sikkut)
Slides from OECD Public Sector Innovation conference talk on 12 November 2014 - lessons of what works from experience of E-Estonia (aka digital innovation)
How Estonia is helping to shape cyber resilience (rmdesilva)
Ahead of Cyber Defence and Network Security 2012, we spoke with Heli Tiirmaa-Klaar, Senior Advisor to the Undersecretary at the Estonian MoD, about the pioneering work that Estonia has contributed to global cyber security measures. Heli provides insight into the progress being made in regards to developing cyber policy, an integrated CERT team, and the underlying issue of improving cyber forensics to ensure future accuracy when it comes to identifying the source of a network attack.
The document discusses how a new era of technology including big data, social media, mobile devices, and cloud computing is transforming business and society. This shift provides opportunities to gain individual insights from massive data, engage customers personally across multiple touchpoints, and use cloud-based infrastructure to drive strategic change. The forces of big data, mobile devices, social networks, and cloud computing are fundamentally rewiring how society and businesses operate.
The document discusses cyber security issues at the United Nations. It outlines that new technologies have led to new security problems as malicious state and non-state actors launch cyber attacks against government and private networks. While the UN aims to prevent war and agree on norms of behavior, states have differing interests and ideological approaches to these issues. The document examines the work of the UN Group of Governmental Experts on cyber security, noting successes in establishing cyberspace is not lawless but challenges remain in reaching agreement due to ideological divides and limited state cooperation and preparedness to address cyber attacks. Sources for further information on these UN cyber security discussions are provided.
IPv4 is the current version of the Internet Protocol but has limitations including a limited 32-bit address space that is nearly depleted, lacking built-in network security, and limited quality of service capabilities. IPv6 was developed to address these issues by using a larger 128-bit address space to avoid scarcity, incorporating IPsec to provide security, and improving quality of service and auto-configuration features. While IPv6 adoption is still growing, transitioning networks to be dual-stacked with both IPv4 and IPv6 ensures compatibility and avoids missing traffic from users on IPv6-only networks.
4. IPv6 Security - Workshop with Live Demo - Marco Senn Fortinet (Digicomp Academy AG)
Break-ins, viruses and Trojans do not stop at IPv6 either. As the market leader in Unified Threat Management (UTM), Fortinet develops comprehensive security solutions to combat such threats, for both IPv4 and IPv6 networks. The workshop-oriented talk demonstrates the need for comprehensive security solutions when migrating to IPv6.
This document discusses various techniques for IPv6 transition and coexistence with IPv4, including:
- Dual-stack which allows simultaneous support of both IPv4 and IPv6.
- Tunnels which encapsulate IPv6 packets in IPv4 packets to provide IPv6 connectivity through IPv4 networks.
- Translation techniques like NAT64 which allow communication between IPv4-only and IPv6-only nodes.
The document discusses various techniques for transitioning from IPv4 to IPv6, including dual stack, tunnels, and translation. Dual stack allows simultaneous support of both IPv4 and IPv6 by keeping both protocol stacks. Tunnels encapsulate IPv6 packets in IPv4 packets to carry IPv6 traffic over IPv4 networks. Translation techniques like NAT64 algorithmically translate IPv4 and IPv6 addresses to allow communication between IPv4-only and IPv6-only nodes. Newer methods like 464XLAT and DS-Lite aim to address IPv4 exhaustion by sharing public IPv4 addresses among more clients.
This document provides guidance on rapidly deploying IPv6 for ISP networks. It begins by outlining common concerns with IPv6 implementation and then provides steps to take including: starting implementation in a lab; enabling IPv6 on core infrastructure; enabling customer services in stages from easiest to hardest; and conducting a network readiness assessment. The document then provides examples of enabling IPv6 on routers and end customer connections using a simplified IPv6 addressing scheme. It discusses additional considerations like security, Linux and Windows test beds, non-networking devices, sources of help, and convincing management of the need for IPv6 deployment.
This document discusses the security of IPv6 and addresses some common myths. It provides a brief comparison of IPv4 and IPv6, noting areas of both similarity and difference. While IPv6 introduces some new capabilities like larger addresses and mandatory IPsec support, it also brings new potential security issues from features like stateless autoconfiguration. Proper implementation and ongoing evaluation work is needed to understand IPv6 security as attack surfaces continue to be explored. Transition technologies also introduce new vectors that require consideration. Overall, IPv6 differs little from IPv4 at the network layer, and securing applications and higher layers remains paramount.
This document discusses the security of IPv6 and addresses some common myths. It provides a brief comparison of IPv4 and IPv6, noting areas of both similarity and difference. While IPv6 introduces some new capabilities like larger addresses and mandatory IPsec support, it also brings new potential security issues like those related to auto-configuration. Proper implementation and ongoing evaluation work is needed to help secure both protocols. Overall, IPv6 provides capabilities but does not inherently improve security without diligent configuration and management.
This document discusses strategies for deploying IPv6 in cellular networks given the impending exhaustion of IPv4 addresses and increasing number of internet-connected devices. The best long-term solution is dual-stack (IPv4 and IPv6), but alternatives like IPv6-only with NAT64 and 464XLAT can work as well by allowing IPv6-only devices to access IPv4 content. NAT64 and DNS64 enable IPv6-only clients to reach IPv4 servers, while 464XLAT provides a more efficient solution that works for applications using literal IPv4 addresses. Large-scale deployments by mobile carriers demonstrate the viability of IPv6-only networks with NAT64 or 464XLAT.
12.00 - Dr. Tim Chown - University of Southampton (IPv6 Summit 2010)
1) The university deployed IPv6 in a phased approach over many years, first running it in 1997 and now having a large dual-stack production network.
2) They took a dual-stack approach to allow existing IPv4 systems while gaining experience with IPv6. Managing the complexity of dual-stack has been the main challenge.
3) Early experiences included getting IPv6 connectivity, enabling core services like DNS and web servers, and porting internal software. Harder aspects involved multi-addressing, some application support, and security issues like rogue routers.
The document summarizes discussions from IETF 94 and RIPE 71 conferences. Several new DNS-related RFCs were published, including ones on DNSSEC, DANE, and IPv6. Discussions also covered DNS record ordering, DS record management automation, and measuring the SMTP over TLS adoption. IPv6 performance improvements were noted since 2011, though challenges remain. DNSTAP was introduced as a new technology for monitoring DNS server operations with minimal performance impact.
Happy Eyeballs v2 (HEv2) extends Happy Eyeballs v1 to improve user experience during IPv6 and IPv4 connection attempts. While HEv2 still prefers IPv6, it may reorder address preference to accelerate connection times. However, HEv2 can hide IPv6 failures, making it difficult for operators to monitor IPv6 quality. A new draft proposes extending HEv2 to report failures to operators via syslog. RFC8273 describes assigning each host a unique IPv6 prefix, improving isolation and management in shared environments like hotspots and data centers.
The document discusses the upcoming introduction of IPv6. [1] IPv6 is a new standard for IP numbering that will provide more IP addresses as the current IPv4 addresses are running out. [2] It will help overcome limitations in the old IPv4 system and ensure there are enough addresses available into the next century. [3] The document outlines some of the key features and improvements IPv6 will provide, such as larger packet sizes, better security features, quality of service support, and mobility support.
IPv6 is the next generation Internet Protocol that provides a vastly larger number of IP addresses compared to the current IPv4. It features 128-bit addressing which allows for trillions of devices to have unique IP addresses. IPv6 also aims to make networking more secure and allow for more efficient routing. The transition from IPv4 to IPv6 is underway, with most modern operating systems and network hardware now supporting IPv6, though applications support is still growing. IPv6's expanded addressing capabilities and additional features will help meet future demands on the Internet as more devices connect online.
This document discusses IPv6 transition strategies for service providers. It begins by noting that the IANA pool of IPv4 addresses has been exhausted and regional registries will soon run out as well. While existing IPv4 networks will continue to function, many devices and applications only support IPv4, creating an "IPv4 long tail" that will be challenging to transition to IPv6. The document then evaluates options for service providers, including dual-stack, translators, and tunnels. It provides more detail on implementing a dual-stack infrastructure in the core network using protocols like IS-IS, OSPF, and BGP. 6PE and 6VPE are introduced as options to provide IPv6 connectivity over an IPv4 MPLS
This document provides a 3-paragraph summary of a 10-page project report on IPv6. The report was submitted by Udipto Ghosh to MIT Pune in partial fulfillment of a post-graduate diploma in management. The summary discusses that IPv6 is an evolutionary upgrade to IPv4 designed to allow continued growth of the internet. It also describes some key features of IPv6 like larger address space and auto-configuration. The transition from IPv4 to IPv6 is expected to occur gradually as IPv6 is deployed incrementally for early benefits while coexisting with IPv4 for a long time.
This document provides an overview of IPv6, the latest revision of the Internet Protocol. IPv6 was developed by IETF to address the problem of IPv4 address exhaustion, as IPv4 addresses were being depleted. IPv6 features a much larger 128-bit address space compared to 32-bits in IPv4, providing vastly more unique IP addresses. It also includes improvements in routing, network autoconfiguration, security, quality of service, and mobility support. The document discusses the history and development of IPv6, its addressing modes and types, headers, communication methods, transitioning from IPv4, routing, and the future of IPv6.
The University of Edinburgh is undergoing a large project to reprocure its campus networking infrastructure. The existing network, which has grown organically over many years, contains equipment that is up to 20 years old and no longer meets the university's needs. After an internal review in 2014 recommended a new network be procured, the university embarked on a multi-stage competitive dialogue procurement process that is still ongoing. The process involves pre-market engagement, shortlisting bidders, and multiple rounds of dialogue and evaluation to refine solutions before selecting a final vendor. The procurement has proven to be a large undertaking but may result in a network solution tailored to the university's unique requirements.
This document provides an overview and agenda for a course on Introduction to IPv6 for Service Providers. The course covers IPv6 essentials such as addressing, operations, applications/services, routing protocols, and transition strategies. It discusses the rationale for adopting IPv6 including the depletion of IPv4 addresses and the need to support the growing number of internet-connected devices. The document outlines some of the key limitations of IPv4 like fragmentation and the issues with long-term reliance on Network Address Translation (NAT) to overcome the address space depletion.
This document summarizes a presentation on successfully deploying IPv6. The presentation covers dual stack migration planning, training for deployment success, addressing challenges, IPv6 routing, dual-protocol applications, and troubleshooting dual-protocol networks. The presentation advises organizations to add IPv6 while continuing to run IPv4 for many years, treat IPv6 deployment as a long-term program rather than a project, and focus initial efforts on internet-facing devices.
China and Russia are active in cyber operations. China conducts cyber reconnaissance and uses soft power through the internet to influence values. The document discusses a cyber attack on Google and ties it to Chinese universities. Russia focuses on developing cyber policy and military cyber theory, as well as information and electronic warfare equipment. Both countries see value in preemptive cyber attacks and deception operations to gain strategic advantage.
The document discusses cloud security risks and threats identified by the Cloud Security Alliance (CSA). The CSA is a non-profit organization focused on best practices for cloud security. The top 7 cloud security threats according to a CSA survey are: 1) data loss/leakage, 2) abuse and nefarious use of cloud computing, 3) insecure APIs, 4) malicious insiders, 5) account/service and traffic hijacking, 6) unknown risk profiles, and 7) shared technology vulnerabilities. The CSA guidance provides best practices to help secure cloud computing.
4. IP version 6
• “IP” (Internet Protocol) is the glue that makes the Internet work
– Every device on the network has an IP “address”
• What we use today is IP version 4
– In production use for 27 years (1983), and showing its age
– 32 bit addresses
• IPv6 is the next generation Internet protocol
– Huge address space (128 bit addresses)
– Aggregation based hierarchy for route table efficiency
– Simplified, fixed length header – better options support
– Mandatory IPsec (promise for improved security)
– Autoconfiguration, ease of renumbering
– Support for QoS
• The most important piece right now is that it has incredibly vast address space
17-May-10 4
5. The piece that has changed
ISO 7 Layer Model alongside the Internet Stack (diagram):
• Application
• Presentation
• Session – Sockets
• Transport – TCP, UDP
• Network – IP, IPv6
• Link – MAC Layer
• Physical
6. The Transition to IPv6
• Running out of IPv4 address space
– Expected depletion in 2012
• Every network connected device must upgrade.
• Transition to IPv6 should have happened by now
– delays in product availability and maturity
– apathy on all fronts, lack of sense of urgency
– other priorities
7. Implementation approach: “Dual Stack”
• IPv6 is not compatible with IPv4.
– They can exist side by side, but don’t interoperate.
• It is not possible to communicate between IPv4 and IPv6 Internets without translators.
– Translators are problematic, and we should avoid them.
• “Dual Stack” is when you run both protocols on all networks and systems.
– This allows full connectivity to both IPv4 and IPv6 Internets.
– It is the most pragmatic transition mechanism today if you have sufficient IPv4 addresses.
• When we speak of “transition”, we mean “transition to dual-stack”, not to “IPv6 only”.
8. Address exhaustion
• ARIN Board of Trustees Resolution dated 7 May 2007:
RESOLUTION OF THE BOARD OF TRUSTEES OF ARIN ON INTERNET PROTOCOL NUMBERING RESOURCE AVAILABILITY
WHEREAS, community access to Internet Protocol (IP) numbering Resources has proved essential to the successful growth of the Internet; and,
WHEREAS, ongoing community access to Internet Protocol version 4 (IPv4) numbering resources can not be assured indefinitely; and,
WHEREAS, Internet Protocol version 6 (IPv6) numbering resources are available and suitable for many Internet applications,
BE IT RESOLVED, that this Board of Trustees hereby advises the Internet community that migration to IPv6 numbering resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP numbering resources; and,
BE IT ORDERED, that this Board of Trustees hereby directs ARIN staff to take any and all measures necessary to assure veracity of applications to ARIN for IPv4 numbering resources; and,
BE IT RESOLVED, that this Board of Trustees hereby requests the ARIN Advisory Council to consider Internet Numbering Resource Policy changes advisable to encourage migration to IPv6 numbering resources where possible.
Unanimously passed by the Board of Trustees on 7 May 2007.
10. Notice of IPv4 Address Depletion
“Make your organization’s publicly accessible resources available via IPv6 as soon as possible”
11. Potential scenario
• Projected IPv4 address depletion in 2012
– Address blocks become scarce commodity
– Broken into smaller pieces, and “sold”
• Then, IPv4 Routing tables exceed router capacity
– Upwards of 2M routes, won’t fit router memory
– Some parts of Internet become isolated
• Islands of IPv6-only
– Can’t get IPv4 addresses
– Don’t want complexity of dual stack
– National mandates
• No good IPv4/IPv6 translator solution yet
– But IETF is working on proposals.
13. Background
• DREN (Defense Research and Engineering Network)
– is DoD’s Internet Service Provider for the Research and Engineering community
– also serves as the DoD IPv6 “pilot” network
• Started the transition to IPv6 nearly 10 years ago
• In full production “dual stack” for some years now
– Significant operational experience, and lessons learned
14. Benefits already realized
• Adversaries can’t map nets, due to sparse addressing
• Vastly reduced routing tables, resulting in faster convergence
• Everything gets an address (or many of them), and NATs are eliminated.
– End to end model is restored
– With IPSEC, an end to end security model is possible
– Facilitates “one-IP one-service” model
– Improved battery life of network devices (sensors, cell phones)
• Multicast is greatly simplified
– Rendezvous Point (RP) embedded in multicast group address
– No more MSDP
* NATs: Network Address Translators
* IPSEC: Internet Protocol Security
* MSDP: Multicast Source Discovery Protocol
16. IPv6 Security Review
• Independent security review performed by SAIC for DREN during 2005
– Publicly available
• Conclusions:
– protocol is no less secure than v4
17. Maturity of Implementations
• IPv4 is very mature, implementations are solid
– used heavily for over 20 years
• IPv6 is very new
– limited production experience
– vendors aren’t “eating their own dogfood”
– we haven’t found all the bugs yet
Near certainty that we will find Denial of Service Vulnerabilities
18. Tunnels
• If systems are connected to a network that does not support IPv6, they may try to “tunnel” IPv6 in IPv4 packets
– Popular mechanisms are 6to4, ISATAP, Teredo
– Default in Windows
• Tunnels can bypass firewalls and other security protections
– can easily happen by accident
– you may not be aware that it is happening
• Recommendation:
– Block tunnels (IP Protocol 41) at security boundaries
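To check whether that block is effective, the following added example (not part of the original slides) classifies raw IPv4 packets from a boundary capture and lists the internal hosts seen tunnelling. The Teredo UDP port 3544, the function names and the sample packets are assumptions added here; the packets are constructed and use documentation addresses.

```python
import socket
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # 6to4 and ISATAP carry IPv6 directly inside IPv4
TEREDO_PORT = 3544        # Teredo rides in UDP, so a protocol 41 filter alone misses it


def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet as 'proto41', 'teredo', 'other' or 'malformed'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "proto41"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Only the first fragment of a datagram carries the UDP header.
    if proto == PROTO_UDP and frag_offset == 0:
        if len(pkt) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "other"


def tunnel_sources(packets):
    """Map each source address to the set of tunnel types it was seen using."""
    seen = {}
    for pkt in packets:
        kind = classify(pkt)
        if kind in ("proto41", "teredo"):
            seen.setdefault(socket.inet_ntoa(pkt[12:16]), set()).add(kind)
    return seen


def ipv4(src, dst, proto, payload, frag_offset=0):
    """Build a minimal IPv4 packet for the demo (header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      frag_offset, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data=b""):
    """Build a UDP header plus data for the demo (checksum left at zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample traffic, not a real capture.
SAMPLE = [
    ipv4("192.0.2.10", "198.51.100.1", 41, b"\x60" + b"\x00" * 39),  # IPv6 in IPv4
    ipv4("192.0.2.11", "198.51.100.2", 17, udp(51000, 3544)),        # Teredo client
    ipv4("192.0.2.12", "198.51.100.3", 17, udp(51001, 53)),          # ordinary DNS
    ipv4("192.0.2.12", "198.51.100.3", 6, b"\x00" * 20),             # ordinary TCP
    b"\x45\x00",                                                      # truncated packet
]

if __name__ == "__main__":
    for host, kinds in sorted(tunnel_sources(SAMPLE).items()):
        print(host, sorted(kinds))
```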
19. Rogue routers
• In IPv6, routers announce themselves using “RA” (router advertisements)
• Systems on the network learn a default gateway from the RAs
– part of the auto-configuration feature of IPv6
• Any system could pretend to be an IPv6 router and send RAs
– other systems will hear this and route traffic to this rogue router
– denial of service to the entire subnet
• Windows systems that have Internet Connection Sharing (ICS) enabled will do this automatically.
• Solution:
– Long term – Implement “RA Guard” when available
– Near term – set router priority to “high” on the true routers
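Until RA Guard is available, the RAs on a subnet can at least be audited. The following added example (not from the original slides) parses ICMPv6 Router Advertisements, flags senders that are not on a list of known routers, and checks that the true routers really advertise "high" preference. The preference encoding follows RFC 4191; the function names, the trusted list and the sample messages are assumptions constructed for the example.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
# Default Router Preference, a 2-bit field in the RA flags byte (RFC 4191).
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def parse_ra(icmp: bytes):
    """Return (preference, router_lifetime_seconds), or None if not an RA."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT or icmp[1] != 0:
        return None
    # Byte 5 holds the M/O/H/Prf flags, bytes 6-7 the router lifetime.
    flags, lifetime = struct.unpack("!BH", icmp[5:8])
    return PRF_NAMES[(flags >> 3) & 0b11], lifetime


def audit_ras(observed, trusted_routers):
    """Return sorted (kind, source, preference) findings for suspicious RA senders."""
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    findings = set()
    for src, icmp in observed:
        parsed = parse_ra(icmp)
        if parsed is None:
            continue                      # not a Router Advertisement
        pref, lifetime = parsed
        if ipaddress.IPv6Address(src) not in trusted:
            # Lifetime 0 means the sender does not offer itself as default router.
            kind = "rogue-default-router" if lifetime > 0 else "unexpected-ra"
            findings.add((kind, src, pref))
        elif pref != "high":
            # The near-term mitigation has not been applied on this router.
            findings.add(("trusted-router-not-high", src, pref))
    return sorted(findings)


def ra(pref_bits, lifetime):
    """Build a 16-byte RA header for the demo (checksum left at zero)."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64,
                       pref_bits << 3, lifetime, 0, 0)


# Constructed inputs: two known routers and what was heard on the link.
TRUSTED = ["fe80::1", "fe80:0:0:0:0:0:0:2"]
NEIGHBOR_SOLICITATION = struct.pack("!BBHI16s", 135, 0, 0, 0, bytes(16))
OBSERVED = [
    ("fe80::1", ra(0b01, 1800)),                      # true router, set to high
    ("fe80::2", ra(0b00, 1800)),                      # true router, still at medium
    ("fe80::a00:27ff:fe4e:66a1", ra(0b00, 1800)),     # host announcing itself as router
    ("fe80::a00:27ff:fe4e:66a1", NEIGHBOR_SOLICITATION),
]

if __name__ == "__main__":
    for finding in audit_ras(OBSERVED, TRUSTED):
        print(finding)
```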
20. THC report - 2008
• http://www.thc.org
• Confirms early implementations are immature
– 47 implementation bugs reported by June 2008
• Conclusions:
– no serious new risks with IPv6
– some security improvements over IPv4
• scanning and worming will be harder
• no record-route, no uptime check
• easier filtering and attack tracing
21. Many products lack IPv6 support
• Many products that are critical to security infrastructure are not IPv6-enabled
– Firewall
– Web cache/proxy
– Load balancer
– Intrusion Detection System (IDS)
– Intrusion Prevention System (IPS)
– Many VPN products
• Both SSL VPNs and IPSEC VPNs
– Vulnerability assessment and forensics tools from most vendors
22. Privacy addresses
• See RFC 4941
• Windows systems do this by default (and we don’t like it!)
• Breaks many things in our environment
– Forensics
– Stable DNS entries
– Automated management tools
• Could fix with DHCPv6, but client not available in important OS’s
– Windows XP, Mac OSX
• Would be nice if RA’s could say “don’t do this”
• So we have to visit every Windows machine to disable this.
– Breaks the “plug and play” goal of IPv6 for clients.
• How To: (next slide)
23. Disabling privacy addresses
• Windows XP
ipv6 -p gpu UseTemporaryAddresses no
• Windows 2003
netsh interface ipv6 set privacy state=disabled store=persistent
• Windows Vista
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
• Windows 2008
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
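Why stable addresses matter for forensics, as an added example that is not part of the original slides: it attributes observed IPv6 addresses to inventoried machines by recomputing the modified EUI-64 interface identifier from each MAC address. It assumes hosts with temporary and randomized identifiers disabled form their addresses from the MAC in this way; the inventory, hostnames and addresses are constructed.

```python
import ipaddress

IID_MASK = (1 << 64) - 1   # low 64 bits of an address: the interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02                      # invert the universal/local bit
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def attribute(addresses, inventory):
    """Map each observed address to a hostname, or None if no known MAC matches."""
    by_iid = {eui64_iid(mac): host for mac, host in inventory.items()}
    result = {}
    for text in addresses:
        iid = int(ipaddress.IPv6Address(text)) & IID_MASK
        result[text] = by_iid.get(iid)
    return result


# Constructed asset inventory (MAC -> hostname); both common MAC notations are accepted.
INVENTORY = {
    "00:11:22:33:44:55": "ws-014",
    "00-1A-2B-3C-4D-5E": "ws-027",
}

# Constructed source addresses as they might appear in a flow or firewall log.
OBSERVED = [
    "2001:db8:1:2:211:22ff:fe33:4455",    # global address, identifier derived from a MAC
    "fe80::21a:2bff:fe3c:4d5e",           # link-local address of another known host
    "2001:db8:1:2:5c3a:91b0:2e07:b6d4",   # random identifier, as a privacy address has
]

if __name__ == "__main__":
    for addr, host in attribute(OBSERVED, INVENTORY).items():
        print(f"{addr:40} {host or 'UNATTRIBUTED'}")
```

The third address cannot be tied to any machine from the address alone, which is the forensics problem the previous slide describes.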
24. Dual Stack complexities
• Operating dual stack is like running two separate networks in parallel
• All security mechanisms must be equally applied to both network protocols
– otherwise one of them becomes the “weakest link”
– new entry vector for adversaries
• Addition of complexity
– makes it harder to maintain
– more prone to mistakes
• Recommendation: topological and security congruency
– same topology for both IPv4 and IPv6 components
– identical security policies, ACLs, defences, etc.
25. VPN problems
• Travelers and telecommuters use client VPNs to connect to the corporate Intranet securely
– Like Cisco IPSEC VPN or Juniper SSL VPN
• Only tunnels the IPv4 traffic (today)
• IPv6 traffic, if supported at all, goes outside this tunnel
– IPv6 traffic is now in the clear over the Internet, where user may think it is protected
– But it may be blocked by the corporate firewall
• Seriously impacts performance for IPv6-enabled remote users.
• Users disable IPv6 to fix it (bad scenario)
• Solution:
– Deploy ISATAP to Intranet.
– But Macs don’t have ISATAP client support.
26. Crisis response
• Deployment of anything in a crisis is prone to mistakes
– insufficient time to plan and design the solution
– insufficient time to develop or procure the best tools
• Waiting too long to deploy IPv6 will put you into a crisis scenario at some point
• Recommendation: deploy IPv6 now
– you should have been working on it for a few years now
27. Summary
• DREN has been successfully using IPv6 in a production environment, with many dual-stack systems and services, for years
• IPv6 presents some new security challenges, but it is fundamentally no less secure than IPv4
• Most significant problem is the very limited deployment to date
• Strongest recommendation: IPv6-enable your public facing services now!