Global Internet is not ready for IPv6 only Cisco support NAT64 above ASR Series User bandwidth management is way to complex 464 XLAT does not support general WiFi routers Existing server system support Operation & Security Policy We have almost 50k active Customer and planning for 500k Overhead cost of deployment (NAT64 & DNS64)

1. Security Myth of
IPv6 and DNS64
A. S. M. Shamim Reza
Deputy Manager
Network Operation Center
Link3 Technologies Ltd

2. [~]# whoami
Linux Geek
Open Source Software Enthusiast
EC-Council Certified Security Analyst
ASMShamimReza
ShamimRezaSohag
sohag.shamim@gmail.com

3. The Journey
Importance of Having IPv6
Challenges
Myths and Reality
Associated IPv6 Protocol Security
Do’s and Don’t

4. Importance of having IPv6
 Running out of IPv4 address
 IPv6 has done the math

5. Challenges

6. Things we had to Calculate
 Global Internet is not ready for IPv6 only
 Cisco support NAT64 above ASR Series
 User bandwidth management is way to complex
 464 XLAT does not support general WiFi routers
 Existing server system support
 Operation & Security Policy
 We have almost 50k active Customer and planning for 500k
 Overhead cost of deployment (NAT64 & DNS64)

7. Things that we come-up with
 Existing Bandwidth Manager & Spam firewall Support Dual-Stack
 Linux and Windows based system support IPv6 by-default
 Host based IDS and Firewall supports IPv6
 As an ISP we need to go with NAT64 & DNS64
 Dual-Stack for Infrastructure & IPv6 Only for end user
 DNS64 will managed by BIND & CentOS 6

8. Difference between IPv4 & IPv6
IPv4 IPv6
Web, DNS, DHCH Web, DNS64, DHCPv6
TCP, UDP TCP, UDP
ICMP ICMPv6

9. Myths and Reality
What have we been told and What have we found

10. The Myths
IPv6 is too new
to be attacked
My network is
IPv4 only

11. Myths - My network is IPv4 only
Reality – All the OS have IPV6 activated by default

12. Myths - IPv6 is too new to be attacked
Reality – Same things with Different Name and tactics.
Attacks Tools
Reconnaissance Alive6, Nmap
Amplification Smurf6, Rsmurf6
DHCPv6 Spoofing flood_dhcpc6, fake_dhcps6
DAD Spoofing, Redirect Spoofing Dos-new-ipv6, redir6

13. Outcome of Myths
 IPv6 is not more or less secure than IPv4
 Knowledge of associated protocols is the best security measures
 Mindset change is required

14. Associated IPv6 Protocol Security

15. Protocol to be considered before
deployment
ICMPv6 NDP
DNS64DHCPv6

16. DNS Server – What we had
Authoritative
Recursive DNS
Software resources Hardware resources
CentOS 5 32 bit Core – 2
RAM – 4 GB
HDD – Sata 7.2k RPM
bind-utils-9.3.4-10.P1.el5
ypbind-1.19-11.el5
bind-libs-9.3.4-10.P1.el5

17. DNS Server - What we have Faced
 OS version is about to obsolete
 Resource utilization was about to fill up
 Log search was not administration friendly

18. DNS Server - What we have done
 Upgraded the OS to CentOS 6 64bit
 Divided the Authoritative & Recursive in to TWO server
 Deployed the DNS system with CHROOT
 Calculate the session of Recursive DNS system
 Deployed the Recursive server with IP Anycast
 Configured the Recursive log based on search criteria

19. DNS Server - What we have done
Software Resources Hardware Resources
CentOS 6.9 64 bit CPU Core – 4 with 2 Socket
RAM – 8 GB DDR4
HDD – Sata SAS 15k RPM
bind-libs-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-sdb-9.8.2-0.62.rc1.el6_9.5.x86_64
rpcbind-0.2.0-13.el6_9.1.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-devel-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-chroot-9.8.2-0.62.rc1.el6_9.5.x86_64
bind-utils-9.8.2-0.62.rc1.el6_9.5.x86_64
iptables-1.4.7-16.el6.x86_64
iptables-ipv6-1.4.7-16.el6.x86_64

20. How DNS64 Works

21. DNS64 Server
With the New System - what we have
 We have configure the DNS64 at the Recursive system
 Forget to tune the Kernel and Iptables
 Forget to Calculate the Log volume

22. DNS64 Server
What we have faced
 Session per second was 4k/second
 Increased to 5k/second
 Query response was slower/ Some of the users are not getting response
 Hard disk about to filled up with the log stored
 For every query there are 2 separate line for IPv4 & Ipv6

23. Log Format of DNS64

24. DNS64 Server
Action that we have taken
 We are having almost 4GB of log file in one hour
 Configured the log rotation based on file size
 Then we have decided to move all the log to the central server after
every one hour

25. DNS64 Server
Performance tuning
Checked the System –
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 262144
Changed it –
# sysctl -w net.netfilter.nf_conntrack_max=524288

26. DNS64 Server
Security tuning
 Configuration is for sysctl.conf file
1. To stop IPv6 routing advertisement –
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
2. TO Stop ICMPv6 redirect –
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

27. DNS64 server
1. To stop DAD related attack–
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.enp0s8.accept_dad = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.enp0s8.dad_transmits = 0

28. DNS64 server
Security tuning
 Configuration is for IP6TABLES
#!/bin/bash
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -I INPUT 1 -d ff02::1 -j DROP
ip6tables -I INPUT 2 -i eth1 -m ipv6header --header dst --soft -j DROP
ip6tables -I INPUT 3 -i eth1 -m ipv6header --header hop --soft -j DROP
ip6tables -I INPUT 4 -i eth1 -m ipv6header --header route --soft -j DROP
ip6tables -I INPUT 5 -i eth1 -m ipv6header --header frag --soft -j DROP
ip6tables -I INPUT 6 -i eth1 -m ipv6header --header auth --soft -j DROP
ip6tables -I INPUT 7 -i eth1 -m ipv6header --header esp --soft -j DROP
ip6tables -I INPUT 8 -i eth1 -m ipv6header --header none --soft -j DROP

29. DO’s and Don’t
 IPv6 is moving faster, you can’t walk slow
 Keep updated with knowledge
 NO IPv6 Only thoughts for Infrastructure
 Make a inventory of existing system
 List of Necessaries that you Need NOT that you Want

30. Top 10 countries for IPv6 support (Feb
2018)

31. Top 10 countries of IPv6 Default for
Dual-Stack User