This document summarizes several technology updates related to IPv6 that are being discussed and standardized within the IETF. It covers issues and proposals regarding core IPv6 protocols like site-local addressing and prefix delegation. It also discusses routing protocol issues, DNS considerations, transition mechanisms, neighbor discovery security, and the IPv6 firewall architecture. The document provides an overview of the status and remaining issues for each topic.
Copyright(c)2003 All rights reserved, Hitachi, Ltd.
2. Abstract
• IPv6-related issues in IETF
  • Core Protocol issues
  • Routing Protocol issues
  • DNS-related issues
  • Transition Mechanism issues
  • Security-related issues
3. Core Protocol Issues
• Site-Local Address
• Prefix Delegation
• Flow-Label
• Router Renumbering
(Mobile-IPv6 is covered in later presentation)
4. Site-local Address (Overview)
• Site-local address spec. has two distinct characteristics
  • Private use is allowed, like 192.168.0.0/16
  • Site-Border Router has to distinguish addresses in different sites
    • e.g. FEC0::1%site1 and FEC0::1%site2 are different
• Issues
  • Site-local addresses are often duplicated among networks
    • e.g. When multiple networks are merged together, and both networks use fec0:1:2::/48
  • Site-Border-Router is a serious headache for implementors, standardization, and operation.
5. Site-local Address (Proposal)
• “Deprecate Site-local” and introduce a new solution
  • Remove ‘Site-Border’, but keep localness and uniqueness
• Global-Unique Local Address (FC00::/7)
  • Locally used unique address
    • guarantees 40-bit uniqueness
    • not allowed to redistribute to the Internet
  • Split into two parts
    • FC00::/8 = Centrally assigned by some registries (TBD)
    • FD00::/8 = Locally assigned without any registries
  • Address format: 1111 110 (7 bit) | 0/1 | MD5-hash (40 bit) | SLA (16 bit) | Interface-ID (64 bit)
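The locally assigned half of the proposal and the merge problem from the previous slide, as an added Python example that is not part of the original slides. The seed layout (timestamp plus MAC) and the function names are assumptions of this example; MD5 follows the slide's field name.

```python
import hashlib
import ipaddress

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # prefix proposed for deprecation
LOCAL = ipaddress.IPv6Network("fc00::/7")         # global-unique local addresses


def local_prefix(mac, timestamp, algo="md5"):
    """Derive a locally assigned FD00::/8 site prefix (/48) without a registry.

    The 40-bit field is the low 40 bits of a hash over a timestamp and the
    interface MAC; this seed layout is an assumption of the example.
    """
    seed = int(timestamp).to_bytes(8, "big") + bytes.fromhex(mac.replace(":", ""))
    global_id = hashlib.new(algo, seed).digest()[-5:]           # 40 bits
    address = ipaddress.IPv6Address(b"\xfd" + global_id + bytes(10))
    return ipaddress.IPv6Network(f"{address}/48")


def classify(prefix):
    """Name the address class of a prefix as used on these slides."""
    net = ipaddress.IPv6Network(str(prefix))
    if net.subnet_of(SITE_LOCAL):
        return "site-local"
    if net.subnet_of(LOCAL):
        # The bit after 1111 110 separates FC00::/8 from FD00::/8.
        locally = net.network_address.packed[0] & 0x01
        return "local/locally-assigned" if locally else "local/centrally-assigned"
    return "other"


def merge_conflicts(site_a, site_b):
    """Return the prefix pairs that overlap when two networks are merged."""
    nets_a = [ipaddress.IPv6Network(str(p)) for p in site_a]
    nets_b = [ipaddress.IPv6Network(str(p)) for p in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample: both sites picked the same site-local prefix.
    print(merge_conflicts(["fec0:1:2::/48"], ["fec0:1:2::/48"]))
    # The same two sites with hashed FD00::/8 prefixes (constructed MACs).
    a = local_prefix("00:11:22:33:44:55", 1057000000)
    b = local_prefix("00:11:22:33:44:66", 1057000000)
    print(a, b, classify(a), merge_conflicts([a], [b]))
```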
6. Remaining Issues in FC00::/7
• It may lead to an IPv6-NAT introduction?
  • Simultaneous use of global address and FC00::/7 is better
• Source address selection
  • Longest-match algorithm (RFC3484) is sufficient
• DNS server
  • Two-face DNS server is necessary, like IPv4 private address handling.
• Well-known site-local address?
  • e.g. DNS server address (FEC0:0:0:FFFF::1)
  • Global-unique local address is not suitable
    • Since it varies by networks
  • Use of FEC0::/10 needs further consideration, even after site-local address deprecation
• Who manages the ‘registry’?
• 40-bit uniqueness is enough?
7. Prefix Delegation (Overview)
• Plug & Play for (esp.) SOHO Routers
• Use some protocol to automatically delegate prefix from upstream router to downstream routers
[Figure: PC, SOHO Router, ISP Router. Labels: Delegates prefix automatically (normally /48); Choose a prefix (/64) for PC segment; Plug and Play by RA (/64)]
8. Prefix Delegation (Status)
• Standardization almost finished
  • Concept and requirement are approved in IPv6 WG.
  • Various protocols are proposed, but DHCPv6-based one seems to be the winner
    • Does not distribute IPv6 addresses in DHCPv6
    • Just uses DHCPv6 protocol framework to distribute IPv6 prefixes
    • Distributes other information (e.g. DNS server) as well
• Lots of Implementations
  • gone through lots of Interoperability testing
    • TAHI, Connectathon, IPv6 Showcase, DHCPv6-Interop
• ISPs have already started PD service in Japan
9. IPv6 Flow Label
• Issue
  • IPv6 architecture defines a flow-label field in IPv6 header, but its usage is not explicitly defined.
• Status
  • Framework is approved in WG.
    • Sender determines Flow Label by some means
    • Intermediate routers don't overwrite Flow Label
    • Receiver handles the packet appropriately according to the Flow Label field value.
  • How to use this framework?
    • Up to the controlling protocols, like RSVP etc.
10. Router Renumbering
• Overview
  • Router Renumbering protocol is defined, but is it really practical?
  • If not so, what is the right procedure for manual renumbering?
• Status
  • Does not seem practical; it cannot change embedded prefixes.
    • DNS record
      • Even with A6, you have to reconfigure some record manually.
      • A6 does not work if a prefix is referred to by other DNS domains (e.g. www.tcpdump.org refers to KAME’s IPv6 address)
    • Packet Filter, IPv4/v6 Translator
    • Server info in Application Installer (e.g. NetBSD), URL
  • Do you really have to ‘renumber’ on some flag-day?
    • Unlike IPv4, you can use old prefix and new prefix at the same time
12. Routing Protocol Issues (General Comment)
• Almost all of the routing protocols support IPv6, except for the obsolete ones.
  • RIP → RIPng, OSPF → OSPFv3, (ISIS), BGP → BGP4+
  • IGMPv2 → MLDv1, IGMPv3 → MLDv2, (PIM-SM/DM)
  • DVMRP, MSDP → (no protocol)
• IPv6-specific issues are rare:
  • Most routing protocol problems are version-independent
    • if there is a problem in XXX for IPv6, it is also a problem in XXX for IPv4.
13. BGP4+ issue
• Link-local BGP4+ peering
  • IPv6 nexthop in BGP4+ spec
  • What should be included in Global Nexthop field in case of link-local BGP4+ peering?
    • Unspecified address (::) or link-local address
  • BGP4+ implementations should obey the ‘IETF principle’
    • Send in either manner, but accept both cases
[Figure: nexthop fields. Global Nexthop; (Optional) link-local Nexthop (if the peer is directly connected together)]
14. IS-ISv6 issues
• IPv6-over-IPv4 tunnel in ISIS-Topology database?
  • IS-IS protocol handshake has to be done in OSI packet (not IPv4 nor IPv6)
  • IS-IS protocol mandates GRE tunnel
  • All the IPv6-over-IPv4 tunnels have to shift to GRE tunnel? (at least router-router tunnel)
• What if IPv4 and IPv6 network topologies are different?
  • IS-IS protocol assumes network topology is same among protocols
  • M-ISIS (Multi-topology ISIS) is proposed
15. Multihome
• Overview
  • When a site wants to have multiple upstream ISPs, what should it do?
    1. Obtain their own IPv6 prefix and do E-BGP routing
       • AS number & BGP operation is mandatory
    2. Receive a prefix from each ISP, and use the proper prefix according to destination
       • Source address selection on Host
       • Nexthop selection based on source address (and destination)
       • How to renumber when upstream ISP changes
• Status
  • Being discussed in IETF Multi6 WG, but still no consensus...
17. DNS Server Discovery (Overview)
• IPv6 address is automatically configured, but other information still needs manual configuration.
  • e.g. DNS server, NTP server, ...
• Especially DNS server autoconfiguration is important in IPv6, considering the length of IPv6 address.
  • (recursive) DNS server address
  • DNS domain search path
  • Hostname registration
18. DNS Server Discovery (Status)
• Still under discussion in DNSOP WG
• Roughly three solutions are proposed:
  • Anycast solution
    [Figure: PC, Router, DNS-Server. Labels: Have an anycast address (FEC0:0:0:FFFF::1~3); DNS server addr = the anycast addr(s)]
  • RA-based solution
    [Figure: PC, Router. Labels: Sends RS; Sends RA with a new NDP option; DNS server addr = addr(s) in the new NDP option]
  • (stateless) DHCPv6-based solution
    [Figure: PC, Router. Labels: DHCPv6 Information-Request with Rapid-Commit option; DHCPv6 Reply with DNS Server option; DNS server addr = addr(s) in the DNS server option]
19. DNS Server Discovery (Issues)
1. How to update the DNS server address when it changes?
2. What happens when a different server advertises a different DNS server address?
3. Should it allow dynamic DNS registration?
4. How about other information? (e.g. NTP server, SIP server …)
[Table comparing the Anycast, RA and DHCPv6 solutions against issues 1 to 4; the cell layout was lost in extraction. Cell text in extracted order: Anycast Mechanisms solves it; (no address change); Use the Dynamic DNS update; (out of scope, seems like using a special DNS record); Use the Dynamic DNS update; Use the existing DHCPv6 option; DHCPv6 handshake prevents it; DHCPv6 Reconfig message; Use a DNS server lifetime?; Use a DNS server preference?; - Use the Dynamic DNS update. - Handle within it]
20. AAAA vs A6
• Overview
  • Two kinds of DNS records are configured
    • AAAA: a simple extension of A-record
    • A6: DNS record supporting router-renumbering
  • But A6 is not deployed, because of its complexity
• Status
  • IETF decision
    • AAAA: for normal IPv6 operation
    • A6: for further experimental study
21. ip6.int vs ip6.arpa
• Overview
  • IPv6 PTR record had used “ip6.int” as its domain name.
  • “ip6.int” was registered later as an international TLD.
• Status
  • “ip6.arpa” is proposed
    • 2001::/16 uses ip6.arpa (and ip6.int for the time being)
    • 3ffe::/16 still uses only “ip6.int” (owing to an administrative reason), but “ip6.arpa” introduction is planned.
22. PTR record usage
• Some protocol (implementation) requires PTR-record lookup for authentication
  • If there is a PTR record for the source address of the client, then it is authenticated
• Is it really practical in IPv6 world?
  • Not all the IPv6 addresses are available from PTR record
    • Link-local address
    • Most of IPv6 addresses generated by stateless autoconfiguration
    • Privacy address extension
  • If they just wanted to look up name from address, ICMP-node-information-query is available.
23. Transition Mechanism Issues
• Transition Mechanisms
• Transition Mechanism Issues
(Detailed transition scenario is discussed in later presentation)
25. Transition Mechanism Issues
• There is no perfect mechanism
  • Tunnel-based
    • IPv6 network topology IPv4 network topology
    • IPv4 address is necessary
      • i.e. IPv4 address shortage problem remains unsolved
    • Cannot go through NAT
      • (Teredo is the only exception, but it’s too complex…)
  • Translator-based
    • In general, IPv4 to IPv6 translation is difficult.
    • Does not work for the applications embedding IP address in their payload. (e.g. FTP, SIP)
  • Proxy-based
    • Works only on the specific protocol
• Are they really easier than simple dual-stack network?
26. Security-related Issues
• Securing Neighbor Discovery
• Privacy Address Extension
• IPv6 Firewall Architecture
27. Securing Neighbor Discovery
• Overview
  • Plug & Play can lead to an improper network use by
    • wrong NDP cache by NA spoofing
    • wrong RA announcement by RA spoofing
• Status
  • CGA (Cryptographically-Generated Address)
    • Use a specially-authenticated link-local address in NDP-related handshake.
    • discussed in SEND WG
  • L2 authentication
    • PAP/CHAP (for PPP), 802.1x (for Ethernet) etc
  • IPv6 over IPv4 tunnel
    • Not a perfect answer
    • If IPv4 network use is permitted (politically), IPv6 does not introduce any additional security-risk.
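How a CGA ties a link-local address to a public key, so that a spoofed NA or RA cannot claim the address without the matching key: an added Python example, not part of the original slides. It follows the hash construction later standardized in RFC 3972 (an assumption beyond the slide), uses constructed byte strings in place of DER-encoded keys, and leaves out the signature over the NDP message that SEND also requires.

```python
import hashlib
import ipaddress
import os

# Bits of the interface ID that carry hash output: everything except the
# three Sec bits (0-2) and the u/g bits (6-7) of the first octet.
IID_MASK = 0x1CFFFFFFFFFFFFFF


def _hash1(modifier, prefix, collisions, pubkey):
    data = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def _hash2_ok(modifier, pubkey, sec):
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)      # 16*Sec leading zero bits


def generate_cga(prefix, pubkey, sec=0):
    """Return (address, modifier, collision_count) binding pubkey to a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA needs a 64-bit subnet prefix")
    prefix_bytes = net.network_address.packed[:8]
    counter = int.from_bytes(os.urandom(16), "big")
    while not _hash2_ok(counter.to_bytes(16, "big"), pubkey, sec):
        counter = (counter + 1) % (1 << 128)       # work factor grows with Sec
    modifier = counter.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix_bytes, 0, pubkey) & IID_MASK) | (sec << 61)
    address = ipaddress.IPv6Address(prefix_bytes + iid.to_bytes(8, "big"))
    return address, modifier, 0


def verify_cga(address, modifier, collisions, pubkey):
    """Receiver-side check that address was derived from pubkey."""
    packed = ipaddress.IPv6Address(str(address)).packed
    if collisions not in (0, 1, 2) or len(modifier) != 16:
        return False
    iid = int.from_bytes(packed[8:], "big")
    # The subnet prefix is taken from the address itself, so the same
    # interface ID under another prefix does not verify.
    if (_hash1(modifier, packed[:8], collisions, pubkey) ^ iid) & IID_MASK:
        return False
    return _hash2_ok(modifier, pubkey, iid >> 61)


# Constructed stand-ins for DER-encoded public keys.
OWNER_KEY = b"constructed-public-key-of-owner"
OTHER_KEY = b"constructed-public-key-of-other-node"

if __name__ == "__main__":
    addr, modifier, count = generate_cga("fe80::/64", OWNER_KEY)
    print(addr, "owner key:", verify_cga(addr, modifier, count, OWNER_KEY))
    print(addr, "other key:", verify_cga(addr, modifier, count, OTHER_KEY))
```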
28. Privacy Address Extension
• Overview
  • Normally IPv6 interface-ID constructed by EUI-64 using MAC address
    • Source address in IPv6 packet tells who sends the packet
  • Privacy Address Extension
    • use random interface-ID
• Status
  • Standardized and implemented
    • RFC3041
    • Windows-XP enabled it by default
• Issues
  • DNS reverse PTR record?
  • How to accept connection from outside?
    • hostname to address mapping?
  • Does it really provide enough “privacy”?
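Why an EUI-64 interface ID "tells who sends the packet", shown as an added Python audit helper that is not part of the original slides: it recovers the MAC from an interface ID and groups observed addresses by it, so an operator can see which of their own hosts expose a stable identifier across networks. The function names and sample addresses are constructed for this example.

```python
import ipaddress
from collections import defaultdict


def mac_from_address(address):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    # EUI-64 expansion inserts ff:fe between the two halves of the MAC.
    # A random interface ID matches this by chance about once in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit inversion applied to the first octet.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def audit(addresses):
    """Group observed addresses by the hardware identity they expose."""
    exposed, unlinkable = defaultdict(list), []
    for text in addresses:
        mac = mac_from_address(text)
        if mac is None:
            unlinkable.append(text)
        else:
            exposed[mac].append(text)
    return dict(exposed), unlinkable


# Constructed sample: one laptop seen on two networks plus its link-local
# address, and one host using a random (privacy extension) interface ID.
SAMPLE = [
    "2001:db8:1:1:211:22ff:fe33:4455",
    "2001:db8:2:9:211:22ff:fe33:4455",
    "fe80::211:22ff:fe33:4455",
    "2001:db8:1:1:3c4f:91aa:7be2:105d",
]

if __name__ == "__main__":
    exposed, unlinkable = audit(SAMPLE)
    for mac, seen in exposed.items():
        print(mac, "is trackable across", len(seen), "addresses")
    print("no stable identifier:", unlinkable)
```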
29. IPv6 Firewall Architecture
• IPv4-like firewall does not coexist with ‘End-to-End principle’ (esp. IPsec)
  • Layer-3/4 Packet Filter
    • How to protect or permit End-to-End IPsec communication?
  • Application-level Gateway
    • It terminates End-to-End communication
  • Personal Firewall
    • Can it tolerate DoS attack?
• Firewall architecture needs update in IPv6 era.
  • There are some ‘IPv6-firewall’ products or solutions, but most of them just support IPv6 in their legacy firewall.