You are on page 1of 61

IPv6 Security Threats

and Mitigations

BRKSEC-2003

BRSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved. 1
Presentation_ID.scr
Session Objectives

ƒ IPv6 vs. to IPv4 from a threat and mitigation
perspective
ƒ Advanced IPv6 security topics like transition options
and dual stack environments
ƒ Requirements: Basic knowledge of the IPv6 and
IPsec protocols as well as IPv4 security best practices

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3

For Your
For Reference Slides Reference

ƒ There are more slides in the hand-outs than
presented during the class
ƒ Those slides are mainly for reference and are
indicated by the book icon on the top right corner
(as on this slide)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 4

© 2006, Cisco Systems, Inc. All rights reserved. 2
Presentation_ID.scr
Agenda

ƒ Shared Issues by IPv4 and IPv6
ƒ Specific Issues for IPv6
IPsec everywhere, dual-stack, tunnels and 6VPE

ƒ IPv6 Security Best Common Practice
ƒ Enforcing a Security Policy in IPv6
ACL, Firewalls and Host IPS

ƒ Enterprise Secure Deployment
Secure IPv6 transport over public network

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 5

Shared Issues

Security Issues Shared by IPv4 and IPv6

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 6

© 2006, Cisco Systems, Inc. All rights reserved. 3
Presentation_ID.scr
Reconnaissance in IPv4
Relatively Easy to Perform
1. DNS/IANA crawling (whois) to determine ranges
2. Ping sweeps and port scans
3. Application vulnerability scans

[tick:/var] scott# nmap -sP 10.1.1.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (10.1.1.0) seems to be a subnet broadcast …
Host (10.1.1.1) appears to be up.
Host (10.1.1.12) appears to be up.
Host (10.1.1.22) appears to be up.
Host (10.1.1.23) appears to be up.
Host (10.1.1.101) appears to be up.
Host (10.1.1.255) seems to be a subnet broadcast …
Nmap run completed -- 256 IP addresses (7 hosts up)
scanned in 4 seconds

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 7

Reconnaissance in IPv6
Subnet Size Difference
ƒ Default subnets in IPv6 have 264 addresses
10 Mpps = More than 50 000 years

ƒ NMAP doesn’t even support ping sweeps on
IPv6 networks

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 8

© 2006, Cisco Systems, Inc. All rights reserved. 4
Presentation_ID.scr
Reconnaissance in IPv6
Scanning Methods Are Likely to Change
ƒ Public servers will still need to be DNS reachable
More information collected by Google...
Cfr SensePost BiDiBLAH

ƒ Increased deployment/reliance on dynamic DNS
More information will be in DNS

ƒ Administrators may adopt easy-to-remember addresses
(::10,::20,::F00D, ::C5C0 or simply IPv4 last octet for
dual stack)
ƒ By compromising hosts in a network, an attacker can
learn new addresses to scan

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 9

Reconnaissance in IPv6?
Easy with Multicast!
ƒ For example, all routers (FF05::2) and all DHCP servers
(FF05::1:3)
No need for reconnaissance anymore

ƒ Some deprecated (RFC 3879) site-local addresses are
still used
FEC0:0:0:FFFF::1 DNS server

Source Destination Payload

Attacker FF05::1:3 DHCP Attack 2001:0410::50

2001:0410::60

2001:0410::70

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 10

© 2006, Cisco Systems, Inc. All rights reserved. 5
Presentation_ID.scr
Preventing Reconnaissance
with IPv6 Multicast
Organization B

Organization A ipv6 access-list NO_RECONNAISSANCE
deny any fec0::/10
permit any ff02::/16
permit any ff0e::/16
deny any ff00::/8
permit any any

ƒ The site-local/anycast addresses must be filtered at the
border in order to make them unreachable from the outside
ƒ ACL block ingress/egress traffic to
Block FEC0::/10 (site-local addresses)
Permit mcast to FF02::/16 (link-local scope)
Permit mcast to FF0E::/16 (global scope)
Block all mcast
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 11

Viruses and Worms in IPv6

ƒ Viruses and email worms: IPv6 brings no change
ƒ Other worms:
IPv4: reliance on network scanning
IPv6: not so easy (see reconnaissance) ¼ will use
alternative techniques
ƒ Worm developers will adapt to IPv6
ƒ IPv4 best practices around worm detection and
mitigation remain valid
ƒ Potential router CPU attacks if aggressive scanning
Router will do Neighbor Discovery...

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 12

© 2006, Cisco Systems, Inc. All rights reserved. 6
Presentation_ID.scr
IPv6 Privacy Extensions (RFC 3041)
/23 /32 /48 /64

2001 Interface ID

Temporary addresses for IPv6 host client application,
e.g. web browser
ƒ Inhibit device/user tracking
ƒ Random 64 bit interface ID, then run Duplicate Address Detection
before using it
ƒ Rate of change based on local policy

Recommendation: Use Privacy Extensions for
External Communication but Not for Internal
Networks (Troubleshooting and Attack Trace Back)
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 13

How to Prevent Privacy Extension

ƒ Microsoft Windows
Deploy a Group Policy Object (GPO)

or

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent

ƒ Alternatively
Use DHCP (see later) to a specific pool
Ingress filtering allowing only this pool

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 14

© 2006, Cisco Systems, Inc. All rights reserved. 7
Presentation_ID.scr
Access Control in IPv6
Privacy Extension
ƒ Good to protect the privacy of a host/user
ƒ Hard to define authorization policy when the Layer 3 information is
always changing :-)

Management System New IPv6
Address—2001:DB8:F15:C15::2*
Internal Server
Firewall 2001:DB8:F15:c16::1/64
IPv6
Intranet X
Management System IPv6
Address—2001:DB8:F15:C15::1* Action Src Dest Src Port Dst Port
2001:DB8: 2001:DB8:
Permit Any 80
F15:C15::1 F15:c16::1
Deny Any Any

*Not real RFC3041 derived addresses
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 15

L3-L4 Spoofing in IPv4

ƒ L4 spoofing can be done in concert with L3 spoofing
to attack systems (most commonly running UDP, i.e.
SNMP, Syslog, etc.)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 16

© 2006, Cisco Systems, Inc. All rights reserved. 8
Presentation_ID.scr
IPv6 Bogon Filtering
ƒ In IPv4, easier to block bogons than to permit non-bogons
ƒ In IPv6, in the beginning when a small amount of top-level
aggregation identifiers (TLAs) has been allocated
Easier to permit non-bogons
Now, more complex: http://www.cymru.com/Bogons/ipv6.txt

ƒ Now IPv6 is in a similar situation as IPv4
¼ Same technique = uRPF

Inter-Networking Device
with uRPF Enabled
IPv6
Intranet X IPv6
Intranet/Internet
IPv6 Unallocated
Source Address
No Route to SrcAddr ¼ Drop
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 17

L3 Spoofing in IPv6
uRPF Remains the Primary Tool for Protecting
Against L3 Spoofing

uRPF Loose Mode Inter-Networking Device
with uRPF Enabled
Access
Layer X IPv6
Intranet/Internet
Spoofed IPv6 No Route to Src Addr Prefix
Source Address ¼ Drop

uRPF Strict Mode Inter-Networking Device
with uRPF Enabled
Access
Layer X IPv6
Intranet/Internet
Spoofed IPv6 No Route to Src Addr Prefix out the
Source Address Packet Inbound Interface¼ Drop

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 18

© 2006, Cisco Systems, Inc. All rights reserved. 9
Presentation_ID.scr
ICMPv4 vs. ICMPv6

ƒ Significant changes
ƒ More relied upon

ICMP Message Type ICMPv4 ICMPv6
Connectivity Checks X X
Informational/Error Messaging X X
Fragmentation Needed Notification X X
Address Assignment X
Address Resolution X
Multicast Group Management X
Mobile IPv6 Support X

ƒ ¼ ICMP policy on firewalls needs to change
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 19

For Your
Generic ICMPv4 Reference

Border Firewall Policy
Internal Server A

Internet

ICMPv4 ICMPv4
Action Src Dst Name
Type Code

Permit Any A 0 0 Echo Reply

Permit Any A 8 0 Echo Request

Dst. Unreachable—
Permit Any A 3 0
Net Unreachable
Dst. Unreachable—
Permit Any A 3 4
Frag. Needed
Time Exceeded—
Permit Any A 11 0
TTL Exceeded

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 20

© 2006, Cisco Systems, Inc. All rights reserved. 10
Presentation_ID.scr
For Your
Equivalent ICMPv6 Reference

Border Firewall Policy*
Internal Server A

Internet

ICMPv6 ICMPv6
Action Src Dst Name
Type Code

Permit Any A 128 0 Echo Reply

Permit Any A 129 0 Echo Request

Permit Any A 1 0 No Route to Dst.

Permit Any A 2 0 Packet Too Big

Time Exceeded—
Permit Any A 3 0
TTL Exceeded
*RFC 4890
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 21

For Your
Potential Additional ICMPv6 Reference
Border Firewall Policy* Internal Server A
Firewall B

Internet

ICMPv6 ICMPv6
Action Src Dst Name
Type Code

Permit Any A 4 0 Parameter Problem

Permit Any B 2 0 Packet too Big

Permit Any B 130–132 0 Multicast Listener

Neighbor Solicitation
Permit Any B 133/134 0
and Advertisement

Permit Any B 4 0 Parameter Problem

*RFC 4890
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 22

© 2006, Cisco Systems, Inc. All rights reserved. 11
Presentation_ID.scr
Fragmentation Used in IPv4 by Attackers

ƒ Great evasion techniques
ƒ Tools like whisker, fragrout, etc.
ƒ Makes firewall and network intrusion detection harder
ƒ Used mostly in DoSing hosts, but can be used for
attacks that compromise the host

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 23

Fragment Header: IPv6

Next Header = 44
IPv6 Basic Header
Fragment
Header Fragment Header

Fragment Header
Next Header Reserved Fragment Offset
Identification
Fragment Data

ƒ In IPv6 fragmentation is done only by the end system
ƒ Reassembly done by end system like in IPv4
ƒ Attackers can still fragment in intermediate system on purpose
ƒ ¼ a great obfuscation tool
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 24

© 2006, Cisco Systems, Inc. All rights reserved. 12
Presentation_ID.scr
IPv6 Fragmentation: Still Need
Reassembly in the Firewall and NIPS
Imagine an Attacker Sends:

1.1 IP11 TCP US
Time
1.2 IP12 ER
2.1a IP21a TCP ro
2.1b IP21b TCP fo
2.2 IP22 ot

ƒ Should we consider 2.1a part of the data stream “USER root”?
ƒ Or is 2.1b part of the data stream? “USER foot”
If the OS makes a different decision than the monitor: bad
Even worse: different OSs have different protocol interpretations

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 25

IPv6 Fragmentation
Issues for Non-Stateful Filtering Devices
ƒ Procedure
1. Parse the next headers until the fragment header
Extract the flags and offset
2. Parse further NHs until the upper layer protocol
3. Check if enough of the upper Layer protocol header
is within the first fragment

ƒ This makes matching against the first fragment
non-deterministic: TCP/UDP/ICMP might not be there
But in a later fragment
¼ Need for stateful inspection

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 26

© 2006, Cisco Systems, Inc. All rights reserved. 13
Presentation_ID.scr
IPv6 Fragmentation
Fragment Keyword in IPv6 ACL
ƒ fragment keyword matches
Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined

ƒ Best common practice
Deny IPv6 fragments destined to an internetworking device
(DoS vector)
Infrastructure ACL

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 27

IPv6 Routing Header
ƒ An extension header
ƒ Processed by the listed intermediate routers
ƒ Two types
Type 0: Similar to IPv4 source routing (multiple intermediate routers)
Type 2: Used for mobile IPv6

Next Header = 43
IPv6 Basic Header
Routing Header
Routing Header

Routing Header
Next Header Ext Hdr Length RH Type Segments Left

Routing Header Data

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 28

© 2006, Cisco Systems, Inc. All rights reserved. 14
Presentation_ID.scr
Type 0 Routing Header
Issue #1: Traffic Rebound
ƒ Rule on the Firewall
ƒ Allow proto tcp from any to webserver port 80
ƒ Deny proto tcp from any to any
Web

Host1 src=host1,dst=web,
payload proto=tcp, dport=80
rtheader=host2, segments
left=1 src=host1,
dst=host2
rtheader=web,
segments left=0
payload proto=tcp,
IPv6 dport=80
Network
Host2
Firewall

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 29

Type 0 Routing Header
Issue #2: Amplification Attack
ƒ What if attacker sends a packet with RH containing
A ¼ B ¼ A ¼ B ¼ A ¼ B ¼ A ¼ B ¼ A ...

ƒ Packet will loop multiple time on the link R1-R2
ƒ An amplification attack!

A B

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 30

© 2006, Cisco Systems, Inc. All rights reserved. 15
Presentation_ID.scr
IPv6 Type 2 Routing Header

ƒ Required by mobile IPv6 (see later)
ƒ Rebound/amplification attacks impossible
Only one intermediate router: the mobile node home address

Next Header = 43
IPv6 Basic Header
Routing Header
Routing Header

Routing Header
Next Header Ext Hdr Length RH Type = 2 Segments Left = 1

Mobile Node Home Address

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 31

Preventing Routing Header Attacks

ƒ Apply same policy for IPv6 as for Ipv4:
Block Routing Header type 0

ƒ Prevent processing at the intermediate nodes
no ipv6 source-route
Windows, Linux, MacOS: default setting

ƒ At the edge
With an ACL blocking routing header

ƒ RFC 5095 (December 2007) RH0 is deprecated
Default Cisco IOS® will change in 12.5T

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 32

© 2006, Cisco Systems, Inc. All rights reserved. 16
Presentation_ID.scr
Quick Refresh
ARP and DHCP Attacks in IPv4
ƒ With ARP misuse host W can claim to be the default
gateway and hosts X and Y will route traffic through
him; ¼ man in the middle attack

1.2.3.0/24

.1

Host Y Host X Host W
.2 .3 .4

• With DHCP it is similar except the attacker just
needs to put a DHCP server on the wire delivering
false information (gateways, DNS servers, etc.)
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 33

ICMP without Any
Neighbor Discovery Issue #1 Authentication
Gives Exactly Same
Stateless Autoconfiguration Level of Security as
ARP for IPv4 (None)
ƒ Router Solicitations are sent by booting
nodes to request router advertisements Attack Tool:
for configuring fake_router6

Can Make Any
IPv6 Address the
Default Router
1. RS 2. RA 2. RA

1. RS: 2. RA:
Src = :: Src = Router Link-local
Address
Dst = All-Routers Dst = All-nodes multicast
multicast Address address
ICMP Type = 133 ICMP Type = 134
Data = Query: please send RA Data= options, prefix, lifetime,
autoconfig flag
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 34

© 2006, Cisco Systems, Inc. All rights reserved. 17
Presentation_ID.scr
Neighbor Discovery Issue #2
Neighbor Solicitation
Security Mechanisms
Built into Discovery
Protocol = None
A B
¼ Very Similar to ARP

Src = A
Dst = Solicited-node multicast of B Attack Tool:
Parasite6
ICMP type = 135
Answer to All NS,
Data = link-layer address of A Claiming to Be All
Query: what is your link address? Systems in the LAN...
Src = B
Dst = A
ICMP type = 136
Data = link-layer address of B
A and B Can Now Exchange
Packets on This Link
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 35

Neighbor Discovery Issue #3
Duplicate Address Detection
ƒ Duplicate Address Detection (DAD) uses neighbor solicitation to
verify the existence of an address to be configured

From RFC 2462:
A B
« If a Duplicate @
Is Discovered…
the Address Cannot
Src = :: Be Assigned to the
Dst = Solicited-node multicast of A Interface »
ICMP type = 135
Data = link-layer address of A ÙWhat If: Use MAC@
of the Node You Want
Query = what is your link address?
to DoS and Claim Its
IPv6 @

Attack Tool:
dos-new-ipv6
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 36

© 2006, Cisco Systems, Inc. All rights reserved. 18
Presentation_ID.scr
ICMP Issue #4 Original Packet Has to
Be Included to Prevent
Spoofed Redirect Spoofed Redirect…
ƒ Redirect is used by a router to signal But
the reroute of a packet to a better router What if Attacker First Sent
ICMP Echo Request?
ƒ Original packet has to be included... The Reply Packet Is
Predictable…

A B In IPv4: « no ip icmp redirect »
R2
In IPv6: « no ipv6 redirect »

Src: A
R1 Dst IP: 2001:DB8:C18:2::1
Dst Ethernet: R2 (Default Router)

Redirect:
2001:DB8:C18:2::/64 Src IP: R2 (Default Router)
Dst IP: A
BRKSEC-2003
Data: Good Router = R1
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 37

Neighbor Discovery Attacks in
IPv6 RFC 3756

ƒ Redirect attacks
A malicious node redirects packets away from a legitimate
receiver to another node on the link

ƒ Denial-of-service attacks
A malicious node prevents communication between the node
under attack and other nodes

ƒ Flooding denial-of-service attacks
A malicious node redirects other hosts’ traffic to a victim node
creating a flood of bogus traffic at the victim host

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 38

© 2006, Cisco Systems, Inc. All rights reserved. 19
Presentation_ID.scr
Secure Neighbor Discovery (SEND)
RFC 3971

ƒ Certification paths
Anchored on trusted parties, expected to certify the authority
of the routers on some prefixes

ƒ Cryptographically Generated Addresses (CGA)
IPv6 addresses whose the interface identifier is
cryptographically generated

ƒ RSA signature option
Protect all all messages relating to neighbor and
router discovery

ƒ Timestamp and nonce options
Prevent replay attacks

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 39

Cryptographically Generated Addresses
CGA RFC 3972 (Simplified)
ƒ Each devices has a RSA key pair (no need for cert)
ƒ Ultra light check for validity
ƒ Prevent spoofing a valid CGA address

RSA Keys Modifier
Priv Pub (nonce)
Public
Key SHA-1
Subnet
Prefix
Signature CGA Params

Subnet Interface
Prefix Identifier

SEND Messages
Crypto. Generated Address
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40

© 2006, Cisco Systems, Inc. All rights reserved. 20
Presentation_ID.scr
Secure Neighbor Discovery: Caveats

ƒ Private/public key pair on all devices for CGA
ƒ Overhead introduced
Routers have to do many public/private key calculation
(some may be done in advance of use)
¼ Potential DoS target
Routers need to keep more state
ƒ Available: Linux
ƒ Microsoft: no support on Vista, probably Windows 2008
ƒ Future implementation: Cisco IOS

BRKSEC-4003: Advanced IPv6 Security:
Secure Neighbor Discovery
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 41

DHCPv6 Threats

ƒ Note: use of DHCP is announced in Router
Advertisements
ƒ Rogue devices on the network giving misleading
information or consuming resources (DoS)
Rogue DHCPv6 client and servers on the network
(same threat as IPv4)
Rogue DHCPv6 servers on the site local multicast address
(FF05::1:3) (new threat in IPv6)

ƒ Tampering of communication between DHCPv6 relays
and servers
ƒ Scanning possible if leased addresses are consecutive

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 42

© 2006, Cisco Systems, Inc. All rights reserved. 21
Presentation_ID.scr
DHCPv6 Threat Mitigation

ƒ Rogue clients and servers can be mitigated by using
the authentication option in DHCPv6
There are not many DHCPv6 client or server implementations
using this today

ƒ Cisco Network Registrar®
DHCPv6 Server
Leased addresses are random ¼ scanning difficult
Can also lease temporary addresses (like privacy extension)

ƒ For really paranoid: Protect the relay to server
communications with IPsec (similar to IPv4)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 43

Quick Reminder
IPv4 Broadcast Amplification: Smurf
160.154.5.0

ICMP REPLY D=172.18.1.2 S=160.154.5.14
Attempt to
Overwhelm WAN
ICMP REPLY D=172.18.1.2 S=160.154.5.15
Link to
Destination
ICMP REPLY D=172.18.1.2 S=160.154.5.16

ICMP REPLY D=172.18.1.2 S=160.154.5.17
172.18.1.2
ICMP REPLY D=172.18.1.2 S=160.154.5.18

ICMP REPLY D=172.18.1.2 S=160.154.5.19

Belgian
ICMP REQ D=160.154.5.255 S= 172.18.1.2 Schtroumpf
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 44

© 2006, Cisco Systems, Inc. All rights reserved. 22
Presentation_ID.scr
IPv6 and Broadcasts

ƒ There are no broadcast addresses in IPv6
ƒ Broadcast address functionality is replaced with the
appropriate link local multicast address
Link Local All Nodes Multicast—FF02::1
Link Local All Routers Multicast—FF02::2

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 45

IPv6 and Other Amplification Vectors

ƒ Specific mention is made in ICMPv6 RFC that no ICMP
error message should be generated in response to a
packet with a multicast destination address
ƒ The exceptions are the packet too big message and the
parameter problem ICMP messages
ƒ RFC 2463 Section 2.4 (e.2)

Implement Ingress Filtering of Packets with
IPv6 Multicast Source Addresses
Rate Limit ICMP Packets

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 46

© 2006, Cisco Systems, Inc. All rights reserved. 23
Presentation_ID.scr
Preventing IPv6 Routing Attacks
Protocol Authentication
ƒ BGP, ISIS, EIGRP no change:
An MD5 authentication of the routing update

ƒ OSPFv3 has changed and pulled MD5 authentication
from the protocol and instead is supposed to rely on
transport mode IPsec
ƒ RIPng also relies on IPsec
ƒ IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP
and IS-IS
Use IPsec to secure protocols such as OSPFv3 and RIPng

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 47

For Your
OSPF or EIGRP Authentication Reference

interface Ethernet0/0
ipv6 ospf 1 area 0
ipv6 ospf authentication ipsec spi 500 md5
1234567890ABCDEF1234567890ABCDEF

interface Ethernet0/0
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 MYCHAIN

key chain MYCHAIN
key 1
key-string 1234567890ABCDEF1234567890ABCDEF
accept-lifetime local 12:00:00 Dec 31 2006
12:00:00 Jan 1 2008
send-lifetime local 00:00:00 Jan 1 2007 23:59:59
Dec 31 2007
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 48

© 2006, Cisco Systems, Inc. All rights reserved. 24
Presentation_ID.scr
IPv6 Attacks with Strong IPv4
Similarities
ƒ Sniffing
Without IPsec, IPv6 is no more or less likely to fall victim to a sniffing
attack than IPv4
ƒ Application layer attacks
Even with IPsec, the majority of vulnerabilities on the Internet today are
at the application layer, something that IPsec will do nothing
to prevent
ƒ Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
ƒ Man-in-the-Middle Attacks (MITM)
Without IPsec, any attacks utilizing MITM will have the same likelihood
in IPv6 as in IPv4
ƒ Flooding
Flooding attacks are identical between IPv4 and IPv6
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 49

IPv6 Stack Vulnerabilities

ƒ IPv6 stacks are new and could be buggy
ƒ IPv6 enabled application can have bugs
ƒ Some examples
Apple Mac OS X IPv6 Packet Processing Double-Free Memory
Corruption (November 2007)
Cisco Security Advisory: IPv6 Routing Header (May 2007)
OpenBSD remote code execution in IPv6 stack (March 07)
Python getaddreinfo() remote IPv6 buffer overflow
Apache remote IPv6 buffer overflow
...

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 50

© 2006, Cisco Systems, Inc. All rights reserved. 25
Presentation_ID.scr
By the Way: It Is Real /
IPv6 Hacking Tools
Let the Games Begin
ƒ Sniffers/packet capture ƒ Scanners
Snort IPv6 security scanner
TCPdump Halfscan6
Sun Solaris snoop Nmap
COLD Strobe
Ethereal Netcat
Analyzer ƒ DoS Tools
Windump 6tunneldos
WinPcap 4to6ddos
NetPeek Imps6-tools
Sniffer Pro
ƒ Packet forgers
ƒ Worms Scapy6
Slapper SendIP
ƒ Advisories/field notices Packit
http://www.cisco.com/warp/public/707/ci Spak6
sco-sa-20050126-ipv6.shtml
ƒ Complete tool
http://www.kb.cert.org/vuls/id/658859
http://www.thc.org/thc-ipv6/
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 51

By the Way: It Is Real /
IPv6 Hacking Tools
Let the Games Begin
ƒ Sniffers/packet capture ƒ Scanners
Snort IPv6 security scanner
TCPdump Halfscan6
Sun Solaris snoop Nmap
COLD Strobe
Ethereal Netcat
Analyzer ƒ DoS Tools
Windump 6tunneldos
WinPcap 4to6ddos
NetPeek Imps6-tools
Sniffer Pro
ƒ Packet forgers
ƒ Worms Scapy6
Slapper SendIP
ƒ Advisories/field notices Packit
http://www.cisco.com/warp/public/707/ci Spak6
sco-sa-20050126-ipv6.shtml
ƒ Complete tool
http://www.kb.cert.org/vuls/id/658859
http://www.thc.org/thc-ipv6/
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 52

© 2006, Cisco Systems, Inc. All rights reserved. 26
Presentation_ID.scr
Specific IPv6 Issues

Issues Applicable Only to IPv6

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 53

IPv6 Header Manipulation
ƒ Unlimited size of header chain (spec-wise) can make
filtering difficult
ƒ Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?

Perfectly Valid IPv6 Packet
According to the Sniffer

Header Should Only Appear Once
Destination Header Which Should
Occur at Most Twice
Destination Options Header Should
Be the Last

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54

© 2006, Cisco Systems, Inc. All rights reserved. 27
Presentation_ID.scr
The IPsec Myth
IPsec End-to-End Will Save the World
ƒ IPv6 mandates the implementation of IPsec
ƒ IPv6 does not require the use of IPsec
ƒ Some organizations believe that IPsec should be used
to secure all flows...
Interesting scalability issue (n2 issue with IPsec)
Need to trust endpoints and end-users because the network
cannot secure the traffic: no IPS, no ACL, no firewall
Network telemetry is blinded: NetFlow of little use
Network services hindered: What about QoS?

Recommendation: Do not use IPsec end to end within an
administrative domain
Suggestion: Use IPsec for residential

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 55

IPv4 to IPv6 Transition Challenges

ƒ 16+ methods, possibly in combination
IP spoofing

ƒ Dual stack
Consider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)

ƒ Tunnels
Bypass firewalls (protocol 41 or UDP)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 56

© 2006, Cisco Systems, Inc. All rights reserved. 28
Presentation_ID.scr
Dual Stack Host Considerations

ƒ Host security on a dual-stack device
Applications can be subject to attack on both IPv6 and IPv4

ƒ Host security controls should block and inspect traffic
from both IP versions
Host intrusion prevention, personal firewalls, VPN
clients, etc.
IPv4 IPsecVPN with
No Split Tunneling

Dual Stack Client
IPv6 HDR IPv6 Exploit
Does the IPsec Client Stop an
Inbound IPv6 Exploit?

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 57

Dual Stack with Enabled IPv6 by Default
ƒ Your host:
IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, MacOS, ...)

ƒ Your network:
Does not run IPv6

ƒ Your assumption:
I’m safe

ƒ Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack

ƒ ¼ Probably time to think about IPv6 in your network
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 58

© 2006, Cisco Systems, Inc. All rights reserved. 29
Presentation_ID.scr
Enabling IPv6 on a Remote Host
(In this Case MacOS)
1. Dual-Stack
MacOS: Any
2. Hacker: I’m the Router IPv6 Router?

3. Newly Enabled IPv6
MacOS Does DAD
4. The Full IPv6 Address
of the MacOS
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 59

IPv6 Tunneling Summary
ƒ RFC 1933/2893 configured ƒ Only allow authorized
and automatic tunnels endpoints to establish tunnels
ƒ RFC 2401 IPsec tunnel ƒ Static tunnels are deemed
as “more secure,” but
ƒ RFC 2473 IPv6 generic
less scalable
packet tunnel
ƒ Automatic tunneling
ƒ RFC 2529 6over4 tunnel
mechanisms are susceptible
ƒ RFC 3056 6to4 tunnel to packet forgery and
DoS attacks
ƒ ISATAP tunnel
ƒ These tools have the same
ƒ MobileIPv6 (uses RFC2473) risk as IPv4, just new avenues
ƒ Teredo tunnels of exploitation
ƒ Automatic IPv6 over IPv4
tunnels could be secured by
IPv4 IPsec
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 60

© 2006, Cisco Systems, Inc. All rights reserved. 30
Presentation_ID.scr
L3–L4 Spoofing in IPv6 When Using IPv6
over IPv4 Tunnels
ƒ Most IPv4/IPv6 transition mechanisms have no authentication built in
ƒ ¼ an IPv4 attacker can inject traffic if spoofing on IPv4 and
IPv6 addresses

IPv6 ACLs Are Ineffective
Since IPv4 and IPv6 Is Spoofed
Tunnel Termination Forwards
IPv4 the Inner IPv6 Packet

IPv6
Public IPv4
Internet
IPv6 Network IPv6 in IPv4 IPv6 Network
Tunnel
Tunnel Tunnel
Termination Termination
Server A Server B
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61

Transition Threats: ISATAP
ƒ Unauthorized tunnels—firewall bypass (protocol 41)
ƒ IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in
the enterprise
ƒ This has implications on network segmentation and network discovery
ƒ No authentication in ISATAP—rogue routers are possible
ƒ Host security needs IPv6 support

ISATAP Router

Any Host Can Talk ISATAP Tunnels
to the Router
IPv4 Network ~ Layer 2 for IPv6 Service

Direct
Communication

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62

© 2006, Cisco Systems, Inc. All rights reserved. 31
Presentation_ID.scr
Teredo?

ƒ Teredo Navalis
A shipworm drilling holes in boat hulls

ƒ Teredo Microsoftis
IPv6 in IPv4 punching holes
in NAT devices

Source: United States Geological Survey
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 63

Teredo Tunnels (1 of 3)
Without Teredo: Controls Are in Place
Without Toredo Tunnels
ƒ All outbound traffic inspected: e.g., P2P is blocked
ƒ All inbound traffic blocked by firewall

IPv6 Internet
IPv4 Internet

Teredo Relay
IPv4 Firewall

IPv4 Intranet

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 64

© 2006, Cisco Systems, Inc. All rights reserved. 32
Presentation_ID.scr
Teredo Tunnels (2 of 3)
No More Outbound Control
Teredo threats—IPv6 over UDP (port 3544)
ƒ Internal users wants to get P2P over IPv6
ƒ Configure the Teredo tunnel (already enabled by default!)
ƒ FW just sees IPv4 UDP traffic (may be on port 53)
ƒ No more outbound control by FW

IPv6 Internet
IPv4 Internet

Teredo Relay
IPv4 Firewall

IPv4 Intranet

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 65

Teredo Tunnels (3 of 3)
No More Outbound Control
Once Teredo is configured
ƒ Inbound connections are allowed
ƒ IPv4 firewall unable to control
ƒ IPv6 hackers can penetrate
ƒ Host security needs IPv6 support now

IPv6 Internet
IPv4 Internet

Teredo Relay
IPv4 Firewall

IPv4 Intranet

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 66

© 2006, Cisco Systems, Inc. All rights reserved. 33
Presentation_ID.scr
Understand the Behavior of Vista

ƒ IPv6 is preferred over IPv4
Vista sends IPv6 NA/NS/RS upon link-up
Attempts DHCP for IPv6
Else wait for local RA received with Global or ULA
Else try ISATAP
Else try Teredo
Else use IPv4—last resort

ƒ http://www.microsoft.com/technet/network/ipv6/ipv6faq.
mspx

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 67

Can We Block Rogue Tunnels?
ƒ Rogue tunnels by naïve users:
Sure, block IP protocol 41 and UDP/3544
In Windows:

netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled

ƒ Really rogue tunnels (covert channels)
No easy way...
Teredo will run over a different UDP port of course
Network devices can be your friend (more to come)

ƒ Deploying native IPv6 (including IPv6 firewalls)
is probably a better alternative
ƒ Or disable IPv6 on Windows through GPO or CSA 6.0

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 68

© 2006, Cisco Systems, Inc. All rights reserved. 34
Presentation_ID.scr
Can the Network Block Rogue Tunnels?

ƒ Use Flexible Packet Matching (FPM)
Blocking all Teredo addresses 2001::/32 in the UDP payload
ƒ FPM
Available in software since 12.4(4)T
Hardware implementation in PISA (requires Sup32 and Cat6K)
Classify on multiple attributes within a packet
String match and regex
Expressed in XML

0111111010101010000111000100111110010001000100100010001001

Match Pattern And Or Not
http://www.cisco.com/go/fpm
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 69

FPM Configuration For Your
to Block Teredo Reference

ƒ The trick is to load protocol bootdisk:ip.phdf
block all load protocol bootdisk:udp.phdf
packets IP Version = 6
class-map type stack match-all cm-ip-udp
containing a
match field IP protocol eq 17 next UDP
Teredo source
or destination class-map type access-control match-all cm-teredo1
address in the match start udp payload-start offset 0 size 1 eq 0x60 mask 15
UDP payload match start udp payload-start offset 8 size 4 eq 0x20010000
ƒ Teredo class-map type access-control match-all cm-teredo2
addresses are match start udp payload-start offset 0 size 1 eq 0x60 mask 15
in the 2001::/32 match start udp payload-start offset 24 size 4 eq 0x20010000
(note 32) prefix
policy-map type access-control pm-teredo
class cm-teredo1
drop Teredo Prefix as
class cm-teredo2 Embedded Address
drop
policy-map type access-control pm-udp-teredo
class cm-ip-udp
service-policy pm-teredo

interface GigabitEthernet1/36
service-policy type access-control in pm-udp-teredo

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 70

© 2006, Cisco Systems, Inc. All rights reserved. 35
Presentation_ID.scr
SP Transition Mechanism: 6VPE

ƒ 6VPE: the MPLS-VPN extension to also transport IPv6
traffic over a MPLS cloud and IPv4 BGP sessions
v4 only VPN v4 only VPN

10.1.1.0/24
10.1.2.0/24
PE1 PE3
VRF
v4 and v6 VPN IPv4 only MPLS VRF v4 and v6 VPN
VRF
2001:db8:1:1:/64 Dual-Stack 2001:db8:1:2:/64
Dual-Stack
IPv4-IPv6
10.1.1.0/24 IPv4-IPv6 10.1.2.0/24
PE Routers
PE Routers

VRF
v6 VPN VRF
v6 VPN
PE4 VRF
PE2
2001:db8:1:1:/64 2001:db8:1:2:/64

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 71

6VPE Security
ƒ Identical to IPv4 MPLS-VPN, see RFC 4381
ƒ MPLS VPNs can be secured as well as ATM/FR VPNs
ƒ Security depends on correct operation and implementation
QoS prevent flooding attack from one VPN to another one
PE routers must be secured: AAA, iACL, CoPP …
ƒ MPLS backbones can be more secure than “normal”
IP backbones
Core not accessible from outside
Separate control and data plane
ƒ Key: PE security
Advantage: Only PE-CE interfaces accessible from outside
Makes security easier than in “normal” networks

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 72

© 2006, Cisco Systems, Inc. All rights reserved. 36
Presentation_ID.scr
IPv6 Security:
Best Common Practice

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 73

For Your
Candidate Best Practices Reference

ƒ Implement privacy extensions carefully
ƒ Filter internal-use IPv6 addresses at the enterprise border routers
ƒ Filter unneeded services at the firewall
ƒ Selectively filter ICMP
ƒ Maintain host and application security
ƒ Determine what extension headers will be allowed through
the access control device
ƒ Block Type 0 Routing Header at the edge
ƒ Determine which ICMPv6 messages are required
ƒ Deny IPv6 fragments destined to an internetworking device
when possible
ƒ Ensure adequate IPv6 fragmentation filtering capabilities
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 74

© 2006, Cisco Systems, Inc. All rights reserved. 37
Presentation_ID.scr
For Your
Candidate Best Practices (Cont.) Reference

ƒ Implement RFC 2827-like filtering and encourage your ISP to
do the same
ƒ Document procedures for last-hop traceback
ƒ Use cryptographic protections where critical
ƒ Use static neighbor entries for critical systems
ƒ Implement ingress filtering of packets with IPv6 multicast
source addresses
ƒ Use traditional authentication mechanisms on BGP and IS-IS
ƒ Use IPsec to secure protocols such as OSPFv3 and RIPng
ƒ Use static tunneling rather than dynamic tunneling
ƒ Implement outbound filtering on firewall devices to allow only
authorized tunneling endpoints
ƒ Train your network operators and security managers on IPv6
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 75

Enforcing a
Security Policy

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 76

© 2006, Cisco Systems, Inc. All rights reserved. 38
Presentation_ID.scr
Cisco IOS IPv6 Access Control Lists

ƒ Can filter traffic based on source and
destination address
ƒ Can filter traffic inbound or outbound to a
specific interface
ƒ Implicit “deny all” at the end of access list
ƒ Very much like in IPv4

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 77

Cisco IOS IPv6 Access Control Lists
A Trivial Example
ƒ Filtering inbound traffic from one specific source address

2001:db8:2c80:1000::1
Others

ipv6 access-list MY_ACL IPv6 Internet
permit any 2001:db8:2c80:1000::1/128
deny any 2001:db8:2c80:1000::/64

interface Serial 0
ipv6 traffic-filter MY_ACL in Serial 0

Prefix: 2001:db8:2c80:1000::/64

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 78

© 2006, Cisco Systems, Inc. All rights reserved. 39
Presentation_ID.scr
IPv6 Extended Access Control Lists

ƒ Upper layers: ICMP, TCP, UDP, SCTP, any value
ƒ ICMPv6 code and type
ƒ TCP SYN, ACK, FIN, PUSH, URG, RST
ƒ L4 port numbers
ƒ Traffic class (only six bits/8) = DSCP
ƒ Flow label (0-0xFFFFF)
ƒ IPv6 header options
Fragments
Routing header type
Destination header type
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 79

IPv6 ACL Implicit Rules
Implicit Permit for Enable Neighbor Discovery
ƒ The following implicit rules exist at the end of each
IPv6 ACL to allow ICMPv6 neighbor discovery:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

ƒ Be careful when adding « deny ipv6 any any
log » at the end

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 80

© 2006, Cisco Systems, Inc. All rights reserved. 40
Presentation_ID.scr
For Your
IPv6 ACL to Protect VTY Reference

ipv6 access-list VTY
permit ipv6 2001:db8:0:1::/64 any

line vty 0 4
ipv6 access-class VTY in

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 81

For Your
Control Plane Policing for IPv6 Reference

Protecting the Router CPU
ƒ Against DoS with Neighbor Discovery...
ƒ Can also throttle IPv6 traffic when processed in SW while IPv4
is in HW (legacy platform)
Beware of CSCso03034
ƒ If in doubt: show proc cpu | include IPv6
class-map match-all ipv6
match protocol ipv6

policy-map CoPP
class ipv6
police rate 100 pps
conform-action transmit
exceed-action drop

control-plane
service-policy input CoPP
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 82

© 2006, Cisco Systems, Inc. All rights reserved. 41
Presentation_ID.scr
Cisco IOS Firewall IPv6 Support
ƒ Stateful protocol inspection (anomaly detection) of IPv6 fragmented
packets, TCP, UDP, ICMP and FTP traffic
ƒ Stateful inspection and translation services of IPv4/IPv6 packets
ƒ IPv6 DoS attack mitigation
ƒ IPv4/v6 coexistence, no need for new hardware, just software
ƒ Recognizes IPv6 extension header information such as routing header,
hop-by-hop options header, fragment header, etc.

IPv6 Router with
IPv4 Cisco IOS Firewall IPv6 Router with
Site 3 Cisco IOS Firewall IPv6
IPv6 Router with Site 1
Dual Stack
Cisco IOS Firewall Internet Router
IPv6 (IPv4) IPv6
Site 2 IPv6

IPv6 Router with
Cisco IOS Firewall
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 83

ASA Firewall IPv6 Support

ƒ Since version 7.0
ƒ Dual-stack, IPv6 only, IPv4 only
ƒ Extended IP ACL with stateful inspection
ƒ Application awareness
HTTP, FTP, telnet, SMTP, TCP, SSH, UDP
ƒ uRPF and v6 Frag guard
ƒ IPv6 header security checks
ƒ Management access via IPv6
Telnet, SSH, HTTPS
ƒ Caveat: no fail-over support (should be in 8.2)
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 84

© 2006, Cisco Systems, Inc. All rights reserved. 42
Presentation_ID.scr
ASA: Sample IPv6 Topology

2001:db8:c000:1052::/64
Inside
..::8 ..::7

Outside
2001:db8:c000:1051::37/64

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 85

For Your
ASA 7.x: ACL Reference

Very Similar to Cisco IOS

interface Ethernet0
nameif outside
ipv6 address 2001:db8:c000:1051::37/64
ipv6 enable
interface Ethernet1
nameif inside
ipv6 address 2001:db8:c000:1052::1/64
ipv6 enable

ipv6 route outside ::/0 2001:db8:c000:1051::1

ipv6 access-list SECURE permit tcp any host
2001:db8:c000:1052::7 eq telnet
ipv6 access-list SECURE permit icmp6 any
2001:db8:c000:1052::/64

access-group SECURE in interface outside

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86

© 2006, Cisco Systems, Inc. All rights reserved. 43
Presentation_ID.scr
For Your
ASA 7.x: Stateful Inspection Reference

ASA# show conn
4 in use, 7 most used
ICMP out fe80::206:d7ff:fe80:2340:0 in
fe80::209:43ff:fea4:dd07:0 idle 0:00:00 bytes 16
UDP out 2001:db8:c000:1051::138:53 in
2001:db8:c000:1052::7:50118 idle 0:00:02 flags -
TCP out 2001:200:0:8002:203:47ff:fea5:3085:80 in
2001:db8:c000:1052::7:11009 idle 0:00:14 bytes 8975 flags
UfFRIO
TCP out 2001:db8:c000:1051::1:11008 in
2001:db8:c000:1052::7:23 idle 0:00:04 bytes 411 flags UIOB

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87

“There is no reason anymore to let your site be
wide open for IPv6.”

An IPv6 Site Administrator
Previously Fully Opened in IPv6

BRSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 88

© 2006, Cisco Systems, Inc. All rights reserved. 44
Presentation_ID.scr
Cisco Security Agent and IPv6
IPv6 Support for Windows in CSA 6.0 (May 2008)
ƒ IPv6 ACL
(only on Vista)
ƒ Disable IPv6
(XP and Vista)
Deny

To Any IPv6
Addresses
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 89

CSA 6.0 in Action

ƒ IPv6 traffic is denied by CSA...

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 90

© 2006, Cisco Systems, Inc. All rights reserved. 45
Presentation_ID.scr
Enterprise Deployment:
Secure IPv6
Connectivity

How to Secure IPv6 over the WAN

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 91

Secure IPv6 over IPv4/6 Public Internet

ƒ No traffic sniffing
ƒ No traffic injection

Public Network Site 2 Site Remote Access

ƒ6in4/GRE Tunnels Protected ƒ ISATAP Protected by
IPv4 by IPsec RA IPsec
ƒDMVPN 12.4(20)T ƒ SSL VPN Client AnyConnect
IPsec VTI 12.4(6)T N/A
IPv6

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 92

© 2006, Cisco Systems, Inc. All rights reserved. 46
Presentation_ID.scr
Secure Site to Site IPv6 Traffic
over IPv4 Public Network
IPsec Protects IPv4 Unicast Traffic...
The Encapsulated IPv6 Packets
IPv6 Network

IPv6 Network
IPsec
IPv6 in IPv4 Tunnel

IPv4

GRE Tunnel Can Be Used to Transport Both
IPv4 and IPv6 in the Same Tunnel

See reference slides for more details
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 93

Secure Site to Site IPv6 Traffic
over IPv4 Public Network with DMVPN

ƒ IPv6 packets over DMVPN IPv4 tunnels
In IOS release 12.4(20)T (July 2008)
IPv6 and/or IPv4 data packets over same GRE tunnel

ƒ Complete set of NHRP commands
network-id, holdtime, authentication, map, etc.

ƒ NHRP registers two addresses
Link-
Link-local for routing protocol (Automatic or Manual)
Global for packet forwarding (Mandatory)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 94

© 2006, Cisco Systems, Inc. All rights reserved. 47
Presentation_ID.scr
DMVPN for IPv6 For Your
Phase 1 Configuration Reference

Hub Spoke
interface Tunnel0 interface Tunnel0
! Optional IPv4 DMVPN configuration ! Optional IPv4 DMVPN configuration
ipv6 address 2001:db8:100::1/64 ipv6 address 2001:db8:100::11/64
ipv6 eigrp 1 ipv6 eigrp 1
no ipv6 split-horizon eigrp 1 ipv6 nhrp map multicast 172.17.0.1
no ipv6 next-hop-self eigrp 1 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
ipv6 nhrp map multicast dynamic ipv6 nhrp network-id 100006
ipv6 nhrp network-id 100006 ipv6 nhrp holdtime 300
ipv6 nhrp holdtime 300 ipv6 nhrp nhs 2001:db8:100::1
tunnel source Serial2/0 tunnel source Serial1/0
tunnel mode gre multipoint tunnel mode gre multipoint
tunnel protection ipsec profile PROF tunnel protection ipsec profile PROF
! !
interface Ethernet0/0 interface Ethernet0/0
ipv6 address 2001:db8:0::1/64 ipv6 address 2001:db8:1::1/64
ipv6 eigrp 1 ipv6 eigrp 1
! !
interface Serial2/0 interface Serial1/0
ip address 172.17.0.1 255.255.255.252 ip address 172.16.1.1 255.255.255.252
! !
ipv6 router eigrp 1 ipv6 router eigrp 1
no shutdown no shutdown

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 95

Secure Site to Site IPv6 Traffic
over IPv6 Public Network

ƒ Since 12.4(6)T, IPsec also works for IPv6
ƒ Using the Virtual Interface

interface Tunnel0
no ip address
ipv6 address 2001:DB8::2811/64
ipv6 enable
tunnel source Serial0/0/1
tunnel destination 2001:DB8:7::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 96

© 2006, Cisco Systems, Inc. All rights reserved. 48
Presentation_ID.scr
IPv6 for Remote Devices Solutions

ƒ Enabling IPv6 traffic inside the Cisco VPN Client tunnel
NAT and Firewall traversal support
Allow remote host to establish a v6-in-v4 tunnel either
automatically or manually
ISATAP—Intra Site Automatic Tunnel Addressing Protocol
Fixed IPv6 address enables server’s side of any application
to be configured on an IPv6 host that could roam over
the world

ƒ Use of ASA 8.0 and SSL VPN Client AnyConnect
Can transfer IPv6 traffic over public IPv4

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 97

Secure RA IPv6 Traffic over IPv4 Public
Network: ISATAP in IPsec

IPsec Protects IPv4 Unicast Traffic...
The Encapsulated IPv6 Packets Enterprise
VPN Head-
End (ASA,
IPv6 Network

Cisco IOS, ...)

IPsec ISATAP

IPv6 PC ISATAP
IPv4 Tunnel Server
on Dual
Stack Router

IPsec with NAT-T Can Traverse NAT
ISATAP Encapsulates IPv6 into IPv4

See reference slides for more details
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 98

© 2006, Cisco Systems, Inc. All rights reserved. 49
Presentation_ID.scr
Secure RA IPv6 Traffic over IPv4 Public
Network: AnyConnect SSL VPN Client

IPv6 Network
IPv4 and IPv6 Transport in SSL
IPv6 PC ASA 8.0
AnyConnect IPv4 SSL VPN
Concentrator
Dual Stack

IPsec with NAT-T Can Traverse NAT
ISATAP Encapsulates IPv6 into IPv4

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 99

ASA 8.0 and AnyConnect 2.0
for IPv6 Transport
ƒ Since 8.0 ASA SSL VPN and AnyConnect can transport IPv6

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ipv6 local pool POOL_V6 2001:db8:5fff:81::1:1/64 8

tunnel-group DefaultWEBVPNGroup general-attributes
...
ipv6-address-pool POOL_V6

Ethernet adapter Cisco AnyConnect VPN Client Connection:

Connection-specific DNS Suffix . : cisco.com
IP Address. . . . . . . . . . . . : 192.168.0.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 2001:db8:5fff:81::1:1
IP Address. . . . . . . . . . . . : fe80::205:9aff:fe3c:7a00%13
Default Gateway . . . . . . . . . : 192.168.0.1
2001:db8:5fff:81::
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 100

© 2006, Cisco Systems, Inc. All rights reserved. 50
Presentation_ID.scr
Conclusion

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 101

Key Take Away

ƒ So, nothing really new in IPv6
Lack of operation experience may hinder security for a while

ƒ Security enforcement is possible
Control your IPv6 traffic as you do for IPv4

ƒ Leverage IPsec to secure IPv6 when possible
ƒ Beware of the IPv6 latent threat: Your network may be
vulnerable to IPv6 attacks

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 102

© 2006, Cisco Systems, Inc. All rights reserved. 51
Presentation_ID.scr
Q and A

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 103

Related Sessions
ƒ BRKSEC-4003: Advanced IPv6 Security:
Secure Neighbor Discovery
ƒ BRKRST-2301: Enterprise IPv6 deployment
ƒ BRKSEC-2105: Securing IP Network Traffic Planes
ƒ BRKSEC-2002: Understanding and Preventing
Layer 2 Attacks
ƒ BRKSEC-4010: Advanced Concepts of Dynamic
Multipoint VPN

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 104

© 2006, Cisco Systems, Inc. All rights reserved. 52
Presentation_ID.scr
Recommended Reading

ƒ Continue your Cisco Live
learning experience with further
reading from Cisco Press®
ƒ Check the Recommended
Reading flyer for suggested
books

Available Onsite at the Cisco Company Store
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 105

Complete Your Online
Session Evaluation
ƒ Give us your feedback and you could win Don’t forget to activate
fabulous prizes; winners announced daily your Cisco Live virtual
account for access to
ƒ Receive 20 Passport points for each session all session material
evaluation you complete on-demand and return
for our live virtual event
ƒ Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center Solutions or visit
www.cisco-live.com.

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 106

© 2006, Cisco Systems, Inc. All rights reserved. 53
Presentation_ID.scr
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 107

Reference Slides

For Reference Only

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 108

© 2006, Cisco Systems, Inc. All rights reserved. 54
Presentation_ID.scr
IP Mobility

2001:db8:c18::1

Correspondent Node

Home Agent
Mobile Node
Optimized Routing
Not Possible in IPv4

Mobile Node
2001:2:a010::5
Mobility Means:
ƒ Mobile devices are fully supported while moving
ƒ Built-in on IPv6
Any node can use it
ƒ Optimized routing means performance for end-users
ƒ Filtering challenges
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 109

Mobile IPv6 Security Features Overview

ƒ Protection of binding updates both to home agents
and correspondent nodes
IPsec (specially for HA)
Or binding authorization data option through the return
routability procedure

ƒ Protection of mobile prefix discovery
Through the use of IPsec extension headers

ƒ Protection of data packets transport
Home address destination option and type two routing
header specified in a manner which restricts their use
in attacks

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 110

© 2006, Cisco Systems, Inc. All rights reserved. 55
Presentation_ID.scr
Mobile IPv6 Security
Return Routability Test
ƒ Provides reasonable assurance that the MN is addressable
at its claimed CoA and at its HoA
ƒ Test whether packets addressed to the two claimed
addresses are routed back to the MN

Mobile Node Home Agent Correspondent Node
Home Test Init (HoTI)

Care-of Test Init (CoTI)
Home Test (HoT) (Key Mat 1)

Care-of Test (CoT) (Key Mat 2)
Binding Update (Computed from Key Mat 1 and 2)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 111

MIPv6 Security Protections

ƒ BU/BA to HA must be secured through IPsec
ƒ MN and HA should use an IPsec SA to protect
the integrity and authenticity of the mobile prefix
solicitations and advertisements
ƒ Payload packets exchanged with MN can follow
the same protection policy as other IPv6 hosts
ƒ Specific security measures are defined to protect
the specificity of MIPv6
Home address destination option
Type 2 Routing header
Tunnelling headers

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 112

© 2006, Cisco Systems, Inc. All rights reserved. 56
Presentation_ID.scr
MIPv6 Security Challenges

ƒ Unlike IPv4 Mobility, IPv6 enables the MN and the CN
to communicate directly through Route Optimization
ƒ Security tools such as IDS/Firewall and Regulation
implementation such as LI can be bypassed by
design in the case of MIPv6

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 113

For Your
IPv6 for Remote Devices Reference

Router Configuration: ISATAP
IPsec Hub

F0/0 Dual-Stack
Router
Dual-stack router configuration
F0/1

ipv6 unicast-routing
Corporate !
Network interface FastEthernet0/0
description TO VPN 3000
ip address 20.1.1.1 255.255.255.0
!
interface FastEthernet0/1
description TO Campus Network
ipv6 address 2001:db8:C003:111C::2/64
!
ISATAP Address Format: interface Tunnel0
64-bit Unicast Prefix 0000:5EFE: IPv4 Addr. no ip address
32-bit 32-bit ipv6 address 2001:db8:C003:1101::/64
eui-64
Interface ID no ipv6 nd suppress-ra
tunnel source FastEthernet0/0
2001:db8:c003:1101:0:5efe:20.1.1.1 tunnel mode ipv6ip isatap

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 114

© 2006, Cisco Systems, Inc. All rights reserved. 57
Presentation_ID.scr
IPv6 for Remote Devices
Does It Work?
Windows XP Dual-Stack
Client IPsec Hub Router

10.1.99.102—VPN Address
2001:db8:c003:1101:0:5efe:10.1.99.102—IPv6 Address

Interface 2: Automatic Tunneling Pseudo-Interface

Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Public Preferred 29d23h56m5s 6d23h56m5s 2001:db8:c003:1101:0:5efe:10.1.99.102
Link Preferred infinite infinite fe80::5efe:10.1.99.102

netsh interface ipv6>show route
Querying active state...

Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- ---- ------------------------ --- ---------------------
no Autoconf 9 2001:db8:c003:1101::/64 2 Automatic Tunneling Pseudo-Interface
no Manual 1 ::/0 2 fe80::5efe:20.1.1.1
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 115

For Your
Secure Site-to-Site Reference

IPv6 Connectivity
IPv6 Tunnel Is Between the
Spoke Two Static IPv4 Loopbacks Hub
2001:DB8:C000:1053::4/128

2001:DB8:C000:1051::/64

Loopback 0 192.168.52.4 Loopback 0 192.168.52.7

Tunnel 4 (IPv6 in IPv4)
.22
Serial 0/0 Dynamic
0
/3
.0
04
.2
68
1
2.
19

Hub IPsec Is Using
IPsec SA Protects All Dynamic Crypto Maps
IPv6 in IPv4 Packets
Between the Static IPsec SA
Loopbacks
BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 116

© 2006, Cisco Systems, Inc. All rights reserved. 58
Presentation_ID.scr
Secure Site-to-Site IPv6 Connectivity
Key Design Points
ƒ Requires a fixed IPv4 address for hub
ƒ IPv6-in-IPv4 tunnels are anchored on IPv4 loopbacks
Tunnels requires static sources and destinations

ƒ IPsec dynamic crypto maps are used
Allows for dynamic spoke IPv4 addresses
IPsec works on IPv4 packets (containing the IPv4 packets)

ƒ Traffic initiated from spokes (hub is using dynamic
crypto maps)

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 117

For Your
Spoke Configuration (1 of 2) Reference

IPv6 Tunnels

interface Loopback0
ip address 192.168.52.4 255.255.255.255

interface Tunnel4
no ip address Static IPv4
ipv6 unnumbered FastEthernet0/0 Addresses
ipv6 enable
tunnel source Loopback0
tunnel destination 192.168.52.7
tunnel mode ipv6ip
!
ip route 192.168.52.0 255.255.255.0 Serial0/0

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 118

© 2006, Cisco Systems, Inc. All rights reserved. 59
Presentation_ID.scr
For Your
Spoke Configuration (2 of 2) Reference

IPv6 IPsec

crypto ipsec transform-set 3DES esp-3des
!
crypto map IPV6_SEC 10 ipsec-isakmp
set peer 192.168.204.26 IPv4 Address of Hub
set transform-set 3DES
match address SELECTOR
IPsec Traffic Selectors:
! Fixed IPv4 Loopback
interface Serial0/0 Addresses, i.e.,
crypto map IPV6_SEC Encapsulated IPv6 Traffic
!
ip access-list extended SELECTOR
permit 41 host 192.168.52.4 host 192.168.52.7

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 119

For Your
Hub Configuration (1 of 2) Reference

IPv4 Tunnels
interface Loopback0
ip address 192.168.52.7 255.255.255.255
!
interface Tunnel4
no ip address
ipv6 unnumbered FastEthernet0/1 Static IPv4
ipv6 enable Addresses
tunnel source Loopback0
tunnel destination 192.168.52.4
tunnel mode ipv6ip

… a lot more interfaces Tunnel…

ip route 192.168.52.0 255.255.255.0 Serial0/0

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 120

© 2006, Cisco Systems, Inc. All rights reserved. 60
Presentation_ID.scr
For Your
Hub Configuration (2 of 2) Reference

IPv4 IPsec

crypto ipsec transform-set 3DES esp-3des
Dynamic Crypto Map:
! Allow IPsec from Every
crypto dynamic-map TEMPLATE 10 IP Address with Correct
set transform-set 3DES IKE Authentication
match address SELECTOR
!
crypto map IPV6_SEC 10 ipsec-isakmp dynamic TEMPLATE
!
interface Serial0/0 IPsec Traffic Selectors:
ip address 192.168.204.26 255.255.255.252
Fixed IPv4 Loopback
crypto map IPV6_SEC Addresses, i.e.,
! Encapsulated IPv6 Traffic
ip access-list extended SELECTOR
permit 41 host 192.168.52.7 192.168.52.0 0.0.0.255

BRKSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 121

IPv6 Integration on MPLS VPN
Infrastructure: 6VPE
Dual-Stack vrf
ipv4 addresses: 10.100/16 Address-family IPv4
Dual-Stack ipv6 addresses: 2001:100::/64 Address-family IPv6
Network
P1 P2
Site-1 Dual-Stack Network
CE1 PE1 CE2
2001:101::/64 PE2 Site-2
10.101/16 VRF Red

iGP-v4 (OSPF, ISIS) 2001:201::/64
10.201/16 Dual-Stack
VRF Red LDP-v4
MP-eBGP Session Server
Address-family IPv4
Address-family IPv6 MP-iBGP Session MP-eBGP Session
Address-family VPNv4 Address-family IPv4
Address-family VPNv6 Address-family IPv6

vrf definition site1
ƒ MPLS/IPv4 Core Infrastructure is IPv6-unaware rd 100:1
ƒ PEs are updated to support Dual Stack/6VPE route-target import 100:1
route-target export 100:1
ƒ IPv6 VPN can co-exist with IPv4 VPN—same scope address-family ipv4
address-family ipv6
and policies !
ƒ 6VPE—RFC 4659—Cisco authored for IPv6 VPN interface ethernet0/0
vrf forwarding site1
over MPLS/IPv4 infrastructure ip address 10.100.1.2 255.255.0.0
ƒ Shipping in: ipv6 address 2001:100::72b/64
12.2(33)SRB (Barracuda – C7600), Q1CY’07
12.4(pi7)T (C7200, C7301, C2800, C3800), Q3CY’07
12.2(x)SB (Exodus Rel5 – C10000), Q3CY’07
BRKSEC-2003 12.2(33)SXI (Whitney 2.0 – C6500), Q4CY’07
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 122

© 2006, Cisco Systems, Inc. All rights reserved. 61
Presentation_ID.scr