IPv6 Forum Education Logo Program

IPv6 Forum Education Certification Logo Program (Course / Engineer / Trainer / Certification)

V6.6.2

(2012-05-14)

IPv6 FORUM 1 IPv6 Education Certification Logo Program

IPv6 Forum http://www.ipv6forum.com

MODIFICATION RECORD

14 March 2010: Document Created by Latif Ladid

31 May 2010: Modified by Selvakumar Manickam on Section 5.

15 June 2010: Edited by Latif Ladid

29 June 2010: Edited by Latif Ladid

14 August 2010: Edited by Latif Ladid

20 August 2010: Edited by Latif Ladid

13 June 2011: Edited by Salman Asadullah

07 February 2012: Edited by Latif Ladid

14 May 2012: Edited by Latif Ladid

ACKNOWLEDGMENTS

The IPv6 Forum would like to acknowledge the efforts of the following individuals and organizations in the development of this specification.

Principal Authors:

Latif Ladid, IPv6 Forum

Selvakumar Manickam, Nav6 Penang Malaysia

Salman Asadullah, Cisco Systems

Commentators:

Prof. Dr. Sureswaran Ramadass, Nav6 Penang Malaysia

IPv6 Forum Certified Certification Development Team:

Chip Nielsen, Cisco Systems

Srinivasa Neppalli, Cisco Systems

Jim Bailey, Cisco Systems

Harold Ritter, Cisco Systems

Salman Asadullah, Cisco Systems

Security program

Fred Bovy, CCIE #3013

Chip Popoviciu, Nephos6

Web site & Database

Aurel Machalek, web site and art work, University of Luxembourg

Christoph Ooi, Database, Nav6 Penang Malaysia

INTRODUCTION

The prime objective of the IPv6 Forum IPv6 Education Logo Program is to encourage and accelerate education and training on IPv6, and thereby promote swifter adoption of IPv6 in the education curricula and programs of universities, research institutes, vendors and training specialists.

A recent survey on IPv6 training and studies at universities has demonstrated that IPv6 training and courses are far too embryonic to have any critical impact: http://www.training4ipv6.eu/index.php/blog

Patching IPv6 with IPv4 thinking would merely extend the IPv6 address space to the Internet without fully exploiting the rich set of new features still invisible to the normal engineer. Deploying IPv6 without upfront integration of the many built-in features, such as the IPv6 security and privacy protocols, would repeat the mistake made in the deployment of IPv4. It would even defeat the prime purpose of fixing things like security in the Internet.

It is estimated that some 20 million engineers are working on the current Internet worldwide at ISPs, corporate and all other public and private organisations, and they will need training on IPv6. This is a gigantic task, since it is the first upgrade of the Internet and most probably the last one for decades to come.

The IPv6 Education Logo Program is intended to increase practical engineering expertise and hands-on knowledge to tackle this large undertaking ahead of us, thereby extending user confidence by demonstrating that IPv6 will be deployed by qualified engineers.

The IPv6 Education Logo Program currently consists of the following programs:

1 - Program

Phase I: Phase I will mainly target 5-10 day courses

- Basic Curriculum Profile (Silver)

- Advanced Curriculum Profile (Gold)

Phase II: Phase II will be a detailed course program for universities (BA, MSc, PhD).

Phase III: Future Curriculum Programs (Diamond)

2 - Target Audiences (TA):

TA 1 - Universities - Institutes - Research Centres

TA 2 - Vendors

TA 3 - Training Institutes & Specialists

TA 4 - Train the Trainer Program (IPv6 Experts)

TA 5 - Students & Engineers Certification - Examination Profiles of TA 1-2-3-4

3 - Course Profile Definition:

TA 1: Universities: (Definition of curriculum profiles)

- Basic

- Advanced

TA 2: Vendors

- Basic

- Advanced

TA 3: Training Specialists

- Similar to TA 2

TA 4: Train the Trainer

- Advanced

Table of Contents

1. Foreword

2. IPv6 Education Certification Logo Program

2.1. General

2.2. IPv6 Education Logo Program

2.3. IPv6 Train the Trainer Logo Program

3. Curriculum Outline

3.1. IPv6 Forum Certified Course & Network Engineer (Silver)

3.1.1. Prerequisites

3.1.2. Course Outline

3.2. IPv6 Forum Certified Course & Network Engineer (Gold)

3.2.1. Prerequisites

3.2.2. Course Outline

3.3. IPv6 Forum Certified Train The Trainer Network Engineer (Gold)

3.3.1. IPv6 Forum Certified Train The Trainer Course (Gold)

3.4. IPv6 Forum Certified Certification

3.4.1. Prerequisites

3.4.2. Application Process

3.4.3. Exam Topics

3.4.4. IPv6 Forum Certified Certification (Silver)

3.4.5. IPv6 Forum Certified Certification (Gold)

3.5 IPv6 Forum Certified Security Course & Engineer (GOLD)

3.5.1 PREREQUISITES

3.5.2 COURSE OUTLINE

4. Procedure to obtain the v6 Education Logo

4.1. General

4.2. Procedure to obtain the v6 Education Logo

5. IPv6 WWW Logo Program

5.1. General

5.2. Definition - Requirements of IPv6 Education website

5.3. Definition - Specification of Checking/Validating IPv6 WWW Site Connectivity

5.3.1. IPv6 DNS Resolving Ability

5.3.2. IPv6 HTTP Access Ability

5.3.3. IPv6 WWW Maintenance Ability

5.3.4. Required quality of IPv6 Education website for validation

5.4. Procedure to obtain the v6eLogo_WWW

5.5. Image logo

5.6. Dynamic logo

6. Terminology

7. Future Programs

7.1 IPv6 Forum Certified Programmer

7.1.1 PREREQUISITES

7.1.2 COURSE OUTLINE

1. Foreword

Changes to this specification are subject to public review and approval by the IPv6 Forum IPv6 Education Logo Steering Group (v6ELSG).

Version x.y.z

Where:

x the first digit:

1 presented to v6ELSG for information;

2 presented to v6ELSG for approval;

3 or greater indicates v6ELSG approved document under change control.

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.

z the third digit is incremented when editorial only changes have been incorporated in the document.

The present document describes the IPv6 Education Logo Program. This document is the result of consensus between the IPv6 Education Steering Group (v6ELSG) members and industry review

2. IPv6 Education Certification Logo Program

2.1. General

The objective of the IPv6 Forum Education Logo Program [1] is to encourage and accelerate the uptake of expertise to guarantee a solid deployment and adoption of IPv6 by web site owners, ISPs and content providers, as well as the design of new IPv6 apps.

The goal of the IPv6 Education Logo (v6eLogo) Program is to increase engineering quality by certifying solid curricula and recognizing educated engineers.

The IPv6 Education Logo Program consists of the following sub-programs:

• IPv6 Education Logo Program

• Certified Certification

• IPv6 Train The Trainer Logo Program

The IPv6 Forum has created the IPv6 Education Steering Committee (v6eSG) to manage the IPv6 Education Logo Program.

[1] http://www.ipv6forum.org/ipv6_enabled/

The IPv6 Education Steering Group mission is to help support IPv6 Education and Training.

The IPv6 Education Logo Steering Group (v6eSG) is structured as follows:

• IPv6 Forum President, Latif Ladid

• IPv6 Forum (Ready/Enabled/Education) Logo Programs Chairperson, Yanick Pouffary, IPv6 Forum Fellow

• IPv6 Enable Logo Steering Group Chairperson, Liu Dong, Chair China IPv6 Council / BII Group

• IPv6 Education Logo Steering Group Chairperson, Dr. Sures Ramadass / Selvakumar Manickam, IPv6 Forum Malaysia – Nav6, Co-chair Salman Asadullah, IPv6 Forum Fellow, Cisco Distinguished Engineer

• IPv6 Ready Logo Committee Chairperson, Hiroshi Esaki, Executive Director Japan IPv6 Promotion Council (v6PC) / WIDE Project

• IPv6 Ready Logo Legal/Operational, Cesar Viho, IPv6 Ready Logo Operational / IPv6 Forum Fellow / IRISA

• IPv6 Enable Logo Technical Lead IPv6 Enable ISP logo, Hiroshi Miyata, IPv6 Ready Logo Technical Lead / IPv6 Forum Fellow / TAHI Project

• IPv6 Enable Logo Advisor, Erica Johnson, IPv6 Ready Logo Regional Officer / IPv6 Forum Fellow / UNH IOL

The v6eSG is responsible for:

• Defining procedures, regulations and steps for the v6eLogo program.

• Defining the strategy for deploying the IPv6 Education Logo Program.

• Administering the right to use the IPv6 Education Logo.

Final approval of the IPv6 Education procedures and scripts is done by the IPv6 Education Certification Logo Chairperson, the IPv6 Ready Logo Chairperson and IPv6 Forum President.

The IPv6 Education Logo ID database and the IPv6 Education Web pages are administered mainly by the BII Group.

In order to maintain credibility and neutral services among vendors and users, the members that support the IPv6 Education Logo Steering Group operate according to the IPv6 Ready Logo Program Code of Conduct http://www.ipv6ready.org/docs/v6LC_Code_of_Conduct.pdf and are bound by a signed Non-Disclosure Commitment.

2.2. IPv6 Education Logo Program

The IPv6 Education WWW Logo (v6eLogo_WWW) program is intended for IPv6 Education Web sites. Its goal is to help support IPv6 deployment on Web sites.

The applicant’s website will be validated for IPv6 reachability as defined in this document. If it passes, the IPv6 Forum then authorizes usage of the IPv6 Education WWW Logo for that website.

The basic level validates the applicant web site's IPv6 reachability. For basic level validation, an automatic script will be run by the v6eSG. If the script runs successfully, the applicant web site is assigned a logo ID and is listed on the IPv6 Education web page.

Note: The applicant’s web site may not be reachable over IPv6 from the testing server(s) run by the v6eSG, not because of a technical problem at the applicant’s web site, but because of a technical problem at some intermediate node/network between the applicant’s web site and the testing server(s) run by the v6eSG. When the v6eSG observes that the applicant’s web server is unreachable, an attempt will be made to identify the reachability issue.

For advanced level validation, obtaining the basic level logo is a prerequisite. Please note that at this date this level is not yet fully defined and will be released later on.

2.3. IPv6 Train the Trainer Logo Program

IPv6 Train the Trainer Logo program is for IPv6 experts who qualify to train future IPv6 trainers.

3. Curriculum Outline

All the training courses are delivered via an instructor-led approach with hands-on labs.

• Instructor-Led Training: Set in an interactive classroom environment, the instructor will introduce concepts and guide students with detailed explanations and interesting examples to meet the student expectations and requirements and at the same time keep the students engaged.

• Hands-on Lab: Step-by-step hands-on labs with detailed instructions and guidance are provided to reinforce all key concepts. They allow the students to reinforce concepts by performing the tasks they have just learned.

As these are certification programs, candidates are required to pass both the written and hands-on evaluation to qualify for the certificate.

3.1. IPv6 Forum Certified Course & Network Engineer (Silver)

Plan and Implement IPv6 in a Multi-Vendor, Commercial Environment.

You will learn to:

• Implement new networking software and devices to support IPv6.

• Implement auto-configuration to manage IPv6 addresses.

• Configure the different IPv6 migration tools, such as tunnelling, in order to facilitate the transition.

• Obtain and configure upgrades for common operating systems.

3.1.1. Prerequisites

A good knowledge of general networking concepts is assumed. IPv4 is reviewed as it is compared and contrasted with IPv6, but experience on IPv6 is not critical.

Knowledge on the level of Cisco Certified Network Associate (CCNA) would be an added advantage.

3.1.2. Course Outline

The Internet Protocol

• Introduction to IP

• Internet as a Datagram Network

• Internet as a Connectionless Network

• IPv6 Technical Features

• Differences between IPv4 and IPv6

• Address Space

• Quality of Service and Routing Efficiency

• Plug and Play

• Mobility

• Security

IPv6 Address Architecture and Scheme

• Notation of IPv6 addresses

• Types of addresses

• IPv6 Addressing Schemes

• A case study of IPv6 addressing scheme

OS IPv6 Configuration

• Windows

• Linux

• BSD Configuration Information

IPv6 Device Configuration

• Autoconfiguration

o Stateless autoconfiguration

o Stateful autoconfiguration

o Duplicate address detection

o Address Resolution

o Neighbour discovery procedures

o Neighbour solicitation messages

o Neighbour advertisement messages

Introduction to Routing

• Introduction Static Routing

• Introduction Dynamic Routing

• Hands-on (Static Routing)

Translation Mechanisms

• CGN

• NAT44

• NAT444

• AFT

Introduction to Tunneling

• 6-to-4

• 6-in-4

• 6rd

• ISATAP

• Teredo

3.2. IPv6 Forum Certified Course & Network Engineer (Gold)

Plan and Implement Advanced IPv6 in a Multi-Vendor, Commercial Environment.

You will learn to:

• Generate and test IPv6 packets in a network.

• Plan and manage the migration of your network to IPv6.

• Implement new networking software and devices to support IPv6.

• Install and configure associated network services such as DNS and routing protocols.

• Update and configure common networking applications such as email and Web servers.

• Configure routers and dual stack.

3.2.1. Prerequisites

A good knowledge of general networking concepts is assumed. Certified IPv6 Network Engineer (CNE6) Level 1 or similar is necessary to pursue this training program.

3.2.2. Course Outline

• IPv6 Packet Generation

• Understanding scapy6

• Crafting packets

• Testing with various configurations

• IPv6 Packet Detection

• Understanding SNORT IPv6 Capabilities

• Native IPv6

• IPv6 over Tunnels

• IPsec

• IPv6 IPsec overview

• Security policies and security associations

• IPsec tunneling

• IPsec Framework

• Authentication header

• Encapsulating security payload

• ESP transport mode

• ISAKMP/IKE

o Internet key exchange

• IPv6 IPSec in a Windows environment

o Microsoft symmetric key authentication

o Setting up the IPSec tunnel

• IPv6 Integration

• Header translation

• Tunnel Brokers

• Teredo Tunneling

• 6-in-4 Tunneling

• 6rd

• ds-lite

• Steps to migrate to IPv6

• Hardware

• Software

o Operating System (OS)

▪ Windows Vista/7/2008 Server

▪ Linux

▪ Mac OS

▪ Legacy OS

o DNS

o Web

o E-mail

• Name Service in IPv6

. IPv6 and DNS

. AAAA and A6 records

. Reverse lookup in IP6.ARPA

. DNS Setup

• Routing protocols

. Dynamic routing and its advantages over the static routing

. RIPng

. OSPFv3

. ISIS for IPv6

. BGP4+

• DHCPv6

. Stateful address management

. Stateless address management

. Manual address management

3.3. IPv6 Forum Certified Train The Trainer Network Engineer (Gold)

The IPv6 Forum will certify and qualify trainers to teach the IPv6 Forum’s instructor-led courses. The train-the-trainer (TTT) program covers the standard syllabus with the addition of a 1-day trainer’s training that will cover the following:

1) Know-how on setting up IPv6 network.

2) Configuring servers to support and enable IPv6 connectivity.

3) Advanced knowledge required for the trainer.

4) Additional evaluation catered specifically for trainer candidates.

3.3.1. IPv6 Forum Certified Train The Trainer Course (Gold)

IPv6 training courses can be developed and delivered by IPv6 experts worldwide. In order to qualify for the IPv6 Forum’s course certification, the course being evaluated has to comply with the objectives for training courses highlighted in Section 5.1 through Section 5.5, to ensure that the consistency and standards of IPv6 capacity building are adhered to.

Through the evaluation of these courses, we can also indicate which processes should be improved to effect better results.

The evaluation team will be comprised of esteemed members of the IPv6 Forum Global who will vet and advise on the courses brought forward and finally decide to award either Silver or Gold to the evaluated courses.

IPv6 Forum will evaluate based on (but not limited to) the following criteria:

• Content relevance to IPv6.

• Course length and class size appropriateness for training goals.

• Quality of lecturers and course materials.

• Participatory and action-learning methods used.

List of courses shown in the table below:

http://www.6deploy.org/index.php?page=tutorials

http://www.6diss.org/tutorials/index.html

3.4. IPv6 Forum Certified Certification

The IPv6 Forum Certified Certification program will certify vendor certifications that assess IPv6 expertise per IPv6 Forum’s specification.

Two levels of certification are provided by the IPv6 Forum Certified Certification program. Silver certifications will include beginner and intermediate IPv6 topics. Gold certification will include topics of all skill levels including advanced IPv6 topics.

This specification provides mandatory topics and optional subtopics required to obtain IPv6 Forum Certified Certification status.

3.4.1. Prerequisites

Prior to receiving IPv6 Forum Certified Certification status, the vendor education web site must be reachable via IPv6. Please refer to Section 5 for details on the IPv6 Education WWW Logo program.

3.4.2. Application Process

The following information is required to apply for IPv6 Forum Certified Certification:

1. Primary contact information

2. Certification program name

3. Certification program objective

4. Publicly available exam blueprint URL

5. If applying for IPv6 Forum Certified Certification (Silver)

a. Please list the topics covered in the written exam from section 3.4.4.

b. Please list the topics covered in the lab exam (if applicable) from section 3.4.4.

6. If applying for IPv6 Forum Certified Certification (Gold)

a. Please list the topics covered in the written exam from section 3.4.4 and 3.4.5.

b. Please list the topics covered in the lab exam (if applicable) from section 3.4.4 and 3.4.5.

3.4.3. Exam Topics

In order to be certified as an IPv6 Forum Certified Certification (Silver), the required exams must cover all mandatory exam topics in section 3.4.4. The sub topics are “Optional” but are included for reference. These sub topics can be used as guidelines, but are not mandatory to meet the specification.

In order to be certified as an IPv6 Forum Certified Certification (Gold), the required exams must cover all mandatory exam topics in section 3.4.4 and section 3.4.5. As with the Silver program, the sub topics in the Gold section are optional and included for reference.

Mandatory exam topics (highlighted in bold) must be covered in both written and lab exam (if applicable).

3.4.4. IPv6 Forum Certified Certification (Silver)

• IPv6 Introduction

. IPv6 packet format

o Header fields

o IPv6 extension headers

. ICMPv6

o Message types

. Differences between IPv4 and IPv6

. Address space

• IPv6 Address Architecture and Scheme

. Notation of IPv6 addresses

. Types of addresses

. IPv6 addressing schemes

. EUI-64

. Random addressing (RFC 4941)

. Manual addressing

. Address lifetimes

• IPv6 Device Configuration

. Autoconfiguration

o Stateless autoconfiguration

o Stateful autoconfiguration

o Privacy extensions (RFC 4941)

. Duplicate address detection

. Address resolution

o Differences between IPv4 ARP and IPv6 ND

. Neighbor discovery procedures

o Default router selection

. Neighbor solicitation messages

o Router solicitation

o Neighbor solicitation

o Inverse neighbor solicitation

. Neighbor advertisement messages

o Router advertisement

o Neighbor advertisement

o Inverse neighbor advertisement

. Operating system details/specifics

• DHCPv6

. Stateful address management

. Stateless address management

. Manual address management

• Introduction to Tunneling

. 6-in-4 Tunneling

. Tunnel Broker

. 6RD

• Name Service in IPv6

. IPv6 and DNS

. AAAA records

. DNSSEC

. Reverse lookup in IP6.ARPA

. DNS Setup

o Dual stack MX records

• Introduction to IPv6 Security

. Perimeter security

. Packet filtering

. Unmonitored IPv6 risks and mitigation

. First hop security

o Rogue Router Advertisement Guard

• Introduction to IPv6 Network Management

. SNMPv3

• IPv6 Impact to Applications

. Application best practices

. Dual stack hosts

3.4.5. IPv6 Forum Certified Certification (Gold)

• IPv6 Tunneling and Translation Mechanisms

. NAT44

. NAT64

. AFT

. DS-Lite

. 6PE/6VPE

. NAT-PT Deprecation (RFC 4966)

. ALG / Proxy

. ISATAP

. Teredo

. 6to4 Tunneling/6rd

. Operating system details/specifics on how tunneling is handled

• Routing Protocols & MPLS

. Static routing

. RIPng

. ISIS for IPv6

. BGP4+

. OSPFv3

. 6VPE

. Operating system details/specifics on how routing is handled

• Network Management

. IPv6 information retrieval

. Fault management

. Performance management

. Configuration management

. Availability management

. Operating system details/specifics on how network management is handled

• IPv6 Multicast

. IPv6 multicast address format

. Protocol Independent Multicast (PIM)

. Multicast Listener Discovery (MLD)

. Embedded Rendezvous Point (RP)

. Operating system details/specifics on how multicast is handled

• IPv6 Mobility

. Basic operations

. Operating system details/specifics on how mobility is handled

• IPv6 Security

. IPsec over IPv6

o IKEv2

o IPsec digital certificates

. Operating system details/specifics on how security is handled

• IPv6 Troubleshooting

. Basic troubleshooting methodology/plan

. Packet sniffing and analysis

. Use of ipconfig/ifconfig, ping/ping6, traceroute/traceroute6

. Troubleshooting routing/tunneling/vpn/translation

. Troubleshooting LAN/WAN environments

. Troubleshooting dual-stack host issues

. Troubleshooting application issues

3.5 IPv6 Forum Certified Security Course & Engineer (GOLD)

The IPv6 Forum Certified Security Program (Course, Security Engineer and Security Trainer) expands the IPv6 Forum Gold certification programs in an area of very high importance to the IPv6 deployment and IPv6 operation teams as security is one of the most often cited concerns with the IPv6 enablement. IPv6 transition also presents a unique opportunity for IT organisations to implement a comprehensive security architecture from day one.

The program defines and enforces a high standard for education and skills accreditation in the IPv6 Security specialty.

The program standardises:

· The requirements for an IPv6 Security course to be deemed complete and competitive in providing the requisite information

· The requirements for a Trainer to be deemed ready to deliver an IPv6 Security class effectively and with the necessary practical competency

· The requirements for an Engineer to demonstrate the level of expertise and competency necessary to be an effective IPv6 Security specialist.

The standards defined by this program are enforced through the process of certification of IPv6 Security course content, of IPv6 Security trainers and of IPv6 Security engineers.

1. Requirements for the Gold IPv6 Security Course Content

To be eligible for the IPv6 Forum Gold “Security Course” certification, the content of the IPv6 security course must be reviewed against the requirements listed in this section. The review is conducted by IPv6 subject matter experts identified by the IPv6 Forum.

Course objectives: The IPv6 Security Course provides the students with the knowledge needed to understand the IPv6-specific aspects of IT security, the security implications of enabling IPv6 in the environment and the operational aspects of managing, from a security perspective, an IT environment during the transition to IPv6. It is important for the course to not limit the content to network security but cover multiple aspects of securing an IPv6 enabled IT environment. The course will provide the current best practices in implementing and operating a complete IPv6 security lifecycle.

Course audience and recommended prerequisites: This course is targeted to IT security architects, design and operations engineers, IT infrastructure architects, design and operations engineers, IT professional services engineers, application developers and security compliance and governance professionals who want to get an in-depth understanding of IPv6 security.

For an effective learning experience it is recommended that participants are familiar with IPv6 technology at least at the level of IPv6 Forum Silver Engineer certification (or better). It is recommended that participants are familiar with the fundamental concepts of IT security.

Knowledge acquired by the student when completing the course: IT security in general and IPv6 security in particular are vast topics. To meet the IPv6 Forum Gold certification requirements the IPv6 Security course must at a minimum ensure that the following knowledge is acquired by the students:

· Scope of IPv6 Security in IT environment (from network to applications and from processes to policies and governance)

· IPv6 protocol architecture specific elements that impact or benefit IT security

· Vulnerabilities that are IP version independent and their mitigation

· Vulnerabilities that are IPv6 specific and their mitigation

· Methods for performing IPv6 security assessment of an IT environment

· Current IPv6 security best practices

· Development and implementation of security policies

· Key IPv6 considerations for IT security products (security control, security data collection, security information and event management, vulnerability and patch management) and requirements with respect to industry standards such as IPv6 Ready Logo, USG/NIST and RIPE501.

The key concepts are covered in a vendor independent context to avoid vendor specific implementation or support constraints.

Hands on skills acquired by the student when completing the course: Along with the knowledge provided through coursework, the Gold level IPv6 Security Course must help the student develop the following minimum set of practical skills:

· Capturing malformed IPv6 packets and identifying various threat vectors

· Observe IPv6 based reconnaissance techniques and mitigate against them

· Defining and implementing best practice policies for ICMPv6

· Observe and mitigate ICMPv6 DDoS attacks

· Updating security control (ACLs, policies, etc.) for IPv6 on various infrastructure equipment (switches, routers, appliances)

· Observe and mitigate first hop security threats (RA protection, ND protection, etc.)

· Implement control plane (routing protocol) protection mechanisms

· Observe and mitigate security threats introduced by transition mechanisms (6to4, Teredo, 6PE, 6VPE, DS-Lite)

· Securing IPv6 hosts

· Configure IPsec for IPv6

The key concepts are covered in a vendor independent context to avoid vendor specific implementation or support constraints. The student should get hands on experience with commonly used security/hacker IPv6 tools. Labs should cover both transition and steady state scenarios.

Checklist of topics that must be covered by the course to qualify for Gold certification: The following topics must be covered in the Gold IPv6 Security course. For each topic, the material must cover the risk analysis, risk mitigation and best practices:

· Myths and realities regarding IPv6 security

· Security implications of IPv6 addressing architecture

- Address and prefix size allocations

- Address scoping

- Privacy and Temporary Addresses

- Cryptographically Generated Addresses

- Special and Reserved addresses

· Security implications of IPv6 packet format

- Main header format

- Extension headers

· IPv6 and lower layer security mechanisms

- 802.1x

- Layer 2 controls

· First Hop security for IPv6

- Neighbor Discovery (Protect ND State machine, SeND)

- Router Discovery (Protect ND State machine, RA-Guard)

- MLD Snooping

· Securing IPv6 provisioning mechanisms

- Stateless Address Autoconfiguration

- DHCPv6 (Stateless, Stateful, PD)

· Securing DNS

· Securing IPv6 Routing Protocols

· Securing IPv6 transport over MPLS networks

· Securing multicast for IPv6

· Securing IPv6 Transition Mechanisms

· Security considerations for dual-stacked hosts

· Security considerations for a virtualized compute infrastructure supporting IPv6

· IPv6 security considerations for applications

· Overview of IPv6 support in security products (FW, IPS, etc.)

· IPv6 security assessment considerations

· Defining IPv6 security policies

· Implementing and managing IPv6 security policies

· IPv6 security hardening of infrastructure

· IPv6 forensics

It is expected but not required that the Gold IPv6 Security courses will start with an IPv6 essentials refresher.

2. Requirements for the Gold IPv6 Security Course Trainer certification

The IPv6 Security Course Trainer qualifies for the IPv6 Forum Gold certification if she meets the following requirements:

· Holds the Gold IPv6 Engineer certification

· Holds the Gold IPv6 Trainer certification

· Holds the Gold IPv6 Security Engineer certification

· Has been trained and evaluated by an IPv6 Forum approved Gold Certified IPv6 Security Trainer

· Successfully delivered at least one Gold Certified IPv6 Security Course under the observation of a Gold Certified IPv6 Security Trainer

No other industry certification is equivalent to the Gold IPv6 Security Trainer certification or can be used in lieu of the IPv6 Security Trainer Certification Process.

The IPv6 Forum policies on certification reciprocity applied to the Gold IPv6 Engineer certification remain in effect.

3. Requirements for the Gold IPv6 Security Engineer certification

An engineer qualifies for the IPv6 Forum Gold IPv6 Security certification if she meets the following requirements:

· Holds an active Gold IPv6 Engineer certification

· Successfully completes the IPv6 Forum Security certification exam administered by an IPv6 Forum authorised testing organisation. The passing score is 75% or higher.

No other industry certification is equivalent to the Gold IPv6 Security engineer certification or can be used in lieu of the IPv6 security certification exam. The IPv6 Forum policies on certification reciprocity applied to the Gold IPv6 engineer certification remain in effect.

4. Lifecycle of IPv6 Security Course, Trainer and Engineer certification

IPv6 is a live protocol, constantly evolving through the standardisation process and constantly improving from a deployment knowledge perspective based on the lessons learned by adopting organisations. Security is an area of the protocol likely to see a very steep change curve. To keep up with the changes, this specialty certification must be renewed every two years for the IPv6 Security Course, IPv6 Security Trainer and IPv6 Security Engineer:

· The IPv6 Security Course recertification consists of content review by the IPv6 Forum designated SMEs

· The IPv6 Security Trainer recertification consists of passing the Gold IPv6 Security Engineer recertification at instructor level

· The IPv6 Security Engineer recertification consists of passing the Gold IPv6 Security Engineer certification written test.

A one year grace period is granted for recertification. During this period the certification is classified: Inactive. If three or more years have elapsed since the last recertification, the certification is classified: Retired.

IPv6 can waive the recertification requirement at its discretion under special circumstances.


5. Procedure to obtain the v6 Education Logo

1.7. General

The IPv6 Forum will verify the applications in terms of source, credibility and usefulness and will monitor the certification process over time, making sure the quality is maintained and that recertification is requested when needed.

1.8. Procedure to obtain the v6 Education Logo

The process for obtaining the IPv6 Education Logo is as follows:

1. Download the IPv6 Education validation specifications from the IPv6 Education Logo web site: http://www.ipv6forum.com/ipv6_Education/. Fill out the application form online and complete the IPv6 Education Logo Usage Agreement. Press the "apply button" to show your intention of agreement.

2. The applicant should also pass the WWW Logo outlined in chapter 5.

6. IPv6 WWW Logo Program

1.9. General

WWW is one of the most widely used applications of the Internet at present. IPv6 Education websites have already appeared. The objective of the v6eLogo_WWW program is to encourage adoption of IPv6 by helping web site owners to test and check their proper IPv6 enablement. It is, however, a prerequisite for the Education certification logo application.

1.10. Definition - Requirements of IPv6 Education website

The following are the technical requirements that an IPv6 Education web site must satisfy to obtain the logo.

(1) IPv6 Resolving Ability

An IPv6 Education website must have (a) a global IP address and (b) an AAAA resource record in the global domain name system (DNS).

[Note] The Domain Name System (DNS) provides an essential service on the Internet, mapping structured names to a variety of data, typically IP addresses. DNS support for hosts running IP version 6 (IPv6) is defined in RFC 3596. The AAAA resource record is defined to translate a domain name to an IPv6 address. An AAAA query for a specified domain name in the Internet class returns all associated AAAA resource records in the answer section of a response.

(2) IPv6 HTTP Access Ability

An IPv6 Education website must be able to provide IPv6 access for visitors to the site via the HTTP protocol.

1.11. Definition - Specification of Checking/Validating IPv6 WWW Site Connectivity

The following technical specification defines how the v6eSG checks and validates the applied IPv6 Education website on receipt of an application from the applicant.

1.11.1. IPv6 DNS Resolving Ability

The script implemented in the checking/validating server(s) at the v6eSG will perform the following task to validate IPv6 DNS resolving ability:

· Try to resolve the domain name through 5 different DNS servers, querying each server 5 times. If the DNS resolving result contains an AAAA record, that resolution is counted as a success. The success rate of getting a resolving result with an AAAA record is formulated as follows:

DNS SR = x/25 * 100% (1)

DNS SR in formula (1) is short for DNS resolving successful rate.

The parameter x indicates how many times the IPv6 DNS resolution succeeded, and "25" is the total number of DNS resolving tests.

DNS SR is the first requirement for obtaining the IPv6 Education WWW Logo.

1.11.2. IPv6 HTTP Access Ability

The script implemented in the checking/validating server(s) at the v6eSG will perform the following task to validate IPv6 HTTP access ability:

· Send an HTTP request to the website 5 times and record the number of successful responses. The success rate of HTTP access is formulated as follows:

HTTP SR = y/5 * 100% (2)

HTTP SR in formula (2) is short for HTTP accessing successful rate.

The parameter y in formula (2) indicates the number of successful HTTP accesses.

HTTP SR is the second requirement for obtaining the IPv6 Education WWW Logo.

1.11.3. IPv6 WWW Maintenance Ability

The following statistics are maintained automatically for v6eLogo_WWW website recipients.

· Daily Reach (DR) is defined as the count of unique IPv6 visitor addresses each day.

Note: Each unique IPv6 address counts as one, regardless of how many times that address attempted to reach the website that day.

· Weekly Reach (WR) is defined as the count of unique IPv6 visitor addresses each week.

1.11.4. Required quality of IPv6 Education website for validation

1.11.4.1. Primary Test

Two primary test cases have been designed for the validation of the (1) IPv6 DNS resolving ability and the (2) IPv6 HTTP ability for a website.

The applied website should meet the requirements listed in the table below. The DNS SR should be above 60%, and HTTP SR should be above 20%.

Table: Requirements for primary test

DNS SR     >=60%
HTTP SR    >=20%

1.11.4.2. Maintenance Test

To check the maintenance ability of a v6eLogo_WWW website, the maintenance test will be automatically run by v6eSG.

The maintenance ability should meet the requirements listed in the table below. The DNS SR should be above 60%, and HTTP SR should be above 20%, on a minimum of 4 days each week.

Table: Requirements for maintenance test

Condition        Value
DNS SR >=60%     >=4 days/week
HTTP SR >=20%    >=4 days/week

1.12. Procedure to obtain the v6eLogo_WWW

The process for obtaining the IPv6 Education WWW Logo Basic level is as follows:

1. Download the IPv6 Education WWW validation specifications from the IPv6 Education Logo web site: http://www.ipv6forum.com/ipv6_enabled/

2. Fill out the application form online and complete the IPv6 Education Logo Usage Agreement. Press the "apply button" to show your intention of agreement. The URL you put in the application form is limited to the hostname of your web server.

3. Once the web site owner’s application is validated by the v6eSG, the primary test, as defined in 4.3.4.1, will begin.

· Primary test cases check the (1) IPv6 DNS resolving ability and the (2) IPv6 HTTP ability for the website.

4. 30 minutes later, if the two primary test cases are passed, the web site owner receives a Dynamic logo, as defined in 4.6, with a script to be inserted in the web site source file.

· The ability to insert this script in the web site source code validates the ownership of the web site by the applicant.

· The script checks the validity and IPv6 reachability of the web site.

The dynamic logo script records the access time of each IPv6 visitor to the web site, and the last access time can be shown on the Validated List. No confidential data is kept.

5. Once the script has run successfully once, the web site owner will receive an Image Logo with a unique serial number, as defined in 4.5, and the web site will be listed on the IPv6 Education WWW Web Sites list.

· Public information such as the web site’s URL, logo ID, tags and the last access time of the site’s IPv6 visitor will be shown.

· Important – If the web site owner does not want to allow the Maintenance test to be run, the dynamic logo can now be removed. Note however that the web site status will be UNKNOWN.

6. The maintenance test, as defined in 4.3.4.2, is executed periodically to check the persistence of the IPv6 service of a v6eLogo_WWW website.

· To pass the maintenance test, the DNS SR should be above 60%, and HTTP SR should be above 20%, on a minimum of 4 days each week.

· If a v6eLogo_WWW website cannot meet the maintenance test for a continuous period of 6 weeks, the web site will be logged as Service-out on the IPv6 Forum IPv6 Education certification web page.

Please note: The Service-out status can be due to problems on the v6eLogo_WWW web site or due to technical problem at some intermediate node/network between the v6eLogo_WWW and the testing server(s) run by the v6eSG.
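The scoring rules of formulas (1) and (2), the primary and maintenance thresholds, and the six-week Service-out rule can be expressed as follows. This is an added example, not the v6eSG's own script (which this document does not include). It works on constructed per-day hit counts rather than live probes; the names `DayResult`, `week_passes` and `listing_status` are hypothetical, the `>=` thresholds of the requirement tables are used, and it assumes that a single passing week restores Service-in.

```python
from dataclasses import dataclass

DNS_PROBES = 25        # 5 DNS servers x 5 queries each
HTTP_PROBES = 5        # 5 HTTP requests
DNS_SR_MIN = 60        # percent, ">=" as in the requirement tables
HTTP_SR_MIN = 20       # percent
MIN_PASS_DAYS = 4      # passing days needed per week
SERVICE_OUT_WEEKS = 6  # continuous failed weeks before Service-out


@dataclass(frozen=True)
class DayResult:
    aaaa_hits: int  # x: DNS answers that contained an AAAA record
    http_hits: int  # y: HTTP requests answered successfully

    def __post_init__(self):
        if not (0 <= self.aaaa_hits <= DNS_PROBES
                and 0 <= self.http_hits <= HTTP_PROBES):
            raise ValueError("hit count outside the number of probes")

    @property
    def dns_sr(self):   # formula (1): x/25 * 100%
        return 100 * self.aaaa_hits / DNS_PROBES

    @property
    def http_sr(self):  # formula (2): y/5 * 100%
        return 100 * self.http_hits / HTTP_PROBES

    def passes(self):
        return self.dns_sr >= DNS_SR_MIN and self.http_sr >= HTTP_SR_MIN


def week_passes(days):
    """A week passes when at least 4 of its days meet both thresholds."""
    return sum(day.passes() for day in days) >= MIN_PASS_DAYS


def listing_status(weeks):
    """Walk weekly results in order; 6 failed weeks in a row give Service-out."""
    failed_run, status = 0, "Service-in"
    for days in weeks:
        if week_passes(days):
            # Assumption: one passing week restores Service-in.
            failed_run, status = 0, "Service-in"
        else:
            failed_run += 1
            if failed_run >= SERVICE_OUT_WEEKS:
                status = "Service-out"
    return status


# Constructed sample data: a borderline day and a day with no AAAA answers.
BORDERLINE = DayResult(aaaa_hits=15, http_hits=1)   # 60% / 20%
NO_AAAA = DayResult(aaaa_hits=0, http_hits=5)       # 0% / 100%
GOOD_WEEK = [BORDERLINE] * 4 + [NO_AAAA] * 3
BAD_WEEK = [BORDERLINE] * 3 + [NO_AAAA] * 4
```

A site that answers HTTP on every request but loses its AAAA record still fails the day, because both thresholds must hold together.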

Figure: Flowchart of the v6eLogo_WWW procedure. Steps shown: Apply (1); Info check (2), with pass, or fail with error message and retry; Primary test (3), with pass, or fail with test result and retry; Get image logo and collect test result (4); Status Service-In (5); Maintenance test (6), with pass, or fail followed by a "Weeks < 6" check (Y/N); Status Service-Out.

1.13. Image logo

Figure: Image logo

The image logo is authorized to the applicant when the web site has passed the primary test.

The serial number XX-YY-ZZZZZZZZ is unique.

XX indicates the certification level, YY marks the region or country, and ZZZZZZZZ is an ID number beginning from 00000001.

1.14. Dynamic logo

When the applicant successfully passes the primary test as defined in 4.3.4.1, the v6eSG generates the corresponding Dynamic logo with a tiny embedded JavaScript.

The Dynamic logo is registered to the applicant’s URL and cannot be used to obtain v6eLogo_WWW for any other web site.

The script works as follows:

The script first checks its validity by searching for the logo ID of this script in the IPv6 Education Program’s database, and then validates that the URL of this page matches this ID.

If a match is found, the script records DNS SR and HTTP SR. No confidential data is recorded.

>>>>>> Code of script to be inserted here

There are two styles of dynamic logo for applicant to choose from: classic style and mini style.

Figure: v6eLogo Classic style


Figure: v6eLogo Mini style

The status shown in the dynamic logo is as follows:

1) Testing: Primary test for IPv6 accessing is in progress.

2) Service-in: Primary test is successful and last-week maintenance test is successful or in progress.

3) Service-out: Primary test is successful and last-week maintenance test has failed.

Please note: The Service-out status can be due to problems on the v6eLogo_WWW web site or due to technical problem at some intermediate node/network between the v6eLogo_WWW and the testing server(s) run by the v6eSG.

4) Unknown: The script has been disabled. Maintenance test cannot be run due to web site owner policy.

Note: If nothing happens after you add the script to your website, please check whether the current URL matches the validated v6eLogo_WWW URL.

Note: Only after the first IPv6 web user browses this page will the dynamic logo display the status "Service-in" for the v6eLogo Classic style or "IPv6-On" for the v6eLogo Mini style.

7. Terminology

· IPv6 Forum: The IPv6 Forum, a world-wide consortium with a key focus on providing technical guidance for the deployment of IPv6, launched a single world-wide IPv6 Ready Logo Program (conformance and interoperability testing).

· IPv6 Ready Logo Program: The IPv6 Forum IPv6 Ready Logo Program provides conformance and interoperability test specifications based on open standards to support IPv6 deployment across the globe.

· IPv6 Ready Logo Committee (v6LC): To manage the IPv6 Ready Logo Program.

· IPv6 Ready Logo Regional Officer: To authorize third parties that successfully pass the IPv6 tests to use the IPv6 Ready Logo.

· IPv6 Education Logo Program: The IPv6 Forum IPv6 Education Logo Program objective is to encourage and accelerate deployment and adoption of IPv6 by web site owners and service providers.

· IPv6 Education WWW Logo (v6eLogo_WWW) Program: Sub-program of the IPv6 Education Logo program, applicable to web sites.

· IPv6 Education ISP Logo (v6eLogo_ISP) Program: Sub-program of the IPv6 Education Logo program, applicable to service providers.

· IPv6 Education Steering Committee (v6eSG): To manage the IPv6 Education Logo Program.

· IPv6 Education websites: Web sites that are accessible via IPv6.

· v6eLogo_WWW: IPv6 Education WWW Logo

· v6eLogo_ISP: IPv6 Education ISP Logo

· WWW: World Wide Web

· ISP: Internet Service Provider

· DNS: Domain Name System

· DNS SR: DNS resolving successful rate

· HTTP: Hypertext Transfer Protocol

· HTTP SR: HTTP accessing successful rate


8. Future Programs

7.1 IPv6 Forum Certified Programmer

Write and Implement IPv6-capable Applications in a Mixed Network Environment and port existing network applications to support IPv6.

You will learn to:

• Understand the benefits of making applications IPv6-capable.

• Perform IPv6 socket programming.

• Rewrite client and server applications to be IPv6 compatible.

• Use IPv6 porting tools.

• Parse and map IPv6 addresses.

* Note: The programming language used in this course will be C/C++ as it is the most widely used language. Nevertheless, the approach and concepts can easily be adapted to other languages.

7.1.1 PREREQUISITES

A good knowledge of general networking concepts is imperative. Certified IPv6 Network Engineer (CNE6) Level 1 is necessary. In addition, network programming background is an added advantage. Nevertheless, some programming experience is compulsory.

7.1.2 COURSE OUTLINE

· IPv6 Refresher (I have removed Module 1, 2 and 3 and replaced with this. Rationale: The participants should already have background knowledge on IP and IPv6. If they don’t, then we will be spending too much on the intro itself)

· Application Transition Scenarios and Programming Aspects

· Programming Areas that Need to be Addressed

· Data Structure

· Function Calls

· Use of Hardcoded IPv4 Address

· User Interface Issues

· Underlying Protocols

· IPv6 Porting Tools

· Tools and Resources for Porting

· Using Checkv4 tool for C/C++

o Application Modification Process

· Basic Socket Programming

· Basic Socket Interface Extension for IPv6

· Socket Interface

· IPv6 Address Family and Protocol Family

· IPv6 Address Structure

· Interface Identification

· Name to Address

· Address to Name

· Socket Options

· IP version-independent Applications

· Functions to Create IP Version-independent Applications

· API Modifications

· Winsock API

· Changes to API

· Module 9. Advanced Socket Interface Extensions for IPv6

· The ip6_hdr Structure

· The ICMPv6 Header Structure

· IPv6 Raw Socket

· Access to IPv6 and Extension Headers

IPv6 Based Applications

· Examples of IPv6 Applications Used Worldwide

· Network Security & IPV6

All Rights Reserved. Copyright (C) 2010-2011

The IPv6 Forum

No part of the documentation may be reproduced for any purpose without prior permission.
