Softwires Hub & Spoke with L2TP

Total Page:16

File Type:pdf, Size:1020Kb

Maria Alice Dos Santos, Cisco
Bill Storer, Cisco

Satisfying Softwires Requirements with L2TP
• There are 2 versions of L2TP:
  – L2TPv2 (RFC 2661)
  – L2TPv3 (RFC 3931)
• Both versions can satisfy the Softwires requirements with some changes
  – For L2TPv2 the changes are very small
  – For L2TPv3 the changes are larger but provide extra function

L2TP and NAT
• L2TP supports UDP encapsulation
  – For L2TPv2, UDP encapsulation is mandatory
  – For L2TPv3, UDP encapsulation is optional
• UDP encapsulation allows simple traversal of NAT

L2TP and Security
• L2TP supports tunnel authentication
  – Can authenticate the host initiating the tunnel
• L2TP supports PPP encapsulation
  – Can authenticate the PPP user within the tunnel
• L2TPv3 offers data channel security against malicious data insertion by requiring transmission and validation of a variable-length cookie by the peers

L2TP and Management
• L2TP provides a tunnel keepalive mechanism
• L2TPv2 has accounting and MIB support
  – RADIUS Accounting extension for tunnels (RFC 2867)
  – L2TPv2 MIB (RFC 3371)
• L2TPv3 has VCCV support
  – Provides diagnostic and fault detection capabilities at the session level
  – draft-ietf-pwe3-vccv-07

L2TP and Multicast
• PIM or IGMP messages pass through the L2TP tunnel transparently
• At the Hub router, each spoke appears as a PPP connection
• The multicast environment here is identical to that of an edge router terminating large numbers of PPP connections

L2TP and IPsec
• RFC 3193 – Securing L2TP using IPsec
• RFC 3948 – UDP Encapsulation of IPsec ESP Packets
• ESP must be supported
• Transport mode must be supported
A typical L2TP/IPsec frame is as follows:
  IP | ESP header | UDP | L2TP | PPP | ESP trailer | Auth trailer

L2TP and Scalability
• L2TPv2 is widely used to provide large-scale IPv4 services today
  – Case in point: NTT
• Routers currently support high-volume L2TPv2
  – Tens of thousands of concurrent L2TPv2 sessions
  – Call setup rates in the hundreds per second
• L2TPv3 can be more efficient than L2TPv2

L2TP as Softwire Standard
• L2TPv2 meets IPv6 over IPv4 softwires requirements today
• L2TPv2 is currently used in multiple IPv6 over IPv4 solutions
• L2TPv2 (RFC 2661) is 99% ready for the IPv4 over IPv6 solution
• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
• L2TPv3 is not far from meeting all softwires requirements
• L2TPv3 (RFC3991) automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3

L2TPv2 as the Immediate Solution
• L2TPv2 is currently used in several IPv6 over IPv4 deployments
• Implementations of key components are readily available:
  – LNSes supporting L2TPv2 acting as tunnel terminator, with IPv6 over PPP (IPv6CP) and DHCPv6 server or proxy capabilities
  – Standalone DHCPv6 server
  – RADIUS support for IPv6 prefix delegation attributes
  – CPEs or home routers supporting L2TPv2, IPv6 over PPP (IPv6CP) and DHCPv6 client capabilities
  – Windows (i.e. Longhorn) supporting IPv6 over PPP and L2TPv2 over IPsec is becoming available in the near future
• Support for IPv4 over IPv6 with L2TPv2 requires the addition of IPv6 transport support to L2TPv2 (a minor extension to RFC 2661). Besides that, IPv4 over PPP over L2TPv2 over IPv6 will work as in today's L2TPv2 over IPv4 solutions

IPv6 over IPv4 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
[Diagram: LNS (IPv4) ↔ Dual AF CPE ↔ hosts. Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4. IPv6CP capable of /64 interface ID assignment or uniqueness check. ISP to Dual AF CPE (PD and Auto-Config): DHCPv6 PD /48 prefix, RA /64 prefix, DNS, etc. Dual AF CPE to hosts (Auto-Config): RA /64 prefixes, DHCPv4/v6, DNS, etc.]

IPv6 over IPv4 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS ↔ IPv4 CPE ↔ Dual AF Router ↔ hosts. Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4. IPv6CP capable of /64 interface ID assignment or uniqueness check. ISP to Dual AF Router (PD and Auto-Config): DHCPv6 PD /48 prefix, RA /64 prefix, DNS, etc. Dual AF Router to hosts (Auto-Config): RA /64 prefixes, DHCPv4/v6, DNS, etc.]

IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
[Diagram: LNS ↔ IPv4 CPE ↔ Dual AF Host. Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4. IPv6CP capable of /64 interface ID assignment or uniqueness check. ISP to Dual AF Host (Auto-Config): RA /64 prefix, DHCPv4/v6, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
[Diagram: LNS (IPv6) ↔ Dual AF CPE ↔ hosts. Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6. ISP to Dual AF CPE (IP Assignment and Auto-Config): IPCP assigns global IPv4 address, DNS, etc. Dual AF CPE to hosts (IP Assignment and Auto-Config): private IPv4, DHCP addresses, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS ↔ IPv6 CPE ↔ Dual AF Router ↔ hosts. Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6. ISP to Dual AF Router (IP Assignment and Auto-Config): IPCP assigns global IPv4 address, DNS, etc. Dual AF Router to hosts (IP Assignment and Auto-Config): private IPv4, DHCP addresses, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
[Diagram: LNS ↔ IPv6 CPE ↔ Dual AF Host. Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6. ISP to Dual AF Host (IP Assignment and Auto-Config): IPCP assigns global IPv4 address, DNS, etc.]

IPv6 o L2TPv2 o IPv4 Today
• NTT
  – http://www.ntt.com/release_e/news05/0011/1121.html
  – http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
• Point6
  – draft-toutain-softwire-point6box-00
• Cisco
  – http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html

Why move to L2TPv3?
• Cons of L2TPv2 as compared to L2TPv3:
  – Weaker tunnel authentication mechanism, which validates only the header portion of the control messages and covers only the SCCRQ, SCCRP and SCCCN message types
  – No built-in data channel security; must be bundled with IPsec to achieve security
  – 16-bit session IDs as compared to L2TPv3's 32-bit session IDs

Why move to L2TPv3? (Cont.)
Cons of L2TPv2 as compared to L2TPv3:
  – Tunnel/session setup latency. L2TP: SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN; then PPP LCP, PPP CHAP (per-user authentication is optional), IPCP. Since L2TPv3 offers the option to tunnel IP frames directly without PPP, using L2TPv3 can eliminate the PPP overhead

Why move to L2TPv3? (Cont.)
Cons of L2TPv2 as compared to L2TPv3:
• L2TPv2 data encapsulation
  – PPP over L2TPv2 over UDP: 20 bytes (sequencing disabled, length field present)
    IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Len (opt) | Tunnel Id | Session Id | PPP PId & 0xFF03 | Payload
• L2TPv3 allows further encapsulation optimization by offering the option to run over IP (instead of mandating UDP) and to tunnel IP frames without PPP

L2TPv3 for the Future
[Figure: L2TPv3 encapsulation – IPv4 or IPv6 header | UDP + L2TP Version (optional) | Session ID (32 bits) | Cookie (up to 64 bits, optional) | payload. Payload types: PPP, HDLC, Frame Relay, Ethernet, ATM (cell payload or packet), MPLS, IP]

L2TPv3 as Next Phase Softwires Solution: PPP over L2TPv3
• L2TPv3 can provide the same softwires solution as described with PPP over L2TPv2
• Support for PPP tunneling for L2TPv3
  – draft-ietf-l2tpext-l2tp-ppp-03.txt

L2TPv3 as Next Phase Softwires Solution: IP over L2TPv3
• L2TPv3 also offers a more optimal softwires solution with its capability to directly tunnel IP frames
• IP Pseudowire support:
  – draft-ietf-l2tpext-pwe3-ip-01
• The IP Pseudowire Type has the following advantages
  – Not necessary to negotiate PPP at session initiation
  – Not necessary to include PPP encap in data
• Authentication is available at the tunnel level
  – Implies one session per tunnel
• New AVPs to provide basic IPCP / IPv6CP address assignment services are required

L2TPv3 (RFC 3931) Advantages: Encap Optimization (sequencing disabled in all three cases)
  Encapsulation            Without optional cookie   With optional cookie   Header stack
  PPP over L2TPv3 over UDP 18 bytes                  26 bytes               IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | PPP Pld | Payload
  IP over L2TPv3 over UDP  16 bytes                  24 bytes               IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | Payload
  IP over L2TPv3 over IP    4 bytes                  12 bytes               IPv4 / IPv6 | Session Id | Cookie (opt. to 8 bytes) | Payload

IPv6 over IPv4 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
[Diagram: LNS (IPv4) ↔ Dual AF CPE ↔ hosts. Encapsulation: IPv6 payload o L2TPv3 o IPv4. /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs. ISP to Dual AF CPE (PD and Auto-Config): DHCPv6 PD /48 prefix, RA /64 prefix, DNS, etc. Dual AF CPE to hosts (Auto-Config): RA /64 prefixes, DHCP, DNS, etc.]

IPv6 over IPv4 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS ↔ IPv4 CPE ↔ Dual AF Router ↔ hosts. Encapsulation: IPv6 payload o L2TPv3 o UDP o IPv4. /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs. ISP to Dual AF Router (PD and Auto-Config): DHCPv6 PD /48 prefix, RA /64 prefix, DNS, etc. Dual AF Router to hosts (Auto-Config): RA /64 prefixes, DHCP, DNS, etc.]

IPv6 over IPv4 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator
[Diagram: LNS ↔ IPv4 CPE ↔ Dual AF Host. Encapsulation: IPv6 payload o L2TPv3 o UDP o IPv4. /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs. ISP to Dual AF Host (Auto-Config): RA /64 prefix, DHCPv4/v6, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
[Diagram: LNS (IPv6) ↔ Dual AF CPE ↔ hosts. Encapsulation: IPv4 payload o L2TPv3 o IPv6. ISP to Dual AF CPE (IP Assignment and Auto-Config): IPv4 address assignment and DNS via new L2TPv3 AVPs. Dual AF CPE to hosts (IP Assignment and Auto-Config): private IPv4, DHCP addresses, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS ↔ IPv6 CPE ↔ Dual AF Router ↔ hosts. Encapsulation: IPv4 payload o L2TPv3 o IPv6. ISP to Dual AF Router (IP Assignment and Auto-Config): IPv4 address assignment and DNS via new L2TPv3 AVPs. Dual AF Router to hosts (IP Assignment and Auto-Config): private IPv4, DHCP addresses, DNS, etc.]
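As an added worked example (not part of the slides and not Cisco code), the two data-channel header layouts compared above in Python: it builds and parses the PPP-over-L2TPv2 data header, builds the L2TPv3 session header with its optional cookie, shows the receive-side demux that drops a frame whose cookie does not match the session (the "malicious data insertion" protection the deck credits to L2TPv3), and reproduces the overhead figures. The session ID and cookie values are constructed, and counting PPP over L2TPv3 as a bare 2-byte protocol ID is an assumption made to match the 18-byte figure.

```python
import hmac
import struct

UDP_HDR = 8                  # UDP header, counted when the tunnel runs over UDP
PPP_ADDR_CTRL = b"\xff\x03"  # HDLC address/control bytes in front of PPP over L2TPv2
PPP_PID_IPV6 = 0x0057        # PPP protocol ID for IPv6 (IPv4 would be 0x0021)


def build_l2tpv2_data(tunnel_id, session_id, ppp_pid, payload):
    """PPP-over-L2TPv2 data message (RFC 2661), sequencing off, Length present.
    Flags&Ver = L bit (0x4000) | Ver 2; Length counts the whole L2TP message."""
    tail = (struct.pack("!HH", tunnel_id, session_id) + PPP_ADDR_CTRL
            + struct.pack("!H", ppp_pid) + payload)
    return struct.pack("!HH", 0x4002, 4 + len(tail)) + tail


def parse_l2tpv2_data(msg):
    """Return (tunnel_id, session_id, ppp_pid, payload) or None if malformed.
    L2TPv2 carries no per-session secret: the only thing a receiver can
    check on the data channel is that the 16-bit IDs name a live session."""
    if len(msg) < 12:
        return None
    flags, length, tid, sid = struct.unpack("!HHHH", msg[:8])
    if (flags & 0x000F) != 2 or flags & 0x8000 or not flags & 0x4000:
        return None                      # not a v2 data message with Length
    if length != len(msg) or msg[8:10] != PPP_ADDR_CTRL:
        return None
    return tid, sid, struct.unpack("!H", msg[10:12])[0], msg[12:]


def build_l2tpv3_data(session_id, payload, cookie=b"", over_udp=False):
    """L2TPv3 data message (RFC 3931): 32-bit Session ID then an optional
    4- or 8-byte cookie.  Over UDP a 4-byte Flags&Ver(=3)/Reserved word
    precedes the Session ID; over IP the Session ID comes first."""
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 octets")
    hdr = struct.pack("!I", session_id) + cookie
    if over_udp:
        hdr = struct.pack("!HH", 0x0003, 0) + hdr
    return hdr + payload


def demux_l2tpv3(msg, sessions, over_udp=False):
    """Receive-side demux.  `sessions` maps Session ID -> cookie agreed at
    session setup.  A frame is dropped unless the Session ID is known AND
    the cookie matches (constant-time compare): this is the data-channel
    protection against blind insertion the slides credit to L2TPv3."""
    off = 0
    if over_udp:
        if len(msg) < 4 or msg[0] & 0x80 or (msg[1] & 0x0F) != 3:
            return None                  # control message or wrong version
        off = 4
    if len(msg) < off + 4:
        return None
    sid = struct.unpack("!I", msg[off:off + 4])[0]
    cookie = sessions.get(sid)
    if cookie is None:
        return None
    end = off + 4 + len(cookie)
    if len(msg) < end or not hmac.compare_digest(msg[off + 4:end], cookie):
        return None
    return sid, msg[end:]


def encap_overhead(version, over_udp, with_ppp, cookie_len=0):
    """Bytes between the outer IP header and the tunnelled packet with
    sequencing disabled, reproducing the slide figures (20; 18/16/4; 26/24/12).
    Assumption not stated on the slides: PPP over L2TPv3 is counted as a
    bare 2-byte protocol ID, which is what the 18-byte figure implies."""
    if version == 2:   # UDP + Flags&Ver + Len + Tunnel Id + Session Id + FF03 + PID
        return UDP_HDR + 2 + 2 + 2 + 2 + len(PPP_ADDR_CTRL) + 2
    over = (UDP_HDR + 4 if over_udp else 0) + 4 + cookie_len
    return over + (2 if with_ppp else 0)


if __name__ == "__main__":
    # Constructed sample values; a real LNS fills the session table from the
    # control-channel session setup (ICRQ/ICRP/ICCN).
    sessions = {0x0000ABCD: bytes.fromhex("0011223344556677")}
    frame = build_l2tpv3_data(0x0000ABCD, b"IPv6 packet", sessions[0x0000ABCD])
    print("genuine frame ->", demux_l2tpv3(frame, sessions))
    forged = build_l2tpv3_data(0x0000ABCD, b"IPv6 packet", bytes(8))
    print("wrong cookie  ->", demux_l2tpv3(forged, sessions))
    print("PPP/L2TPv2/UDP :", encap_overhead(2, True, True), "bytes")
    for label, args in [("PPP/L2TPv3/UDP", (3, True, True)),
                        ("IP/L2TPv3/UDP ", (3, True, False)),
                        ("IP/L2TPv3/IP  ", (3, False, False))]:
        print(label, ":", encap_overhead(*args), "/", encap_overhead(*args, 8),
              "bytes (no cookie / 8-byte cookie)")
```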