Designing and Deploying a Secure IPv6 Network

Timothy Martin (@bckcntryskr), Robert Barton (@MrRobbarto), Eric Vyncke (@evyncke)

TECIP6-2001

Questions? Use Cisco Webex Teams to chat with the speaker after the session: find this session in the Cisco Events Mobile App, click "Join the Discussion", install Webex Teams or go directly to the team space, and enter messages/questions there.

TECRST-2001 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• IPv6 Design Considerations

• IPv6 Protocols

• IPv6 Translation Technologies

• IPv6 in IoT, A case study

• Securing the IPv6 Perimeter

• Conclusion

IPv6 Design Considerations

Tim Martin, Solutions Specialist, @bckcntryskr

Hardening IPv6 Management Plane

• SSH, SNMPv3, Syslog, NTP, NetFlow v9
• Disable HTTP/HTTPS access if not needed
• RADIUS over IPv6
• IPv6 access-class for SSH VTY access
• Important: harden the management plane before enabling IPv6 routing

ipv6 access-list V6ACCESS
 permit ipv6 2001:db8:10:10::1/128 any
 deny ipv6 any any log-input
!
line vty 0 4
 ipv6 access-class V6ACCESS in
 transport input ssh

The explicit deny with log-input records the source address and ingress interface of every rejected VTY attempt; without it the implicit deny drops them silently.

Routing Protocol Considerations

• Enable IPv6 routing
  • ipv6 unicast-routing (IOS)
  • no switchport (IOS-XE, on ports that should route)
• IPv6 next hop
  • Link-local addresses
  • A global address on the interface is not required
• Topology and alignment with existing routing protocols
• Router ID
  • Unique 32-bit number identifier

(figure: Management, Routing, Switching, Services)

Routing Design Considerations

• Single router, single circuit: take a default route from the provider
  ipv6 route ::/0 gigabitethernet0/1
• Dual router, private circuit: use the stub command of the IGP
  ipv6 router eigrp 123
   eigrp stub
  !
  ipv6 router ospf 1
   router-id 3.3.3.3
   area 2 stub
• Dual router, BGP circuit to the provider
  • Do you need to accept the full table? Memory, processing, capital...
  • Take the default from the provider
  • Bidirectional Forwarding Detection (BFD) for fast fail-over
  interface FastEthernet0/1
   ipv6 address 2001:db8:46:67::a/127
   bfd interval 222 min_rx 222 multiplier 3
  !
  router bgp 65110
   neighbor 2001:db8:46:67::b fall-over bfd

Point-to-Point Routed Links

• Use a prefix length of /127 (RFC 6164)
• Reserve the /64, configure the /127
• A /127 pairs an even address with the following odd one (::a and ::b here), so nodes numbered ::1 and ::2 are NOT in the same subnet
• Suppress RAs for globally assigned addressing
• Disable ICMPv6 redirects
• Don't send ICMPv6 unreachables
• RFC 7404: link-local-only addressing on infrastructure links is an alternative

interface FastEthernet0/1
 ipv6 address 2001:db8:46:67::a/127
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables

(figure: 2001:db8:46:67::/127, ::a to ::b)

On newer IOS releases ipv6 nd ra suppress only stops periodic RAs; ipv6 nd ra suppress all also stops replies to router solicitations.

Static Routing

• Link-local next hop
• Redistribution needs a GUA or ULA next hop
• Direct (interface)
• Recursive (next hop)
• Fully qualified (interface and next hop)
• Default route ::/0

ipv6 unicast-routing
!direct
ipv6 route 2001:db8:1::/48 ethernet1/0
!recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1
!fully qualified
ipv6 route 2001:46::/32 ethernet0/0 fe80::9
!default
ipv6 route ::/0 ethernet0/2 fe80::2

IPv6 Routing Protocols: OSPFv3

• OSPFv3: IP protocol 89
• fe80::/64 source → ff02::5, ff02::6 (DRs)
• Link-LSA (8): link-local scope, next hop
• Intra-Area-Prefix-LSA (9): routers' prefixes
• LSAs disconnect topology from prefixes
• Can converge quickly, to a point of scale
• Initial database build takes time

ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 46 area 0
!
interface Ethernet0/0
 ipv6 address 2001:db8:50:31::1/64
 ipv6 ospf 46 area 0
!
ipv6 router ospf 46
 router-id 4.6.4.6
 passive-interface loopback0

Use case: LSPs*, full mesh

OSPFv3 AF Support

• Multiple AFs (RFC 5838)
  • Legacy IPv4 prefixes
  • IPv6 prefixes
  • Transport over IPv6
• Common elements
  • Neighbor table
  • Link State Database (LSDB)
  • Show command structure
• ip ospf (IPv4 over OSPFv2)
• ipv6 ospf (IPv6 over OSPFv3)

router ospfv3 46
 router-id 4.6.4.6
 !
 address-family ipv6 unicast
  passive-interface Loopback0
 exit-address-family
 !
 address-family ipv4 unicast
  passive-interface Loopback0
 exit-address-family
!
interface GigabitEthernet0/2
 ip address 192.168.4.1 255.255.255.0
 ipv6 enable
 ospfv3 46 ipv4 area 0
 ospfv3 46 ipv6 area 0

sh ip route ospfv3

ipv6 enable gives the interface the link-local address that OSPFv3 uses as transport for both address families, so it is required even on an IPv4-only segment.

OSPFv3 Authentication

• AH for authentication (RFC 4552)
  • Manual key process
  • ESP could be used for confidentiality
  • Need a security license for IPsec
• RFC 7166 Authentication Trailers
  • Anti-replay
  • HMAC-SHA-1, 256, 384, 512

IPsec AH (RFC 4552):
interface Ethernet0/0
 ipv6 ospf 46 area 0
 ipv6 ospf authentication ipsec spi 500 sha1 1234567890ABCDEF1234567890ABCDEF
(IOS expects a 40 hex digit key for sha1; the 32 hex digit key shown is the md5 key length)

Authentication trailer (RFC 7166):
key chain AUTH
 key 1
  key-string RFC
  cryptographic-algorithm hmac-sha-512
!
router ospfv3 46
 address-family ipv6 unicast
  authentication mode strict
  area 0 authentication key-chain AUTH

The key-string RFC is a placeholder; use a long random key-string, and prefer the key chain approach where the platform supports it since it needs no crypto license and has anti-replay.

Classic EIGRP (EIGRPv6)

• EIGRP: IP protocol 88
• fe80::/64 source → ff02::a destination
• "no shutdown" is needed on older versions
• Apply the route process to interfaces
• Auto summary disabled
• Transport and peering over IPv6

ipv6 unicast-routing
!
interface Ethernet0/0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 46
!
interface Ethernet0/1
 ipv6 address 2001:db8:50:31::1/64
 ipv6 eigrp 46
!
ipv6 router eigrp 46
 no shutdown
 eigrp router-id 4.6.4.6

EIGRP Named Mode

• The name creates a virtual instance
  • Does not need to be common in the domain
• The address family configures the protocol instance
  • The AS number must be common within the domain
• Auto-applied to all IPv6-enabled interfaces
  • No need to configure under the interfaces

router eigrp IPv6rocks
 !
 address-family ipv6 unicast autonomous-system 46
  !
  af-interface Loopback0
   passive-interface
  exit-af-interface
  !
  af-interface Ethernet0/0
  exit-af-interface
  !
  eigrp router-id 4.6.4.6
 exit-address-family

Use case: large-scale hub and spoke environments

EIGRP Authentication

• EIGRP supports HMAC-SHA-256
• To generate or validate messages, the hash is constructed using:
  • The configured shared secret
  • The link-local address of the sender
  • The EIGRP packet prior to adding the IP header

router eigrp IPv6rocks
 address-family ipv6 autonomous-system 46
  af-interface ethernet 0/0
   authentication mode hmac-sha-256 0 Cisco123

The 0 before the key means it is entered in cleartext; Cisco123 is a placeholder, use a long random secret.

IS-IS

• Single topology mode
  • Single LSDB, single cost
  • Links must be congruent (dual stacked)
• Multi-topology mode
  • LSDB and cost per protocol
  • Flexible; a transition mode is available
• Authentication uses MD5 (TLV); RFC 5310 adds HMAC-SHA, prefer it where the platform supports it

ipv6 unicast-routing
!
interface Ethernet0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 router isis CISCO
 isis circuit-type level-1
 isis ipv6 metric 10000
 isis authentication mode md5
!
router isis CISCO
 net 49.0001.2222.2222.2222.00
 metric-style wide
 !
 address-family ipv6
  multi-topology

(a key chain must also be applied with isis authentication key-chain for the md5 mode to take effect)

(figure: physical topology with nodes A to E, IPv4 SPT, IPv6 SPT)

Use case: SPs, underlays

RIPng

• RIPng: UDP 521, 15 hops
• fe80::/64 source → ff02::9 destination
• Distance vector, hop count (1-15)
• Split horizon, poison reverse
• Lightweight IPv6-only protocol
• Uses AH for authentication (RIPng has no authentication of its own)

ipv6 unicast-routing
!
interface loopback 0
 ipv6 address 2001:db8:1000::1/128
 ipv6 rip CISCO enable
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 rip CISCO enable
!
ipv6 router rip CISCO

Use case: star topology, single edge devices

IPv6 BGP & Multihoming

Network Prefix Translation IPv6 (NPTv6)

• RFC 6296: NPTv6
• Translators attached to the internal network
• Unique Local Addressing (ULA) inside
• Provider-allocated addressing outside
• Swaps the left-most bits of the address (the prefix); stateless and checksum-neutral
• Equal-length prefixes
• Small-to-medium enterprise
• NPTv6 is not a firewall: it rewrites prefixes in both directions without per-flow state, so a stateful filter is still required

(figure: fd07:18:4c::/48 inside, 2001:db8:46::/48 outside, Internet)

interface GigabitEthernet0/0/0
 nat66 inside
interface GigabitEthernet0/0/1
 nat66 outside
!
nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48
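Worked example, added here and not part of the Cisco deck or of IOS: the checksum-neutral mapping that the nat66 lines above configure, implemented in Python for the /48 case of RFC 6296 so the adjustment value can be inspected. The host address fd07:18:4c:1::10 is constructed.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix translation, /48 case.

Added example, not from the deck. The translator rewrites the /48 prefix
and adds a constant to word 3 (the subnet field) in one's complement, so
the 16-bit one's complement sum of the address, and therefore every
TCP/UDP pseudo-header checksum, is unchanged by the translation.
"""
import ipaddress

# The same inside/outside pair as the nat66 configuration above.
INSIDE = ipaddress.IPv6Network("fd07:18:4c::/48")
OUTSIDE = ipaddress.IPv6Network("2001:db8:46::/48")


def words(addr):
    """Split a 128-bit address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(vals):
    """16-bit one's complement sum with end-around carry (RFC 1071 arithmetic)."""
    total = 0
    for v in vals:
        total += v
        total = (total & 0xFFFF) + (total >> 16)
    return total


def adjustment(src, dst):
    """RFC 6296 section 3.1: sum of the inside prefix words minus the sum of
    the outside prefix words; a - b is a + ~b in one's complement."""
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("only the /48 case of RFC 6296 is implemented here")
    a = ones_sum(words(src.network_address)[:3])
    b = ones_sum(words(dst.network_address)[:3])
    return ones_sum([a, (~b) & 0xFFFF])


def translate(addr, src, dst):
    """Rewrite prefix src -> dst on addr and apply the adjustment to word 3."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = words(addr)
    w[:3] = words(dst.network_address)[:3]
    w[3] = ones_sum([w[3], adjustment(src, dst)])
    if w[3] == 0xFFFF:        # negative zero; RFC 6296 says write 0x0000
        w[3] = 0              # (so an inside subnet of 0xFFFF must not be used)
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def outbound(addr):
    """Inside (ULA) -> outside (provider) address."""
    return translate(addr, INSIDE, OUTSIDE)


def inbound(addr):
    """Outside -> inside; adjustment(OUTSIDE, INSIDE) is the one's complement
    of adjustment(INSIDE, OUTSIDE), so it undoes the outbound rewrite."""
    return translate(addr, OUTSIDE, INSIDE)


def checksum_neutral(a, b):
    """True when both addresses have the same one's complement sum
    (0 and 0xFFFF are the same value in one's complement)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF


if __name__ == "__main__":
    host = "fd07:18:4c:1::10"                 # constructed inside host
    ext = outbound(host)
    print(host, "->", ext, "->", inbound(ext))
    print("adjustment 0x%04x, checksum neutral: %s"
          % (adjustment(INSIDE, OUTSIDE), checksum_neutral(host, ext)))
```

Because the adjustment lands in the subnet field, outside subnet numbers look scrambled (inside subnet 1 becomes cf6d): that is by design, and it is why NPTv6 is only checksum neutral, not a form of address hiding.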

Multihomed, Multiprefix (BGP)

• Solve for ingress and egress separately
• Peer over IPv6 for IPv6 prefixes
• Control the hop limit: with ttl-security hops 1 only packets arriving with a hop limit of 254 or more are accepted (GTSM, RFC 5082)
• MD5, AH possible; next-hop-self (fe80::)
• Prefix size filtering, /32 to /48

(figure: Internet, ISP A, ISP B)

router bgp 200
 bgp router-id 4.6.4.6
 no bgp default ipv4-unicast
 neighbor 2001:db8:460:102::2 remote-as 2014
 neighbor 2001:db8:460:102::2 ttl-security hops 1
 neighbor 2001:db8:460:102::2 password cisco4646
 ! the neighbor still has to be activated under address-family ipv6 unicast

Solving Ingress

• Equal load distribution: advertise the more specific /45s plus the /44
• Non-equal load distribution: use AS path prepend, if the provider accepts it

(figure: ISP A AS 64499 2001:db8:a1::/32, ISP B AS 64497 2001:db8:b1::/32, enterprise domain 2001:db8:460::/44)

ipv6 prefix-list ISPAout seq 5 permit 2001:db8:460::/44
ipv6 prefix-list ISPAout seq 10 permit 2001:db8:460::/45
!
ipv6 prefix-list ISPBout seq 5 permit 2001:db8:460::/44
ipv6 prefix-list ISPBout seq 10 permit 2001:db8:468::/45
!
neighbor 2001:db8::b1 route-map ISPBout out
!
route-map ISPBout permit 10
 set as-path prepend 64498 64498 64498 64498

Solving Egress

• Accept the full table from provider A, but filter everything except the default and the aggregate 2001::/18 (up to /32)
• Accept the full table from provider B, but keep only the default
• Use local-preference to prefer the ::/0 from B

(figure: ISP A AS 64499 2001:db8:a1::/32, ISP B AS 64497 2001:db8:b1::/32, enterprise domain 2001:db8:460::/44)

ipv6 prefix-list ISPAin seq 5 permit ::/0
ipv6 prefix-list ISPAin seq 10 permit 2001:0000::/18 le 32
!
ipv6 prefix-list ISPBin seq 5 permit ::/0
!
neighbor 2001:db8::b1 prefix-list ISPBin in
neighbor 2001:db8::b1 route-map LOCAL in
!
route-map LOCAL permit 10
 set local-preference 200
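Added example, not from the deck and not Cisco code: an evaluator for IOS-style ipv6 prefix-lists (first matching sequence wins, implicit deny, ge/le bound the accepted prefix length) loaded with the ISPAin and ISPBin lists above, plus a SIZE list that is my assumption of what the "/32 to /48" size filter from the multihoming slide looks like. The routes checked against it are constructed.

```python
"""IOS-style ipv6 prefix-list evaluation, as an added example (not from the
deck). Semantics assumed from IOS behaviour: an entry matches a route when
the route lies inside the entry prefix AND the route length is exactly the
entry length (no ge/le), between ge and 128 (ge alone), between the entry
length and le (le alone), or between ge and le (both)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv6Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route):
        if not route.subnet_of(self.prefix):   # first prefixlen bits must agree
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 128 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def parse(config):
    """Parse 'ipv6 prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines
    into {name: [Entry, ...]} sorted by sequence number."""
    lists = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ipv6", "prefix-list"]:
            continue
        name, seq, action, prefix = tok[2], int(tok[4]), tok[5], tok[6]
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))      # {"ge": X, "le": Y}
        lists.setdefault(name, []).append(
            Entry(seq, action, ipaddress.IPv6Network(prefix, strict=False),
                  opts.get("ge"), opts.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry; ("deny", None) is the
    implicit deny at the end of every prefix-list."""
    route = ipaddress.IPv6Network(route, strict=False)
    for e in entries:
        if e.matches(route):
            return e.action, e.seq
    return "deny", None


# ISPAin / ISPBin are the lists from the slide; SIZE is an assumed inbound
# sanity filter: never accept your own /44 (or anything longer) from a
# provider, and otherwise only /32 to /48 routes.
CONFIG = """
ipv6 prefix-list ISPAin seq 5 permit ::/0
ipv6 prefix-list ISPAin seq 10 permit 2001:0000::/18 le 32
ipv6 prefix-list ISPBin seq 5 permit ::/0
ipv6 prefix-list SIZE seq 5 deny 2001:db8:460::/44 le 128
ipv6 prefix-list SIZE seq 10 permit ::/0 ge 32 le 48
"""
LISTS = parse(CONFIG)

if __name__ == "__main__":
    for name, route in [("ISPAin", "2001:db8::/32"), ("ISPAin", "2001:db8:460::/44"),
                        ("ISPBin", "2001:db8::/32"), ("SIZE", "2001:db8:460::/44"),
                        ("SIZE", "2400::/12")]:
        print(f"{name:7} {route:22} -> {evaluate(LISTS[name], route)}")
```

Note that ISPAin rejects 2001:db8:460::/44 from provider A (a /44 is longer than le 32), which is exactly the enterprise's own prefix coming back: an inbound list should never let that through.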

Layer 2 Adjacent Firewall

• Firewalls are redundant and share state
• Common VLAN (VLAN 46) between the firewalls and the routers
• Hot Standby Router Protocol (HSRP) groups 1 and 2 on the routers
• Default routes on the firewall point to the HSRP groups

(figure: Internet, ISP A, ISP B, HSRP 1, HSRP 2, VLAN 46)

! Send first aggregate block to HSRP group 1
ipv6 route outside 2001:0000::/18 2001:db8:46::1
! Send second aggregate block to HSRP group 2
ipv6 route outside 2001:4000::/20 2001:db8:46::2
ipv6 route outside 2001:8000::/22 2001:db8:46::2
ipv6 route outside 2001:5000::/20 2001:db8:46::2
ipv6 route outside 2400:0000::/6 2001:db8:46::2
ipv6 route outside 2800:0000::/5 2001:db8:46::2

Layer 3 Adjacent Firewall

• IGP between the edge routers and the Layer 3 switch
  • EIGRP, OSPF, iBGP, IS-IS
• Edge routers redistribute ::/0 (or prefixes) into the IGP
• The Layer 3 switch has a static route for the PI address space (2001:db8:46::/44), set to the next hop of the firewall
• The firewall has a default route pointed at the Layer 3 switch

(figure: Internet, ISP A, ISP B, ::/0 toward the edge, 2001:db8:46::/44 toward the firewall)

ipv6 route outside ::/0 2001:db8:37::1

Multihomed, Multisite

• Internet connectivity is split across two data centers
• Each firewall is active; state is not shared
• Advertising the /44 out of both could cause asymmetry
• NAT solves this problem for the legacy protocol (IPv4)
• More specific routes plus the aggregate are needed for IPv6
• IPv6 will require an iBGP peer link at the Internet edge
  • Protects against failure
  • Provides better outbound load distribution
• Alternatives exist, use with caution
  • GRE through the DCI link
  • Layer 3 VPN service over the ISP

(figure: Internet, ISP A, ISP B AS 64498; sites AS 65535 and AS 65534 running EIGRP 46, subnets X,Y,Z and A,B,C)

Multisite Egress Traffic Engineering

• Create an eBGP multihop link to the core routers
• Advertise the default route over this link to the core routers
• Redistribute the default route into the IGP
• Increase the metric for the default route

(figure: Internet, ISP A, ISP B AS 64498; AS 65535 and AS 65534; ::/0 redistributed into EIGRP 46 with a higher metric at the second site)

router bgp 65535
 neighbor 2001:db8:460:66::2 remote-as 64498
 neighbor 2001:db8:460:66::2 ebgp-multihop 255
!
ipv6 router eigrp 46
 redistribute bgp 65535 metric * * * * * route-map BGP-to-EIGRP
!
ipv6 prefix-list DEFAULT seq 5 permit ::/0
!
route-map BGP-to-EIGRP permit 10
 match ipv6 address prefix-list DEFAULT

The five metric values are bandwidth, delay, reliability, load and MTU; raise the delay at the second site so its ::/0 is less preferred. ebgp-multihop 255 removes the hop-limit check from the session entirely; set it to the real hop count to the peer instead.

Multisite Ingress Traffic Engineering

• Redistribute subnets from the IGP into BGP
• Use a route map with a set command (MED)
• Internet edge routers install the prefixes
• bgp always-compare-med

(figure: subnets X,Y,Z reachable from both sites, the second site advertising them with a higher MED)

router bgp 65535
 neighbor 2001:db8:460:66::2 remote-as 64498
 neighbor 2001:db8:460:66::2 ebgp-multihop 255
 redistribute eigrp 46 route-map MED
!
route-map MED permit 10
 match ipv6 address prefix-list SUBS
 set metric 200
!
ipv6 prefix-list SUBS seq 10 permit 2001:db8:460::/45

Enterprise IPv6 Guidance

• RFC 7381 enterprise IPv6 guidelines
• Updated white paper on Cisco.com
• Routed access, routed host, IPv6 only?

(figure: campus topology with Access, Distribution, Core, Distribution, Access, WAN, Data Center and Internet blocks)


IPv6 Translation, IoT & IPv6 Only

Robert Barton, Distinguished Architect, @MrRobbarto

Migration to IPv6: Translation Techniques

Migration to IPv6 is a Journey: How do we get there?

1. IPv4-only

2. IPv4-only + IPv6 via translation

3. Dual-stacked public frontend, IPv4 backend

4. Full dual-stack (including the backend)

5. Dual-stacked public frontend, IPv6 backend

6. IPv6-only + IPv4 via translation

7. IPv6-only (yay!)

IPv6 Islands: Not All Islands Are Relaxing!

• Despite dual stack, native internal IPv6 apps/services are still not the norm
• NAT64 technologies are necessary!

(figure: Internet, campus IP core with firewall, data centers, ENG labs, campus access; v4 and v6 islands)

Stateful vs. Stateless NAT64

| Stateless NAT64 | Stateful NAT64 |
| --- | --- |
| 1:1 translation | 1:n translation |
| Assures end-to-end address transparency | Uses address overloading (no address transparency) |
| No state bindings created on the translation | State bindings are created on every translation |
| Requires IPv4-translatable IPv6 address assignments | No requirement on the nature of the IPv6 address assignment |
| Requires either manual or DHCPv6 address assignment | Any mode of IPv6 address assignment (including SLAAC) |
| No conservation of IPv4 addresses | Conserves IPv4 addresses |

Stateless NAT64 Example

IPv6 addresses mapped 1:1 to IPv4 addresses:

nat64 v6v4 static 2620:175:F00:FFFF:10:79:232:52 10.79.232.52
nat64 v6v4 static 2620:175:F00:FFFF:10:79:232:53 10.79.232.53
nat64 v6v4 static 2620:175:F00:FFFF:10:79:232:150 10.79.232.150
nat64 v6v4 static 2620:175:F00:FFFF:10:79:232:151 10.79.232.151
nat64 v6v4 static 2620:175:F00:FFFF:10:79:232:152 10.79.232.152

(the dotted-quad octets are written into the last four groups for readability; these are manual mappings, not the RFC 6052 hex embedding)

• Provides access for an IPv6 host to an IPv4 address and vice versa
• Use is limited because it does nothing to reduce IPv4 address usage

IPv6 MAP-T (RFC 7599) / MAP-E (RFC 7597)

(figure: IPv4 host, CPE IPv4/v6 router, IPv6 network, MAP-T/E border router (stateless), IPv4 network)

• Stateless IPv4 to IPv6 NAT
• Built for massive scale
• Effectively an IPv4 tunneling technique

MAP-T vs. MAP-E

• Both are stateless IPv6 NAT solutions
• MAP-T embeds the IPv4 address in the IPv6 address and translates the headers (payload / transport / IPv4 becomes payload / transport / IPv6 across the IPv6 network)
• MAP-E encapsulates the IPv4 packet in IPv6 (payload / transport / IPv4 carried inside an IPv6 header)

Stateful NAT64 Overview

(figure: IPv6 header fields alongside IPv4 header fields)

• Ideal for IPv6 networks accessing IPv4
• RFC 6146
• Overload address mapping
• TCP/UDP/ICMP headers form the L4 portion of the state tuple
• Not everything can be translated: IPsec, etc.
• MUST use DNS64 (RFC 6147): synthesizes AAAA records from A records

Scenarios (RFC 6144 numbering):
1. IPv6 network to IPv4 Internet
2*. IPv4 Internet to IPv6 network
3. IPv6 Internet to IPv4 network
5. IPv6 network to IPv4 network
6*. IPv4 network to IPv6 network
*Use static IPv6 to IPv4 mappings

Stateful NAT64 Example

(figure: IPv6 PC 2001::A00:B on 2001::A00:0/64, router G0/0 at ::A and G1/0 at .254, NAT64 network-specific prefix 3001::/96, IPv4 server 10.0.0.1 on 10.0.0.0/24)

• IPv4 to IPv6 requires static NAT46:
  Source IPv4 10.0.0.1, destination IPv4 10.0.0.100 → Source IPv6 3001::c000:221, destination IPv6 2001::A00:B
• IPv6 to IPv4 uses the overload feature (dynamic NAT64):
  Source IPv6 2001::A00:B, destination IPv6 3001::c000:221 → Source IPv4 10.0.0.100, destination IPv4 10.0.0.1

Stateful NAT64 IOS Configuration

• Multiplexes many IPv6 devices onto one IPv4 address

(figure: IPv6 host 2001::A00:B/64, router G0/0 2001::A00:A/64 and G1/0 10.0.0.254/24, IPv4 host 10.0.0.1/24; IPv6 destinations in 3001::/96 are overloaded onto IPv4 address 10.0.0.100)

interface G0/0
 ipv6 address 2001::A00:A/64
 nat64 enable
!
interface G1/0
 ip address 10.0.0.254 255.255.255.0
 nat64 enable
!
nat64 prefix stateful 3001::/96
nat64 v6v4 static 2001::A00:B 10.0.0.100

Example of Translation Output (real world example)

Stateful NAT64 with DNS64

• NAT64 makes v4 services function as v6 (it's a translation mechanism)
• Uses an arbitrary /96 block from your address space for translation
• DNS64 makes v4 services appear as v6
• DNS64 proxies the DNS lookup from the v6 to the v4 world and checks with the authoritative name server
• DNS64 then synthesises a AAAA record from a v4 DNS A record (as the IPv6-only host is asking for AAAA records)

DNS64 in Action

(figure: IPv6 PC 2001:db8:122:344::6, DNS64 at ::2 on 2001:db8:122:344::/64, DNS server 192.168.90.101 behind 192.0.2.0/24, network-specific prefix 3001::/96)

1. The IPv6 PC queries the AAAA record for the v4 server
2. DNS responds with an "empty" AAAA record
3. The translator (DNS64) sends an A query for the v4 server
4. The DNS server responds with the A record for the IPv4 server
5. DNS64 translates it to a AAAA record (the A record embedded in the 3001::/96 prefix)
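One added example (not from the deck, not IOS or BIND code) that serves the stateful NAT64 slides and the DNS64 steps above: RFC 6052 embedding of an IPv4 address into the 3001::/96 network-specific prefix, the DNS64 decision (synthesize only when the AAAA answer is empty), and a minimal stateful NAT64 binding table that drops unsolicited IPv4 traffic. The DNS answers, hosts and flows are constructed; no resolver is queried.

```python
"""RFC 6052 address embedding, RFC 6147 DNS64 synthesis and an RFC 6146
stateful NAT64 binding table, as an added example (not from the deck).
"""
import ipaddress
import itertools

PREFIX = ipaddress.IPv6Network("3001::/96")   # slide's NSP; the WKP would be 64:ff9b::/96


def embed(v4, prefix=PREFIX):
    """RFC 6052 with a /96 prefix: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6, prefix=PREFIX):
    """Inverse of embed(); refuses addresses outside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not a NAT64-embedded address")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64(name, lookup_aaaa, lookup_a):
    """Steps 1 to 5 of the slide: forward the AAAA query; only when the answer
    is empty, query A and synthesize AAAA records inside the NAT64 prefix.
    A native AAAA answer is returned untouched, so dual-stack targets are
    reached directly and never through the translator."""
    native = lookup_aaaa(name)
    if native:
        return list(native)
    return [str(embed(a)) for a in lookup_a(name)]


class StatefulNAT64:
    """1:n translation: (proto, v6 source, port) is bound to (pool address, port).
    Return traffic is admitted only when it hits an existing binding."""

    def __init__(self, pool_v4, first_port=1024):
        self.pool = str(ipaddress.IPv4Address(pool_v4))
        self.ports = itertools.count(first_port)   # no reuse here; real boxes recycle on timeout
        self.bind = {}      # (proto, src6, sport) -> mapped port
        self.reverse = {}   # (proto, mapped port) -> (src6, sport)

    def v6_to_v4(self, proto, src6, sport, dst6, dport):
        """IPv6 -> IPv4 direction: create or reuse the binding, rewrite both addresses."""
        key = (proto, src6, sport)
        if key not in self.bind:
            mapped = next(self.ports)
            self.bind[key] = mapped
            self.reverse[(proto, mapped)] = (src6, sport)
        return (self.pool, self.bind[key], str(extract(dst6)), dport)

    def v4_to_v6(self, proto, src4, sport, dst4, dport):
        """IPv4 -> IPv6 direction: anything without a binding is dropped (None)."""
        if dst4 != self.pool or (proto, dport) not in self.reverse:
            return None
        src6, original_port = self.reverse[(proto, dport)]
        return (str(embed(src4)), sport, src6, original_port)


if __name__ == "__main__":
    # Constructed: a v4-only server 192.0.2.33, the slide's IPv6 PC and the
    # 10.0.0.100 pool address from the IOS configuration.
    print(dns64("v4only.example", lambda n: [], lambda n: ["192.0.2.33"]))
    nat = StatefulNAT64("10.0.0.100")
    out = nat.v6_to_v4("tcp", "2001::a00:b", 40000, "3001::c000:221", 80)
    print(out, nat.v4_to_v6("tcp", "192.0.2.33", 80, "10.0.0.100", out[1]))
```

Embedding 10.0.0.1 in 3001::/96 gives 3001::a00:1 and 192.0.2.33 gives 3001::c000:221; the extract() guard is also what a NAT64 uses to refuse packets whose destination is not inside its prefix.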

What about Dual Stack? Operational Implications (a double-edged sword)

• No tunnelling, MTU, NAT or performance-degrading technologies
• Versatile, scalable and high performance
• No dependency on IPv4, runs in parallel on the same hardware

• Dual stack increases the overall complexity significantly
• Everything (on the infrastructure level) needs to be maintained for both protocols
  • Routing protocols
  • Security policy
  • QoS
  • Etc.

What about IPv6 only?

• Is EVERYTHING ready?
  • Network services
  • Applications
  • Operations and management
  • Connectivity to non-IPv6 resources
  • NAT64/DNS64
• RFCs:
  • RFC 6586 - Experiences from an IPv6-Only Network
  • RFC 7755 - SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments
  • RFC 7756 - Explicit Address Mappings for Stateless IP/ICMP Translation

(figure: IPv6 forwarded end to end across Apps, Services, End Processes, Customer Access Point, SP Edge, Core Network, DC Edge, DC Transport, DC Edge Services, Servers/VMs)

IPv6: The Cisco Campus Journey

• Where we were (July 2016): few enterprises had deployed IPv6; IPv4 products, with IPv6 network policy and management policy handled separately
• Where we are now: enterprises are dual stack and migrating to single stack (IPv6); IPv6 solution testing; the San Jose building migrated from IPv4 to IPv6

IPv6 in Enterprise: Deployment Details, San Jose Building Case Study

• 500+ users, ~40 applications
• 3 floors, 6 wiring closets
• 500+ switch ports, 120 wireless APs
• 3 months, phased approach, IT template

Tapestry of Supporting Apps/Tools to Validate

| Priority | Impact | Level | Service / Application | Parity Status |
| --- | --- | --- | --- | --- |
| High | Medium | Client | CiscoTV/IPTV | Yellow |
| Medium | High | Client | File transfer: FTP, TFTP, SSH, SCP | Yellow |
| Low | Low | Client | AnyConnect | Yellow |
| High | High | Client | Jabber | Green |
| High | High | Client | Webex | Green |
| High | High | Client | Outlook | Green |
| Medium | Medium | Client | VNC | Green |
| Low | Low | Client | Remote Desktop | Green |
| Medium | High | Client | Telepresence | Green |
| Low | Low | Client | App Store | Green |
| Medium | Medium | Client | IP Phone | Yellow |
| High | High | Client | Public web | Green |
| Medium | Medium | Client | wwwin.cisco.com | Green |
| Low | Low | Client | Proximity | Red |
| Low | Low | Client | Google Docs | Green |
| Low | Low | Client | Skype | Yellow |
| Medium | Low | Client | Dropbox | Yellow |
| High | Medium | Client | Cisco Print | Green |
| | | Client | AnyConnect (SSL) through NAT64 | Yellow |
| | | Client | Cisco DayCare Video Monitor | Yellow |
| High | High | Collab | Spark Client | Green |
| High | High | Collab | Spark Web | Green |
| High | High | Facilities | CCTV, Badge, Physical Security Infra | Yellow |
| Medium | Low | Mgmt | RCMD Mgmt | Yellow |
| | | Mgmt | SNMP | Green |
| | | Mgmt | Netflow | Yellow |
| | | Mgmt | NTP | Green |
| | | Mgmt | LDAP/AD | Green |
| High | High | Network | IPv6 Multicast | Red |
| High | Medium | Network | WaaS | Yellow |
| High | Medium | Network | ACNS | Yellow |
| High | Medium | Network | ACS Radius | Yellow |
| Medium | Low | Network | dACLs/802.1x/ISE | Red |
| | | Network | OSPFv3 routing, multiple platforms | Green |
| | | Network | NAT64 on ASR/CSR | Green |
| | | Network | NAT64 on ASA | Green |

DNS64 / NAT64 Deployment

(figure: v6-only hosts → ASR1002-X NAT64 with an IPv4 NAT pool and a /56 map pool → v4 hosts such as example.cisco.com 192.0.2.10; DNS64 on BIND9 in front of the corporate DNS)

• ASR1002-X NAT64 with HA
• BIND9 as DNS64; can be added to an existing corporate DNS server
• Simple config and stable
• NAT64/DNS64 holds it all together: NAT makes every service function as v6, DNS makes every service appear to be v6

nat64 prefix stateful 2001:X::/96
nat64 v4 pool NAT64-IPv4 10.x.y.z 10.x.y.zz
nat64 v6v4 list NAT64 pool NAT64-IPv4 overload redundancy 1 mapping-id 1

Lessons Learned

• Going IPv6 without a translation strategy is not feasible
• To ensure a smooth user experience, packets need to be translated from IPv6 to IPv4 to provide connectivity to v4-only resources
• Dependencies are important (DNS, RADIUS, Syslog)
• Keep things as simple as possible
  • Routing, L2, addressing (use SLAAC)

Lessons Learned, Continued

Understand what people use the network for
➢ Functional groups / visitors
➢ Building traffic analysis
➢ Identify primary applications:
  • Collaboration: Call/TP, Webex, Proximity
  • Business apps: Exchange/email, http/intranet/wiki, Video/Cisco TV, VNC/Remote Desktop

Prepare users for IPv6
➢ Build user profiles: Engineering Dev/Test (lab dependent), Business/Finance/Mgmt, Product Mgmt and Marketing, Engineering Release Mgmt
➢ Run workshops: periodic dry runs to enable building users for the transition; war rooms to address any issues/questions

IPv6 Only Case Study Example: Digital Building

IT and OT Are Converging Towards IP

(figure timeline: 1995 data over coax; 2005 IP telephony replacing the PBX; late 2000s IP cameras; 2010 building management systems (BACnet, sensing, ventilation, lighting) on the network; 2015 IP building systems using low-voltage PoE, with cloud management and analytics, experiences and OpEx as the drivers)

Cisco Remote Office / Headquarters Building, Digital Ceiling, Toronto, Canada

▪ 4 floors
▪ 1400 LED / IoT lights
▪ 2200 HVAC endpoints
▪ Distributed deployment

Challenge: build an innovative, energy-efficient workspace

Digital transformation model:
• PoE-powered lighting with Cisco switches
• Sensor-based access to workspaces
• Analytics with fixture-level visibility

Why IPv6?
• Scale of lights to wired ports is ~6:1
• Address exhaustion of IPv4 is a limitation to deployment

Example: PoE LED Lights in Cisco Office

Digital Ceiling's Requirements: Catalyst Digital Building Switch (DBS-8)

• UPOE and PoE+
• Perpetual PoE
• Fast PoE
• Fanless
• CoAP protocol support
• Energy monitoring

Stateless DHCPv6: address assignment comes from SLAAC; DNS and other options come from the DHCP pool

ipv6 unicast-routing
!
ipv6 dhcp pool STATELESS
 dns-server 2001:4860:4860::8888
 domain-name smartbuilding.com
!
interface Vlan102
 description IPv6-SLAAC
 no ip address
 ipv6 address 2001:db8:700:1::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server STATELESS

The O flag set by ipv6 nd other-config-flag in the RA is what tells SLAAC hosts to ask the DHCPv6 server for the other options; without it the pool is never consulted.

White Noise Cancellation Unit

Signify / Philips Smart Lighting Usage

Constrained Application Protocol (CoAP)

▪ CoAP is a lightweight version of HTTP defined by the IETF in the Constrained RESTful Environments (CoRE) working group (RFC 7252)
▪ UDP based with small headers (a 4 byte fixed header, under 10 bytes in practice)
▪ Request / response model (GET, POST, PUT, DELETE)
▪ Supports block transfer, proxy, caching, resource discovery

(figure: stack of Applications, CoAP, IPv6, 6LoWPAN, MAC, PHY)

CoAP Communication Example

coap://my-bright-light.com:5683/foo.xml

1. The client (operations center) transmits the command string over CoAP: CON tid=0x47 POST /foo
2. The client retransmits using exponential back-off until a reply arrives
3. The light answers with ACK tid=0x47 and a success response; the matching transaction ID lets the client tie the reply to its outstanding request

Plain CoAP on UDP 5683 carries no authentication or confidentiality; RFC 7252 section 9 gets both from DTLS (coaps, UDP 5684), which is what a lighting control plane should run.
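Added example, not from the deck and not vendor code: an RFC 7252 CoAP message encoder/decoder, the CON → ACK exchange shown above (request with message ID 0x47, piggybacked ACK that echoes it), the client-side check that only a matching ACK is accepted, and the retransmission schedule. The token, payload and resource table are constructed; ACK_TIMEOUT and MAX_RETRANSMIT are the RFC 7252 defaults and ACK_RANDOM_FACTOR is pinned to 1.0 to keep the schedule deterministic.

```python
"""CoAP (RFC 7252) messages and the CON -> ACK exchange, as an added
example (not from the deck). Header: Ver(2) T(2) TKL(4) | Code | Message ID;
then token, options as (delta, length) pairs, 0xFF marker, payload."""
import struct

CON, NON, ACK, RST = 0, 1, 2, 3
POST, CHANGED, NOT_FOUND = 0x02, 0x44, 0x84       # 0.02, 2.04 Changed, 4.04 Not Found
URI_PATH = 11
ACK_TIMEOUT, MAX_RETRANSMIT = 2.0, 4


def _nibble(v):
    """Option delta/length encoding: 0-12 inline, 13 = one extra byte, 14 = two."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)


def encode(mtype, code, mid, token=b"", options=(), payload=b""):
    """Build a message; options is a list of (number, value bytes), emitted in
    option-number order as deltas (repeated numbers keep their given order)."""
    if len(token) > 8:
        raise ValueError("token length must be 0..8")
    out = bytearray([(1 << 6) | (mtype << 4) | len(token), code])
    out += struct.pack("!H", mid) + token
    last = 0
    for num, val in sorted(options, key=lambda o: o[0]):
        d, dext = _nibble(num - last)
        l, lext = _nibble(len(val))
        out += bytes([(d << 4) | l]) + dext + lext + val
        last = num
    if payload:
        out += b"\xff" + payload
    return bytes(out)


def _ext(nib, buf, i):
    if nib == 13:
        return buf[i] + 13, i + 1
    if nib == 14:
        return struct.unpack("!H", buf[i:i + 2])[0] + 269, i + 2
    if nib == 15:
        raise ValueError("reserved nibble 15 outside the payload marker")
    return nib, i


def decode(buf):
    """Parse a message into a dict; format errors raise ValueError."""
    if buf[0] >> 6 != 1:
        raise ValueError("unknown CoAP version")
    mtype, tkl = (buf[0] >> 4) & 3, buf[0] & 0xF
    if tkl > 8:
        raise ValueError("token length > 8 is a message format error")
    code, mid = buf[1], struct.unpack("!H", buf[2:4])[0]
    token, i = buf[4:4 + tkl], 4 + tkl
    options, num = [], 0
    while i < len(buf) and buf[i] != 0xFF:
        dn, ln = buf[i] >> 4, buf[i] & 0xF
        i += 1
        delta, i = _ext(dn, buf, i)
        length, i = _ext(ln, buf, i)
        num += delta
        options.append((num, buf[i:i + length]))
        i += length
    payload = buf[i + 1:] if i < len(buf) else b""
    return {"type": mtype, "code": code, "mid": mid, "token": token,
            "options": options, "payload": payload}


def serve(request, resources):
    """Light-side handler: a CON POST to a known path stores the payload and
    returns a piggybacked ACK 2.04 echoing message ID and token; unknown
    paths get ACK 4.04; NON requests are processed without any ACK (None)."""
    req = decode(request)
    if req["type"] != CON:
        return None
    path = "/" + "/".join(v.decode() for n, v in req["options"] if n == URI_PATH)
    if req["code"] == POST and path in resources:
        resources[path] = req["payload"]
        return encode(ACK, CHANGED, req["mid"], req["token"])
    return encode(ACK, NOT_FOUND, req["mid"], req["token"])


def is_reply_to(request, response):
    """Client-side match: accept the ACK only if message ID and token agree with
    the outstanding CON; anything else is a stray or forged datagram."""
    q, r = decode(request), decode(response)
    return r["type"] == ACK and r["mid"] == q["mid"] and r["token"] == q["token"]


def retransmit_schedule(timeout=ACK_TIMEOUT, retries=MAX_RETRANSMIT, random_factor=1.0):
    """Seconds the client waits before each retransmission and before giving up;
    the initial timeout doubles every time (RFC 7252 section 4.2)."""
    first = timeout * random_factor
    return [first * 2 ** i for i in range(retries + 1)]


if __name__ == "__main__":
    light = {"/foo": b""}                                  # constructed resource table
    req = encode(CON, POST, 0x47, b"\x01", [(URI_PATH, b"foo")], b"on")
    ack = serve(req, light)
    print(req.hex(), "->", ack.hex(), is_reply_to(req, ack), light)
    print("retransmit after", retransmit_schedule(), "seconds")
```

Message IDs are 16 bits and tokens are optional, so the is_reply_to() check is a correctness filter rather than an integrity one: on an open UDP port anyone who sees the request can forge the ACK, which is why the DTLS note above matters.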

Adapting IPv6 for IoT: IoT Use of Open Standards

(figure, layered stack of open standards:
 Application: SNMP, IPFIX, IEC 61968 CIM, Web Services/EXI, IEEE 1888, DNS, NTP, ANSI C12.19/C12.22, IEC 61850, IEC 60870, DNP, MODBUS, MQTT/CoAP, SSH, DLMS COSEM, over TCP/UDP
 Network: IPv6 / IPv4 addressing, multicast, QoS, security; RPL; 6TiSCH; 802.1x / EAP-TLS based access control
 Adaptation: 6LoWPAN (RFC 4944), IETF RFC 2464, RFC 5072, RFC 5121
 MAC: IEEE 802.15.4, IEEE 802.15.4e MAC enhancements, IEEE P1901.2, IEEE 802.3, IEEE 802.16, IEEE 802.11, 2G / 3G / LTE
 PHY: IEEE 802.15.4, IEEE 802.15.4g, IEEE P1901.2, Wi-Fi, Ethernet, WiMax, cellular; 2.4 GHz DSSS (FSK, DSSS, OFDM))

6LoWPAN Overview

• IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN) defines the transmission of IPv6 over IEEE 802.15.4 (RFC 4944)
• IEEE 802.15.4 has an MTU of only 127 bytes!
• Optional headers defined for 6LoWPAN include Mesh Addressing, Fragmentation and Header Compression

(figure: 802.15.4 header | Mesh Addressing header | Fragmentation header | Header Compression | IPv6 payload; fragmentation splits IPv6 packets to fit 127 byte 802.15.4 frames, compression shrinks the IPv6 and UDP headers)

6LoWPAN IPv6 Adaptation Layer and Fragmentation

(figure: Transport layer TCP/UDP; Network layer IPv6 (MTU=1280 bytes); 6LoWPAN adaptation layer; Data link layer 802.15.4 with a CGR as border router; Physical layer wired/wireless 802.15.4 mesh (MTU=127 bytes))

The 6LoWPAN IPv6 Adaptation Layer

(figure: Transport layer TCP/UDP; Network layer IPv6/IPv4; Adaptation layer; Data link layer including 802.15.4g, 802.15.4e; Physical layer wired/wireless)

6LoWPAN Header Compression

• More than doubles the payload and increases efficiency from 41% to 84%

Without header compression (127 byte IEEE 802.15.4 frame): 802.15.4 header | 1B 6LoWPAN header | 40B IPv6 header | 8B UDP header | 53B payload | FCS

With IPv6 and UDP header compression (127 byte IEEE 802.15.4 frame): 802.15.4 header | 2B 6LoWPAN header with compressed IPv6 header | 4B compressed UDP header | 108B payload | FCS

Evolution of 6LoWPAN to 6Lo

• 6LoWPAN was designed specifically to enable IPv6 over 802.15.4
• The IETF 6Lo Working Group (WG) is chartered to define IPv6 over various IoT link types

| IoT Link Type or Technology | IETF Standard or Draft |
| --- | --- |
| Bluetooth Low Energy (BLE) | RFC 7668: IPv6 over BLUETOOTH® Low Energy |
| Digital Enhanced Cordless Telecommunications (DECT) Ultra Low Energy (ULE) | RFC 8105: Transmission of IPv6 Packets over DECT ULE |
| Power Line Communication (PLC) | draft-ietf-6lo-plc-00: Transmission of IPv6 Packets over PLC Networks |
| Near Field Communication (NFC) | draft-ietf-6lo-nfc: Transmission of IPv6 Packets over Near Field Communication (standard pending) |
| BACnet | RFC 8163: Transmission of IPv6 over Master-Slave/Token-Passing (MS/TP) Networks |
| 802.15.4e TSCH (6TiSCH WG) | RFC 8480: 6TiSCH Operation Sublayer (6top) Protocol (6P) |

RPL: IPv6 Routing for IoT

Routing over Low Power and Lossy Networks (RoLL):

• Existing IP routing protocols are poorly suited for IoT
  • Lossy connections; they lose state too easily
  • Only consider link cost, not type or other constraints
  • Lack of routing flexibility when different objective functions are required
• RFC 6550 defines RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks
• RPL is a distance vector routing protocol used in route-over scenarios

(figure, RPL protocol stack: RPL, ICMP, IPv6, IETF 6LoWPAN, IEEE 802.15.4 MAC, IEEE 802.15.4 PHY)

RPL Definitions

• A Directed Acyclic Graph (DAG) flows in a single direction without encountering the same node again
• A Destination Oriented DAG (DODAG) is the same as a DAG except that it flows to a root
• Rank defines a node’s position with respect to other nodes and the root (the root has Rank 0)
• Rank increases in the Down direction and decreases in the Up direction
• Rank is computed from the Objective Function (OF) defined for the DODAG

Figure: a DODAG with the root at Rank 0 and nodes at Ranks 1, 2, 3 and 4 below it

RPL Tree DODAG Structure

The Rank is a rough approximation of how “close” a node is to the Root and serves to avoid routing loops.

• DAG Information Object (DIO) messages advertise upward routes of the DODAG, flowing downward from the root
• DAG Advertisement Object (DAO) messages advertise routes to parents, flowing upward

Figure: IP infrastructure above a Cisco CGR border router (RPL Rank 0, DODAG root), with an 802.15.4 wireless mesh of nodes at RPL Rank 1, 2 and 3 below it

Example: Cisco CGR 1000 RPL Tree

CGR1000_JAD1843000D#show wpan 4/1 rpl tree
------WPAN RPL TREE FIGURE [4] ------
[2620:175:F00:100::1] (4/12)                         Rank 0 (CGR Router)
\--- 2620:175:F00:100:5C71:CA79:791D:A52
\--- 2620:175:F00:100:787B:876E:8B52:2692 (4)
\--- 2620:175:F00:100:4496:CCDD:DF26:907A
\--- 2620:175:F00:100:5841:99F5:A721:33F             Rank 1
\--- 2620:175:F00:100:58B8:CC09:85A2:529E
\--- 2620:175:F00:100:FC6C:F5F2:5E2C:BC88
\--- 2620:175:F00:100:95A7:E3B8:E818:B349
\--- 2620:175:F00:100:C11B:F90E:C1F1:9C7 (4)         Rank 2
\--- 2620:175:F00:100:25FC:C9D3:682C:3418
\--- 2620:175:F00:100:4D80:B8F2:4A1F:67C4
\--- 2620:175:F00:100:D06C:6C65:E465:97
\--- 2620:175:F00:100:E4E0:EE1F:BBD3:4A56

RPL Objective Functions

• An Objective Function (OF) defines how metrics are used to select routes and establish a node’s Rank
• Metrics include:
  • Expected Transmission (ETX): how reliable the link is
  • Hop Count
  • Latency
  • Node Energy (avoid nodes with low power)

Figure: Cisco CGR border router at the top of a mesh; links are labelled with their ETX value (1, 1, 2.5, 3, 1.5) and one node is marked as a battery-powered node

Example: Routing with ETX Objective Function

The goal is to choose the path with the lowest ETX value.

  Path ETX = Σ ETX over the links from the node up to the DODAG root (Rank 1 … n)

Figure: Cisco CGR border router at Rank 0 (DODAG root); link ETX values 1, 1, 3, 1, 1.5 and 2.5. Candidate paths from the bottom node: Left = 2, Middle = 3, Right = 2.5

Example: Final RPL Topology

Same figure with the selected path highlighted: the left path has the lowest ETX!

Example of Multiple DAGs in Single Physical Mesh

Figure: a CGR connected to the IP WAN at the top of a mesh; every link is labelled with its ETX value (1, 2, 1.5, …), one node is marked as the starting node and one as a battery-powered node. The primary path and a backup path from the starting node to the CGR are highlighted.

DAG where OF = Minimum ETX

Example of Multiple DAGs in Single Physical Mesh (cont.)

Figure: the same physical mesh, now with two CGRs each connected to the IP WAN; two DODAGs are built over the same nodes and links.

DAG where OF = Minimum ETX  |  DAG where OF = Energy Conservation
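The parent selection described on the ETX slides, and the idea that two objective functions build two different DODAGs over one physical mesh, can be worked through in code. The following is an added example, not code from the slides or from any Cisco product: it computes each node's Rank as the cumulative path cost to the root and its preferred parent, once with a minimum-ETX objective function and once with a constructed "energy conservation" one. The mesh (node names L1, M1, R1, X, the link ETX values and which node is battery powered) is an assumption chosen so the three candidate paths total 2, 3 and 2.5 as in the slides.

```python
import heapq

# Constructed mesh (assumption): links are bidirectional, (node_a, node_b, link ETX)
ROOT = "CGR"
LINKS = [
    ("CGR", "L1", 1.0), ("L1", "X", 1.0),    # left path:   1 + 1   = 2
    ("CGR", "M1", 1.0), ("M1", "X", 2.0),    # middle path: 1 + 2   = 3
    ("CGR", "R1", 1.0), ("R1", "X", 1.5),    # right path:  1 + 1.5 = 2.5
]
BATTERY_POWERED = {"L1"}   # assumption: the left-hand forwarder runs on a battery


def of_min_etx(parent, child, link_etx):
    """Objective Function 'minimum path ETX': a hop costs its link ETX."""
    return link_etx


def of_energy_conservation(parent, child, link_etx):
    """Constructed 'energy conservation' OF: forwarding through a battery-powered
    parent is penalised, so mains-powered paths win whenever one exists."""
    return link_etx + (10.0 if parent in BATTERY_POWERED else 0.0)


def build_dodag(links, root, objective_function):
    """Compute every node's Rank (cumulative cost to the root) and preferred parent:
        Rank(child) = min over candidate parents of Rank(parent) + OF(parent, child, ETX)
    This is a Dijkstra relaxation, the fixed point RPL's DIO-driven parent
    selection converges to. Returns {node: (rank, preferred_parent)}; the root
    has Rank 0 and no parent."""
    adjacency = {}
    for a, b, etx in links:
        adjacency.setdefault(a, []).append((b, etx))
        adjacency.setdefault(b, []).append((a, etx))
    dodag = {root: (0.0, None)}
    frontier = [(0.0, root)]
    while frontier:
        rank, node = heapq.heappop(frontier)
        if rank > dodag[node][0]:
            continue                                  # stale frontier entry
        for neighbour, etx in adjacency[node]:
            candidate = rank + objective_function(node, neighbour, etx)
            if neighbour not in dodag or candidate < dodag[neighbour][0]:
                dodag[neighbour] = (candidate, node)  # better parent found
                heapq.heappush(frontier, (candidate, neighbour))
    return dodag


def upward_path(dodag, node):
    """Follow preferred parents from a node to the root (the Up direction)."""
    path = [node]
    while dodag[node][1] is not None:
        node = dodag[node][1]
        path.append(node)
    return path


def path_etx(links, path):
    """Path ETX of the slides: the sum of link ETX along a path, whatever OF chose it."""
    etx_of = {frozenset((a, b)): etx for a, b, etx in links}
    return sum(etx_of[frozenset(pair)] for pair in zip(path, path[1:]))


if __name__ == "__main__":
    for name, of in (("Minimum ETX", of_min_etx), ("Energy Conservation", of_energy_conservation)):
        dodag = build_dodag(LINKS, ROOT, of)
        path = upward_path(dodag, "X")
        print(f"{name}: X -> {' -> '.join(path[1:])}, path ETX {path_etx(LINKS, path)}")
```

Under the minimum-ETX OF node X picks L1 (path ETX 2, the left path of the slides); under the energy-conserving OF the same node picks R1 (path ETX 2.5) because L1 is battery powered, which is exactly how one physical mesh ends up carrying two different DODAGs.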

Case Study: Smart Grid Case Study – BC Hydro Smart Meter Program Scope

Figure: map of British Columbia, Canada, bordered by Alaska, the Yukon Territory, Alberta, the U.S.A. and the Pacific Ocean

The Multi-Service Grid Network Architecture

• Head-end applications: Street Lighting Controller, SCADA, Meter Management
• Backhaul to the Field Area Network (FAN): IPv6 RF mesh endpoints, distribution automation
• Endpoints: AMI Metering / HAN Gateway, Transformer Monitoring, Distribution Automation, EV Charging Infrastructure, Direct Load Control, Gas / Water Meters, Distributed Generation, SCADA Network, Direct Connect AMI Meters

Anatomy of a Smart Meter

Communications board with Field Area Network (FAN) radio

Register board: registers voltage/energy usage, stores load/voltage profile and contains ZigBee radio for Home Area Network (HAN)

Metrology board: processes voltage and current measurements and converts them to pulses

Customer Portal

Smart Grid Network Architecture

• VPN Backhaul Tunnels

• RPL Mesh Network

• Home Area Network (HAN)

Sample IPv6 Data Center Addressing Plan

Assigned address block: 2021:ABCD:1000::/36
  • Infrastructure: /40
  • Grid WAN Network: /40
    • CGR Loopbacks: /48
    • IPSec Tunnels: /48
  • RPL Mesh: /40
    • Mesh 1: /64, Mesh 2: /64, Mesh 3: /64, … Mesh n: /64

Meter farm in an underground concrete vault

Implementation of IPv6 NAT Strategies: Multi-Service Grid Network Involves Legacy Devices

Figure: at the head end, a SCADA/DMS server & application (native raw socket or IP/serial) and SCADA redirector software; across the IP WAN, the RPL root (CGR) into the mesh domain; at the edge, street lights and a mesh gateway router (IR510) whose serial interface connects to the RTU

IPv6 MAP-T (RFC 7599)

Figure: application server on the IPv6 network – IP WAN – MAP-T Border Router – CGR 1000 – mesh – MAP-T CPE

1. An IED makes a connection into the Mesh network via the Cisco IR500 router (either through Serial or Ethernet/IPv4)
2. The MAP-T CPE router (e.g. Cisco IR500 series router) NATs the connection into an IPv6 packet
3. The Connected Grid Router (CGR) forwards the IPv6 packet from the Mesh over a VPN tunnel to the headend
4. The MAP-T Border Router translates the IPv6 packet back to the original IPv4 packet and sends it toward the SCADA server
5. The IPv4 SCADA server terminates the connection and accepts the incoming SCADA packets

IPv6 MAP-T Example: Smart Grid

Figure: application server on the IPv6 network – IP WAN – MAP-T Border Router – CGR 1000 – 6LoWPAN / IPv6 mesh – MAP-T CPE. Application traffic (SCADA) is native IPv4 at both ends and MAP-T across the mesh and the WAN.
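The address and port mapping that MAP-T performs at the CPE and at the Border Router can be made concrete. The block below is an added example, not code from the slides or from the IR500/CGR products: it embeds an IPv4 address into the interface identifier of a /64 MAP-T prefix and recovers it again, using the address values that the NAT-process slide shows (10.1.0.60 and 153.10.10.254 carried in 2610:d0:1200:cafe::/64 and 2031:6f8:147e:1001::/64). The helper names, the restriction to /64 prefixes (the general MAP rule with embedded-address bits is not covered) and the Border Relay source check are assumptions.

```python
import ipaddress

# Prefixes taken from the NAT-process slide; /64 simplification is an assumption
CE_PREFIX = ipaddress.IPv6Network("2610:d0:1200:cafe::/64")    # MAP-T CPE side (IR500)
DMR_PREFIX = ipaddress.IPv6Network("2031:6f8:147e:1001::/64")  # Default Mapping Rule, SCADA server side


def embed_ipv4(prefix64, ipv4, psid=0):
    """Build the IPv6 address that carries an IPv4 address (and a PSID) inside a /64.

    64-bit interface identifier layout (RFC 7597 section 6; for psid=0 it is the same
    as the RFC 6052 /64 encoding the Default Mapping Rule uses):
        8 zero bits | 32-bit IPv4 address | 16-bit PSID | 8 zero bits
    """
    if prefix64.prefixlen != 64:
        raise ValueError("this helper only handles /64 MAP-T prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    iid = (v4 << 24) | ((psid & 0xFFFF) << 8)
    return ipaddress.IPv6Address(int(prefix64.network_address) | iid)


def extract_ipv4(ipv6):
    """Inverse of embed_ipv4: (IPv4 address as text, PSID) read back from the IID."""
    n = int(ipaddress.IPv6Address(ipv6))
    return str(ipaddress.IPv4Address((n >> 24) & 0xFFFFFFFF)), (n >> 8) & 0xFFFF


def cpe_translate(src4, dst4, sport, dport):
    """MAP-T CPE, IPv4 -> IPv6 direction: after NAT44 has produced the 10.1.0.60
    source, the IPv4 header is replaced by an IPv6 header whose addresses embed
    the IPv4 pair. Ports travel unchanged."""
    return (str(embed_ipv4(CE_PREFIX, src4)), str(embed_ipv4(DMR_PREFIX, dst4)), sport, dport)


def br_translate(src6, dst6, sport, dport):
    """MAP-T Border Relay, IPv6 -> IPv4 direction: both IPv4 addresses come back
    out of the embedded interface identifiers."""
    return (extract_ipv4(src6)[0], extract_ipv4(dst6)[0], sport, dport)


def br_accepts(src6):
    """Anti-spoofing check for the Border Relay (assumption): only sources inside a
    configured CE prefix may be translated, otherwise any IPv6 host could forge an
    arbitrary embedded IPv4 source address toward the SCADA server."""
    return ipaddress.IPv6Address(src6) in CE_PREFIX


if __name__ == "__main__":
    v6_flow = cpe_translate("10.1.0.60", "153.10.10.254", 20100, 18999)
    print("CPE  ->", v6_flow)                  # 2610:d0:1200:cafe:a:100:3c00:0 -> 2031:6f8:147e:1001:99:a0a:fe00:0
    print("BR   ->", br_translate(*v6_flow))   # back to 10.1.0.60 -> 153.10.10.254
```

Running it reproduces the two IPv6 addresses printed on the NAT-process slide, and the round trip shows why MAP-T is stateless: nothing has to be remembered at the Border Relay, the IPv4 addresses are recomputed from the IPv6 header on every packet.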

MAP-T NAT Process

Figure: SCADA server 153.10.10.254 – IPv6 network / IP WAN – MAP-T Border Relay – CGR 1000 – 6LoWPAN/RPL IPv6 mesh – MAP-T CPE (10.1.0.60) – device 192.168.0.2

Application protocols: DNP3/IP or Modbus TCP or IEC 60870-5-104

Native IPv4 on the device side, MAP-T across the mesh and the WAN, native IPv4 toward the SCADA server. Outgoing communication uses dynamic NAT44, incoming communication static NAT44.

1. Private IPv4 address on the device: source 192.168.0.2, destination 153.10.10.254, TCP src port 20100, dst port 18999
2. NAT44 on the gateway: source 10.1.0.60, destination 153.10.10.254, TCP src port 20100, dst port 18999
3. IPv4/IPv6 routing decision, then IPv4/IPv6 header translation: map IPv4 address & port to the IPv6 prefix and replace the IPv4 header with an IPv6 header: source 2610:d0:1200:cafe:a:100:3c00:0, destination 2031:6f8:147e:1001:99:a0a:fe00:0, TCP src port 20100, dst port 18999
4. Native IPv4 destination address after the Border Relay: source 10.1.0.60, destination 153.10.10.254, TCP src port 20100, dst port 18999

Case Study Conclusions – Case Study: BC Hydro’s Conversion to IPv6

• IPv6 made the mesh flatter and faster
  • Before IPv6: only 20% of meters were within 3 hops of the CGR, 60% were 6+ levels deep. Max depth was 30 levels
  • After IPv6: ~60% of meters within 3 hops of the CGR, with a max depth of 14 levels

Comparing to Full IPv6 After Conversion

Level    Pre-IPv6 application-layer   Difference between   Post-IPv6 average round   Difference between
         ping (non-IP) (msec)         levels (msec)        trip time (msec)          levels (msec)
CGR       2670
Rank 1    4000                        1330                 430.5
Rank 2    5000                        1000                 716.1                     285.7
Rank 3    7330                        2330                 1074                      357.5
Rank 4    8330                        1000                 1119                      45.05
Rank 5   11330                        3000
Average                               1732                                           279.69

Demand Response (DR) Load Controller

• Power generation and consumption must always be kept in balance
• During periods of high power draw (peaking), energy consumption needs to be reduced to avoid brownouts
• Demand Response allows control of high energy consumption devices on the grid
• The DR device connected to the water heater is connected to the FAN mesh (e.g. via the meter on the home)

IPv6 Street Lighting

IPv6 Security

Eric Vyncke @evyncke

Transitions... Security matters!

85 hours of supervised flying, and still learning while having fun ☺ (many many years later at KHAF; source: Wikipedia)

At my first job... DECnet 1.100, Ethernet AA-00-04-00-64-04
Many years later... IPv6 2001:41d0:8:e1a2::1, IPv6 solicited-node multicast ff02::1:ff00:1, Ethernet 33-33-FF-00-00-01

IPv6 Security Myths… IPv6 Myths: Better, Faster, More Secure

Sometimes, newer means better and more secure.

Sometimes, experience IS better and safer!

Source: clip-art gallery

The Absence of Reconnaissance Myth

• Default subnets in IPv6 have 2^64 addresses
  • At 10 Mpps = more than 50 000 years

Source: Microsoft clip-art gallery

Reconnaissance in IPv6: Scanning Methods Will Change

• If using EUI-64 addresses, just scan 2^48
  • Or even 2^24 if the vendor OUI is known...
• Public servers will still need to be DNS reachable
  • More information collected by Google...
• Increased deployment/reliance on dynamic DNS
• More information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Harvest NTP client addresses by becoming a member of pool.ntp.org
• Administrators may adopt easy-to-remember addresses
  • ::1, ::80, ::F00D, ::C5C0, :ABBA:BABE or simply the IPv4 last octet for dual-stack
• By compromising hosts in a network, an attacker can learn new addresses to scan

Source: Microsoft clip-art gallery

Scanning Made Bad for CPU: Remote Neighbor Cache Exhaustion (RFC 6583)

Potential router CPU/memory attacks if aggressive scanning

• Router will do Neighbor Discovery… and waste CPU and memory

Figure: packets for 2001:db8::1, 2001:db8::2, 2001:db8::3, … arrive from the Internet for the 2001:db8::/64 link; for each address the router sends a Neighbor Solicitation (NS: 2001:db8::1, NS: 2001:db8::2, NS: 2001:db8::3, …) and keeps a neighbor cache entry waiting for an answer that never comes

Mitigating Remote Neighbor Cache Exhaustion (For Your Reference)

• Built-in rate limiter with options to tune it
  • Since 15.1(3)T: ipv6 nd cache interface-limit
  • Or IOS-XE 2.6: ipv6 nd resolution data limit
  • Destination-guard is part of First Hop Security
  • Priority given to refreshing existing entries vs. discovering new ones
• Using a /64 on point-to-point links => a lot of addresses to scan!
  • Using /127 helps (RFC 6164) or even link-local addresses only (RFC 7404)
• Internet edge/presence: a target of choice
  • Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
• Using an infrastructure ACL prevents this scanning
  • iACL: edge ACL denying packets addressed to your routers
  • Easy with IPv6 because of the new addressing scheme ☺

http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1

The IPsec Myth: IPsec End-to-End will Save the World

• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 6434: “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows...
  • Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  • Network telemetry is blinded: NetFlow of little use
  • Network services hindered: what about QoS or AVC?

Recommendation: do not use IPsec end to end within an administrative domain.

Suggestion: reserve IPsec for residential or hostile environments or high-profile targets, EXACTLY as for IPv4.

Is there NAT for IPv6? – “I need it for security”

• Network Prefix Translation, NPTv6, RFC 6296
  • 1:1 stateless prefix translation allowing all inbound/outbound packets
  • Main use case: multi-homing (see first section)
• Else, the IETF has not specified any N:1 stateful translation (aka overload NAT or NAPT) for IPv6
• Do not confuse stateful firewall and NAPT* even if they are often co-located
• Nowadays, NAPT (for IPv4) does not help security
  • Host OS are way more resilient than in 2000
  • Hosts are mobile and cannot always be behind your ‘controlled NAPT’
  • Malware is not injected from ‘outside’ but fetched from the ‘inside’ by visiting weird sites or installing any trojanized application

* NAPT = Network Address and Port Translation

“By looking at the IP addresses in the Torpig headers we are able to determine that 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall. We identified these hosts by using the non-publicly routable IP addresses listed in RFC 1918: 10/8, 192.168/16, and 172.16-172.31/16”

Stone-Gross et al., “Your Botnet is My Botnet: Analysis of a Botnet Takeover”, 2009 http://www.cs.ucsb.edu/~rgilbert/pubs/torpig_ccs09.pdf

NAT does not Protect IoT

“Early 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with Mirai bot code was discovered. The number of IoT devices which were previously safely hidden inside corporate perimeters, vastly exceeds those directly accessible from the Internet, allowing for the creation of botnets with unprecedented reach and scale.”

“The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?”, Steinthor Bjarnason, Arbor Networks, DEFCON 25

PCI DSS 3.0 Compliance and IPv6

• Payment Card Industry Data Security Standard (latest revision November 2013):
  • Requirement 1.3.8: Do not disclose private IP addresses and routing information to unauthorized parties.
  • Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT) ...
  • The controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.
• ➔ How to comply with PCI DSS
  • Application proxies or SOCKS
  • Strict data plane filtering with ACL
  • Strict routing plane filtering with BGP route-maps
• Cisco IPv6 design for PCI with IPv6
  • http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DG/PCI_20_DG.pdf

Shared Issues: ICMPv4 vs. ICMPv6

ICMP Message Type                   ICMPv4   ICMPv6
Connectivity Checks                   ✓        ✓
Informational/Error Messaging         ✓        ✓
Fragmentation Needed Notification     ✓        ✓
Address Assignment                             ✓
Address Resolution                             ✓
Router Discovery                               ✓
Multicast Group Management                     ✓
Mobile IPv6 Support                            ✓

• Significant changes
• More relied upon

=> ICMP policy on firewalls needs to change

Generic ICMPv4 Border Firewall Policy

Figure: Internet – border firewall – internal server A

Action   Src   Dst   ICMPv4 Type   ICMPv4 Code   Name
Permit   Any   A     0             0             Echo Reply
Permit   Any   A     8             0             Echo Request
Permit   Any   A     3             0             Dst. Unreachable – Net Unreachable
Permit   Any   A     3             4             Dst. Unreachable – Frag. Needed
Permit   Any   A     11            0             Time Exceeded – TTL Exceeded

Equivalent ICMPv6 (RFC 4890): Border Firewall Transit Policy

Figure: Internet – border firewall – internal server A

Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   A     128           0             Echo Reply
Permit   Any   A     129           0             Echo Request
Permit   Any   A     1             0             Unreachable
Permit   Any   A     2             0             Packet Too Big
Permit   Any   A     3             0             Time Exceeded – HL Exceeded
Permit   Any   A     4             0             Parameter Problem

Echo Reply/Request are needed for Teredo traffic.

Potential Additional ICMPv6 (RFC 4890): Border Firewall Transit Policy

Figure: Internet – firewall B – internal server A

Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   B     2             0             Packet Too Big          } for traffic generated
Permit   Any   B     4             0             Parameter Problem       } locally by the device
Permit   Any   B     130–132       0             Multicast Listener
Permit   Any   B     135/136       0             Neighbor Solicitation and Advertisement
Deny     Any   Any

Remote NDP Floods...

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6 (May 2015)
• RFC 4890 is a little too open
• RFC 4861 (Neighbor Discovery)
  • Hop Limit MUST be 255
  • Source should be a link-local, unspecified or global address belonging to the link, and not "any"

IPv6 Attacks with Strong IPv4 Similarities

Good news: IPv4 IPS signatures can be re-used

• Sniffing
  • IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
  • The majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices
  • Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
  • Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
  • Flooding attacks are identical between IPv4 and IPv6

Enforcing a Security Policy: IOS IPv6 Extended ACL

• Can match on
  • Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type
  • TCP flags SYN, ACK, FIN, PUSH, URG, RST
  • Traffic class (only six bits of 8) = DSCP, Flow label (0–0xFFFFF)
• IPv6 extension headers
  • routing matches any RH, routing-type matches a specific RH
  • mobility matches any MH, mobility-type matches a specific MH
  • dest-option matches any destination options
  • auth matches AH
  • hbh matches hop-by-hop (since 15.2(3)T)
• fragments keyword matches
  • Non-initial fragments (same as IPv4)
• undetermined-transport keyword does not match
  • if TCP/UDP/SCTP and ports are in the fragment
  • if ICMP and type and code are in the fragment
  • Everything else matches (including OSPFv3, …)
  • Only for deny ACE

Check your platform & release as your mileage can vary…

IPv6 ACL Implicit Rules (RFC 4890)

• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:

  ...
  permit icmp any any nd-na
  permit icmp any any nd-ns

• This is different on IOS XE (i.e. ASR1k): no default permit of ND / NA packets

IPv6 ACL Implicit Rules – Cont. Adding a deny-log

• The beginner’s mistake is to add a deny log at the end of an IPv6 ACL:

  . . .
  ! Now log all denied packets
  deny ipv6 any any log
  ! Heu . . . I forgot about these implicit lines
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any

• Solution: explicitly add the implicit ACEs before the deny-log:

  . . .
  ! Now log all denied packets
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log

Check the behavior of the different IOS versions based on the hitchhiker’s guide, BRKRST-3304.

ASA Firewall IPv6 Support (For Your Reference)

• Since version 7.0! (April 2005)
• IPv6 header security checks (length & order)
• Management access via IPv6: Telnet, SSH, HTTPS, ASDM
• Routed & transparent mode, fail-over
• v6 App inspection includes: DNS, FTP, HTTP, ICMP, SIP, SMTP, and IPSec pass-through
• IPv6 support for site-to-site VPN tunnels was added in 8.3 (IKEv1 in ASA 8.3.1, and IKEv2 in ASA 8.4.1)
• Selective permit/deny of extension headers (ASA 8.4.2)
• OSPFv3, DHCPv6 relay, stateful NAT64/46/66, mixed mode objects (ASA 9.0)

RFC 8200 & DHCP-PD on ASA 9.10

  interface GigabitEthernet1/1
   nameif outside
   security-level 0
   ipv6 address dhcp default
   ipv6 enable
   ipv6 nd suppress-ra
   ipv6 dhcp client pd hint ::/48
   ipv6 dhcp client pd ISP
  !
  interface GigabitEthernet1/2
   nameif inside
   security-level 100
   ipv6 address ISP ::1/64
   ipv6 address autoconfig
   ipv6 enable
  !

• Allow ASA to process packets with a hop limit of 0 (follow RFC 8200): CSCvi46759
• Fixing some bugs in the same shot (DHCP packets sent with HL=0 by some CMTS)
• Alas, general-prefix cannot be used in ACL...

Check with:

  # show ipv6 general-prefix

Firepower Management Center: Extension Header (Flexconfig)

  policy-map type inspect ipv6 inspect_ipv6_fc_pmap
   parameters
    verify-header type
    verify-header order
   match header esp
    log
   match header fragment
    drop
   match header ah
    log
   match header destination-option
    log
   match header hop-by-hop
    drop log
   match header routing-type eq 2
    log
   match header routing-type eq 3
    drop
   match header routing-type eq 4
    drop log

Firepower Management Center Mixed Mode Objects

Spam over IPv6

• Spammers are also using IPv6 of course...
  • Probably even without knowing it!

Botnet member or open relay from Germany:

  Nov 14 00:44:18 ks postfix/smtpd[22843]: connect from unknown[2a01:4f8:d16:4351::2]
  Nov 14 00:44:18 ks postfix/smtpd[22843]: A5CDC155: client=unknown[2a01:4f8:d16:4351::2]
  Nov 14 00:44:18 ks postfix/cleanup[22847]: A5CDC155: message-id=
  Nov 14 00:44:18 ks postfix/qmgr[3578]: A5CDC155: from=, size=27742, nrcpt=1 (queue active)

• So, we need to fight IPv6 spam!
  • Content filtering: nothing has changed
  • Sender authentication (DKIM, SPF, DMARC) works with IPv6
  • Sender reputation works with Cisco Senderbase / Talos

TalosIntelligence and IPv6: It Works ☺

No geolocation yet though (albeit Maxmind supports IPv6)

Not a lot of data yet... PLEASE HELP

Anti-Spam Black Lists also Support IPv6 (For Your Reference)

ISE 2.6 Adding More IPv6 (see BRKSEC-3018)

Per-User ACL
  • ACL rules defined on the RADIUS Server
  • Cisco AVP, limited to 4000 characters
  • Centralised policy management
  • IPv4: YES – Cisco AVP: “ip:inacl#1=permit ip any any”
  • IPv6: YES – Cisco AVP: “ipv6:inacl#1=permit ipv6 any any”

Downloadable ACL
  • ACL on the RADIUS Server
  • Cisco AVP, no limit on ACL size
  • Centralised policy management
  • IPv4: YES – Cisco AVP: "#ACSACL#-IP-ACL_NAME-
  • IPv6: YES – Cisco AVP: "#ACSACL#Not Applicable-IPv6-ACL_NAME-

Summary of Cisco IPv6 Security Products

• ASA Firewall (since version 7.0, released 2005)
  • Extension header filtering and inspection (ASA 8.4.2)
  • Dual-stack ACL & object grouping (ASA 9.0)
• FirePower Threat Defence (FTD): no IPv6 inspection support on the GUI (FlexConfig), no management over IPv6
• FirePower Device Manager (FDM): no IPv6 support
• FirePower NGIPS provides a decoder for IPv4 & IPv6 network packets
• Email Security Appliance (ESA): IPv6 support since 7.6.1 (May 2012)
• Web Security Appliance (WSA) with explicit and transparent proxy
• Cisco Umbrella: answers AAAA but cannot manage policy for IPv6
• Cisco Threat Defense / StealthWatch: mostly forever, including SMC
• ISE 2.2 added IPv6 support, more with 2.6
• Meraki: growing IPv6 support

“Scapy” Introduction: Packet Forgery with SCAPY /1

• Scapy is an open source packet forgery tool built on Python
• Powerful albeit complex to understand and to use:

  evyncke@host1:~# scapy
  Welcome to Scapy (2.1.0)
  >>> target="2001:db8:23:0:60de:29ff:fe15:2"
  >>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")
  >>> sr1(packet)
  Begin emission:
  Finished to send 1 packets.
  Received 2 packets, got 1 answers, remaining 0 packets
  >

Packet Forgery with SCAPY /2

• Variables can be assigned a value with “=”
• Packets are built with the concatenation operator “/”
• Headers are instantiated with default values (such as source address, checksum, next header, length, ...); all can be overwritten
• Packets can be displayed in various formats: ls(), packet.show()
• Packets can be sent by
  • send(): simply send it
  • sr1(): send it and wait for one reply

  >>> target="2001:db8:23:0:60de:29ff:fe15:2"
  >>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")

“Playing” with Extension Headers: IPv6 Header Manipulation

• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  • More boundary conditions to exploit
  • Can I overrun buffers with a lot of extension headers?
  • Mitigation: a firewall such as ASA/FTD which can filter on headers

Figure: a perfectly valid IPv6 packet according to the sniffer, containing a header which should only appear once, a Destination Options header which should occur at most twice, and a header which should be the last one

http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Parsing the Extension Header Chain

• Finding the layer 4 information is not trivial in IPv6
  • Skip all known extension headers
  • Until either a known layer 4 header is found => MATCH
  • Or an unknown extension header/layer 4 header is found... => NO MATCH

  IPv6 hdr | HopByHop | Routing | AH | TCP | data          => MATCH
  IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???    => NO MATCH

Fragment Header: IPv6

  IPv6 Basic Header (Next Header = 44) | Fragment Header | Fragment Data
  Fragment Header fields: Next Header | Reserved | Fragment Offset | Identification

• In IPv6 fragmentation is done only by the end system
  • Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• Reassembly done by end system like in IPv4
• RFC 5722/8200: overlapping fragments => MUST drop the packet. Most OS implement it since 2012
• Attackers can still fragment in intermediate systems on purpose
• ==> a great obfuscation tool

Fragmentation Used in IPv4 by Attackers... Also applicable to IPv6 of course

• Great evasion techniques
  • Some firewalls do not process fragments except for the first one
  • Some firewalls cannot detect overlapping fragments with different content
  • IPv4 tools like whisker, fragroute, etc.
• Makes firewall and network intrusion detection harder
• Used mostly in DoSing hosts, but can be used for attacks that compromise the host
  • Send a fragment to force state (buffers, timers) in the OS
• See also: http://insecure.org/stf/secnet_ids/secnet_ids.html (1998!)

Parsing the Extension Header Chain: Fragments and Stateless Filters

• Layer 4 information could be in the 2nd fragment
• But stateless firewalls cannot find it if a previous extension header is fragmented

  IPv6 hdr | HopByHop | Routing | Fragment1 | Destination …
  IPv6 hdr | HopByHop | Routing | Fragment2 | … Destination | TCP | Data

Layer 4 header is in the 2nd fragment; stateless filters have no clue where to find it!

• RFC 6980: “nodes MUST silently ignore NDP … if packets include a fragmentation header”
• RFC 7112: “A host that receives a First Fragment that does not satisfy… SHOULD discard the packet”
• RFC 8200: “If the first fragment does not include all headers through an Upper-Layer header, then that fragment should be discarded”

Fragment Obfuscation with Scapy & Tcpdump

  >>> packet=IPv6(dst=dst)/IPv6ExtHdrDestOpt(options=PadN(optdata='A'*20))/TCP(sport=sport,dport=22,flags="S", seq=100)
  >>> frag1=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=1, offset=0)/str(packet)[40:48]
  >>> frag2=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=0, offset=1)/str(packet)[48:84]
  >>> send(frag1)
  >>> send(frag2)

  IP6 (hlim 64, next-header Fragment (44) payload length: 16) 2001:...:1 > 2001:...:2: frag (0xabbababe:0|8) [|DSTOPT]
  0x0000: 6000 0000 0010 2c40 2001 0db8 0001 0000  `.....,@......
  0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000  `.)...... #..
  0x0020: 60de 29ff fe15 0002 3c00 0001 abba babe  `.).....<......
  0x0030: 0602 0114 4141 4141                      ....AAAA

  IP6 (hlim 64, next-header Fragment (44) payload length: 44) 2001:...:1 > 2001:...:2: frag (0xabbababe:8|36)
  0x0000: 6000 0000 002c 2c40 2001 0db8 0001 0000  `....,,@......
  0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000  `.)...... #..
  0x0020: 60de 29ff fe15 0002 3c00 0008 abba babe  `.).....<......
  0x0030: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
  0x0040: 47b3 0016 0000 0064 0000 0000 5002 2000  G...... d....P...
  0x0050: da35 0000

Let’s Try the Naive ACL...

  ipv6 access-list NO_SSH
   deny tcp any any eq 22 log
   permit ipv6 any any

tcpdump on the target shows both fragments arriving:

  IP6 (hlim 62, next-header Fragment (44) payload length: 16) 2001:..:1 > 2001:..:2: frag (0xabbababe:0|8) [|DSTOPT]
  IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)

SSH accepts the connection and replies:

  IP6 (hlim 64, next-header TCP (6) payload length: 24) 2001:...:2.22 > 2001:...:1.18355: Flags [S.], cksum 0x138c (correct), seq 621319016, ack 101, win 5760, options [mss 1440], length 0

IPv6 Fragmentation & IOS ACL

• Matching against the first fragment is non-deterministic:
  • the layer 4 header might not be there but in a later fragment
  • Need for stateful inspection
• fragment keyword matches
  • Non-initial fragments (same as IPv4), permitted by default
• undetermined-transport keyword does not match
  • if non-initial fragment
  • or if TCP/UDP/SCTP and ports are in the 1st fragment
  • or if ICMP and type and code are in the 1st fragment
  • Everything else matches (including OSPFv3, RSVP, GRE, ESP, EIGRP, PIM …)
  • Only for deny ACE
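The header-chain walk of the "Parsing the Extension Header Chain" slides and the undetermined-transport semantics above can be reproduced exactly on the two fragments from the Scapy/tcpdump example. The block below is an added example, not code from the slides or from IOS: it walks the chain the way a stateless filter must, classifies each packet as "layer 4 found", "non-initial fragment" or "undetermined", reassembles the fragments the way the receiving host does (rejecting overlaps per RFC 5722/8200), and compares the naive NO_SSH ACL with the undetermined-transport variant. The sample bytes are the hex dump from the slide; function names and the tuple-shaped return values are assumptions.

```python
import struct

# Protocol numbers for the headers the walker understands
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPT, SCTP = 0, 6, 17, 43, 44, 51, 58, 60, 132
SKIPPABLE = {HOPOPT, ROUTING, DSTOPT, AH}   # extension headers a filter can step over
PORTED = {TCP, UDP, SCTP}                    # upper layers whose ports an ACL matches


def walk_chain(pkt):
    """Walk the header chain of one IPv6 packet or fragment as a stateless filter must.
    Returns ("l4", proto, sport, dport)  upper-layer header reached (ICMPv6: type, code)
            ("non_initial_fragment",)    offset != 0: no upper layer here by design
            ("undetermined", proto)      chain truncated (first fragment without its
                                         upper-layer header) or ends in a header we cannot
                                         skip: what IOS calls undetermined-transport"""
    nh, pos = pkt[6], 40                          # Next Header field, end of fixed header
    while True:
        if nh in PORTED:
            if pos + 4 > len(pkt):
                return ("undetermined", nh)
            return ("l4", nh) + struct.unpack("!HH", pkt[pos:pos + 4])
        if nh == ICMPV6:
            if pos + 2 > len(pkt):
                return ("undetermined", nh)
            return ("l4", nh, pkt[pos], pkt[pos + 1])
        if nh == FRAGMENT:
            if pos + 8 > len(pkt):
                return ("undetermined", nh)
            offlg = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
            if offlg >> 3:                        # 13-bit offset in 8-octet units
                return ("non_initial_fragment",)
            nh, pos = pkt[pos], pos + 8           # first fragment: keep walking what is present
            continue
        if nh in SKIPPABLE:
            if pos + 2 > len(pkt):
                return ("undetermined", nh)
            next_nh, ext_len = pkt[pos], pkt[pos + 1]
            # AH counts 4-octet words minus 2, the other headers 8-octet units minus 1
            length = (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
            if pos + length > len(pkt):
                return ("undetermined", nh)       # header spills past this fragment
            nh, pos = next_nh, pos + length
            continue
        return ("undetermined", nh)               # ESP, No Next Header, OSPFv3, GRE, ...


def reassemble(fragments):
    """Host-side reassembly of one packet's fragments. Any overlap or gap raises,
    i.e. the packet is dropped as RFC 5722 / RFC 8200 require."""
    pieces = []
    for frag in fragments:
        if frag[6] != FRAGMENT:
            raise ValueError("not a fragment")
        offlg, ident = struct.unpack("!HI", frag[42:48])
        pieces.append(((offlg >> 3) * 8, offlg & 1, frag[40], ident, frag[48:]))
    pieces.sort(key=lambda p: p[0])
    payload, expected = b"", 0
    for offset, more, next_nh, ident, data in pieces:
        if offset != expected or ident != pieces[0][3]:
            raise ValueError("overlapping or gapped fragments: drop")
        payload, expected = payload + data, expected + len(data)
    if pieces[-1][1] != 0:
        raise ValueError("last fragment (M=0) missing")
    hdr = bytearray(fragments[0][:40])
    hdr[4:6] = struct.pack("!H", len(payload))    # new payload length
    hdr[6] = pieces[0][2]                          # Next Header taken from the fragment header
    return bytes(hdr) + payload


def naive_acl_denies(pkt):
    """'deny tcp any any eq 22' then 'permit ipv6 any any': denies only what is provably TCP/22."""
    r = walk_chain(pkt)
    return r[0] == "l4" and r[1] == TCP and r[3] == 22


def hardened_acl_denies(pkt):
    """The same ACL with 'deny ipv6 any any undetermined-transport' in front of it."""
    return walk_chain(pkt)[0] == "undetermined" or naive_acl_denies(pkt)


# Sample input: the two fragments from the tcpdump hex dump on the slide
FRAG1 = bytes.fromhex(
    "6000 0000 0010 2c40 2001 0db8 0001 0000 60de 29ff fe15 0001"
    "2001 0db8 0023 0000 60de 29ff fe15 0002 3c00 0001 abba babe"
    "0602 0114 4141 4141")
FRAG2 = bytes.fromhex(
    "6000 0000 002c 2c40 2001 0db8 0001 0000 60de 29ff fe15 0001"
    "2001 0db8 0023 0000 60de 29ff fe15 0002 3c00 0008 abba babe"
    "4141 4141 4141 4141 4141 4141 4141 4141"
    "47b3 0016 0000 0064 0000 0000 5002 2000 da35 0000")

if __name__ == "__main__":
    print(walk_chain(FRAG1), walk_chain(FRAG2))        # ('undetermined', 60) ('non_initial_fragment',)
    print(walk_chain(reassemble([FRAG1, FRAG2])))       # ('l4', 6, 18355, 22)
```

The first fragment stops at a 24-byte Destination Options header of which only 8 bytes are present, so the walker cannot reach TCP and the naive ACL lets it through; only the reassembled packet is provably TCP/22. With undetermined-transport in front, the first fragment is denied while the second (a non-initial fragment) still passes, which is exactly the %IPV6_ACL-6-ACCESSLOGSP log line and the lone second fragment seen on the next slide.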

TECRST-2001 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 146 Let’s Try undetermined-transport...

ipv6 access-list NO_SSH2
 deny ipv6 any any undetermined-transport log
 deny tcp any any eq 22 log
 permit ipv6 any any

%IPV6_ACL-6-ACCESSLOGSP: list NO_SSH2/10 denied tcp 2001:...:1 -> 2001:...:2, 1 packet

The 1st fragment is not received...

IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)

Reassembly fails after time-out; the connection is never established.
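The decision the last three slides walk through (is the layer-4 header reachable in the first fragment?) as an added example that is not part of the Cisco Live deck: classify() mimics the undetermined-transport test and reassemble() shows why the end host still saw a plain SYN to port 22. The two fragments are re-typed from the tcpdump hex dumps above; the function names are this example's own, not IOS commands.

```python
"""Walk an IPv6 header chain the way a stateless ACL has to.
Added example, not from the deck: classify() reproduces the IOS
undetermined-transport decision (RFC 7112); reassemble() rebuilds what the
host sees.  Both fragments are re-typed from the hex dumps above."""
import struct

HOPOPT, ROUTING, FRAGMENT, AH, DSTOPT = 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPT}
NEEDED = {6: 4, 17: 4, 132: 4, 58: 2}  # bytes an ACL must read: ports / type+code

# 1st fragment: Fragment header (offset 0, M=1) + 8 bytes of a Destination
# Options header claiming 24 bytes, which pushes TCP into the 2nd fragment.
FRAG1 = bytes.fromhex(
    "6000 0000 0010 2c40 2001 0db8 0001 0000 60de 29ff fe15 0001"
    "2001 0db8 0023 0000 60de 29ff fe15 0002 3c00 0001 abba babe"
    "0602 0114 4141 4141")
# 2nd fragment: rest of the options, then the TCP SYN 18355 -> 22.
FRAG2 = bytes.fromhex(
    "6000 0000 002c 2c40 2001 0db8 0001 0000 60de 29ff fe15 0001"
    "2001 0db8 0023 0000 60de 29ff fe15 0002 3c00 0008 abba babe"
    "4141 4141 4141 4141 4141 4141 4141 4141 47b3 0016 0000 0064"
    "0000 0000 5002 2000 da35 0000")

def classify(pkt: bytes) -> dict:
    """'transport' (L4 selectors readable), 'non-initial' (fragment offset
    != 0) or 'undetermined-transport' (header chain cut short)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, plen = pkt[6], struct.unpack("!H", pkt[4:6])[0]
    off, end = 40, min(40 + plen, len(pkt))
    while nh in EXT_HEADERS:
        if off + 8 > end:                    # every extension header >= 8 bytes
            return {"kind": "undetermined-transport", "proto": nh}
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return {"kind": "non-initial", "proto": nh}
            size = 8
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4    # AH length is in 32-bit words
        else:
            size = (pkt[off + 1] + 1) * 8    # RFC 8200 extension header length
        if off + size > end:                 # header claims bytes not carried
            return {"kind": "undetermined-transport", "proto": nh}
        nh, off = pkt[off], off + size
    if off + NEEDED.get(nh, 0) > end:
        return {"kind": "undetermined-transport", "proto": nh}
    res = {"kind": "transport", "proto": nh}
    if nh in (6, 17, 132):
        res["sport"], res["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    elif nh == 58:
        res["type"], res["code"] = pkt[off], pkt[off + 1]
    return res

def reassemble(frags):
    """Join fragments whose Fragment header directly follows the IPv6 header
    (as in the capture); contiguity and overlap are not checked here."""
    pieces, inner_nh = {}, None
    for f in frags:
        plen = struct.unpack("!H", f[4:6])[0]
        byte_off = (struct.unpack("!H", f[42:44])[0] >> 3) * 8
        inner_nh, pieces[byte_off] = f[40], f[48:40 + plen]
    body = b"".join(pieces[k] for k in sorted(pieces))
    hdr = frags[0][:40]
    return hdr[:4] + struct.pack("!HB", len(body), inner_nh) + hdr[7:] + body
```

Run classify() on FRAG1 to get undetermined-transport, on FRAG2 to get non-initial, and on reassemble([FRAG1, FRAG2]) to get TCP 18355 to 22, the three states a stateless ACL has to tell apart.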

Is it the End of the World?

• The lack of a fast, wire-speed stateless ACL is bad news of course

• The IETF made a 1st IPv6 fragment without layer-4 header invalid: it SHOULD be dropped by the receiving host and MAY be dropped by routers
  • RFC 7112 (born as draft-ietf-6man-oversized-header-chain)
  • RFC 8200 (the new IPv6 standard)

• Use of undetermined-transport is strongly recommended

• ASA/FTD always drops such an initial fragment

• If not supported, consider:
  • Bidirectional traffic (TCP, ...): block in the other direction using the source port
  • On an intermediate router: permit TCP, ICMP, UDP, ... hence blocking everything else (including a 1st fragment without layer-4)

Extension Header Security Policy

• Whitelist approach for your traffic
  • Only allow the REQUIRED extension headers (and types), for example:
    • Fragmentation header
    • Routing header type 2 & destination option (when using Mobile IPv6)
    • IPsec ☺ AH and ESP
    • And layer 4: ICMPv6, UDP, TCP, GRE, ...
  • If your firewall is capable:
    • Drop 1st fragment without layer-4 header
    • Drop routing header type 0
    • Drop/ignore hop-by-hop

• See also draft-ietf-opsec-ipv6-eh-filtering

Extension Header Loss over the Internet

• End users SHOULD filter packets with extension headers

• But, what are your ISP and its transit provider doing to your packets?


• RFC 7872
  • About 20-40% of packets with an Extension Header are dropped over the Internet
  • New study to be done before IETF-104

More on dual-stack networks

Enabling IPv6 in the IPv4 Data Center: The Fool’s Way

[Diagram: Internet, a router and four servers, each with a different IPv4 host firewall]
1) I want IPv6, send RA
2) Sending RA with prefix for auto-configuration
3) Yahoo! IPv6 ☺ (on all four servers)
4) Default protection…
   • IPv4 protection: iptables / Packet filter / Security center
   • IPv6 protection: No ip6tables ✗ / Packet filter ✔ / Security center ✔

Before Mac OS X 10.7, ipfw was IPv4 only….

Enabling IPv6 in the IPv4 Data Center: The Right Way

[Diagram: Internet, a router and four servers]
1) I want IPv6, send RA
2) Sending RA with “no auto-config”
3) Yahoo! Static IPv6 address (on the one server configured for it); No IPv6 SLAAC (on the three others)
   • IPv4 protection: iptables / Packet filter / Security center

Vulnerability Scanning in a Dual-Stack World

• Finding all hosts:
  • Address enumeration does not work for IPv6
  • Need to rely on DNS or NDP caches or NetFlow

• Vulnerability scanning
  • IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
  • Some services are single stack only (currently mostly IPv4 but who knows...)
  • Personal firewall rules could be different between IPv4/IPv6

• Vulnerability scanning MUST be done for both IPv4 & IPv6, even in an IPv4-only network
  • IPv6 link-local addresses are active by default

L3-L4 Spoofing in IPv6

• Most IPv4/IPv6 transition mechanisms have no authentication built in

• => an IPv4 attacker can inject IPv6 traffic by spoofing both the IPv4 and the IPv6 addresses

[Diagram: Server A in an IPv6 network, an IPv6-in-IPv4 tunnel across the public IPv4 Internet between two tunnel terminations, Server B in the remote IPv6 network]
• IPv6 ACLs are ineffective since IPv4 & IPv6 addresses are spoofed
• The tunnel termination forwards the inner IPv6 packet

Telemetry

Available Tools

• Similar to IPv4 telemetry

• SNMP MIB
  • Not always available yet on Cisco gear

• Flexible NetFlow for IPv6
  • Available in: 12.4(20)T, 12.2(33)SRE
  • Public domain tools: nfsen, nfdump, nfcapd…
  • Cisco Threat Defense

• Model Driven Telemetry (YANG, OpenConfig, gRPC, ....)

Cisco IOS IPv6 MIB Implementation (For Your Reference)

MIB                 Original (IPv4 only)   Protocol Version Independent (PVI)
IP FWD (ROUTES)     RFC 2096               rfc2096-update = RFC 4292
IP and ICMP         RFC 2011               rfc2011-update = RFC 4293 (IP-MIB)
TCP                 RFC 2012               rfc2012-update = RFC 4022
UDP                 RFC 2013               rfc2013-update = RFC 4113

IPv4/IPv6 stats can be monitored from CLI “show interface accounting” on most platforms

Using SNMP to Read the IPv4/IPv6 Neighbor Cache

evyncke@charly:~$ snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.2" = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.3" = STRING: 0:23:48:2f:93:24
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.4" = STRING: 0:80:c8:e0:d4:be
...
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3
...
evyncke@charly:~$ snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable
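Turning that walk into the host inventory the scanning slide asks for, as an added example that is not part of the deck: Net-SNMP prints the InetAddressIPv6 index as 16 colon-separated bytes and the MAC without zero padding, so both are normalised before IPv4 and IPv6 entries of one host are joined. SAMPLE is constructed in the slide's output format with documentation addresses.

```python
"""Parse IP-MIB ipNetToPhysicalPhysAddress output into hosts keyed by MAC.
Added example, not from the deck; SAMPLE is constructed in the same format
as the snmpwalk output above."""
import ipaddress
import re
from collections import defaultdict

LINE = re.compile(
    r'ipNetToPhysicalPhysAddress\.(\d+)\.(ipv4|ipv6)\."([^"]+)"\s*=\s*STRING:\s*(\S+)')

SAMPLE = """\
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.2" = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.3" = STRING: 0:23:48:2f:93:24
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."20:01:0d:b8:00:00:00:00:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."20:01:0d:b8:00:00:00:00:02:13:c4:ff:fe:43:cf:0e" = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."fe:80:00:00:00:00:00:00:02:13:c4:ff:fe:43:cf:0e" = STRING: 0:13:c4:43:cf:e
"""


def norm_mac(text):
    """'0:13:c4:43:cf:e' -> '00:13:c4:43:cf:0e' so MACs compare as strings."""
    return ":".join(f"{int(b, 16):02x}" for b in text.split(":"))


def norm_addr(family, text):
    """ipv6 index bytes -> RFC 5952 text; ipv4 stays a validated dotted quad."""
    if family == "ipv6":
        return ipaddress.IPv6Address(bytes.fromhex(text.replace(":", ""))).compressed
    return ipaddress.IPv4Address(text).compressed


def parse_neighbors(output):
    """Return (ifIndex, family, address, mac) for every neighbor-cache entry."""
    rows = []
    for m in LINE.finditer(output):
        ifidx, fam, addr, mac = m.groups()
        rows.append((int(ifidx), fam, norm_addr(fam, addr), norm_mac(mac)))
    return rows


def hosts_by_mac(output):
    """Group all addresses seen for one MAC: the dual-stack correlation needed
    before scanning every address a host actually has."""
    hosts = defaultdict(lambda: {"ipv4": set(), "ipv6": set()})
    for _, fam, addr, mac in parse_neighbors(output):
        hosts[mac][fam].add(addr)
    return dict(hosts)
```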

Flexible Flow Record: IPv6 Key Fields (For Your Reference)

IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version

Routing: Destination AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop

Flow: Sampler ID, Direction

Interface: Input, Output

Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, UDP Message Length, UDP Source Port, UDP Destination Port, TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG

Flexible Flow Record: IPv6 Extension Header Map

Bit(s)   11-31   10    9    8     7     6     5     4     3      2    1      0
Field    Res     ESP   AH   PAY   DST   HOP   Res   UNK   FRA0   RH   FRA1   Res

▪ FRA1: Fragment header, not first fragment
▪ RH: Routing header
▪ FRA0: Fragment header, first fragment
▪ UNK: Unknown Layer 4 header (compressed, encrypted, not supported)
▪ HOP: Hop-by-hop extension header
▪ DST: Destination Options extension header
▪ PAY: Payload compression header
▪ AH: Authentication header
▪ ESP: Encapsulating Security Payload header
▪ Res: Reserved

Flexible NetFlow: Exporter, Record and Monitor

flow exporter FLOW-EXPORTER
 destination 2001:db8::1                        <<< IPv6 is supported
 transport udp 9995
flow record FLOW-RECORD
 match ipv6 source address                      <<< key fields
 match ipv6 destination address
 match ipv6 protocol
 collect counter bytes                          <<< non key fields
 collect counter packets
 collect datalink mac source address input      <<< can also collect MAC addresses ;-)
flow monitor FLOW-MONITOR
 ; record netflow ipv6 original-output          <<< for traditional NetFlow records
 record FLOW-RECORD
 exporter FLOW-EXPORTER
 statistics packet protocol
 statistics packet size
interface GigEthernet0/15
 ipv6 flow monitor FLOW-MONITOR output

NetFlow Reverse Usage

• Scanning an IPv6 network is impossible (address space too large)

• How can we run a security audit?

• Easy
  • Get all IPv6 addresses from NetFlow
  • Note: scanning link-local addresses requires layer-2 adjacency, i.e.
    • ping6 ff02::1

NETCONF / RESTCONF

• The next generation of SNMP :-)
• interfaces-state/interface/statistics from ietf-interfaces@2018-02-20.yang [RFC8343]: counters about the interface statistics
• ipv6/neighbor from the ietf-ip module [RFC8344]: the mapping between IPv6 addresses and the MAC address (i.e. the Neighbor Cache)

module: ietf-ip
  . . .
  +--rw ipv6!
     +--rw enabled?      boolean
     +--rw forwarding?   boolean
     +--rw mtu?          uint32
     +--rw address* [ip]
     |  +--rw ip              inet:ipv6-address-no-zone
     |  +--rw prefix-length   uint8
     |  +--ro origin?         ip-address-origin
     |  +--ro status?         enumeration
     +--rw neighbor* [ip]
        +--rw ip                   inet:ipv6-address-no-zone
        +--rw link-layer-address   yang:phys-address
        +--ro origin?              neighbor-origin
        +--ro is-router?           empty
        +--ro state?               enumeration

https://yangcatalog.org/

Forensic

Multiple Facets to IPv6 Addresses

• Every host can have multiple IPv6 addresses simultaneously
  • Need to do correlation!
  • Ensure that your Security Information and Event Management (SIEM) supports IPv6
  • Usually, a customer is identified by its /48 ☺

• Every IPv6 address can be written in multiple ways
  • 2001:0DB8:0BAD::0DAD
  • 2001:DB8:BAD:0:0:0:0:DAD
  • 2001:db8:bad::dad (this is the canonical RFC 5952 format)
  • => Grep cannot be used anymore to sieve log files…

• See also RFC 7721 “Security and Privacy Considerations for IPv6 Address Generation Mechanisms”

How to Find the MAC Address of an IPv6 Address?

• Easy if EUI-64 format, as the MAC is embedded
  • 2001:db8::0226:bbff:fe4e:9434 is 00:26:bb:4e:94:34
  • (need to toggle bit 0x20 in the first MAC byte = U/L)

How to Find the MAC Address of an IPv6 Address?

• DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be:
  • MAC address: trivial
  • Time + MAC address: simply take the last 6 bytes
  • Vendor number + any number: no luck… next slide can help
  • No guarantee of course that the DUID includes the real MAC address.

# show ipv6 dhcp binding
Client: FE80::225:9CFF:FEDC:7548
  DUID: 000100010000000A00259CDC7548
  Username : unassigned
  Interface : FastEthernet0/0
  IA PD: IA ID 0x0000007B, T1 302400, T2 483840
    Prefix: 2001:DB8:612::/48
            preferred lifetime 3600, valid lifetime 3600
            expires at Nov 26 2010 01:22 PM (369)
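The three forensic chores from the preceding slides (sieving logs in RFC 5952 form, recovering a MAC from an EUI-64 address, recovering a MAC from a DHCPv6 DUID) as one added example that is not part of the deck. LOG is constructed; the DUIDs exercised are the ones printed by "show ipv6 dhcp binding" above, and the DUID layouts follow RFC 8415.

```python
"""IPv6 forensic helpers: canonical log matching, EUI-64 and DUID to MAC.
Added example, not from the deck.  LOG is constructed; the U/L bit is the
0x02 bit of the first octet (RFC 4291 Appendix A)."""
import ipaddress
import re
from typing import List, Optional, Set

# Loose candidate pattern; ipaddress decides what really is an IPv6 literal.
_V6 = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]+")

LOG = [  # constructed: the same host logged in three spellings
    "Nov 26 01:22:13 srv sshd[41]: Accepted publickey from 2001:0DB8:0BAD::0DAD port 40022",
    "Nov 26 01:23:05 fw kernel: DROP SRC=2001:DB8:BAD:0:0:0:0:DAD DST=2001:db8::1",
    "Nov 26 01:24:40 web nginx: 2001:db8:bad::dad - GET /login",
    "Nov 26 01:25:01 web nginx: 2001:db8:bad::dae - GET /",
]

def canonical_addresses(line: str) -> Set[str]:
    """Every valid IPv6 literal in a log line, in canonical RFC 5952 form."""
    found = set()
    for m in _V6.finditer(line):
        s = m.group(0)
        if s.endswith(":") and not s.endswith("::"):
            s = s[:-1]                       # punctuation glued to the address
        try:
            found.add(ipaddress.IPv6Address(s).compressed)
        except ValueError:
            pass                             # timestamps, MAC addresses, ...
    return found

def grep_address(lines: List[str], needle: str) -> List[str]:
    """grep that works whatever spelling the log and the analyst used."""
    want = ipaddress.IPv6Address(needle).compressed
    return [ln for ln in lines if want in canonical_addresses(ln)]

def mac_from_eui64(addr: str) -> Optional[str]:
    """MAC embedded in a modified EUI-64 interface identifier, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                          # random/privacy IID, nothing embedded
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                        # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in octets)

def mac_from_duid(duid_hex: str) -> Optional[str]:
    """MAC inside a DUID-LLT (type 1: time + MAC) or DUID-LL (type 3), else None."""
    d = bytes.fromhex(duid_hex)
    kind, hw = int.from_bytes(d[:2], "big"), d[2:4]
    if hw != b"\x00\x01":                    # only the Ethernet hardware type
        return None
    if kind == 1 and len(d) == 14:
        return ":".join(f"{b:02x}" for b in d[8:])   # skip the 4 time bytes
    if kind == 3 and len(d) == 10:
        return ":".join(f"{b:02x}" for b in d[4:])
    return None                              # DUID-EN / DUID-UUID: no MAC inside
```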

DHCPv6 in Real Life…

• Not so attractive
  • Only supported in Windows, Mac OS/X, iOS
  • Not in (default installation), not in Android…
  • Windows does not place the used MAC address in the DUID but any MAC address of the PC
  • See also: https://knowledge.zomers.eu/misc/Pages/How-to-reset-the-IPv6-DUID-in-Windows.aspx

# show ipv6 dhcp binding
Client: FE80::FDFA:CB28:10A9:6DD0
  DUID: 0001000110DB0EA6001E33814DEE      (actual MAC address: 0022.5f43.6522)
  Username : unassigned
  IA NA: IA ID 0x1000225F, T1 300, T2 480
    Address: 2001:DB8::D09A:95CA:6918:967
            preferred lifetime 600, valid lifetime 600
            expires at Oct 27 2010 05:02 PM (554 seconds)

RADIUS Accounting with IEEE 802.1X (WPA)

• Interesting attribute: Acct-Session-Id to map username to IPv6 addresses
  • Can be sent at the beginning and end of connections
  • Can also be sent periodically to capture privacy addresses
  • Not available through GUI, must use CLI to configure:
    config wlan radius_server acct framed-ipv6 both

[email protected] Acct-Session-Id=xyz Acct-Status-Type=Start Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe
[email protected] Acct-Session-Id=xyz Acct-Status-Type=Alive Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe Framed-IPv6-Address=2001:db8::cafe Framed-IPv6-Address=2001:db8::babe
[email protected] Acct-Session-Id=xyz Acct-Status-Type=Stop Framed-IP-Address=192.0.2.1
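Folding those Start, Alive and Stop records into a per-session address list, as an added example that is not part of the deck: Framed-IPv6-Address is multi-valued and the privacy addresses only appear in the interim (Alive) update, so a "last value wins" parser would lose them. RECORDS re-types the slide's three records with a constructed username.

```python
"""Map Acct-Session-Id to user and addresses from RADIUS accounting text.
Added example, not from the deck; RECORDS is constructed from the slide."""
from collections import defaultdict

RECORDS = [
    "user@example.com Acct-Session-Id=xyz Acct-Status-Type=Start "
    "Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe",
    "user@example.com Acct-Session-Id=xyz Acct-Status-Type=Alive "
    "Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe "
    "Framed-IPv6-Address=2001:db8::cafe Framed-IPv6-Address=2001:db8::babe",
    "user@example.com Acct-Session-Id=xyz Acct-Status-Type=Stop "
    "Framed-IP-Address=192.0.2.1",
]


def parse_record(line):
    """Split 'user a=b c=d ...' into (user, {attr: [values]}); attributes
    such as Framed-IPv6-Address may legitimately repeat."""
    user, *pairs = line.split()
    attrs = defaultdict(list)
    for p in pairs:
        key, _, value = p.partition("=")
        attrs[key].append(value)
    return user, attrs


def sessions(records):
    """Accumulate every address seen per session across Start/Alive/Stop."""
    out = {}
    for line in records:
        user, attrs = parse_record(line)
        sid = attrs["Acct-Session-Id"][0]
        s = out.setdefault(sid, {"user": user, "ipv4": set(), "ipv6": set(),
                                 "status": None})
        s["ipv4"].update(attrs.get("Framed-IP-Address", []))
        s["ipv6"].update(attrs.get("Framed-IPv6-Address", []))
        s["status"] = attrs["Acct-Status-Type"][0]   # latest state wins
    return out


def who_had(records, address):
    """Reverse lookup for forensics: which (session, user) used this address?"""
    return [(sid, s["user"]) for sid, s in sessions(records).items()
            if address in s["ipv4"] | s["ipv6"]]
```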

How to Find the MAC Address of an IPv6 Address?

• Last resort… look in the live NDP cache (CLI, SNMP, MDT telemetry)

#show ipv6 neighbors 2001:DB8::6DD0
IPv6 Address                 Age Link-layer Addr State Interface
2001:DB8::6DD0                 8 0022.5f43.6522  STALE Fa0/1

• If no longer in the cache, then you should have scanned and saved the cache…
  • EEM can be your friend

• First-Hop Security can generate a syslog event on each new binding

ipv6 neighbor binding logging

IPv6 VPN

Secure IPv6 over IPv4/6 Public Internet

• No traffic sniffing

• No traffic injection

• No service theft

Public Network   Site 2 Site                                              Remote Access
IPv4             /GRE tunnels protected by IPsec:                         ▪ SSL VPN Client AnyConnect
                 ▪ DMVPN 12.4(20)T  ▪ FlexVPN  ▪ IPsec VTI 12.4(6)T
IPv6             ▪ DMVPN 15.2(1)T  ▪ FlexVPN                              ▪ AnyConnect 3.1 & ASA 9.0

DMVPN for IPv6 Configuration (For Your Reference)

Hub:
interface Tunnel0
 ipv6 address 2001:db8:100::1/64
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:0::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
interface Tunnel0
 ipv6 address 2001:db8:100::11/64
 ipv6 eigrp 1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:db8:100::1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

All combinations of IPv4 and IPv6 are allowed

FlexVPN Site-to-site: e.g. IPv6 over IPv4 (For Your Reference)

• IPv4/IPv6 FlexVPN over IPv4 or IPv6 are allowed (IPv6 over IPv4 shown)

[Diagram: 2001:db8:beef::/64 and 2001:db8:cafe::/64 behind two routers whose IPv4 addresses are 172.16.1.1 and 172.16.2.1]

Router at 172.16.1.1:
interface Tunnel0
 ipv6 address fe80::1 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
!
interface FastEthernet0/1
 ipv6 address 2001:db8:cafe::1/64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0

Router at 172.16.2.1:
interface Tunnel0
 ipv6 address fe80::2 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface FastEthernet0/1
 ipv6 address 2001:db8:beef::1/64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0

Global Addressing and VPN

• All inside hosts have a globally unique IPv6 address

• Routing-wise, remote sites could communicate over the Internet
  • Even OUTSIDE of VPN tunnels

• Ensure routes point into the tunnel (FlexVPN, DMVPN)

• Drop packets from the Internet having Source and Destination from your prefix

Secure RA IPv* over IPv* Public Network: AnyConnect SSL VPN Client & ASA

[Diagram: AnyConnect client, IPv4/6 transport across the Internet, ASA, IPv6/IPv4 Intranet]

• AnyConnect supports native IPv4/6 connectivity
  • Connecting via IPv4/6 Internet to ASA
  • SSL tunneling IPv6 in IPv6, IPv4 in IPv4, IPv6 in IPv4, IPv4 in IPv6
  • No support for DHCPv6 yet
  • Mobile does not support IPv6 transport

See also: http://blog.webernetz.net/2014/01/18/cisco-anyconnect-ipv6-access-through-ipv4-vpn-tunnel/

AnyConnect on CL-NAT64

Recommended Reading

Do not plan to attend BRKSEC-3200 as there is a lot of similar content

List of RFCs used in this presentation 1/2

• RFC 4022: Management Information Base for TCP

• RFC 4113: Management Information Base for UDP

• RFC 4291: IP Version 6 Addressing Architecture

• RFC 4293: Management Information Base for IP

• RFC 4381: Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs)

• RFC 5722: Handling of Overlapping IPv6 Fragments

• RFC 5952: A Recommendation for IPv6 Address Text Representation

• RFC 6324: Routing Loop Attack Using IPv6 Automatic Tunnels

• RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs)

• RFC 6980: Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery

List of RFCs used in this presentation 2/2

• RFC 7112: Implications of Oversized IPv6 Header Chains

• RFC 7404: Using Only Link-Local Addressing inside an IPv6 Network

• RFC 7721: Security and Privacy Considerations for IPv6 Address Generation Mechanisms

• RFC 7872: Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World

• RFC 8200: Internet Protocol, Version 6 (IPv6) Specification

• RFC 8305: Happy Eyeballs Version 2: Better Connectivity Using Concurrency

• RFC 8343: A YANG Data Model for Interface Management

• RFC 8344: A YANG Data Model for IP Management


Thank you