An Immersive Journey Into IPv6

TECIP6-2166 Cast of Many Implement & Deploy IPv6

TECIP6-2166 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• IPv6 Protocol Basics (0900 – 1030)

• IPv6 on Host OS’s (1030 – 1100)

• Break (1100 – 1115)

• IPv6 on Host OS’s (1115 – 1145)

• IPv6 Planning & Operations (1145 – 1315)

• Lunch (1315 – 1415)

• IPv6 Planning & Operations (1415 – 1530)

• IPv6 Musings from the Fish Bowl (1530 – 1615)

• Break (1615 – 1630)

• IPv6 Access & Perimeter Security (1630 – 1815)

• Conclusion & Panel (1815 – 1830)

IPv6 Protocol Basics

Kateel Vijayananda, Solutions Architect, [email protected] (TECRST-2166)

"IPv6 is a fundamental IP network layer protocol and it works"

Agenda

• IPv6 Unicast Address Formats

• ICMPv6

• IPv6 Interface ID Assignments

• IPv6 Multicast Addressing

• Neighbor Discovery Protocol

IPv6 Unicast Address Formats

So How Big Is The IPv6 Address Space?

340,282,366,920,938,463,463,374,607,431,768,211,456 = 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand, 456

• Lots of talk about how big it is. It's BIG; do NOT worry about waste

• Theoretical vs. practical: split the 128 bits in half

• 64 bits define the network topology, 64 bits define the interface ID

A single /64 holds 18,446,744,073,709,600,000 IPv6 addresses. Consuming 10,000,000 addresses/second for a year uses 31,536,000 seconds/yr. * 10,000,000 addresses/second = 315,360,000,000,000 addresses/yr.

18,446,744,073,709,600,000 / 315,360,000,000,000 = 58,494 years (Ed Horley)

(See also IPv6 Addressing, BRKRST-2116.)

IPv6 Address Family

Unicast: Global, Unique Local, Link Local, Special, Embedded
Multicast: Assigned, Solicited Node, Well Known, Temp
Anycast

*IPv6 does not use broadcast addressing

Hexadecimal, it's really not that difficult

• Widely used in computing and programming
• Hex is a base 16 numerical system
• Typically expressed with a 0x prefix, i.e. 0x34
• Every nibble is a hex character
• 4 bits have 16 combinations
• Easier than high school algebra

Decimal (100s | 10s | 1s) => Hex (256s | 16s | 1s)
0 5 2 => 3 4
1 7 2 => a c
5 8 9 => 2 4 d

IPv6 Address Format

• IPv6 addresses are 128 bits long (32 hex characters)
• 8 groups (words, quads) of 16 bits separated by colons (:)
• Network or topology portion is the prefix
• Includes the "subnet"

2001:0db8:0100:1111:0000:0000:0000:0001

Global Route Prefix | Subnet ID | Interface ID
2001 : 0db8 : 0100 | 1111 | 0000 : 0000 : 0000 : 0001

Each group is 16 bits. Network Portion = the first 64 bits (global route prefix + subnet ID); Interface ID = the last 64 bits.

Abbreviating IPv6 Addresses (RFC 5952)

• Leading 0's can be omitted
• The double colon (::) can appear only once

Full Format: 2001:0db8:0000:00a4:0000:0000:0000:1e2a

Abbreviated Form 1: 2001:db8:0:a4:0:0:0:1e2a
Abbreviated Form 2: 2001:db8:0:a4::1e2a

Unicast IPv6 Address Types

Link-Local – Non routable, exists on a single layer 2 domain (fe80::/10)
  fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx

Unique-Local – Routable within an administrative domain (fc00::/7)
  fc00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  fd00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Global – Routable across the Internet (2000::/3)
  2000:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
  3fff:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH

Global Address Assignment

PA: IANA 2000::/3 => Registries (ARIN) /12 => ISP /32 => Org /48
PI: IANA 2000::/3 => Registries /12 => Org /32 (down to /48, by site count)

• Addressing plan, site count; IPv4 allocation, multi-homed
• 1 - 12 sites, a /44 assignment
• 13 - 192 sites, a /40 assignment
• 193 - 3,072 sites, a /36 assignment
• 3,073 - 49,152 sites, a /32 assignment

Recommended Allocations (Entity | Level | Four | Subordinate)
Consumer, SMB | /56 | /60 | /64
Municipal Government, Enterprise, Single AS | /40 | /44 | /48
State Governments, Universities (LIR) | /32 | /36 | /40

IPv6 over Ethernet

Destination Address | Source Address | Ethertype 0x0800 | IPv4 header and payload
Destination Address | Source Address | Ethertype 0x86DD | IPv6 header and payload

• IPv6 has a specific Ethernet Protocol ID (0x86DD)
• IPv6 relies heavily on multicast: 33 33 xx xx xx xx

First octet of a MAC address: 0000 00IL
  I bit = Local Admin (0 = Universal/unique, 1 = Local/not unique)
  L bit = Multicast/Broadcast

IPv4 and IPv6 Header Comparison

IPv4 Header (20-60 Bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 Header (40 Bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

• Length is constant in IPv6
• Fragmentation occurs in Extension Header (44)
• Options occur in Extension Headers (0, 60)

Extension Headers (~ Layer 3.5)

• EHs are daisy chained, processed in order
• Length is variable, must be on an 8 byte boundary

Extension Header | Type
Hop-by-Hop Options | 0
Destination Options | 60
Routing Header | 43
Fragment Header | 44
Authentication Header | 51
ESP Header | 50
Destination Options | 60
Mobility Header | 135
Experimental | 253, 254
No Next Header | 59

Example chain: IPv6 Header | Hop-by-Hop | Destination Opt | TCP Header | Payload

Extension Header Processing

• Fragmentation EH is applied at the source
• Destination Options is the only EH allowed to appear more than once

Extension Header | Type | Processing
Hop-by-Hop Options | 0 | Processed by every node, must appear first
Routing Header | 43 | List of routers to cross
Destination Options | 60 | Processed by the routers listed in the Routing Header (43)
Fragment Header | 44 | Processed by destination
Authentication Header | 51 | Authenticate packet after reassembly
ESP Header | 50 | Cipher the content of the remaining information
Destination Options | 60 | Processed only by destination

Flow Label Usage

Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)

• RFC 6437 – Flow label specification
• RFC 6438 – ECMP & LAG, typically a 2 tuple {src, dst IP}
  • Efficiency over searching the header chain
  • Frags, ICMP & crypto may cause problems
• RFC 7098 – Flow label for L3/4 server load balancing
  • Flow label is efficient, fixed position in the header
  • 2 or 3 tuple {src, dst IP, flow label}
• Setting the Flow Label
  • Set by the host, must not be changed in transit
  • First hop router may set it if the host cannot
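The fixed-header fields and the extension-header chain from the last three slides, as an added example that is not from the Cisco deck: a Python decoder that reads version, traffic class and flow label from the 40-byte header and then walks the daisy chain (Hop-by-Hop, Destination Options, Fragment, Routing, AH) to find the upper-layer protocol, enforcing the ordering rules stated above (Hop-by-Hop must come first, only Destination Options may repeat). The sample packet is constructed inline with documentation-prefix addresses; nothing in it is a capture from the deck.

```python
import ipaddress
import struct

# Extension header types from the slide; anything else is an upper-layer protocol
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "Authentication", NO_NEXT: "No Next Header",
             DEST_OPTS: "Destination Options", MOBILITY: "Mobility"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header: version / traffic class / flow label / length / NH / hop limit."""
    if len(pkt) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 bytes")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError(f"not IPv6 (version {vtf >> 28})")
    return {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40]))}


def walk_extension_headers(pkt: bytes):
    """Follow the daisy chain to the upper-layer protocol.
    Returns (chain, ulp_type, ulp_offset); chain is a list of (ext_type, offset, length)."""
    nh, off, chain, dest_opts_seen = parse_fixed_header(pkt)["next_header"], 40, [], 0
    while nh in EXT_NAMES:
        if nh == NO_NEXT:                      # nothing follows
            return chain, nh, off
        if nh == ESP:                          # everything after ESP is encrypted: stop here
            chain.append((nh, off, len(pkt) - off))
            return chain, nh, off
        if off + 8 > len(pkt):
            raise ValueError(f"truncated {EXT_NAMES[nh]} header at offset {off}")
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            length = 8                         # fixed size; the second byte is reserved
        elif nh == AH:
            length = (hdr_ext_len + 2) * 4     # AH counts 32-bit words, minus 2
        else:
            length = (hdr_ext_len + 1) * 8     # 8-octet units, not counting the first 8
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop Options must immediately follow the fixed header")
        if nh == DEST_OPTS:
            dest_opts_seen += 1                # the only header allowed twice (before RH and at the end)
            if dest_opts_seen > 2:
                raise ValueError("Destination Options appears more than twice")
        elif any(t == nh for t, _, _ in chain):
            raise ValueError(f"{EXT_NAMES[nh]} header repeated")
        if off + length > len(pkt):
            raise ValueError(f"{EXT_NAMES[nh]} header runs past the end of the packet")
        chain.append((nh, off, length))
        nh, off = next_nh, off + length
    return chain, nh, off


def is_fragmented(pkt: bytes) -> bool:
    return any(t == FRAGMENT for t, _, _ in walk_extension_headers(pkt)[0])


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 | Hop-by-Hop | Destination Options | Fragment | TCP."""
    src = ipaddress.IPv6Address("2001:db8:1:46::a").packed
    dst = ipaddress.IPv6Address("2001:db8:1:46::b").packed
    hbh = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])          # NH=60, Hdr Ext Len=0 (8 bytes), PadN option
    dopt = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])          # NH=44, Hdr Ext Len=0, PadN option
    frag = struct.pack("!BBHI", 6, 0, (0 << 3) | 1, 0xCAFE0001)   # NH=6 (TCP), offset 0, M=1, ident
    tcp = struct.pack("!HHIIBBHHH", 1234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte TCP SYN
    payload = hbh + dopt + frag + tcp
    vtf = (6 << 28) | (0 << 20) | 0x12345                  # version 6, traffic class 0, flow label
    return struct.pack("!IHBB", vtf, len(payload), HOP_BY_HOP, 64) + src + dst + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_fixed_header(pkt))
    chain, ulp, off = walk_extension_headers(pkt)
    print([EXT_NAMES[t] for t, _, _ in chain], "-> upper layer", ulp, "at offset", off)
```

The walker stops at ESP because the chain after it is ciphered, and it never skips a header it cannot size; a device enforcing policy on the upper-layer protocol needs exactly this behaviour, since a fragment or unsized header between the fixed header and TCP is what hides the port numbers from a naive parser.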

Embedded Addresses

• IPv4 Compatible
  • 0:0:0:0:0:0:A.B.C.D/96
  • 0:0:0:0:0:0:192.168.30.1
  • ::c0a8:1e01
  • Used by IPv6 aware devices, now deprecated

• IPv4 Mapped
  • 0:0:0:0:0:ffff:A.B.C.D/96
  • 0:0:0:0:0:ffff:192.168.30.1
  • ::ffff:c0a8:1e01
  • Used in automatic tunneling by device with no IPv6 knowledge

Special Use Addresses (RFC 5156)

• Loopback – 0:0:0:0:0:0:0:1 => ::1
• Unspecified address – 0:0:0:0:0:0:0:0 => 0::0 => :: => ::/128
• Documentation Prefix – 2001:0db8::/32
• Discard Prefix – 0100::/64
• Automatic Tunneling – 2002::/16
• Default Route – ::/0
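The embedded and special-use addresses from the last two slides, as an added example (not from the Cisco deck): a Python classifier that names the address class and extracts the IPv4 address carried inside IPv4-compatible, IPv4-mapped and 6to4 addresses. The prefixes are those on the slides; the inputs in the demo are constructed from the same slides.

```python
import ipaddress

# Ordered most-specific first, so a documentation or 6to4 address is not reported as plain "global"
SPECIAL = [
    ("::ffff:0:0/96", "IPv4-mapped (::ffff:A.B.C.D)"),
    ("::/96", "IPv4-compatible (deprecated)"),
    ("2002::/16", "6to4 automatic tunneling"),
    ("2001:db8::/32", "documentation prefix"),
    ("100::/64", "discard prefix"),
    ("fe80::/10", "link-local unicast"),
    ("fc00::/7", "unique-local unicast"),
    ("ff00::/8", "multicast"),
    ("2000::/3", "global unicast"),
]
SPECIAL = [(ipaddress.IPv6Network(n), label) for n, label in SPECIAL]


def classify_ipv6(text: str) -> dict:
    """Name the address class and pull out any embedded IPv4 address."""
    a = ipaddress.IPv6Address(text)
    p = a.packed
    result = {"address": str(a), "kind": "reserved/unassigned", "embedded_ipv4": None}
    if p == bytes(16):
        result["kind"] = "unspecified (::)"
        return result
    if p == bytes(15) + b"\x01":
        result["kind"] = "loopback (::1)"
        return result
    for net, label in SPECIAL:
        if a in net:
            result["kind"] = label
            break
    if result["kind"].startswith("IPv4-"):
        result["embedded_ipv4"] = str(ipaddress.IPv4Address(p[12:]))   # last 32 bits
    elif result["kind"].startswith("6to4"):
        result["embedded_ipv4"] = str(ipaddress.IPv4Address(p[2:6]))   # bits 16-47: 2002:WWXX:YYZZ::
    return result


def to_ipv4_mapped(ipv4: str) -> str:
    """Build the ::ffff:A.B.C.D form used to hand an IPv4 peer to an IPv6 socket."""
    return str(ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + ipaddress.IPv4Address(ipv4).packed))


if __name__ == "__main__":
    for t in ("::", "::1", "::c0a8:1e01", "::ffff:192.168.30.1", "2002:c0a8:1e01::1",
              "2001:db8::1", "100::1", "fe80::1", "fd00::1", "ff02::1", "2a02:26f0:122::215:f622"):
        print(f"{t:28} {classify_ipv6(t)}")
```

The ordering of the prefix list matters: `2001:db8::/32` and `2002::/16` both sit inside `2000::/3`, so they must be tested before the global-unicast catch-all, and `::/96` must not swallow `::` and `::1`, which is why those two are handled first.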

ICMPv6

ICMPv4 vs. ICMPv6

Covers ICMP (v4) features: error control, administration, …
Transports ND messages: NS, NA, RS, RA
Transports MLD messages: Queries, Reports, …

ICMP Message Type | ICMPv4 | ICMPv6
Connectivity Checks | X | X
Informational/Error Messaging | X | X
Fragmentation Needed Notification | X | X
Address Assignment | | X
Address Resolution | | X
Router Discovery | | X
Multicast Group Management | | X
Mobile IPv6 Support | | X

• Significant changes
• More relied upon
• => ICMP policy on firewalls needs to change

ICMPv6 (RFC 2463)

• Internet Control Message Protocol version 6 is a fundamental component of IPv6 – not an overlay as in IPv4
• Combines several IPv4 functions: ICMPv4, IGMP and ARP
• Message types are similar to ICMPv4
  • Destination unreachable (type 1)
  • Packet too big (type 2)
  • Time exceeded (type 3)
  • Parameter problem (type 4)
  • Echo request/reply (type 128 and 129)
• Message types specific to ICMPv6: the NDP protocol

ICMPv6 Error Messages

• Destination Unreachable, type (1)
• Packet Too Big, type (2)
• Time Exceeded, type (3)
• Parameter Problem, type (4)

IPv6 header, NH = 58 | Type | Code | Checksum | Data

• Type – (1-127) = Error Messages
• Code – More granularity within the Type
• Checksum – Computed over the entire ICMPv6 message & pseudo header
• Data – Original IPv6 Header, first 8 bytes of ULP, fill to min MTU (1280)

ICMPv6 Informational Messages

• Neighbor discovery, router discovery, Type (133-137)
• Multicast Listener Discovery (MLD), Type (130-132, 143)
• Diagnostics using Ping or Traceroute, Type (128, 129)

IPv6 header, NH = 58 | Type | Code | Checksum | Data

• Type – (128-255) = Informational Messages
• Code – More granularity within the Type
• Checksum – Computed over the entire ICMPv6 message & pseudo header
• Data – Message format based on each type of informational message
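The checksum described on both slides, as an added example that is not from the Cisco deck: Python code that builds the pseudo header (source, destination, upper-layer length, zero padding, next header 58), computes the one's complement checksum over it plus the whole ICMPv6 message, assembles an Echo Request, and verifies a received message. The link-local pair and payload are constructed for the demo. The same routine shows why a message re-sent from a different source address fails verification: the addresses are part of what is summed.

```python
import ipaddress
import struct

ICMPV6 = 58
TYPE_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
              4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
              130: "Multicast Listener Query", 131: "Multicast Listener Report",
              132: "Multicast Listener Done", 133: "Router Solicitation",
              134: "Router Advertisement", 135: "Neighbor Solicitation",
              136: "Neighbor Advertisement", 137: "Redirect", 143: "MLDv2 Report"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Checksum over the pseudo header (src, dst, upper-layer length, zeros, next header 58)
    followed by the whole ICMPv6 message; the message's checksum field must be zero on input."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes = b"") -> bytes:
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload   # type, code, checksum=0, id, seq
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def verify_icmpv6(src: str, dst: str, icmp: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare with the one carried in the message."""
    if len(icmp) < 4:
        return False
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return icmpv6_checksum(src, dst, zeroed) == struct.unpack("!H", icmp[2:4])[0]


def describe(icmp: bytes) -> dict:
    """Type 1-127 = error message, 128-255 = informational (the split used on the slides)."""
    t, code = icmp[0], icmp[1]
    return {"type": t, "code": code, "name": TYPE_NAMES.get(t, "unknown"),
            "class": "error" if t < 128 else "informational"}


if __name__ == "__main__":
    src, dst = "fe80::a", "fe80::b"            # constructed link-local pair
    msg = build_echo_request(src, dst, 0x1234, 1, b"hello")
    print(msg.hex(), describe(msg), "checksum ok:", verify_icmpv6(src, dst, msg))
    print("same bytes, different source:", verify_icmpv6("fe80::c", dst, msg))
```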

Path MTU Discovery

Fragment Header: Next Header | Reserved | Fragment Offset | Res | M | Identification

Source (link MTU 1500) => link MTU 1400 => link MTU 1280 => Destination (link MTU 1500)

• Packet, MTU=1500
• ICMPv6 Packet Too Big, Use MTU=1400
• 2 Packets | EH type 44 | Payload=1380, 120
• ICMPv6 Type 2 PTB, Use MTU=1280
• 2 Packets | EH type 44 | Payload=1260, 240

IPv6 Interface ID Assignment

Similar to IPv4 | New in IPv6
Manually configured | StateLess Address Auto Configuration (SLAAC) EUI-64
Assigned via DHCPv6 | SLAAC Privacy Extensions
 | *Secure Neighbor Discovery (SeND)

Extended Unique Identifier (EUI-64)

OUI | Device Identifier
00 90 27 | 17 fc 0f

Insert ff fe between the OUI and the device identifier:
00 90 27 ff fe 17 fc 0f

First octet: 0000 00U0, where U = 1 is Universal/unique and U = 0 is Local/not unique. The U bit must be flipped (RFC 2373):
02 90 27 ff fe 17 fc 0f

Recommendation: Good for IoT devices

IPv6 Privacy Extensions (RFC 4941)

/32 2001:DB8 | /48 0000 | /64 1234 | Randomly Generated Interface ID

• Generated on the unique 802 address using MD5, then stored for the next iteration
• Enabled by default in Windows, Android, iOS, Mac OS X, Linux
• Temporary or ephemeral addresses for client applications (web browser)

Recommendation: Good for the mobile user, but not for your organization/corporate networks (troubleshooting and accountability)

Stable Interface ID Generation (RFC 7217)

• RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key)
• Generate IIDs that are stable/constant for each network interface
• IIDs change as hosts move from one network to another

/32 2001:DB8 | /48 0000 | /64 1234 | Random ID

Implementation of the RID is left to the OS vendor and MAY differ between client and server
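The two interface ID schemes from the EUI-64 and RFC 7217 slides, as an added example that is not from the Cisco deck. `modified_eui64` performs the ff:fe insertion and U/L bit flip shown above; `stable_iid` implements RID = F(Prefix, Net_Iface, DAD_Counter, secret_key), with HMAC-SHA256 truncated to 64 bits standing in for F, which is an assumption of this example, since the RFC leaves the function to the implementer and no OS's choice is claimed here. The MAC is the one on the slide; the secret key is constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:90:27:17:fc:0f, 00-90-27-17-fc-0f, 0090.2717.fc0f or the spaced form on the slide."""
    octets = re.findall(r"[0-9a-fA-F]{2}", mac)
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    return bytes(int(o, 16) for o in octets)


def modified_eui64(mac: str) -> bytes:
    """OUI | ff fe | device id, then flip the U/L bit (bit 1 of the first octet) per RFC 2373/4291."""
    m = parse_mac(mac)
    eui = m[:3] + b"\xff\xfe" + m[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfigured address = 64-bit prefix + modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 based address, or None when the ff:fe marker is absent
    (a privacy or RFC 7217 address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def stable_iid(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 RID = F(Prefix, Net_Iface, DAD_Counter, secret_key). F is HMAC-SHA256 truncated
    to 64 bits here (an assumption of this example, not any vendor's implementation)."""
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + net_iface.encode() + dad_counter.to_bytes(2, "big")
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def stable_address(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> str:
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8]
                                     + stable_iid(prefix, net_iface, dad_counter, secret_key)))


if __name__ == "__main__":
    mac = "00 90 27 17 fc 0f"                        # the MAC from the slide
    print("modified EUI-64:", modified_eui64(mac).hex(" ", 1))
    print("link-local     :", slaac_address("fe80::/64", mac))
    key = b"constructed-secret-key-for-the-demo"      # constructed; a real host keeps this secret and persistent
    for p in ("2001:db8:0:1234::/64", "2001:db8:0:5678::/64"):
        print(p, "EUI-64 ->", slaac_address(p, mac), " stable ->", stable_address(p, "eth0", 0, key))
```

Running it shows the trade-off the recommendations above describe: the EUI-64 interface ID is the same in every prefix, so the MAC (and with it the device) can be recovered from the address anywhere the host goes, whereas the RFC 7217 ID stays constant on one network but differs per prefix and reveals nothing about the hardware.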

DHCPv6

SOLICIT (any servers?) => ADVERTISE (want this address?) => REQUEST (I want that address) => REPLY (It's yours)

• Source – fe80::1234, Destination – ff02::1:2
• Client UDP 546, Server UDP 547
• Original multicast encapsulated in unicast (Relay)
• DUID – Different from v4, used to identify clients
• dhcp relay destination 2001:db8::feed:1

Client => DHCPv6 Solicit => DHCPv6 Relay => DHCPv6 Server 2001:db8::feed:1

IPv6 Multicast

IPv6 Multicast Address (RFC 4291)

• Prefix ff00::/8

8-bit | 4-bit | 4-bit | 112-bit
1111 1111 | 0 R P T | Scope | Variable format (group ID)

Flags (0 R P T):
  high bit = 0 (reserved)
  R = 0 No embedded RP, R = 1 Embedded RP
  P = 0 Without prefix, P = 1 Address based on prefix
  T = 0 Well known address (IANA assigned), T = 1 Temporary address (locally assigned)

Scope: 1 Node, 2 Link, 3 Realm, 4 Admin, 5 Site, 8 Organization, E Global

Well Known Multicast Addresses

• FF02 is a permanent address and has link scope
• Link operations, routing protocols, streaming services

Address | Scope | Meaning
ff02::1 | Link-Local | All Nodes
ff02::2 | Link-Local | All Routers
ff02::5 | Link-Local | OSPFv3 Routers
ff02::6 | Link-Local | OSPFv3 DR Routers
ff02::9 | Link-Local | RIPng
ff02::A | Link-Local | EIGRP

Multicast Mapping over Ethernet (RFC 2464)

Every IPv6 multicast address (layer 3) MUST map to a corresponding Ethernet address (layer 2)

IPv6 Temporary Multicast Address: ff3e:0040:2001:0db8:cafe:0001:11d7:4cd3
Corresponding Ethernet Address: 33 33 11 D7 4C D3

IPv6 Well Known Multicast Address: ff02:0000:0000:0000:0000:0000:0000:0001
Corresponding Ethernet Address: 33 33 00 00 00 01

IPv6 Multicast Listener Discovery (MLD)

• MLD uses LL source addresses
• Hop Limit = 1
• MLD snooping
• MLD packets use "Router Alert" in the Hop-by-Hop header
• Destination is not the router's interface
• 3 msg types: Query, Report, Done
• MLDv1 = (*,G) shared, MLDv2 = (S,G) source

Message | ICMPv6 Type | Function
MLDv1 (RFC 2710), the IGMPv2 (RFC 2236) equivalent:
Listener Query | 130 | Used to find out if there are any multicast listeners
Listener Report | 131 | Response to a query, joins a group
Listener Done | 132 | Sent by node to report it has stopped listening
MLDv2 (RFC 3810), the IGMPv3 (RFC 3376) equivalent:
Listener Query | 130 | Used to find out if there are any multicast listeners
Listener Report | 143 | Enhanced reporting, multiple groups and sources

Neighbor Discovery Protocol (NDP)

NDP is defined in RFC 4861 and covers NUD, DAD, RS, RA, NS, NA and Redirects.

• Always uses Link Local (fe80::/64) as its source
• Hop Limit must be set to 255 (Generalized TTL Security Mechanism)
• Neighbor discovery messages
  • Router solicitation (ICMPv6 type 133)
  • Router advertisement (ICMPv6 type 134)
  • Neighbor solicitation (ICMPv6 type 135)
  • Neighbor advertisement (ICMPv6 type 136)
  • Redirect (ICMPv6 type 137)

IPv4 | IPv6
ARP Request | Neighbor Solicitation
Broadcast | Solicited Node Multicast
ARP Reply | Neighbor Advertisement
Unicast | Unicast

Router Solicitation and Advertisement

• Router solicitations (RS) are sent by nodes at boot up
• Routers forward packets as well as provide provisioning services

RS | RA
ICMP Type 133 | ICMP Type 134
IPv6 Source fe80::a | IPv6 Source fe80::2
IPv6 Destination ff02::2 | IPv6 Destination fe80::a
Opt. 1 SLLA, SRC Address | Data: Options, subnet prefix, lifetime, autoconfig flag

RA Provisioning

• M-Flag – Stateful DHCPv6 to acquire IPv6 address
• O-Flag – Stateless DHCPv6 in addition to SLAAC
• Preference Bits – Low, Med, High
• Router Lifetime – Must be >0 for Default
• Options – Prefix Information, Length, Flags
• L bit – Only way a host gets an On Link Prefix
• A bit – Set to 0 for DHCP to work properly

Decoded RA:
  Type: 134 (RA)
  Code: 0
  Checksum: 0xff78 [correct]
  Cur hop limit: 64
  Flags: 0x84
    1... .... = Managed (M flag)
    .0.. .... = Not other (O flag)
    ..0. .... = Not Home (H flag)
    ...0 1... = Router pref: High
  Router lifetime (s): 1800
  Reachable time (ms): 3600000
  Retrans timer (ms): 1000
  ICMPv6 Option 3 (Prefix Info)
    Prefix length: 64
    Flags: 0x80
      1... .... = On link (L Bit)
      .1.. .... = No Auto (A Bit)
    Prefix: 2001:0db8:4646:1234::/64

RA Message Options

• ICMPv6 – Type, Code, Checksum, Data
• Data – Body of the Message Type (Required)
• Option 1 – Source MAC, Option 5 – MTU
• Option 3 – Prefix and Host Provisioning
• Option 25 – Recursive DNS Servers, DNS Search List

RA layout: type = 134 | code = 0 | checksum | hop limit | M|O|H|pref | router lifetime | reachable time | retransmit timer | options (variable)

Solicited-Node Multicast Address

• Every unicast address MUST build a solicited-node multicast address
• Solicited-node multicast consists of ff02::1:ff00:0/104 {lower 24 bits from the IPv6 unicast address}

Unicast:        fe80 0000 0000 0000 1234 5678 9abc fc0f
Solicited-node: ff02 0000 0000 0000 0000 0001 ffbc fc0f

Every layer 3 IPv6 multicast address must map to the corresponding layer 2 multicast address: 33 33 FF BC FC 0F
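The multicast address format, the RFC 2464 Ethernet mapping and the solicited-node construction from the last few slides, as one added example that is not from the Cisco deck: Python functions that decode the flags nibble and scope, derive the solicited-node group for a unicast address, and map any multicast address to its 33:33:xx:xx:xx:xx MAC. The inputs in the demo are the addresses from the slides plus one constructed site-local group.

```python
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def decode_multicast(addr: str) -> dict:
    """Split ff00::/8 into the flags nibble (0RPT), the scope nibble and the 112-bit group ID."""
    p = ipaddress.IPv6Address(addr).packed
    if p[0] != 0xFF:
        raise ValueError("not a multicast address (ff00::/8)")
    flags, scope = p[1] >> 4, p[1] & 0xF
    return {"R_embedded_rp": bool(flags & 0x4), "P_prefix_based": bool(flags & 0x2),
            "T_transient": bool(flags & 0x1), "well_known": not (flags & 0x1),
            "scope": SCOPES.get(scope, f"unassigned(0x{scope:x})"), "group_id": p[2:].hex()}


def solicited_node_multicast(unicast: str) -> str:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(base + low24))


def multicast_mac(addr: str) -> str:
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 multicast address."""
    p = ipaddress.IPv6Address(addr).packed
    if p[0] != 0xFF:
        raise ValueError("only multicast addresses map to 33:33:xx:xx:xx:xx")
    return "33:33:" + ":".join(f"{b:02x}" for b in p[12:])


def groups_joined_for(unicast: str) -> dict:
    """The layer 3 groups and layer 2 addresses a node must listen on for one unicast address."""
    sn = solicited_node_multicast(unicast)
    return {"unicast": unicast, "solicited_node": sn, "solicited_node_mac": multicast_mac(sn),
            "all_nodes": "ff02::1", "all_nodes_mac": multicast_mac("ff02::1")}


if __name__ == "__main__":
    for u in ("fe80::1234:5678:9abc:fc0f", "2001:db8:0:1234::1"):   # addresses from the slides
        print(groups_joined_for(u))
    for m in ("ff02::1", "ff3e:40:2001:db8:cafe:1:11d7:4cd3", "ff05::1:3"):   # last one constructed
        print(m, decode_multicast(m), multicast_mac(m))
```

Only the low 32 bits survive the MAC mapping, so distinct groups can share a layer 2 address; a NIC filtering on 33:33 addresses still delivers frames for other groups with the same low bits, and the IPv6 layer must do the final check.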

Neighbor Solicitation & Advertisement

• ARP replacement, maps L3 to L2
• Node B will add node A to its neighbor cache during this process w/o sending an NS

A => NS => B, then B => NA => A (DfGW on the same link)

NS | NA
ICMP Type 135 | ICMP Type 136
IPv6 Source fe80::a | IPv6 Source fe80::b
IPv6 Destination ff02::1:ff00:b | IPv6 Destination fe80::a
Hop Limit 255 | Target Address 2001:db8:1:46::b
Target Address 2001:db8:1:46::b | Option 2 TLLA: B's Link Layer Address
Opt. 1 SLLA: A's Link Layer Address | *Flags: R = Router, S = Response to Solicitation, O = Override cache information
Query: What is B's link layer address? |

IPv6 Interface Example

R1#sh ipv6 int e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:0:1234::1, subnet is 2001:DB8:0:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND router advertisements are sent every 200 seconds

The last two joined groups are the Solicited-Node Multicast Addresses.*

*If EUI format is used then the first solicited node mcast addr is used for both the LL & GU

Viewing Neighbors in the Cache

Neighbors are only considered "reachable" for 30 seconds. "Stale" indicates that we MAY need to send an NS packet.

Duplicate Address Detection (DAD)

• Unspecified Source (::), No Option 1 SLLA
• Probing the local link to verify address uniqueness
• An NA indicates the address is in use; administrative intervention required

A => NS => B, C (to A's solicited-node multicast); a node already using the address answers with an NA

NS | NA
ICMP Type 135 | ICMP Type 136
IPv6 Source UNSPEC = :: | IPv6 Source fe80::a
IPv6 Dest. A's Solicited Node Multicast ff02::1:ff00:a | IPv6 Dest. ff02::1
Query: Anyone using "a"? | Flags S = 0, O = 1
 | Node A can start using address A

ICMPv6 Redirect

• Cannot be used if the destination is multicast
• Hosts should not send redirects; should be turned off on routed links
• IPv6 hosts don't use bitwise masking, TLLA avoids an ND round

B => Packet => R2; R2 => Redirect (137) => B; B then sends to A directly

Redirect Packet | Packet
ICMPv6 Type 137 | IPv6 Source 2001:db8:4646:1::b
IPv6 Source fe80::2 | IPv6 Dest. 2001:db8:4646:1::a
IPv6 Dest. 2001:db8:4646:1::b | ULP variable
Target Addr. 2001:db8:4636:1::a |
Opt. 2 TLLA 001C.2D3E.00AA |

Summary

"IPv6 is a fundamental IP network layer protocol and it works"

• IPv6 Unicast Address Formats

• ICMPv6

• IPv6 Interface ID Assignments

• IPv6 Multicast Addressing

• Neighbor Discovery Protocol

An Immersive Journey Into IPv6

Tim Martin TECIP6-2166 CCIE #2020

@bckcntryskr

Agenda

• IPv6 & Host OS’s

• Host Timers & Caches

• Windows

• Mac OSX • Linux

• Chrome

• Mobile OS's

Host Timers & Caches

Address, Which Address?

• Link Local (fe80::/10) is required for any device with IPv6 enabled
• At least 2 addresses per interface for global connectivity
• Majority of access layer devices will have LL as their Default Gateway

Host <=> DfGW (router)

Host Addresses | Router Addresses
Ethernet B8:E8:56:1A:2B:3C | Ethernet 00:00:0C:3A:8B:18
IPv6 Link Local fe80::bae8:56ff:fe1a:2b3c | IPv6 Link Local fe80::0200:0cff:fe3a:8b18
IPv6 Global 2001:db8:1:46:1b2:c:3:4e5 | IPv6 Global 2001:db8:1:46::1
Default Gwy. fe80::0200:0cff:fe3a:8b18 | RA Prefix 2001:db8:1:46::/64

Host Address Acquisition

C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life   Address
---------  ---------  ------------  -----------  -----------------------------------
Public     Preferred  29d23h58m25s  6d23h58m25s  2001:db8:4646:1:4f02:8a49:41ad:a136
Temporary  Preferred  6d21h48m47s   21h46m       2001:db8:4646:1:bd86:eac2:f5f1:39c1
Link       Preferred  infinite      infinite     fe80::4f02:8a49:41ad:a136

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                Idx  Gateway/Interface Name
-------  --------  ---  --------------------  ---  ------------------------
no       Autoconf  8    2001:db8:4646:1::/64  5    Local Area Connection
no       Autoconf  256  ::/0                  5    fe80::20d:bdff:fe87:f6f9

Address Timers & State

• Tentative – Address in verification process (DAD)
• Preferred – Address can be used for communication
• Valid – Address can be used, may be Preferred or Deprecated
• Deprecated – Address can be used on existing connections
• Invalid – Address is not available for use

Timeline for 2001:db8:460:bd::/64 (2001:db8:460:bd::): Tentative => Preferred => Deprecated => Invalid
  Preferred Lifetime covers the Preferred state; Valid Lifetime covers Preferred + Deprecated

Host Cache Conceptual Data Structures

• Maintained for each interface connected on a host
• Host uses the PL & DRL to work out the destination for an outbound packet
• Then it saves the result in the DC, layer 3 mapping to next hop
• Hosts use neighbor discovery to get the link address and update the NC

Prefix List (PL) | Destination Cache (DC) | Neighbor Cache (NC) | Default Router List (DRL)

Host Cache Conceptual Model

• Prefix List – contains on link prefixes (L bit) and validation timers
• Default Router List – must be a neighbor usable to the host (Pref bits)
• Destination Cache – resolves next hop IPv6 address and MTU

Prefix List (PL) | Valid Timer
fe80::/10 | ∞
2001:db8:4646:34::/64 | 322486

Destination Cache (DC) | Neighbor (next hop) | PMTU
fe80::34:1 | fe80::34:1 | 1500
2001:db8:4646:34::1 | 2001:db8:4646:34::1 | 9000
2001:db8:4646:555::22 | fe80::34:1 | 1500
2001:db8:4646:717::98 | fe80::34:1 | 1500
2001:db8:4646:34::38 | 2001:db8:4646:34::38 | 9000

Default Router List (DRL) | Preference
fe80::34:1 | H
fe80::34:11 | M

Host Neighbor Cache

• Mapping of the neighbor's IPv6 address to its link layer address
• Includes the status of the "R" flag in the returned NAs
• Must not create a new entry for a "gratuitous" NA
• Though such an NA can update an existing entry

Neighbor | Link Layer | Is Router | State
fe80::34:1 | 00-00-0C-83-5C-3E | 1 | Reachable
2001:db8:4646:34::1 | 00-00-0C-83-5C-3E | 0 | Stale
2001:db8:4646:34::38 | 04-48-9A-16-37-FB | 0 | Stale
ff02::1 | 33-33-00-00-00-01 | 0 | ~

Neighbor Cache State Machine

• Incomplete – Pending address resolution, NS message outstanding
• Reachable – Recently used mapping, can be refreshed by ULP
• Stale – Not currently communicating, waiting for next queued packet
• Delay – Using stale binding, awaiting (ULP) return traffic
• Probe – Sending unicast NS to node (after Delay timer, 3 x 1 sec)

Transitions: No Entry => (NS) => Incomplete => (NA) => Reachable => (time expired) => Stale => (ULP sends packet) => Delay => Probe => (NA) => Reachable
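The neighbor cache rules and the state machine from the last two slides, as an added example that is not from the Cisco deck: a small Python model of one cache entry driven by the events shown (outbound packet, NA with its S/O/R flags, reachable/delay/retransmit timers, upper-layer confirmation). It enforces the two rules stated above for gratuitous NAs (never create an entry, only update one) and the RFC 4861 default of three solicitations before giving up. The neighbor address and MAC in the demo come from the cache table on the slide; the event sequence is constructed.

```python
MAX_MULTICAST_SOLICIT = 3   # RFC 4861 defaults
MAX_UNICAST_SOLICIT = 3


class NeighborEntry:
    """One neighbor cache entry. Every method returns a short description of the host's action."""

    def __init__(self, ip: str):
        self.ip, self.state, self.mac, self.is_router = ip, "NONE", None, False
        self.queued, self.solicits = [], 0

    def send(self, pkt: str) -> str:
        """Outbound packet to this neighbor."""
        if self.state == "NONE":                     # no entry: create it and resolve
            self.state, self.solicits = "INCOMPLETE", 1
            self.queued.append(pkt)
            return "multicast NS to solicited-node group"
        if self.state == "INCOMPLETE":               # resolution in progress: hold the packet
            self.queued.append(pkt)
            return "queued"
        if self.state == "STALE":                    # use the old binding but start checking it
            self.state = "DELAY"
        return "transmit"

    def na_received(self, mac: str, solicited: bool, override: bool, router: bool = False) -> str:
        """Neighbor Advertisement carrying the S, O and R flags (RFC 4861 section 7.2.5 rules)."""
        if self.state == "NONE":
            return "ignored: an unsolicited NA must not create an entry"
        self.is_router = router
        if self.state == "INCOMPLETE":
            self.mac = mac
            self.state = "REACHABLE" if solicited else "STALE"
            n, self.queued = len(self.queued), []
            return f"transmit {n} queued packet(s)"
        if not override and mac != self.mac:         # O=0 with a different address: do not overwrite
            if self.state == "REACHABLE":
                self.state = "STALE"
            return "kept old link-layer address"
        changed = mac != self.mac
        self.mac = mac
        if solicited:
            self.state = "REACHABLE"
        elif changed:
            self.state = "STALE"
        return "cache updated"

    def ulp_confirmed(self) -> str:
        """Upper-layer progress (e.g. a TCP ACK) counts as reachability confirmation."""
        if self.state in ("STALE", "DELAY", "PROBE"):
            self.state = "REACHABLE"
        return self.state

    def reachable_timer_expired(self) -> str:
        if self.state == "REACHABLE":
            self.state = "STALE"
        return self.state

    def delay_timer_expired(self) -> str:
        if self.state != "DELAY":
            return "no-op"
        self.state, self.solicits = "PROBE", 1
        return "unicast NS to cached link-layer address"

    def retrans_timer_expired(self) -> str:
        """RetransTimer fired with an NS outstanding: retry, or give up after MAX_*_SOLICIT."""
        if self.state == "INCOMPLETE":
            if self.solicits < MAX_MULTICAST_SOLICIT:
                self.solicits += 1
                return "multicast NS (retry)"
            self.state, self.queued = "NONE", []
            return "address resolution failed: ICMPv6 unreachable for queued packets"
        if self.state == "PROBE":
            if self.solicits < MAX_UNICAST_SOLICIT:
                self.solicits += 1
                return "unicast NS (retry)"
            self.state, self.mac = "NONE", None
            return "neighbor unreachable: entry deleted"
        return "no-op"


if __name__ == "__main__":
    e = NeighborEntry("2001:db8:4646:34::38")                      # neighbor from the cache table
    for step in (lambda: e.send("pkt1"), lambda: e.send("pkt2"),
                 lambda: e.na_received("04:48:9a:16:37:fb", solicited=True, override=True),
                 e.reachable_timer_expired, lambda: e.send("pkt3"), e.delay_timer_expired,
                 e.retrans_timer_expired, e.retrans_timer_expired, e.retrans_timer_expired):
        print(f"{step():62} -> {e.state}")
```

The O=0 branch is the one worth reading twice: an advertisement that disagrees with the cached MAC but does not set Override only demotes a Reachable entry to Stale, so the host re-verifies before trusting the new binding.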

RFC 6724 – Source Address Selection

• IPv6 over IPv4, but which IPv6 first..
• Scope = Local, ULA, Global
• State = Preferred over Deprecated
• Interface = Assigned vs. another
• Type = Temporary over Public

Public    Preferred  2001:db8:4646:1:4f02:8a34:bead:a136
Temporary Preferred  2001:db8:4646:1:bd86:ea49:41f1:39c1
Link      Preferred  fe80::4f02:8a34:bead:a136
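The address states from the Address Timers & State slide and the selection rules just listed, as one added example that is not from the Cisco deck: Python code that derives Tentative/Preferred/Deprecated/Invalid from the lifetimes and then applies a subset of RFC 6724 section 5 (same address, appropriate scope, avoid deprecated, prefer temporary, longest matching prefix) to pick a source for a destination. The candidate list mirrors the three addresses on this slide with lifetimes taken from the netsh output earlier; the destinations are constructed, and the RFC's policy-table and interface rules are omitted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Candidate:
    """One address on the interface, with remaining lifetimes as netsh/ifconfig show them."""
    address: str
    temporary: bool = False
    preferred_lifetime: int = 0      # seconds left in the Preferred state
    valid_lifetime: int = 0          # seconds left before Invalid (>= preferred_lifetime)
    tentative: bool = False          # DAD still running


INFINITE = 2**32 - 1


def address_state(c: Candidate, elapsed: int = 0) -> str:
    """Tentative -> Preferred -> Deprecated -> Invalid as the lifetimes run down."""
    if c.tentative:
        return "tentative"
    if elapsed < c.preferred_lifetime:
        return "preferred"
    if elapsed < c.valid_lifetime:
        return "deprecated"
    return "invalid"


def scope_of(a: ipaddress.IPv6Address) -> int:
    """RFC 6724 scope values: link-local 0x2; ULA and global both count as global (0xE)."""
    if a.is_multicast:
        return a.packed[1] & 0xF
    return 0x2 if a.is_link_local else 0xE


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, destination: str, elapsed: int = 0):
    """Rules 1, 2, 3, 7 and 8 of RFC 6724 section 5; tentative and invalid addresses are never used."""
    dst = ipaddress.IPv6Address(destination)
    usable = [c for c in candidates if address_state(c, elapsed) in ("preferred", "deprecated")]
    if not usable:
        return None

    def rank(c: Candidate):
        a = ipaddress.IPv6Address(c.address)
        scope_ok = scope_of(a) >= scope_of(dst)                  # too small a scope is unusable
        scope_rank = -scope_of(a) if scope_ok else scope_of(a)   # among usable, smallest scope wins
        return (a == dst,                                        # rule 1: same address
                scope_ok, scope_rank,                            # rule 2: appropriate scope
                address_state(c, elapsed) == "preferred",        # rule 3: avoid deprecated
                c.temporary,                                     # rule 7: prefer temporary
                common_prefix_len(a, dst))                       # rule 8: longest matching prefix

    return max(usable, key=rank).address


# Candidates mirroring the slide; lifetimes converted from the netsh output (in seconds)
HOST = [
    Candidate("2001:db8:4646:1:4f02:8a34:bead:a136", temporary=False,
              preferred_lifetime=604705, valid_lifetime=2591905),     # 6d23h58m25s / 29d23h58m25s
    Candidate("2001:db8:4646:1:bd86:ea49:41f1:39c1", temporary=True,
              preferred_lifetime=78360, valid_lifetime=596927),       # 21h46m / 6d21h48m47s
    Candidate("fe80::4f02:8a34:bead:a136", preferred_lifetime=INFINITE, valid_lifetime=INFINITE),
]

if __name__ == "__main__":
    for dst in ("2001:db8:4646:1::1", "fe80::20d:bdff:fe87:f6f9", "2001:db8:4646:34::1"):
        print(f"{dst:28} now -> {select_source(HOST, dst)}   "
              f"after 1 day -> {select_source(HOST, dst, elapsed=86400)}")
```

The "after 1 day" column is the point of the Deprecated state: once the temporary address has outlived its preferred lifetime the public address wins for new connections, while existing connections on the temporary address keep working until its valid lifetime also expires.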

Dual Stack OS Considerations

• In a dual stack case, an application can:
  • Query DNS for IPv4 and/or IPv6 records
  • Parallel or serial connection request
  • Give IPv6 a 300ms head start (RFC 6555 Happy Eyeballs)

DNS Server: www IN A 192.168.0.3, www IN AAAA 2001:db8:4646:1::1
Client connects over IPv4 to 192.168.0.3 or over IPv6 to 2001:db8:4646:1::1

IPv6 on Windows

Windows Networking

• IPv6 is enabled by default and is preferred in Windows
  • Since Windows Vista and Server 2008
  • Microsoft considers turning off IPv6 to be an unsupported configuration
• All current software solutions from Microsoft can run on IPv6 only
  • With little to no modification

Windows stack:
  Application Layer
  Transport Layer (TCP/UDP)
  IPv6 | IPv4
  Network Interface Layer

Network Connectivity Status Indicator

• Probes for IPv4 and IPv6 connectivity
  • Every time a network event occurs
• Cache of already known networks
  • For 30 days unless an interface status changes
• Need to spoof NCSI in lab environment

 | IPv4 | IPv6
DNS query to dns.msftncsi.com | 131.107.255.255 | 2a02:26f0:122::215:f622
HTTP GET | http://www.msftncsi.com/ncsi.txt | http://ipv6.msftncsi.com/ncsi.txt
Content of ncsi.txt | Microsoft NCSI | Microsoft NCSI

Why Do We Need Zone ID?

• Ambiguity exists when using link-local addresses
  • Particularly when a host has 2 or more interfaces
  • Link local is required and of the same scope
• Zone ID is used to link the neighbors table to a specific interface

Two interfaces, zone IDs %12 and %13: fe80::cd87:5dd6:cf39:dd08%12 and fe80::80d4:29c9:2b3c:a0e2

Source: ©ErikSvoboda

Transitional Adapters

C:\>ipconfig

Tunnel adapter ISATAP Adapter:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : foo.com
   • Used within administrative domain (IP protocol 41)
   • ::0:5efe:w.x.y.z/96 – Private v4
   • ::200:5efe:w.x.y.z/96 – Global v4

Tunnel adapter Teredo Adapter:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   • Used with RFC 1918 addresses (UDP 3544)
   • 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}

Tunnel adapter 6TO4 Adapter:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   • Used with global IPv4 addresses (IP protocol 41)
   • 2002::w.x.y.z

Windows Duplicate Address Detection

• RFC 4429 – Optimistic DAD
  • OS starts using the IPv6 address immediately
  • Assuming it's good (RS)
  • DAD process still happens to confirm uniqueness
• What happens when a node is using an address?
  • NA sent to ff02::1, Solicited flag = 0

Sequence on the wire: DAD => RS => NA

Microsoft Clustering and IPv6

• Windows Server 2012 defaults to IPv6 for the cluster failover link
  • Using link-local IPv6 addresses
• Clustering in a cloud service that does not support IPv6
  • You must convert the failover heartbeat link to IPv4
• Pay attention when you convert a cluster
  • Physical to virtual cluster will not convert the failover link

Source: Microsoft

IPv6 on OSX

OSX Networking

• IPv6 support in some form since OSX v10.2
  • Older versions likely have unpredictable behavior
• IPv6 support was "limited" until OSX 10.7
  • DHCPv6 client
  • SLAAC private addressing
• Relatively solid support from OSX 10.9.2
  • Kernel fix finally addresses ICMPv6 rate limiting (El Capitan)

Source: Apple

OSX IPv6 & Happy Eyeballs

• Considered "hampering" eyeballs in the past
  • Approximately 50% of the time
• Apple applications use multiple methods
  • getaddrinfo (Chrome, Firefox)
  • CFSocketStream (Safari)
• El Capitan now gives IPv6 a 25ms head start
  • Send TCP SYN over IPv6 if expected and seen first
  • If A record seen first, start 25ms timer
  • If AAAA comes before timer "fires", send TCP SYN over IPv6
  • If only an A record is received, then TCP SYN is sent to the IPv4 address

Source: ©adynue
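The head-start race described on the Dual Stack slide (300 ms, RFC 6555) and on this one (25 ms in El Capitan), as an added example that is not from the Cisco deck or from any OS's networking code: a Python `asyncio` model in which IPv6 gets the connect attempt to itself for `head_start` seconds, after which IPv4 is tried in parallel and the first family to connect wins, with the loser cancelled. The connect attempts are simulated with sleeps and a success flag (constructed), so it runs offline; the round-trip times in the demo are constructed too.

```python
import asyncio


async def _connect(family: str, rtt: float, succeeds: bool) -> str:
    """Stand-in for a TCP connect: takes `rtt` seconds, then succeeds or refuses (constructed)."""
    await asyncio.sleep(rtt)
    if not succeeds:
        raise ConnectionRefusedError(f"{family} connect failed")
    return family


def happy_eyeballs(v6_rtt: float, v4_rtt: float, head_start: float = 0.3,
                   v6_ok: bool = True, v4_ok: bool = True) -> str:
    """Race IPv6 against IPv4, giving IPv6 `head_start` seconds before the IPv4 SYN goes out.
    Returns the family that connected first; raises OSError if both fail."""

    async def race() -> str:
        v6 = asyncio.create_task(_connect("IPv6", v6_rtt, v6_ok))
        done, _ = await asyncio.wait({v6}, timeout=head_start)     # IPv6 alone during the head start
        if v6 in done and v6.exception() is None:
            return v6.result()                                      # IPv6 won outright
        v4 = asyncio.create_task(_connect("IPv4", v4_rtt, v4_ok))
        pending = {v4} | ({v6} if not v6.done() else set())         # a v6 that already failed is dropped
        winner = None
        while pending and winner is None:
            done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    winner = task.result()
        for task in pending:                                        # abandon the loser
            task.cancel()
        if winner is None:
            raise OSError("both address families failed")
        return winner

    return asyncio.run(race())


if __name__ == "__main__":
    print("v6 answers inside the 300 ms head start     :", happy_eyeballs(0.05, 0.01))
    print("v6 slow, 25 ms head start (El Capitan style):", happy_eyeballs(0.5, 0.01, head_start=0.025))
    print("v6 refused, fall back to v4                 :", happy_eyeballs(0.05, 0.01, v6_ok=False))
```

The second case is why the shorter head start matters to the user: with 300 ms a slow or black-holed IPv6 path costs nothing visible, but a 25 ms window means IPv4 is already in flight while IPv6 is still being tried, and whichever completes first is used.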

Router Advertisement Sent

Prefix 2001:db8:4646:1::/64 (2001:db8:4646:1::)

Address Timers & DNS

• Effect of the Router Advertisement from the previous slide
  • Preferred & valid lifetimes
  • DNS server information

tmartin# ifconfig -L
en0: flags=8863 mtu 1500
        ether b8:e8:56:19:f3:8a
        inet6 fe80::bae8:56ff:fe19:f38a%en0 prefixlen 64 scopeid 0x4
        inet6 2001:db8:46:1:bae8:56ff:fe19:f38a prefixlen 64 autoconf pltime 267 vltime 267
        inet6 2001:db8:46:1:883e:b6a2:863:e31b prefixlen 64 autoconf temp pltime 267 vltime 267
        nd6 options=1

Back To My Mac (BTMM)

• Provides cloud based file and screen sharing services
• IPv6 must be enabled, Unique Local Addressing (ULA) is used
• NAT traversal using Port Map Protocol (typically not allowed)
• IPSec for integrity, Kerberos for authentication

Encapsulation: IPv4 Header | UDP Header | ESP Header | IPv6 Header

IPv6 on Linux

Linux Networking

• Linux has had IPv6 support since kernel version 2.6.12 (2005)
  • Older versions will likely have unpredictable behavior
• DHCPv6 client support is version dependent
  • Edit /etc/dhcp/dhclient.conf to modify the DHCPv6 client
• IPv6 temporary addresses are enabled by default
• Client support for RDNSS not enabled by default
  • Load and install the rdnssd daemon
• There is no specific OS build support for happy eyeballs
  • Applications may implement and use RFC 6555

Source: ©Jaroslav Machacek, ©adynue

Ubuntu IPv6 Basics

• Check for an IPv6 address
  ip -6 addr show dev eth0
• Check for your IPv6 address
  ifconfig eth0 | grep "inet6 addr:"
• Check for IPv6 neighbors
  ip -6 neigh show
• Ping an IPv6 host
  ping6 2001:db8:4:6::c001:d00d
• Zone id embedded in Link Local
  • fe80:1::200:cd32:56ef:291d
  • Contextual only, removed before transmitting

Linux Server Manual Configuration

• Edit the network interface file
  # vi /etc/network/interfaces

  iface eth0 inet6 static
      address 2001:0db8:4646:0001:0000:0000:0000:0387
      netmask 64
      gateway 2001:0db8:4646:0001:0000:0000:0000:0001

• Type from CLI
  linux# ifconfig eth0 inet6 add 2001:db8:46:2::c001:d00d/64
  linux# route -A inet6 add default gw 2001:db8:46:2::1

Linux IPv6 Privacy Addresses

• Ubuntu – Turning on Privacy Addressing
  • Enable IPv6 Privacy Extensions, prefer temporary over public
    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2

  admin$ sudo sysctl -a | grep tempaddr
  net.ipv6.conf.all.use_tempaddr = 2
  net.ipv6.conf.default.use_tempaddr = 2
  net.ipv6.conf.eth0.use_tempaddr = 2

• Ubuntu – Turning off privacy addressing
  • Disable IPv6 Privacy Extensions, default
    net.ipv6.conf.all.use_tempaddr = 0
    net.ipv6.conf.default.use_tempaddr = 0
  • If = 1, then prefer public over temporary

IPv6 on Chrome

IPv6 & Chromebook

• chrome://system
• ifconfig
• DHCPv6 is supported
• RDNSS is supported

Addresses shown in the screenshot: 2001:db8:4646:1:6001:db69:8ecb:1429 and 2001:db8:4646:1::cafe

Source: Google

IPv6 on Mobile OS’s

Mobile to Mobile Fuels Future Growth

• Nearly 50% of all mobile devices (~3.7 billion) globally
• IPv6 capable by the year 2020
• Mobile providers are working hard to remove CGN

Android and IPv6

• On Wi-Fi networks, SLAAC must be enabled for an Android handset or tablet to obtain an IPv6 address
• Android supports RFC 6106 so it can learn the IPv6 address of the DNS resolver via an RA
• Some limitations due to lack of support for DHCPv6 client
  • Fairphone being the exception

Mobile Provider Using IPv6 Only

• Legacy applications using embedded literals in their code
• RFC 6877 464XLAT, “fixes” broken code for now

Diagram: Handset (Legacy Application, IPv4, CLAT) → Carrier Network (IPv6 only) → PLAT → Internet (Edge Services, IPv4); an Intelligent IPv6 Application runs IPv6 end to end

iOS 9 and IPv6

• As of iOS 9, all iPhone/iPad apps will support native IPv6!
• Use the networking frameworks (i.e. “NSURLSession”)
• Avoid use of IPv4-specific APIs
• Avoid hard-coded IP addresses

“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

Source: Apple - Sebastien Marineau VP Core OS

http://www.ciscopress.com/store/ipv6-design-and-deployment-livelessons-9780134655512

Code: MARTIN60 Offer: 60% off ISBN: 9780134655512


IPv6 Planning & Operations

Sander Steffann

• IPv6 Consultant
  • Several ISPs, major Dutch bank, government
• RIPE Address Policy WG co-chair
• Author of
  • SURFnet IPv6 Addressing Plan manual
  • RIPE 501, 554 & 631
  • RFC 7059 & 7756
• Developer of
  • DHCPKit
  • NAT64Check

Agenda

• IPv6 Design Considerations

• IPv6 Address Planning

• IPv6 Address Exercise

• IPv6 Campus Considerations

• IPv6 Operations

• IPv6 on the Internet Edge

Design Considerations

The Scope of IPv6 Deployment (BRKRST-2301)

• Planning and coordination is required
  • Network engineers & operators
  • Security engineers
  • Application developers
  • Desktop / Server engineers
  • Web hosting / content developers
  • Business development managers
  • …

Dual Stack Mode

• Preferred Method, Versatile, Scalable and Highest Performance

• No Dependency on IPv4, runs in parallel on the same HW

• No tunnelling, MTU, NAT or performance degrading technologies

• Does require IPv6 support on all devices

Diagram: Access Layer – Distribution Layer – Core Layer – Aggregation Layer (DC) – Access Layer (DC), with IPv6/IPv4 dual-stack hosts at one end and an IPv6/IPv4 dual-stack server at the other

IPv4 & IPv6 Combined

• Should we use both on the same link at Layer 3?

• Routing protocols OSPFv3, EIGRP combined or separate?

• Fate sharing between the data and control planes per protocol

Diagram: Internet (IPv4 & IPv6); OSPFv3 and EIGRP carrying IPv4 & IPv6; prefixes 2001:db8:1:1::/64, 2001:db8:6:6::/64, 198.51.100.0/24, 192.168.4.0/24

Incremental IPv6 in summary

• IPv4-only

• IPv4-only + IPv6 via translation

• Dual-stacked public frontend, IPv4 backend

• Full dual-stack

• Dual-stacked public frontend, IPv6 backend

• IPv6-only + IPv4 via translation

• IPv6-only

What's possible today?


Not everybody has IPv6 yet

Let's take a shortcut...


What about IPv6 only?

• Is EVERYTHING ready?
  • Network services
  • Applications
  • Operations and Management
  • Connectivity to non-IPv6 resources
    • NAT64/DNS64

• RFCs are out there
  • RFC 6586 - Experiences from an IPv6-Only Network
  • RFC 7755 - SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments
  • RFC 7756 - Explicit Address Mappings for Stateless IP/ICMP Translation

Diagram: IPv6 forwarded end to end – Apps / Services / Processes, End Customer, Access Point, SP Edge Network, Core Transport, DC Edge, DC Edge Services, DC Network, Servers / VM

Common reasons for deploying IPv6

The internet is changing
• This is the most common one
• Do you track user’s IP?
  • For marketing?
  • For security?
• ISPs deploy more NAT
  • Does this affect you?
  • Long-running sessions will become less stable
  • This affects VPNs as well

Your business needs IPv6
• Customers
• Business partners
• Suppliers
• External ICT suppliers
• Cloud services

Your own ICT needs IPv6
• Applications / projects
• Monitoring your external-facing service (web, mail etc.)
• Maybe no need today…
  • how much preparation time do you need?
  • how long in advance will you know?

Example for a bank

The internet is changing
• Tracks user’s IP for security profiling
• Raise flag when transferring large amounts from unknown IP
• With NAT user’s IP isn’t their own anymore: shared
• Transactions over IPv4 internet will become more vulnerable to fraud

Your business needs IPv6
• Customers will benefit from better fraud detection
• Business partners might need IPv6 in the future
• Cloud integration will be easier with IPv6, cheaper

Your own ICT needs IPv6
• Not needed today
• Will know when needed up to 6 months in advance
• Implementation will take more than 2 years
• Need to monitor our IPv6 website and DNS
• Start preparing!

Two common strategies

From outside to inside
• Start with external-facing services
  • DNS
  • Web
  • Mail
• Maybe only up to the load-balancer
Goal: provide good service to IPv6 users on the internet

From inside to outside
• Start with core
  • Core router
  • Security devices
• Add internet connectivity
• Connect networks
  • Clients
  • Servers
Goal: provide IPv6 for internal applications and services


IPv6 Addressing Plan – some thoughts

Why is IPv6 Addressing Plan Important? (BRKRST-2667)

• Helps you to get your head around IPv6 deployment
  • Structure - Services
  • Hierarchy - Security
• Puts structure in place
  • Like belts and braces
• First real “toe in the cold water”
  • In terms of deployment
  • Makes the “jump” easier
• Well thought-through addressing plan can ease network operations and troubleshooting
  • Your NOC will appreciate it

IPv4 Address Assessment

• Assess how the existing IPv4 address space is used
• Useful information for
  • IPv6 integration
  • IPv4 address consolidation
  • Reclaiming unused address space
• Use existing tools
  • IPAM
  • ARP tables
  • Routing tables
  • DHCP logs

Callout: better visibility into how the existing address space is used; can better answer when IPv6 is critical

Addressing Plan Requirements and Considerations

Requirements
• Length of prefix and bits to work with
  • Enterprises usually multiple /48
  • Highly dependent on RIR policy
  • SPs should get /29 (≥ 35 bits)
• Avoid breaking the nibble boundary
• Think of # of prefixes at each level
• Templates will be your friends
• IP Address Management Tools

Considerations
• Clear addressing for different parts of the network
  • WAN/Core, Campus, branch, DC, Internet Edge etc.
• Different Locations/Services
• Encoding of information
• Ease of aggregation
• Leaving space for growth

IPv6 Address Space - PI vs PA

• Do I Get PI or PA?
  • PI space is great for organizations who want to multi-home to different SPs
  • PA from your ISP if you are single homed or you plan to NAT/Proxy everything with IPv6 (not likely)
  • Become an LIR and get your own PA space

• Options for international organizations
  • Get one large global block (can be PI or PA) from local RIR and subnet out per region
  • Get a separate block (probably PI) from each of the RIRs you have presence in

IPv6 Address Space - PI vs PA

• Smaller organizations use the PI path
  • Getting assignments across regional registries provides “insurance” against changing policies

• Multinational organizations use the LIR path
  • Essentially becoming their own ISP
  • Get a /29, no questions asked
  • RIPE policies don’t distinguish between ISP and enterprise, so get same freedom that an ISP has

• Both provide
  • Traffic Engineering

Addressing Recommendations

Link Local Address
• Always present on each link
• Normally, first 64 bits are fixed
• The Interface Identifier can be modified
  • Encoding external identifiers for troubleshooting
  • VLAN number, Router IDs, IPv4 address etc.
• Possible to leverage for IGP routing

Unique Local Address
• No replacement for global addresses
  • Unless in a closed system
  • Would need IPv6-to-IPv6 Network Prefix Translation (NPTv6) on Internet Edge
• Possible for infrastructure addressing
  • Possibly side-by-side with global addresses

Global Unicast Address
• Vast number of prefixes
• Manage just one address space
• Strongly recommended

Unique Local Address (ULA)

• Automatic Prefix Generation (RFC 4193) non sequential /48, M&A challenges

• To be avoided in most cases, draft-ietf-v6ops-ula-usage-recommendations-00

• Caution with older OS’s (RFC 3484) using ULA & IPv4

• Multiple policies to maintain (ACL, QoS, Routing, etc.)

Diagram: Global Internet – Corporate Backbone (Global 2001:db8:cafe::/48, ULA Space fd9c:58ed:7d73::/48) – Branch 2 (2001:db8:cafe:3000::/64, fd9c:58ed:7d73:3000::/64); fd9c:58ed:7d73::2::/64

IPv6 provides more options than IPv4

• Links can have multiple prefixes:
  • Every link (point-to-point, VLAN) has link-local addresses
  • Links can have global addresses
  • Links can have ULA addresses

• Multiple global and ULA prefixes per link is possible
  • Can be useful for renumbering to have multiple prefixes active at the same time
  • But do you really want that during normal operation???

• Keep it simple!

Prefix Length Considerations

• Anywhere a host exists: /64
  • RFC 7421: /64 is here to stay
• Point to Point: /127
  • Should not use all 0’s or 1’s in the host portion
  • Nodes :1 & :2 are not in the same subnet
  • Reserve the /64, configure /127 with :a & :b
  • RFC 6164: /127 cache exhaust
• Loopback or Anycast: /128

Diagram: Hosts /64, Servers /64, Core /64 or /127, Pt 2 Pt /127, Loopback /128, WAN

Infrastructure using Link Local Addressing

• Topology hiding, Interfaces cannot be seen by off link devices

• Reduces routing table prefix count, less configuration

• Need to use ULA or GUA for generating ICMPv6 messages

• What about DNS, Traceroute, WAN Connections, etc.?

• RFC 7404 – Details pros and cons

Diagram: Internet – ULA/GUA – fe80::/64 on the core links – WAN/MAN – ULA/GUA at the edges

Numbering your infrastructure

• Use only Link-Local on links between routers?
  • Easy to configure, smaller attack surface, harder to debug

• Use global addresses for systems and ULA for infrastructure?
  • Smaller attack surface, complex addressing, confusing to ops, causes ICMP problems

• Use both global addresses and ULA side-by-side for everything?
  • Complex to configure and maintain, unpredictable behaviour, (almost) no benefits

• Use global addresses everywhere?
  • Use IPv6 as designed: This is the best choice in most cases!

Host Address Assignment

Manual
  Pros: Address is stable; Controlled assignment; Well understood process
  Cons: Does not scale; Time to deploy; Lack of management

Stateless
  Pros: Scales well; Time to deploy; Widely implemented
  Cons: No control on assignment process; Not well understood; Unpredictable (privacy extensions)

Stateful DHCPv6
  Pros: Well understood process; Controlled assignment; Time to deploy
  Cons: Implementation in OS; Must design for HA

• The choice of assignment depends on the existing processes and the adaptability of that process
• Remember that the methods are not mutually exclusive - all three can be used
• Regardless of choice, you must still control the stateless assignment of addresses

What about NAT?

Diverse Translation Options
• NAT-PT
  • Original specification, deprecated
• NPTv6
  • Stateless translation
  • Only manipulate the prefix
• NAT66
  • Stateful translation
  • Not specified in RFC
• NAT64 + DNS64
  • Translation from IPv6-only to IPv4
  • Stateful translation
• SIIT / SIIT-DC
  • Stateless translation between IPv4 & IPv6

Where should NAT be applied?
• NPT or NAT66
  • Multi-homing ???
• NAT66
  • Address hiding / Like IPv4 / Security ???
• NAT64
  • Build IPv6-only client networks
  • Still provide a way to reach the IPv4-world
• SIIT
  • Make IPv4 servers reachable over IPv6
  • MTU problems
  • Cannot be the final state
  • Must move towards full IPv6 integration
• SIIT-DC
  • Make IPv6-only hosts reachable over IPv4

Methodology – Avoid Zero Compression

• Operations may not understand what you do

• Avoid the zero compression “gotcha”
  • 2001:db8::/32
  • 2001:db8:0000::/48
  • 2001:db8:0000::/52
  • 2001:db8::

• Same goes for host based subnets
  • 2001:db8:1020:0000::/64 could look like 2001:db8:1020::

• Useful place for zero compression:
  • Router loopback addresses
  • 2001:db8::5/128

Example - How Many Subnets in a Location?

/48 location
  /52 Infrastructure
    /56 Interconnects   256x /64 P2P links, /127 per P2P link
    /56 Loopbacks       256x /64 Loopbacks, /128 per Loopback
    /56 reserve
    /56 reserve
  /52 Desktops
  /52 Wireless
  /52 etc.
  ...

• Follow the logical flow
  – How many subnets in each location?
  – What does sit under infrastructure?
  – How many point-to-point links?
  – Where is the reserve?

Ideas for grouping prefixes

(Same hierarchy figure as the previous slide: /48 location with /52 groups for Infrastructure, Desktops, Wireless, etc.)

• Always make one group for Infrastructure
  • Easier to protect and monitor
  • Using group number 0 gives shorter addresses

• Other grouping ideas:
  • Organizational division (group by responsibility)
  • Type of use (group by expected traffic)
  • Security boundary (group by firewall policy)
  • Whatever makes sense in your network!

• Further reading
  • https://www.ripe.net/support/training/material/IPv6-for-LIRs-Training-Course/Preparing-an-IPv6-Addressing-Plan.pdf

4 Rules

1. Keep it SIMPLE
   • You don’t want to spend weeks explaining it!

2. Embed information to help operations
   • To help troubleshooting and operation of the network
   • Examples: location, country, firewall zone, VLAN, IPv4 addresses

3. Plan for expansion (build in reserve)
   • Cater for future growth, mergers & acquisitions, new locations
   • Reserved vs. assigned

4. Exploit hierarchy / aggregation
   • Good aggregation is essential, just one address block (per location)
   • Ensures scalability and stability

Figure: 2001:420:1234::/48 split into 2001:420:1234:0100::/56, 2001:420:1234:0200::/56, 2001:420:1234:0300::/56, 2001:420:1234:0400::/56, 2001:420:1234:0500::/56, …

Address Planning Exercise

ACME Enterprise

• Food and consumables conglomerate

• Has presence throughout Europe
  • Currently set up with 19 regional offices
  • Plans are to expand to 37 regional offices

• They also have a sister company (ACME ISP) which is providing telecommunications services throughout Europe

ACME Enterprise Current State of the Network

• ACME has grown organically through a policy of acquisitions and mergers over the past few years.

• Use of private (RFC 1918) and/or illegal IPv4 address blocks, NAT is widely used. This is negatively impacting the behaviour of some enterprise applications and increasing maintenance cost.

• ACME has decided to strategically deploy IPv6 within the ACME Enterprise network. This will enable applications and services to be moved from IPv4 to IPv6 on a case-by-case basis.

• For its WAN connectivity, ACME enterprise uses the MPLS VPN service offered by ACME ISP.

ACME Enterprise IPv6 High Level Requirements

• ACME ISP is a RIPE NCC member (an LIR) and has been allocated a /19 IPv6 address block. ACME Enterprise has been provided 2001:db8::/32 from its ISP. ACME ISP will be interconnecting all the IPv6 locations of the ACME enterprise network.

• The most important requirements for the IPv6 addressing design are for it to be highly hierarchical, uniform and scalable. This will greatly simplify the design, operation and troubleshooting of the network.

ACME Enterprise Detailed Requirements

• As a general rule, ACME would like to use byte (8-bit)-boundaries between the different higher-level hierarchies of the IPv6 addressing. (HINT!!!)

• At the first level, the addressing scheme needs to support at least 37 regional offices (HINT!!!). Also some address blocks should be reserved for future growth in the larger countries.

• At the second level (within each region), there are a number of campus locations. It is at this level that connectivity into the ACME ISP network is provided. The largest region has about 40 campus locations. (HINT!!!)

ACME Enterprise Detailed Requirements (Cont.)

• At the third level (within each campus location), the number of buildings per campus is small (4-6 maximum). Therefore, allocating these blocks on a byte boundary is deemed overkill. A nibble (4-bit) boundary will suffice here. (HINT!!!)

• A separate “virtual building” address block needs to be set aside for network infrastructure addressing within that campus location.

• At the fourth level (within each building), individual IPv6 subnets need to be assigned to individual VLANs.

• An additional requirement is to divide up the network infrastructure block in ranges for loopback, link and network services addressing.

An Address Plan For ACME Enterprise (Tasks)

• Design an IPv6 address plan for ACME enterprise, applying what you have learned in this session and the mentioned HINTS.

• Work top-down through the address plan.

• Focus first on the end-system addressing.

• Think about the network infrastructure addressing

• There are multiple acceptable solutions, it’s more important to think about the problem and apply the methodology.

ACME Enterprise IPv6 Addressing Exercise

Global Prefix: 2001:db8::/32

Columns to fill in: Address Scope | Prefix Length | # of address block allocations w/in higher level | First address block allocation w/in higher level | Last address block w/in higher level

Rows: Region; Campus Location; Building; End-System; Network Infrastructure (Loopbacks, Links, Network Services)
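One candidate plan for the exercise, written as an added Python example (not the session's solution; the slides note that several answers are acceptable). It assumes the split /32 → /40 regions → /48 campuses → /52 buildings → /64 VLANs, building slot 0 as the infrastructure "virtual building", and /56 slots 0-2 of that block for loopbacks, links and network services; it prints prefixes uncompressed, which is the "avoid zero compression" rule from the earlier slide, and numbers point-to-point links ::a/::b inside a reserved /64 as the prefix-length slide suggests.

```python
import ipaddress

# Prefix from the exercise. The level split below is one candidate plan that
# follows the hints (byte boundaries for region and campus, a nibble for
# buildings, one /64 per VLAN); it is this example's assumption.
GLOBAL_PREFIX = ipaddress.IPv6Network("2001:db8::/32")
LEVELS = (("region", 40), ("campus", 48), ("building", 52), ("vlan", 64))
INFRA_BUILDING = 0                                          # assumed slot of the "virtual building"
INFRA_RANGES = {"loopbacks": 0, "links": 1, "services": 2}  # assumed /56 slots inside the infra /52
REQUIRED = {"regions": 37, "campuses": 40, "buildings": 6 + 1}  # +1 for the infra block


def capacity(parent_len, child_len):
    """Number of child_len prefixes that fit in one parent_len prefix."""
    if child_len < parent_len:
        raise ValueError("child prefix must not be shorter than parent")
    return 1 << (child_len - parent_len)


def child_block(parent, child_len, index):
    """The index-th sub-prefix of parent with prefix length child_len."""
    if not 0 <= index < capacity(parent.prefixlen, child_len):
        raise IndexError(f"slot {index} does not exist under {parent} at /{child_len}")
    base = int(parent.network_address) + (index << (128 - child_len))
    return ipaddress.IPv6Network((base, child_len))


def uncompressed(net):
    """Write a prefix without zero compression so a /48 and a /52 cannot be confused."""
    return f"{net.network_address.exploded}/{net.prefixlen}"


def plan_vlan(region, campus, building, vlan):
    """Walk the hierarchy top-down and return the prefix at every level."""
    out = {}
    current = GLOBAL_PREFIX
    for (name, length), slot in zip(LEVELS, (region, campus, building, vlan)):
        current = child_block(current, length, slot)
        out[name] = current
    return out


def plan_infrastructure(region, campus):
    """The campus's infrastructure block and its loopback/link/services ranges."""
    campus_net = child_block(child_block(GLOBAL_PREFIX, 40, region), 48, campus)
    infra = child_block(campus_net, 52, INFRA_BUILDING)
    ranges = {name: child_block(infra, 56, slot) for name, slot in INFRA_RANGES.items()}
    return infra, ranges


def p2p_pair(link64):
    """Reserve a /64 per link but number it ::a and ::b, which share one /127."""
    base = int(link64.network_address)
    return (ipaddress.IPv6Address(base + 0xA), ipaddress.IPv6Address(base + 0xB))


def meets_requirements():
    """Check the hinted counts against the chosen prefix lengths."""
    return (capacity(32, 40) >= REQUIRED["regions"]
            and capacity(40, 48) >= REQUIRED["campuses"]
            and capacity(48, 52) >= REQUIRED["buildings"])


if __name__ == "__main__":
    for name, net in plan_vlan(1, 2, 3, 4).items():
        print(f"{name:10} {uncompressed(net)}")
    infra, ranges = plan_infrastructure(1, 2)
    print(f"{'infra':10} {uncompressed(infra)}")
    for name, net in ranges.items():
        print(f"  {name:8} {uncompressed(net)}")
    print("first link", *p2p_pair(child_block(ranges["links"], 64, 0)))
```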

Solution

Internet Edge

Top Enterprise Care-abouts for Internet Edge

• Dual Stack peering
• Tunnel brokers as backup plan
• Address plans/Prefix-lengths
• To translate or not
• User experience
  • All things being equal IPv6 wins

• Business Partners
  • Are your partners using IPv6?
  • How will they connect to your services?
  • How will you connect to their services?
• Branch Office Connectivity
  • How are branch offices connecting?

Multi Homing (BRKRST-2044)

• Challenges Arise
  • Upstream Address Filters
  • Asymmetric Routing
  • Default GW & NH Selection

• Provider Allocated
  • Primary Provider & ASP Stream
  • SOHO Tunnelling, VPN

• Medium to Large Enterprise
  • Provider Independent
  • BGP

Diagram: ISP-A and ASP-B upstreams

Web Cache Control Protocol (WCCPv2)

• Need WCCPv2 for IPv6 support

• Configure separate group instances for dual stack operation

ipv6 wccp 91 redirect-list lookat6
!
interface vlan10
 ipv6 address 2001:db8:babe:10::1/64
 ipv6 wccp 91 redirect in
!
ipv6 access-list lookat6
 permit tcp 2001:db8:babe:10::/64 any eq www
 permit tcp 2001:db8:babe:10::/64 any eq 443

Diagram: Internet – router with vlan10 (2001:db8:babe:10::/64) redirecting to the cache

Dual Stack the Internet Edge

• Dual stack the network in place
• Most design elements should be the same
• SLB64/Proxy/NAT64 for IPv4-only apps

Diagram: Internet (ISP 1, ISP 2) – Edge Router – Outer Switch – Security Services – Inner switching / DMZ / Server Farm (SLB/Proxy/Compute: Web, Email, Other) – Enterprise Core – Internal Enterprise

SLB64 Translation Technique

• Virtual IP (VIP), SNAT Pool
• Publish Appropriate AAAA Record

• IPv6 to IPv4, Similar to NAT64

• OS/App dictate design parameters

• Rapid Time to Deploy Dual Stack

Diagram: ISP-A / ISP-B – SLB64 – IPv4-only UCS servers, servers, WWW

X-Forwarded-For (XFF)

• By default, the source IP logged for client requests will be the NAT’ed address

• Want to log the real source address

• Make changes to Apache LogFormat/CustomLog to get full use of XFF

cisco@ie-web-01:/$ tail -f /var/log/apache2/access.log
10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)"
(Bad: the logged source is the NAT’ed address)

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    x-forwarded 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n
(Good: the real client address is carried in the header)
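Reading the real client address back out of such a log, as an added Python example (not from the session): it assumes an Apache LogFormat of `%h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"` and a trusted-proxy set made of the SLB's SNAT address from the capture above; the header is only believed when the TCP peer is one of our own load balancers, since anyone else can send arbitrary X-Forwarded-For text, and the sample log lines are constructed.

```python
import ipaddress
import re

# Assumed Apache LogFormat (not the page's): the combined format with the
# User-Agent field replaced by the X-Forwarded-For request header:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" xff
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)

# SNAT pool of the SLB64 in front of this server (the address in the page's log).
TRUSTED_PROXIES = {"10.140.19.250"}


def client_address(line, trusted_proxies=TRUSTED_PROXIES):
    """Return (address, reason): the client address to attribute a log line to.

    X-Forwarded-For is only believed when the TCP peer (%h) is one of our own
    load balancers. With a single trusted hop, the rightmost XFF entry is the
    one the balancer appended; anything left of it is an unverified claim.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected LogFormat")
    peer, xff = m["peer"], m["xff"].strip()
    if peer not in trusted_proxies:
        return peer, "peer-untrusted"   # direct hit, the header is not ours
    if xff in ("", "-"):
        return peer, "no-xff"
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "xff"
    except ValueError:
        return peer, "invalid-xff"      # fall back to the hop we can vouch for


def summarize(lines, trusted_proxies=TRUSTED_PROXIES):
    """Count requests per attributed client address over a batch of log lines."""
    counts = {}
    for line in lines:
        addr, _ = client_address(line, trusted_proxies)
        counts[addr] = counts.get(addr, 0) + 1
    return counts


# Constructed sample lines; the first reuses the addresses from the page's capture.
SAMPLE = [
    '10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "2001:db8:ea5e:1:49fa:b11a:aaf8:91a5"',
    '10.140.19.250 - - [25/Oct/2011:11:41:09 -0600] "GET /login HTTP/1.1" 200 512 "203.0.113.9, 2001:db8:ea5e:1::77"',
    '192.0.2.33 - - [25/Oct/2011:11:41:12 -0600] "GET / HTTP/1.1" 200 100 "2001:db8::1"',
    '10.140.19.250 - - [25/Oct/2011:11:41:15 -0600] "GET /health HTTP/1.1" 200 2 "-"',
    '10.140.19.250 - - [25/Oct/2011:11:41:20 -0600] "GET / HTTP/1.1" 200 100 "garbage, also-garbage"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(client_address(line))
    print(summarize(SAMPLE))
```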

Internet Edge Design Summary

Dual Stack
  Benefit:
    • No tunneling
    • No translation
    • No dependency on IPv4
    • Best performance, scale, HA
    • Native visibility into IPv6 traffic
  Challenge:
    • Requires IPv6 support in all L3 aware platforms and software

SLB64
  Benefit:
    • Allows for IPv6 to IPv4-only server access
    • Removes immediate need to dual stack entire server farm
    • Higher performance and HA over software-only reverse proxies
    • Leverage existing SLB platform
    • Non-disruptive to IPv4 applications
    • Maintain IPv6 source address visibility using XFF
  Challenge:
    • Still requires IPv6 from ISP to north-facing side of SLB
    • Potential cost of new SLB
    • Does not support every application type or protocol today
    • Performance may not match dual stack design depending on traffic load

Stateful NAT64
  Benefit:
    • Allows for IPv6 to IPv4-only server access
    • Removes immediate need to dual stack entire server farm
    • Higher performance and HA over software-only reverse proxies
    • Non-disruptive to IPv4 applications
    • No hardware change needed if already using platform that supports NAT64
  Challenge:
    • Potential cost of new HW to support NAT64
    • Does not support every app or protocol in the ALG function of the NAT64 feature
    • Performance may not match dual stack
    • NetFlow can be used for source IPv6 address logging but may not work with existing web analytics and logging tools

Campus Considerations

Routing Considerations (BRKRST-2022)

• Enable IPv6 routing
  • “ipv6 unicast-routing”
  • “no switchport”

• IPv6 Next Hop
  • Link local addresses

• Router ID
  • Unique 32-bit number that identifies the router
  • Happens to be written in dotted decimal notation

• Resource Utilization

Diagram: Management, Routing, Switching, Services

Routing protocols

Single topology
• One SPF calculation
• IPv4 and IPv6 routing share fate
• Examples:
  • EIGRP for both IPv4 and IPv6
  • OSPFv3 for both IPv4 and IPv6
  • IS-IS with single topology

Multiple topologies
• Multiple SPF calculations
• IPv4 and IPv6 independent
• Examples:
  • EIGRP for IPv4 + OSPFv3 for IPv6
  • OSPFv2 for IPv4 + OSPFv3 for IPv6
  • IS-IS with multi-topology

Point-to-Point Routed Links

• Suppress RA’s for globally assigned addressing

• Disable ICMPv6 redirects

• Don’t send ICMPv6 “unreachables”
  • ICMPv4 Fragmentation-Needed is an “unreachable”
  • ICMPv6 Packet-too-Big is a separate ICMP code and unaffected

interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables

HSRP for IPv6

• Many similarities with HSRP for IPv4 from design perspective (odd/even prefix)
• Changes occur in Neighbour Advertisement, Router Advertisement, Redirects
• Virtual MAC derived from HSRP group number and virtual IPv6 LLA
• Protocol layers:
  • Layer 2 – 0005.73A0.0000-0F0F → 3333.0000.0066
  • Layer 3 – fe80::/64 → ff02::66
  • Layer 4 – UDP port 2029 (HSRPv6)

interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 timers msec 250 msec 800
 standby 2 preempt
 standby 2 preempt delay minimum 180
 standby 2 authentication cisco

Unix Host with GW of VIP:
unixhost# route -A inet6 | grep ::/0 | grep eth2
::/0    fe80::5:73ff:fea0:1

Diagram: HSRP Active and HSRP Standby routers

GLBP for IPv6

• Provides weighted or ~= load balancing across resources

• Modification to NA, default GW is announced via RA using vMAC

• AVG assigns vMAC’s and responds to NDP, directing hosts to the AVF’s

• Protocol layers:
  • Layer 2 – 0007.B4xx.xx08 → 3333.0000.0066
  • Layer 3 – fe80::/64 → ff02::0100:5e00:66
  • Layer 4 – UDP port 3222 (GLBPv6)

interface fastethernet0/0
 ipv6 address 2001:db8::/64 eui-64
 glbp 8 ipv6 2001:db8::D38:C677:2925:8
 glbp 8 priority 110
 glbp 8 preempt
 glbp 8 load-balancing weighted
 glbp 8 weighting 110 lower 95 upper 105
 glbp 8 authentication md5 key-string 7 XYZ

Diagram: GLBP group 8 with an AVG and two AVFs

VRRPv3 for IPv6

• Sub second failover possible, multi vendor interoperation

• Active/Standby design, Load Balancing via VLAN’s

• Protocol layers:
  • Layer 2 – 0000.5E00.02xx → 3333.0000.0012
  • Layer 3 – fe80::/64 → ff02::12
  • Layer 4 – IP protocol 112

fhrp version vrrp v3
!
interface fastethernet0/0
 ipv6 address 2001:db8::/64 eui-64
 vrrp 4 address-family ipv6
  address fe80::1 primary

QoS CLI

• Class maps can match both IPv4 and IPv6 traffic
• Can be broken into “ip” and “ipv6” matching
• Design principles still the same
  • Mark at the edge
  • Trust boundaries still apply
  • Queue sizing

class-map match-any Critical_Data
 match dscp af21
class-map match-any Voice
 match dscp ef
class-map match-all Scavenger
 match dscp cs1
class-map match-any Bulk_Data
 match dscp af11
!
policy-map DISTRIBUTION
 class Voice
  priority percent 10
 class Critical_Data
  bandwidth percent 25
  random-detect dscp-based
 class Bulk_Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect

Diagram: Data, Voice, Video and Internet traffic classes

Wireless LAN Controller BCPs (BRKEWN-2010)

• WLC version 8.x increases support of IPv6

• CAPWAP, SNMP, NTP, Radius, Syslog, CDP, WebAuth

• Interface groups, same SSID over multiple VLAN’s

• IPv6 binding table supports FHS & ND Multicast suppression

Wi-Fi Multicast Background

• Radio is a shared media
• Hosts must “awaken” to see if Multicast is for them
• Multicast packets are not acknowledged or retransmitted
• AP transmits bcast/mcast frames at the lowest possible rate
• Broadcast/Multicast up to 10x more time in air
  • IEEE 802.11a mcast: 6 Mbps, ucast up to 54 Mbps
  • IEEE 802.11n mcast: 15 Mbps, ucast up to 150 Mbps

• 802.11 Header:
  • Protected Frame Field delineates acknowledged frames

Neighbour Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

Figure: the controller's binding table (00:24:56:75:44:33 ↔ 2001:db8:0:20::2, 00:24:56:11:93:28 ↔ 2001:db8:0:20::4) lets it answer a multicast NS with a unicast NA on behalf of the cached host.

Router Advertisement Throttler

• Scaling the mobility access environment

• NDP process is multicast “chatty”, consumes airtime

• Rate limit RA’s from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast

Figure: periodic RAs and triggered RAs (in answer to a Router Solicitation, RS) passing through the throttler.

IPv6 Operations: Don’t Forget About Network Management (BRKRST-2312)

• Address Planning
• IPv4-IPv6 interaction
• DHCPv6, DNSv6, IPAM
• Managing security infrastructures
  • Firewall, IDS, AAA
• Instrumentation
  • NetFlow, IP SLA, SNMP MIB, CLI

• Troubleshooting
• Introduction of extended IP services
• Requires support in
  • Instrumentation (MIB, NetFlow records, etc.)
  • NMS tools and systems

• Dual Stack Interfaces and reporting
  • MRTG reporting combined v4 and v6 traffic statistics.

NetFlow for IPv6

• Application Performance monitoring is a great differentiator for IPv6

• Exporting: NetFlow version 9
  • Advantages: extensibility
  • Integrate new technologies quicker (MPLS, IPv6, BGP NH, etc.)
  • Integrate new aggregations quicker
  • Note: for now, the template definitions are fixed

• Metering: Flexible NetFlow
  • Advantages: cache and export content flexibility
  • User selection of flow keys
  • User definition of the records

Resilient DHCP, DNS, IPAM Design

• Anycast Address for Client Access to DHCP/DNS

• Uses the same address in multiple locations
• Global Unicast Address (GUA) for Service Uptime
• DDI server injects /128 via OSPF

Figure: DDI1–DDI4 each announce the anycast address 2001:db8:aa::21 out of their 2001:db8:aa:: GUA space with OSPF costs 10, 20 and 30; the client (“I pick the closest metric”) reaches the nearest DNS1, while command & control uses each server's own GUA.

IPv6 Testing Considerations

• How do hosts react to auto-configuration?

• Are devices taking both a static and an auto-configured address? Understand this so that the security policy is not affected.

• Should IPv6 RAs be disabled, and how do devices react to that?

• Does the application being used implement the source address selection (SAS) algorithm correctly?

• How do devices react with A and AAAA DNS records?
  • What happens if IPv4 is disabled?
  • What happens if IPv6 is impaired?

Figure: host bring-up sequence (RA, DHCP reply, ARP request, DNS reply with A and AAAA records).

IPv6 Testing & Troubleshooting

• Create a baseline template that should be run as part of all IPv6 solution testing.
  • Hosts/Servers/End Systems
  • Routers/Switches
  • Firewalls/IPS

• Template should consist of basic IPv6 RFC 2460 functionality.
  • IPv6 Ready Logo
  • USGv6
  • RIPE-554

• IPv6 troubleshooting tools for mobile devices (iOS & Android)

Tools: IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

Troubleshooting IPv6 Issues

• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts
  • http://www.google.com will take us to Google

• Typically an end user will notice issues if all of the following are true:
  • IPv6 is enabled on the desktop
  • The DNS query returns an IPv6 AAAA record
  • IPv6 is preferred over IPv4
  • There are connectivity problems over IPv6

Figure: protocol stack with TCP/UDP over IPv4 (Ethertype 0x0800) or IPv6 (Ethertype 0x86dd) over the Data Link (Ethernet) layer.

Diagnosing IPv6 Issues (BRKRST-3304)

• When a desktop connects to a web site:

1. Resolve the DNS name to an IP address.
   • If there is an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6
   • If there are issues with IPv6 connectivity further in the network, the connection may not work

2. The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for Windows): bad user experience

• Basic troubleshooting using ping, traceroute, ipconfig should help isolate the issue

Happy Eyeballs (BRKRST-3304)

• Instead of waiting for IPv6 to time out (this is ~30 sec for Windows) a “smarter” algorithm is used: Happy Eyeballs (RFC 6555)
  • Waits for a very short time to see if IPv6 works
  • If no confirmation within 200ms:
    • Try to open IPv4 connection in parallel
    • Use whichever connection works, close the other

• No bad user experience anymore!

• But IPv6 problems may stay unnoticed… • Needs a more active stance from network and server admins
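The race described above, as an added example that is not part of the deck: the IPv6 and IPv4 connect functions are injected (here simulated with sleeps) so it runs offline, and the losing family's error is returned so an operator can see the IPv6 failures that Happy Eyeballs would otherwise hide from the user.

```python
"""Happy Eyeballs (RFC 6555) connection race with injected connect functions.

Added example; not part of the Cisco Live deck. Nothing here opens a socket:
the connect coroutines are simulated so the race runs offline.
"""
import asyncio


async def happy_eyeballs(connect_v6, connect_v4, delay=0.2):
    """Race IPv6 against IPv4 the way RFC 6555 describes.

    IPv6 is tried first. If it has neither succeeded nor failed within
    `delay` seconds (the 200 ms of the slide), IPv4 is started in parallel;
    if IPv6 fails sooner, IPv4 starts immediately. The first attempt to
    succeed wins and the other is cancelled.

    Returns (family, connection, errors). `errors` maps each family that
    failed to its exception, so a caller can log the loser instead of
    silently hiding a broken IPv6 path.
    """
    tasks = {asyncio.ensure_future(connect_v6()): "ipv6"}
    pending = set(tasks)
    errors = {}
    v4_started = False
    timeout = delay
    while pending:
        done, pending = await asyncio.wait(
            pending, timeout=timeout, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            family = tasks[task]
            if task.exception() is None:
                for other in pending:          # close the attempt that lost the race
                    other.cancel()
                return family, task.result(), errors
            errors[family] = task.exception()
        if not v4_started:
            # either the timer expired with IPv6 still unanswered, or IPv6 failed fast
            v4 = asyncio.ensure_future(connect_v4())
            tasks[v4] = "ipv4"
            pending.add(v4)
            v4_started = True
            timeout = None                     # from now on just wait for a result
    raise ConnectionError(errors)


def simulated(family, seconds, fails=False):
    """Constructed stand-in for connect(): succeeds (or fails) after `seconds`."""
    async def connect():
        await asyncio.sleep(seconds)
        if fails:
            raise OSError(f"{family} unreachable")
        return f"{family}-connection"
    return connect


def race(v6_seconds, v4_seconds, v6_fails=False, v4_fails=False, delay=0.2):
    """Run one simulated race; returns (winning family, families that failed)."""
    try:
        family, _, errors = asyncio.run(happy_eyeballs(
            simulated("ipv6", v6_seconds, v6_fails),
            simulated("ipv4", v4_seconds, v4_fails), delay))
    except ConnectionError as exc:
        return "none", sorted(exc.args[0])
    return family, sorted(errors)


if __name__ == "__main__":
    print(race(0.05, 0.05))                 # IPv6 answers within 200 ms: ('ipv6', [])
    print(race(30.0, 0.05))                 # IPv6 hangs like the ~30 s timeout: ('ipv4', [])
    print(race(0.01, 0.05, v6_fails=True))  # IPv6 fails fast: ('ipv4', ['ipv6'])
```

The hung-IPv6 case returns no error at all: the broken path shows up only as IPv4 winning the race, which is exactly the monitoring gap the slide warns about.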

IPv6 SP Troubleshooting Guide: RIPE-631

Requirements for IPv6 in ICT Equipment – RIPE 554

• Requirements for IPv6 support in hardware
  • Requirements for "host" equipment
  • Requirements for consumer grade "Layer 2 switch" equipment
  • Requirements for enterprise/ISP grade "Layer 2 switch" equipment
  • Requirements for "router or Layer 3 switch" equipment
  • Requirements for "network security equipment"
  • Requirements for CPE equipment
  • Requirements for mobile devices
  • Requirements for load balancers

• Requirements for IPv6 support in software

• Skill requirements of the systems integrator: Declaration of IPv6 competence

IPv6 Musings from the Fish Bowl

Fish (CCIE #2639, CCDE #2009:14)

IPv6 Musings from the Fish Bowl


• Part 1 of 7: Understanding IPv6: The Journey Begins

• Part 2 of 7: Understanding IPv6: Link-Local ‘Magic’

• Part 3 of 7: Understanding IPv6: A Sniffer Full Of 3s

• Part 4 of 7: Understanding IPv6: What Is Solicited-Node Multicast?

• Part 5 of 7: Understanding IPv6: Prepping For Solicited-Node Multicast

• Part 6 of 7: Understanding IPv6: The Ping Before Solicited-Node Multicast

• Part 7 of 7: Understanding IPv6: Solicited-Node Multicast In Action

http://www.networkingwithfish.com/ipv6/

Agenda

• Show a Magic Trick
• Explain How the Magic Trick works
• Resolving the destination MAC

The Magic Trick

How the Magic Trick Works

Figure: two routers with link-local addresses FE80::2237:6ff:fecf:67e4 and FE80::5a0a:20ff:feeb:91e4, both listening to the link-local multicast group FF02::5.


• Multicast
  • Local: They are local to the wire they are on.
  • Common interest: If a router wants to participate in EIGRP, it already knows the local multicast address (IPv4/IPv6) to start to listen to and the corresponding MAC address.
  • Join: “Join” just by deciding to listen to a local multicast address and then, by extension, to the corresponding MAC address for that multicast IP address.

Exists in IPv4 & IPv6

Link-Local Scope Multicast Address


• Multicast
  • Local: They are local to the wire they are on.
  • Common interest: If a router wants to participate in EIGRP, it already knows the local multicast address (IPv6) to start to listen to and the corresponding MAC address.
  • Join: “Join” just by deciding to listen to a local multicast address and then, by extension, to the corresponding MAC address for that multicast IP address.

How the Magic Trick Works

Figure: the two routers' link-local addresses, FE80::2237:6ff:fecf:67e4 and FE80::5a0a:20ff:feeb:91e4.


Puzzle Piece: Link-Local Address

“In the Version 6 (IPv6), the address block fe80::/10 has been reserved for link-local unicast addressing. The actual link local addresses are assigned with the prefix fe80::/64. They may be assigned by automatic (stateless) or stateful (e.g. manual) mechanisms.

Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned. Consequently, IPv6 hosts usually have more than one IPv6 address assigned to each of their IPv6-enabled network interfaces.

The link-local address is required for IPv6 sublayer operations of the Neighbor Discovery Protocol, as well as for some other IPv6-based protocols, like DHCPv6.” Wikipedia https://en.wikipedia.org/wiki/Link-local_address#IPv6

Resolving Destination MAC Address: IPv4 w/ Broadcasts

Figure: IPv4 host 10.10.10.2 resolving a destination MAC with a broadcast ARP request.

How does this work without broadcast and ARP?

Resolving Destination MAC Address

Solicited-Node Multicast

Snippets from RFC4291 section 2.7

• A node is required to compute and join (on the appropriate interface) the associated solicited-node multicast addresses for all unicast and anycast addresses that have been configured for the node's interfaces (manually or automatically).

• Solicited-Node Address: FF02:0:0:0:0:1:FFXX:XXXX

• Solicited-node multicast addresses are computed as a function of a node's unicast and anycast addresses.

• For example, the solicited-node multicast address corresponding to the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C.


Neighbor Discovery Protocol

Let’s See That Again: Resolving Destination MAC Address

A node is required to compute and join the associated Solicited-Node Multicast address for all unicast addresses

RFC4291 section 2.7.1: A node is required to compute and join (on the appropriate interface) the associated Solicited-Node multicast addresses for all unicast and anycast addresses that have been configured for the node's interfaces (manually or automatically).
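The RFC 4291 rule quoted above, carried out in code as an added example (not from the deck): it derives the solicited-node group for each address configured on an interface and the 33:33 Ethernet MAC the NIC has to listen on, which is also the mapping that turns ff02::66 into 3333.0000.0066 on the HSRP slide.

```python
"""Solicited-node multicast groups and their Ethernet MACs.

Added example, not from the Cisco Live deck; standard library only.
"""
import ipaddress


def solicited_node(addr):
    """Solicited-node multicast address for a unicast or anycast address.

    RFC 4291 2.7.1: FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX are the low-order
    24 bits of the address. A node must join this group for every unicast and
    anycast address configured on the interface.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = (0xFF02 << 112) | (1 << 32) | 0xFF000000 | low24
    return str(ipaddress.IPv6Address(group))


def multicast_mac(addr):
    """Ethernet MAC for an IPv6 multicast address (RFC 2464 section 7).

    The MAC is 33-33 followed by the low-order 32 bits of the group address,
    e.g. ff02::66 (HSRPv6) -> 33:33:00:00:00:66.
    """
    group = ipaddress.IPv6Address(addr)
    if not group.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def groups_to_join(addresses):
    """Map each solicited-node group the interface must join to its MAC.

    Addresses that share the same low-order 24 bits (fe80::1 and 2001:db8::1,
    for instance) collapse onto one group, so the result is keyed by group.
    """
    joins = {}
    for a in addresses:
        group = solicited_node(a)
        joins[group] = multicast_mac(group)
    return joins


if __name__ == "__main__":
    # the RFC 4291 worked example quoted on the slide
    print(solicited_node("4037::01:800:200E:8C6C"))   # ff02::1:ff0e:8c6c
    print(multicast_mac("ff02::66"))                  # 33:33:00:00:00:66
    # constructed interface with a link-local and two global addresses
    print(groups_to_join(["fe80::1", "2001:db8::1", "2001:db8::a:b:c:d"]))
```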


Introduction to IPv6 Security

Eric Vyncke, Distinguished Engineer, @evyncke

Roadmap For IPv6 Security Sessions (www.ciscolive.com)

Operation
• BRKSEC-2003 Introduction to IPv6 Security: Threats and Mitigation
• BRKSPG-2603 How to Securely Operate an IPv6 Network
• BRKSEC-3003 Advanced IPv6 Security in the LAN
• BRKSEC-3200 Advanced IPv6 Security: Threats and Mitigation

Architecture and design
• LTRSEC-3004 Advanced IOS IPSec VPN with FlexVPN hands-on Lab
• BRKSEC-3054: IOS FlexVPN Remote Access, IoT and Site-to-Site advanced Crypto VPN Designs
• BRKIP6-2002 IPv6 for the World of IoT Dual-stack Products

Agenda

• Debunking IPv6 Security Myths

• Shared Issues by IPv4 and IPv6

• Specific Issues for IPv6
  • Extension headers, IPsec everywhere, tunnels, dual-stack
  • Forensics

• Enforcing a Security Policy in IPv6
  • ACL, firewalls, IPS, Content security
• Secure IPv6 transport over public network
• Summary

IPv6 Security Myths…

IPv6 Myths: Better, Faster, More Secure

Sometimes, newer means better and more secure

Sometimes, experience IS better and safer!

Source: Microsoft clip-art gallery

The Absence of Reconnaissance Myth

• Default subnets in IPv6 have 2^64 addresses
  • 10 Mpps = more than 50 000 years

Source: Microsoft clip-art gallery

Reconnaissance in IPv6: Scanning Methods Will Change

• If using EUI-64 addresses, just scan 2^48
  • Or even 2^24 if vendor OUI is known...

• Public servers will still need to be DNS reachable
  • More information collected by Google...

• Increased deployment/reliance on dynamic DNS
  • More information will be in DNS

• Using peer-to-peer clients gives IPv6 addresses of peers

• Harvest NTP client addresses by becoming a member of pool.ntp.org

• Administrators may adopt easy-to-remember addresses
  • ::1, ::80, ::F00D, ::C5C0, :ABBA:BABE or simply IPv4 last for dual-stack

• By compromising hosts in a network, an attacker can learn new addresses to scan

Scanning Made Bad for CPU: Remote Neighbor Cache Exhaustion (RFC 6583)

• Potential router CPU/memory attacks if aggressive scanning
  • Router will do Neighbor Discovery... And waste CPU and memory

• Local router DoS with NS/RS/…

Figure: scanning traffic towards 2001:db8::/64 makes the router emit a continuous stream of NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, … on the LAN.

For Your Reference: Mitigating Remote Neighbor Cache Exhaustion

• Built-in rate limiter with options to tune it
  • Since 15.1(3)T: ipv6 nd cache interface-limit
  • Or IOS-XE 2.6: ipv6 nd resolution data limit
  • Destination-guard is part of First Hop Security
  • Priority given to refresh existing entries vs. discovering new ones

• Using a /64 on point-to-point links => a lot of addresses to scan!
  • Using /127 could help (RFC 6164)

• Internet edge/presence: a target of choice
  • Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only

• Using infrastructure ACL prevents this scanning
  • iACL: edge ACL denying packets addressed to your routers
  • Easy with IPv6 because new addressing scheme

http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1

The IPsec Myth: IPsec End-to-End will Save the World

• IPv6 originally mandated the implementation of IPsec (but not its use)

• Now, RFC 6434 “IPsec SHOULD be supported by all IPv6 nodes”

• Some organizations still believe that IPsec should be used to secure all flows...
  • Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  • Network telemetry is blinded: NetFlow of little use
  • Network services hindered: what about QoS or AVC?

Recommendation: do not use IPsec end to end within an administrative domain.

Suggestion: Reserve IPsec for residential or hostile environment or high profile targets EXACTLY as for IPv4

Shared Issues: IPv6 Bogon and Anti-Spoofing Filtering

• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing = uRPF

Figure: an inter-networking device with uRPF enabled between the IPv6 Intranet and the IPv6 Intranet/Internet; a packet carrying an unallocated IPv6 source address has no route back to SrcAddr and is dropped.

Neighbor Discovery Issue #1: Stateless Address Auto Configuration (SLAAC) Rogue Router Advertisement

• Router Advertisements (RA) contain:
  - Prefix to be used by hosts
  - Data-link layer address of the router
  - Miscellaneous options: MTU, DHCPv6 use, …

RA without any authentication gives exactly the same level of security as DHCPv4 (none).

Figure: a host sends an RS (1.) and receives an RA (2.) from both the legitimate router and a rogue one, enabling MITM or DoS.
  1. RS: Data = Query: please send RA
  2. RA: Data = options, prefix, lifetime, A+M+O flags

Neighbor Discovery Issue #2: Neighbor Solicitation

Security mechanisms built into the Discovery Protocol = none => very similar to ARP; the last answer to arrive is used.

Figure: neighbor solicitation between A and B
  NS: Src = A, Dst = solicited-node multicast of B, ICMP type = 135, Data = link-layer address of A. Query: what is your link address?
  NA: Src = B, Dst = A, ICMP type = 136, Data = link-layer address of B
  A and B can now exchange packets on this link

Attack tool from THC: Parasite6, which answers all NS, claiming to be all systems in the LAN...

ARP Spoofing is now NDP Spoofing: Mitigation (BRKSEC-3003)

• GOOD NEWS: First-Hop-Security for IPv6 is available
  • First phase (Port ACL & RA Guard) available since Summer 2010
  • Second phase (NDP & DHCP snooping) available since Summer 2011
  • Third phase (Source Guard, Destination Guard) available since Summer 2013
  • http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
• (kind of) GOOD NEWS: Secure Neighbor Discovery
  • SeND = NDP + crypto
  • IOS 12.4(24)T
  • But not in Windows 7, 2008, 2012 and 8, Mac OS/X, iOS, Android
• Other GOOD NEWS:
  • Private VLAN works with IPv6
  • Port security works with IPv6
  • IEEE 802.1X works with IPv6 (except downloadable ACL)

Mitigating Rogue RA: Host Isolation

• Prevent Node-Node Layer-2 communication by using:
  • Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
  • WLAN in ‘AP Isolation Mode’
  • 1 VLAN per host (SP access network with Broadband Network Gateway)
• Link-local multicast (RA, DHCP request, etc.) sent only to the local official router: no harm
• Side effect: breaks Duplicate Address Detection (DAD)

First Hop Security: RAguard since 2010 (RFC 6105)

• Port ACL blocks all ICMPv6 RA from hosts

  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port

• RAguard lite (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port

  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port

• RAguard (12.2(50)SY, 15.0(2)SE): device-role HOST on the access ports, device-role ROUTER on the uplink

  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 nd raguard attach-policy HOST vlan 100
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER

ICMPv4 vs. ICMPv6

• Significant changes
• More relied upon

  ICMP Message Type                  ICMPv4  ICMPv6
  Connectivity Checks                X       X
  Informational/Error Messaging      X       X
  Fragmentation Needed Notification  X       X
  Address Assignment                         X
  Address Resolution                         X
  Router Discovery                           X
  Multicast Group Management                 X
  Mobile IPv6 Support                        X

• => ICMP policy on firewalls needs to change

Generic ICMPv4 Border Firewall Policy

Internet → Internal Server A

  Action  Src  Dst  ICMPv4 Type  ICMPv4 Code  Name
  Permit  Any  A    0            0            Echo Reply
  Permit  Any  A    8            0            Echo Request
  Permit  Any  A    3            0            Dst. Unreachable: Net Unreachable
  Permit  Any  A    3            4            Dst. Unreachable: Frag. Needed
  Permit  Any  A    11           0            Time Exceeded: TTL Exceeded

Equivalent ICMPv6 (RFC 4890): Border Firewall Transit Policy

Internet → Internal Server A

  Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
  Permit  Any  A    128          0            Echo Reply (needed for Teredo traffic)
  Permit  Any  A    129          0            Echo Request
  Permit  Any  A    1            0            Unreachable
  Permit  Any  A    2            0            Packet Too Big
  Permit  Any  A    3            0            Time Exceeded: HL Exceeded
  Permit  Any  A    4            0            Parameter Problem

Potential Additional ICMPv6 (RFC 4890): Border Firewall Transit Policy

Internet → Firewall B (in front of Internal Server A)

  Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
  Permit  Any  B    2            0            Packet Too Big
  Permit  Any  B    4            0            Parameter Problem
  Permit  Any  B    130–132      0            Multicast Listener
  Permit  Any  B    135/136      0            Neighbor Solicitation and Advertisement
  Deny    Any  Any

(Packet Too Big and Parameter Problem: for traffic locally generated by the device)

Remote NDP Floods...

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6 (May 2015)

• RFC 4890 is a little too open

• RFC 4861 (Neighbor Discovery)
  • Hop Limit MUST be 255
  • Source should be link-local, unspecified or global address belonging to the link and not "any"
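An added example, not part of the deck, that applies the two RFC 4890 tables above together with the RFC 4861 checks just listed, so a remote NS/NA that the table alone would permit towards the firewall is refused; server A, firewall B and the on-link prefix are constructed placeholders, and type numbers follow RFC 4443 (128 Echo Request, 129 Echo Reply).

```python
"""ICMPv6 border policy: the RFC 4890 transit tables plus the RFC 4861 receive
checks for Neighbor Discovery that those tables alone do not enforce.

Added example, not part of the deck. Server A, firewall B and the on-link
prefix are constructed placeholders; type numbers follow RFC 4443.
"""
from dataclasses import dataclass
import ipaddress

SERVER_A = ipaddress.IPv6Address("2001:db8:a::1")       # internal server A (constructed)
FIREWALL_B = ipaddress.IPv6Address("2001:db8:b::1")     # border firewall B (constructed)
ON_LINK = [ipaddress.IPv6Network("2001:db8:b::/64")]    # B's own link prefix (constructed)

# Transit towards A: echo request/reply, unreachable, packet too big, time
# exceeded, parameter problem. The slide tables list code 0 only, mirrored here.
TRANSIT_TO_A = {128, 129, 1, 2, 3, 4}
# Locally addressed to B: PTB, parameter problem, MLD 130-132, NS 135 / NA 136.
LOCAL_TO_B = {2, 4, 130, 131, 132, 135, 136}
NDP_TYPES = {133, 134, 135, 136, 137}                    # RS, RA, NS, NA, Redirect


@dataclass
class ICMPv6:
    src: str
    dst: str
    type: int
    code: int
    hop_limit: int


def ndp_sane(pkt, on_link=ON_LINK):
    """RFC 4861 receive checks for Neighbor Discovery messages.

    Hop Limit must be 255: every router decrements it, so a packet that was
    forwarded from another network can never pass. The source must be
    link-local, unspecified (DAD) or a global address that belongs to the
    link, never "any".
    """
    if pkt.type not in NDP_TYPES:
        return True
    if pkt.hop_limit != 255:
        return False
    src = ipaddress.IPv6Address(pkt.src)
    if src.is_link_local or src.is_unspecified:
        return True
    return any(src in net for net in on_link)


def decide(pkt):
    """Apply the NDP checks first, then the two tables; anything else is denied."""
    if not ndp_sane(pkt):
        return "deny (RFC 4861 violation)"
    dst = ipaddress.IPv6Address(pkt.dst)
    if dst == SERVER_A and pkt.type in TRANSIT_TO_A and pkt.code == 0:
        return "permit"
    if dst == FIREWALL_B and pkt.type in LOCAL_TO_B and pkt.code == 0:
        return "permit"
    return "deny"


if __name__ == "__main__":
    # constructed samples: a remote echo request, a remote NS aimed at the
    # firewall (the flood case) and a legitimate on-link NS
    for p in (ICMPv6("2001:db8:dead::1", "2001:db8:a::1", 128, 0, 60),
              ICMPv6("2001:db8:dead::1", "2001:db8:b::1", 135, 0, 255),
              ICMPv6("fe80::1", "2001:db8:b::1", 135, 0, 255)):
        print(p.type, p.src, "->", p.dst, decide(p))
```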

Preventing IPv6 Routing Attacks: Protocol Authentication

• BGP, ISIS, EIGRP no change: • An MD5 authentication of the routing update

• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead relies on transport mode IPsec (for authentication and confidentiality)
  • But see RFC 6506 / RFC 7166 (not widely implemented yet)

• IPv6 routing attack best practices • Use traditional authentication mechanisms on BGP and IS-IS • Use IPsec to secure protocols such as OSPFv3

For Your Reference: OSPF or EIGRP Authentication

  interface Ethernet0/0
   ipv6 ospf 1 area 0
   ipv6 ospf authentication spi 500 md5 1234567890ABCDEF1234567890ABCDEF

  interface Ethernet0/0
   ipv6 authentication mode eigrp 100 md5
   ipv6 authentication key-chain eigrp 100 MYCHAIN

  key chain MYCHAIN
   key 1
    key-string 1234567890ABCDEF1234567890ABCDEF
    accept-lifetime local 12:00:00 Dec 31 2011 12:00:00 Jan 1 2012
    send-lifetime local 00:00:00 Jan 1 2012 23:59:59 Dec 31 2013

No crypto maps, no ISAKMP: transport mode with static session keys

IPv6 Attacks with Strong IPv4 Similarities

• Sniffing
  • IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
  • The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
• Rogue devices
  • Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
  • Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
  • Flooding attacks are identical between IPv4 and IPv6

IPv6 Attacks with Strong IPv4 Similarities (continued)

Good news: IPv4 IPS signatures can be re-used.

Specific IPv6 Issues: IPv6 Privacy Extensions (RFC 4941) AKA Temporary Addresses

Figure: 2001… address layout with boundaries at /23, /32, /48 and /64; the last 64 bits are the Interface ID.

• Temporary addresses for IPv6 host client application, e.g. web browser
  • Inhibit device/user tracking
  • Random 64 bit interface ID, then run Duplicate Address Detection before using it
  • Rate of change based on local policy
• Enabled by default in Windows, Android, iOS 4.3, Mac OS/X 10.7

Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)

Disabling Privacy Extension

• Alternatively disable stateless auto-configuration and force DHCPv6
• Send Router Advertisements with
  • all prefixes with A-bit set to 0 (disable SLAAC)
  • M-bit set to 1 to force stateful DHCPv6

  interface fastEthernet 0/0
   ipv6 nd prefix default no-autoconfig
   ipv6 dhcp server . . . (or relay)
   ipv6 nd managed-config-flag

• Use DHCP to a specific pool + ingress ACL allowing only this pool

IPv6 Header Manipulation

• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  • More boundary conditions to exploit
  • Can I overrun buffers with a lot of extension headers?
• Mitigation: a firewall such as ASA which can filter on headers

Perfectly Valid IPv6 Packet According to the Sniffer

http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

IPv6 Header Manipulation (continued)

The same packet is “perfectly valid according to the sniffer”, yet each of the following rules is broken in turn:
• Header Should Only Appear Once
• Destination Header Which Should Occur at Most Twice
• Destination Options Header Should Be the Last

http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Parsing the Extension Header Chain

• Finding the layer 4 information is not trivial in IPv6
• Skip all known extension headers
  • Until either a known layer 4 header is found => MATCH
  • Or an unknown extension header / layer 4 header is found... => NO MATCH

IPv6 hdr | HopByHop | Routing | AH | TCP | data           => MATCH

IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???     => NO MATCH

Fragment Header: IPv6

• In IPv6 fragmentation is done only by the end system
  • Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• Reassembly done by the end system like in IPv4
• RFC 5722: overlapping fragments => MUST drop the packet. Most OSes implement it in 2012
• Attackers can still fragment in an intermediate system on purpose ==> a great obfuscation tool

IPv6 Basic Header (Next Header = 44) | Fragment Header | Fragment Data

Fragment Header fields: Next Header | Reserved | Fragment Offset | Identification

Parsing the Extension Header Chain: Fragmentation Matters! (BRKSEC-3200)

• Extension header chain can be so large that it must be fragmented!
• RFC 3128 is not applicable to IPv6
• Layer 4 information could be in the 2nd fragment

IPv6 hdr | HopByHop | Routing | Fragment1 | Destination

IPv6 hdr | HopByHop | Routing | Fragment2 | TCP | Data

Layer 4 header is in the 2nd fragment

Parsing the Extension Header Chain: Fragments and Stateless Filters

• Layer 4 information could be in the 2nd fragment
• But stateless firewalls cannot find it if a previous extension header is fragmented
• RFC 3128 is not applicable to IPv6, but
  • RFC 6980: ‘nodes MUST silently ignore NDP ... if packets include a fragmentation header’ ;-)
  • RFC 7112: ‘A host that receives a First Fragment that does not satisfy ... SHOULD discard the packet’ ;-)

IPv6 hdr | HopByHop | Routing | Fragment1 | Destination …

IPv6 hdr | HopByHop | Routing | Fragment2 | … Destination | TCP | Data

Layer 4 header is in the 2nd fragment; stateless filters have no clue where to find it!

IPv6 Fragmentation & IOS ACL Fragment Keyword

• This makes matching against the first fragment non-deterministic:
  • the layer 4 header might not be there but in a later fragment
  • => need for stateful inspection (RFC 7112: a router MAY drop those packets ;-))
• fragments keyword matches
  • Non-initial fragments (same as IPv4)
• undetermined-transport keyword does not match
  • If non-initial fragment
  • Or if TCP/UDP/SCTP and ports are in the fragment
  • Or if ICMP and type and code are in the fragment
  • Everything else matches (including OSPFv3, RSVP, GRE, ESP, EIGRP, PIM …)
  • Only for deny ACE
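As an added example (not code from the slides), the Python below walks the header chain the way a stateless filter must: it skips known extension headers, stops at a known layer-4 header (MATCH) or at an unknown header or a fragment that does not carry the layer-4 header (UNDETERMINED), flags the ordering violations of the header manipulation slides, and maps the outcome onto what the IOS fragments and undetermined-transport keywords would match. All packets are constructed inline (no real capture); the helper and function names are this example's own.

```python
import struct

# IANA protocol numbers as seen in the Next Header field
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6, SCTP = 6, 17, 58, 132
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
PORT_HEADERS = {TCP, UDP, SCTP}

def walk_chain(pkt):
    """Walk one IPv6 packet (or fragment) like a stateless filter: skip known
    extension headers until a known layer-4 header with its ports (or ICMPv6
    type/code) is reached => MATCH, otherwise => UNDETERMINED. Also records
    the ordering violations shown on the header manipulation slides."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"result": "UNDETERMINED", "reason": "", "chain": [], "warnings": []}
    nh, off, count = pkt[6], 40, {}
    while True:
        if nh in PORT_HEADERS or nh == ICMPV6:
            need = 2 if nh == ICMPV6 else 4          # type+code, or src+dst port
            if off + need > len(pkt):
                info["reason"] = "layer-4 header not in this fragment"
                return info
            info["result"], info["l4"] = "MATCH", nh
            info["l4_info"] = struct.unpack_from("!BB" if nh == ICMPV6 else "!HH", pkt, off)
            return info
        if nh not in EXT_HEADERS:                    # OSPFv3, ESP, GRE, experimental, ...
            info["reason"] = "unknown header %d stopped parsing" % nh
            return info
        if off + 8 > len(pkt):                       # every extension header is >= 8 bytes
            info["reason"] = "extension header %d truncated" % nh
            return info
        info["chain"].append(nh)
        count[nh] = count.get(nh, 0) + 1
        # Ordering rules: Hop-by-Hop only right after the IPv6 header; every
        # extension header at most once, Destination Options at most twice.
        if nh == HOP_BY_HOP and off != 40:
            info["warnings"].append("Hop-by-Hop not first")
        if count[nh] > (2 if nh == DEST_OPTS else 1):
            info["warnings"].append("header %d repeated" % nh)
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:   # fragment offset != 0
                info["reason"] = "non-initial fragment"
                return info
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4         # AH length: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8         # 64-bit units, first one not counted
        if off + hdr_len > len(pkt):
            info["reason"] = "extension header %d truncated" % nh
            return info
        nh, off = pkt[off], off + hdr_len

def ios_fragments_matches(info):     # IOS 'fragments' keyword: non-initial fragments only
    return info["reason"] == "non-initial fragment"

def ios_undetermined_transport_matches(info):
    """IOS 'undetermined-transport' (deny ACE only): first or unfragmented packets
    whose ports / ICMPv6 type and code cannot be located."""
    return info["result"] != "MATCH" and not ios_fragments_matches(info)

# Constructed sample packets (not a capture; checksums and lengths not validated)
def ipv6(nh, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                       bytes(16), bytes(16)) + payload
def opts(nh, nbytes=8):      # Hop-by-Hop or Destination Options, padding only
    return bytes([nh, nbytes // 8 - 1]) + bytes(nbytes - 2)
def routing(nh):             # 8-byte Routing header, zero segments left
    return bytes([nh, 0, 0, 0]) + bytes(4)
def ah(nh):                  # AH with payload length 1 => 12 bytes
    return bytes([nh, 1]) + bytes(10)
def fragment(nh, offset8, more, ident=0x1234):
    return struct.pack("!BBHI", nh, 0, (offset8 << 3) | int(more), ident)
TCP_SYN = struct.pack("!HHIIBBHHH", 12345, 443, 0, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)

# The slides' chains: known chain ending in TCP; the same chain ending in an
# unknown header (253 = experimental); a first fragment whose Destination Options
# header (and the TCP behind it) only continues in the 2nd fragment; bad order.
PKT_TCP = ipv6(HOP_BY_HOP, opts(ROUTING) + routing(AH) + ah(TCP) + TCP_SYN)
PKT_UNKNOWN = ipv6(HOP_BY_HOP, opts(ROUTING) + routing(AH) + ah(253) + bytes(8))
PKT_FRAG1 = ipv6(HOP_BY_HOP, opts(ROUTING) + routing(FRAGMENT)
                 + fragment(DEST_OPTS, 0, True) + opts(TCP, 16)[:8])
PKT_FRAG2 = ipv6(HOP_BY_HOP, opts(ROUTING) + routing(FRAGMENT)
                 + fragment(DEST_OPTS, 1, False) + bytes(8) + TCP_SYN)
PKT_BAD_ORDER = ipv6(DEST_OPTS, opts(HOP_BY_HOP) + opts(TCP) + TCP_SYN)
```

Run walk_chain over the five constructed packets to see the MATCH / UNDETERMINED outcomes and the ordering warnings the slides describe.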

Is there NAT for IPv6? - “I need it for security”

• Network Prefix Translation, RFC 6296
  • 1:1 stateless prefix translation allowing all inbound/outbound packets
  • Main use case: multi-homing
• Else, the IETF has not specified any N:1 stateful translation (aka overload NAT or NAPT) for IPv6
• Do not confuse stateful firewall and NAPT* even if they are often co-located
• Nowadays, NAPT (for IPv4) does not help security
  • Host OSes are way more resilient than in 2000
  • Hosts are mobile and cannot always be behind your ‘controlled NAPT’
  • Malware is not injected from ‘outside’ but is fetched from the ‘inside’ by visiting weird sites or installing any trojanized application

* NAPT = Network Address and Port Translation

PCI DSS 3.0 Compliance and IPv6

• Payment Card Industry Data Security Standard (latest revision November 2013):
  • Requirement 1.3.8: Do not disclose private IP addresses and routing information to unauthorized parties.
  • Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT) ... the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.
• How to comply with PCI DSS
  • Application proxies or SOCKS
  • Strict data plane filtering with ACL
  • Strict routing plane filtering with BGP route-maps
• Cisco IPv6 design for PCI with IPv6
  • http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DG/PCI_20_DG.pdf

IPv4 to IPv6 Transition Challenges

• 16+ methods, possibly in combination
• Dual stack
  • Consider security for both protocols
  • Cross v4/v6 abuse
  • Resiliency (shared resources)
• Tunnels
  • Bypass firewalls (protocol 41 or UDP)
  • Can cause asymmetric traffic (hence breaking stateful firewalls)

Dual Stack Host Considerations

• Host security on a dual-stack device
  • Applications can be subject to attack on both IPv6 and IPv4
  • Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both IP versions
  • Host intrusion prevention, personal firewalls, VPN clients, etc.

(Figure: IPv4 IPsec VPN with no split tunneling; an IPsec VPN client on a dual-stack host receives an IPv6 packet carrying an IPv6 exploit. Does the IPsec client stop an inbound IPv6 exploit?)

Dual Stack with Enabled IPv6 by Default

• Your host:
  • IPv4 is protected by your favorite personal firewall...
  • IPv6 is enabled by default (Windows 7 & 8.x, Linux, Mac OS/X, ...)
• Your network:
  • Does not run IPv6
• Your assumption:
  • I’m safe
• Reality:
  • You are not safe
  • Attacker sends Router Advertisements
  • Your host silently configures itself for IPv6
  • You are now under IPv6 attack
• => Probably time to think about IPv6 in your network

Vulnerability Scanning in a Dual-Stack World

• Finding all hosts:
  • Address enumeration does not work for IPv6
  • Need to rely on DNS or NDP caches or NetFlow
• Vulnerability scanning
  • IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
  • Some services are single stack only (currently mostly IPv4 but who knows...)
  • Personal firewall rules could be different between IPv4/IPv6
• Vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network
  • IPv6 link-local addresses are active by default

Can We Block Rogue Tunnels? (For Your Reference)

• Rogue tunnels by naïve users:
  • Sure, block IP protocol 41 and UDP/3544, UDP/3074
  • In Windows:

netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled

• Really rogue tunnels (covert channels)
  • No easy way...
  • Teredo will run over a different UDP port of course
  • Network devices can be your friend (more to come)
  • Deploying native IPv6 (including IPv6 firewalls and IPS) is probably a better alternative
• Or disable IPv6 on Windows through the registry
  • HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents
  • But Microsoft does not test any Windows application with IPv6 disabled

Can We Block / Detect Rogue Tunnels?

• Using AVC with NBAR2 with ISR G2 Routers
• Using NetFlow with IPv6 on Routers & Switches
• Using NGIPS
• Using NGFW

Forensics: Multiple Facets to IPv6 Addresses

• Every host can have multiple IPv6 addresses simultaneously
  • Need to do correlation!
  • Alas, no Security Information and Event Management (SIEM) supports IPv6
  • Usually, a customer is identified by its /48
• Every IPv6 address can be written in multiple ways
  • 2001:0DB8:0BAD::0DAD
  • 2001:DB8:BAD:0:0:0:0:DAD
  • 2001:db8:bad::dad (this is the canonical RFC 5952 format)
  • => Grep cannot be used anymore to sieve log files…
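As an added example (not from the slides), the Python below makes log sieving work again: every IPv6 literal found in a line is rewritten into its RFC 5952 canonical spelling (the standard library's ipaddress module does the normalisation), lines are then matched on that one spelling, and hits are grouped by /48 to correlate the several addresses one host or customer uses. The log lines are constructed for the example; the function names are this example's own.

```python
import ipaddress
import re

# Anything that looks like an IPv6 literal (hex digits and at least two colons),
# not glued to a preceding word. Over-matches on purpose: timestamps and MAC
# addresses also pass this regex and are rejected by ipaddress below.
IPV6_CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![0-9A-Za-z])")

def as_canonical(text):
    """RFC 5952 form of an IPv6 literal, or None if text is not an address."""
    try:
        return ipaddress.IPv6Address(text).compressed   # lowercase, '::' on the longest zero run
    except ValueError:
        return None

def addresses_in(line):
    """Every IPv6 address in one log line, each in its single canonical spelling."""
    found = (as_canonical(m.group(0)) for m in IPV6_CANDIDATE.finditer(line))
    return [a for a in found if a]

def canonical_line(line):
    """Rewrite the addresses inside a line so one grep pattern can find them all."""
    return IPV6_CANDIDATE.sub(lambda m: as_canonical(m.group(0)) or m.group(0), line)

def sieve(lines, address):
    """Lines mentioning `address`, whatever spelling the log used for it."""
    target = ipaddress.IPv6Address(address).compressed
    return [line for line in lines if target in addresses_in(line)]

def by_customer(lines, plen=48):
    """Group lines by the /48 of each address (the usual customer granularity):
    one host can use several addresses at once, so correlate on the prefix."""
    groups = {}
    for line in lines:
        for a in addresses_in(line):
            net = ipaddress.IPv6Network((a, plen), strict=False)
            groups.setdefault(str(net), []).append(line)
    return groups

# Constructed log lines (not real logs): the same host written three ways, a
# neighbour in the same /48, a host in another /48, plus timestamps and a MAC
# address that must not be mistaken for IPv6 literals.
SAMPLE_LOG = [
    "Jan 10 12:01:02 fw1 conn built from outside:2001:0DB8:0BAD::0DAD/51234 to dmz:2001:db8:1::80/443",
    "Jan 10 12:01:05 web1 sshd[214]: Accepted publickey for alice from 2001:DB8:BAD:0:0:0:0:DAD port 40122",
    "Jan 10 12:01:09 ns1 named[11]: client 2001:db8:bad::dad#53: query: example.org IN AAAA",
    "Jan 10 12:01:15 sw1 binding: 2001:db8:bad:1::1 on 00:26:bb:4e:94:34 vlan 10",
    "Jan 10 12:02:00 web1 sshd[215]: Failed password for root from 2001:db8:cafe::1 port 33001",
]
```

sieve(SAMPLE_LOG, "2001:0DB8:0BAD::0DAD") returns the first three lines although each spells the address differently, and by_customer(SAMPLE_LOG) puts four of the five lines under 2001:db8:bad::/48.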

How to Find the MAC Address of an IPv6 Address?

• Easy if EUI-64 format as the MAC is embedded
  • 2001:db8::0226:bbff:fe4e:9434
  • (need to toggle bit 0x20 in the first MAC byte = U/L)
  • is 00:26:bb:4e:94:34

How to Find the MAC Address of an IPv6 Address? (cont.)

• DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be
  • MAC address: trivial
  • Time + MAC address: simply take the last 6 bytes
  • Vendor number + any number: no luck… next slide can help
  • No guarantee of course that the DUID includes the real MAC address.

# show ipv6 dhcp binding
Client: FE80::225:9CFF:FEDC:7548
  DUID: 000100010000000A00259CDC7548
  Username : unassigned
  Interface : FastEthernet0/0
  IA PD: IA ID 0x0000007B, T1 302400, T2 483840
    Prefix: 2001:DB8:612::/48
            preferred lifetime 3600, valid lifetime 3600
            expires at Nov 26 2010 01:22 PM (369)

DHCPv6 in Real Life…

• Not so attractive
  • Only supported in Windows Vista, and Windows 7, Mac OS/X Lion
  • Not in Linux (default installation), …
• Windows Vista does not place the used MAC address in the DUID but any MAC address of the PC
• See also: https://knowledge.zomers.eu/misc/Pages/How-to-reset-the-IPv6-DUID-in-Windows.aspx

# show ipv6 dhcp binding
Client: FE80::FDFA:CB28:10A9:6DD0
  DUID: 0001000110DB0EA6001E33814DEE        (actual MAC address: 0022.5f43.6522)
  Username : unassigned
  IA NA: IA ID 0x1000225F, T1 300, T2 480
    Address: 2001:DB8::D09A:95CA:6918:967
            preferred lifetime 600, valid lifetime 600
            expires at Oct 27 2010 05:02 PM (554 seconds)
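As an added example covering the three MAC-recovery slides (not code from the deck), the Python below extracts the MAC from an EUI-64 interface ID and from a DHCPv6 DUID as printed by show ipv6 dhcp binding, and cross-checks the two. The universal/local bit it flips is 0x02 of the first octet as defined in RFC 4291 (that is what turns the slide's 02 into 00); the DUID layouts follow RFC 3315 (DUID-LLT type 1, DUID-EN type 2, DUID-LL type 3). The sample values are the ones on the slides; the function names are this example's own.

```python
import ipaddress

def mac_from_eui64(address):
    """MAC embedded in a SLAAC (modified EUI-64) interface ID: drop the ff:fe in
    the middle and flip the universal/local bit (0x02) of the first byte.
    Returns None when the interface ID carries no ff:fe marker (privacy,
    DHCPv6-assigned or manually configured address)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)

def mac_from_duid(duid_hex):
    """MAC carried in a DHCPv6 DUID as printed by 'show ipv6 dhcp binding':
    DUID-LLT (type 1) = type, hw type, time, link-layer address (last 6 bytes);
    DUID-LL  (type 3) = type, hw type, link-layer address;
    DUID-EN  (type 2) and DUID-UUID (type 4) carry no MAC => None.
    Only hardware type 1 (Ethernet) is handled."""
    duid = bytes.fromhex(duid_hex)
    if len(duid) < 4:
        return None
    dtype, hwtype = int.from_bytes(duid[:2], "big"), int.from_bytes(duid[2:4], "big")
    if dtype == 1 and hwtype == 1 and len(duid) == 14:
        mac = duid[8:14]
    elif dtype == 3 and hwtype == 1 and len(duid) == 10:
        mac = duid[4:10]
    else:
        return None
    return ":".join("%02x" % b for b in mac)

def normalize_mac(text):
    """Compare MACs across notations: 0022.5f43.6522, 00-22-5F-43-65-22, 00:22:5f:43:65:22."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def duid_consistent_with(duid_hex, link_local):
    """Cross-check: does the DUID's MAC match the MAC embedded in the client's
    EUI-64 link-local address? None when either side carries no MAC."""
    a, b = mac_from_duid(duid_hex), mac_from_eui64(link_local)
    return None if a is None or b is None else a == b

# Values from the slides: the SLAAC address and the two DHCPv6 clients (link-local, DUID)
SLAAC_ADDRESS = "2001:db8::0226:bbff:fe4e:9434"
CLIENT1 = ("FE80::225:9CFF:FEDC:7548", "000100010000000A00259CDC7548")
CLIENT2 = ("FE80::FDFA:CB28:10A9:6DD0", "0001000110DB0EA6001E33814DEE")  # real MAC 0022.5f43.6522
```

For CLIENT2 the DUID yields 00:1e:33:81:4d:ee, not the actual 0022.5f43.6522 of the slide, which is exactly the Windows Vista behaviour described above; its link-local address is not EUI-64, so the cross-check returns None.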

RADIUS Accounting with IEEE 802.1X (WPA)

• Interesting attribute: Acct-Session-Id to map username to IPv6 addresses
• Can be sent at the beginning and end of connections
• Can also be sent periodically to capture privacy addresses
• Not available through the GUI, must use the CLI to configure

[email protected] Acct-Session-Id=xyz Acct-Status-Type=Start
  Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe

[email protected] Acct-Session-Id=xyz Acct-Status-Type=Alive
  Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::cafe
  Framed-IPv6-Address=2001:db8::cafe Framed-IPv6-Address=2001:db8::babe

[email protected] Acct-Session-Id=xyz Acct-Status-Type=Stop
  Framed-IP-Address=192.0.2.1

How to Find the MAC Address of an IPv6 Address? (cont.)

• Last resort… look in the live NDP cache (CLI or SNMP)

# show ipv6 neighbors 2001:DB8::6DD0
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8::6DD0                              8 0022.5f43.6522  STALE Fa0/1

• If no longer in the cache, then you should have scanned and saved the cache…
• EEM can be your friend
• First-Hop Security phase II can generate a syslog event on each new binding
  • ipv6 neighbor binding logging

Enforcing a Security Policy: IOS IPv6 Extended ACL

• Can match on
  • Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type
  • TCP flags SYN, ACK, FIN, PUSH, URG, RST
  • Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF)
• IPv6 extension headers
  • routing matches any RH, routing-type matches a specific RH
  • mobility matches any MH, mobility-type matches a specific MH
  • dest-option matches any destination options
  • auth matches AH
  • hbh matches hop-by-hop (since 15.2(3)T)
• fragments keyword matches
  • Non-initial fragments (same as IPv4)
• undetermined-transport keyword does not match
  • TCP/UDP/SCTP and ports are in the fragment
  • ICMP and type and code are in the fragment
  • Everything else matches (including OSPFv3, …)
  • Only for deny ACE

Check your platform & release as your mileage can vary…

IPv6 ACL Implicit Rules (RFC 4890)

• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:

...
permit icmp any any nd-na
permit icmp any any nd-ns

• This is different on IOS XE (i.e. ASR1k): no default permit of ND / NA packets

IPv6 ACL Implicit Rules – Cont.: Adding a deny-log

• The beginner’s mistake is to add a deny log at the end of the IPv6 ACL

. . .
! Now log all denied packets
deny ipv6 any any log
! Heu . . . I forgot about these implicit lines
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

• Solution: explicitly add the implicit ACEs

. . .
! Now log all denied packets
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log

IPv6 ACL to Protect VTY

ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
 ipv6 access-class VTY in

MUST BE DONE before ‘ipv6 enable’ on any interface!

• The ‘management-interface’ command of ‘control-plane host’ is IPv4 only => use ACL
• In IOS-XR, the command is ‘access-class VTY ingress’; the IPv4 and IPv6 ACL must have the same name

IPv6 ACL to Protect SNMP & HTTP Access

ipv6 access-list NOC_ACL
 permit ipv6 2001:db8:0:1::/64 any
snmp-server group NOC v3 priv access ipv6 NOC_ACL
snmp-server user ERIC NOC v3 auth sha-1 vyncke access ipv6 NOC_ACL

• Beware there is no equivalent for HTTP => use ACL
• The ‘management-interface’ command of ‘control-plane host’ is IPv4 only => use ACL
• In IOS-XR, the command is ‘access-class VTY ingress’; the IPv4 and IPv6 ACL must have the same name

Non-Congruent Security Policies

• Test done in 2016 on 25K routers
• SSH is more open in IPv6 (9%) than IPv4 (4%)
• Telnet is more open in IPv6 (6%) than in IPv4 (3%)

https://www.ietf.org/proceedings/95/slides/slides-95-maprg-0.pdf (Mark Allman)

Control Plane Policing for IPv6: Protecting the Router CPU (For Your Reference)

• Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration...
• Software routers (ISR, 7200): works with CoPPr (CEF exceptions)

policy-map COPPr
 class ICMP6_CLASS
  police 8000
 class OSPF_CLASS
  police 200000
 class class-default
  police 8000
!
control-plane cef-exception
 service-policy input COPPr

ASA Firewall IPv6 Support

• Since version 7.0 (April 2005)

• IPv6 header security checks (length & order)

• Management access via IPv6: Telnet, SSH, HTTPS, ASDM

• Routed & transparent mode, fail-over

• v6 App inspection includes: DNS,FTP, HTTP, ICMP, SIP, SMTP, and IPSec pass-through

• IPv6 support for site-to-site VPN tunnels was added in 8.3 (IKEv1 in ASA 8.3.1, and IKEv2 in ASA 8.4.1)

• Selective permit/deny of extension headers (added in ASA 8.4.2)

• OSPFv3, DHCPv6 relay, stateful NAT64/46/66, mixed mode objects (ASA 9.0)

• Still missing: First Hop Security, Protocol Version Independent MIBs, traceroute6

ASA 8.4.2+: IPv6 Extension Header Filtering

ASA 9.0: Single Rule Table & Mixed Mode Objects

Cisco Threat Defense: StealthWatch

• NetFlow supports IPv6 fields & counters
• Detection & analysis of IPv6 traffic to find
  • unknown IPv6 routers
  • unknown IPv6 hosts
  • tunneled traffic
  • malware on dual-stack hosts

Cisco Threat Defence: all IPv6 NetFlow

FIREpower NG IPS and IPv6

• FIREsight passive network discovery correlates events & host IP
• Very easy to find out the sender / destination in dual-stacked environments!

Web Security Appliance and IPv6 (BRKSEC-3771)

• Client can be IPv4, IPv6 or dual-stacked
• Explicit and transparent mode (WCCP) are supported
• Easy access for clients in IPv4 networks to IPv6 websites

(Figure: IPv4 clients behind an ASA 5500 firewall reach an IPv6 web server on the Internet through the Web Security Appliance)

Summary of Cisco IPv6 Security Products

• ASA Firewall (since version 7.0, released 2005)
  • Extension header filtering and inspection (ASA 8.4.2)
  • Dual-stack ACL & object grouping (ASA 9.0)
• Email Security Appliance (ESA): IPv6 support since 7.6.1 (May 2012)
• Web Security Appliance (WSA) with explicit and transparent proxy
• FIREpower NGIPS provides a decoder for IPv4 & IPv6 packets
• Cisco Threat Defense / StealthWatch: mostly forever, including SMC

• FTD: no IPv6 inspection support on the GUI
• FDM: no IPv6 support
• Cisco Cloud Web Security (ScanSafe): no IPv6
• Cisco Umbrella: answers AAAA but cannot manage policy for your IPv6 network
• ISE does not support IPv6 (no IPv6 ACL, no IPv6 transport)
• Meraki: growing IPv6 support

Secure IPv6 over IPv4/6 Public Internet

• No traffic sniffing
• No traffic injection
• No service theft

Public Network | Site 2 Site                                                                        | Remote Access
IPv4           | 6in4/GRE tunnels protected by IPsec; DMVPN 12.4(20)T; FlexVPN; IPsec VTI 12.4(6)T | ISATAP protected by RA IPsec; SSL VPN Client AnyConnect
IPv6           | DMVPN 15.2(1)T; FlexVPN                                                            | SSL VPN Client AnyConnect 3.1 & ASA 9.0

Secure Site to Site IPv4/IPv6 Traffic over IPv4/IPv6 with DMVPN & FlexVPN

• IPv6 packets over DMVPN IPv4/IPv6 tunnels
  • In IOS release 12.4(20)T (2008)
  • In IOS-XE release 3.5 (2011)
  • IPv6 and/or IPv4 data packets over the same GRE tunnel
• Complete set of NHRP commands
  • network-id, holdtime, authentication, map, etc.
• NHRP registers two addresses
  • Link-local for the routing protocol (automatic or manual)
  • Global for packet forwarding
• FlexVPN (= DMVPN phase 4) integrates site-to-site and remote access in a single unified CLI and supports dual-stack or IPv6-only

DMVPN for IPv6 Configuration (For Your Reference)

Hub:
interface Tunnel0
 ipv6 address 2001:db8:100::1/64
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:0::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
interface Tunnel0
 ipv6 address 2001:db8:100::11/64
 ipv6 eigrp 1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:db8:100::1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

All combinations of IPv4 and IPv6 are allowed

FlexVPN Site-to-site: e.g. IPv6 over IPv4 (For Your Reference, BRKSEC-3054)

• IPv4/IPv6 FlexVPN over IPv4 or IPv6 are allowed (IPv6 over IPv4 shown)

(Figure: 2001:db8:beef::/64 behind one router and 2001:db8:cafe::/64 behind the other, tunnel endpoints 172.16.1.1 and 172.16.2.1)

Router at 172.16.1.1:
interface Tunnel0
 ipv6 address fe80::1 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
interface FastEthernet0/1
 ipv6 address 2001:db8:cafe::1/64
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0

Router at 172.16.2.1:
interface Tunnel0
 ipv6 address fe80::2 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
interface FastEthernet0/1
 ipv6 address 2001:db8:beef::1/64
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0

Secure RA IPv* over IPv* Public Network: AnyConnect SSL VPN Client 3.1 & ASA 9.0 (BRKSEC-3033)

(Figure: AnyConnect client, IPv4/6 Internet transport network, ASA, IPv6/IPv4 intranet)

• AnyConnect supports native IPv4/6 connectivity
• Connecting via IPv4/6 Internet to ASA IPv4/6 transport
• SSL tunneling IPv6 in IPv6, IPv4 in IPv4, IPv6 in IPv4, IPv4 in IPv6
• IPv6 in IPv6 for IKEv2 coming in ASA 9.2
• No support for DHCPv6 yet
• AnyConnect Mobile does not support IPv6 transport

Summary: Key Take Away

• So, nothing really new in IPv6
  • Reconnaissance: address enumeration replaced by DNS enumeration
  • Spoofing & bogons: uRPF is our IP-agnostic friend
  • NDP spoofing: RA guard and FHS features
  • ICMPv6 firewalls need to change policy to allow NDP
  • Extension headers: firewall & ACL can process them
  • NGIPS / NGFW can detect & filter applications over IPv6
• Lack of operational experience may hinder security for a while: training is required
• Security enforcement is possible
  • Control your IPv6 traffic as you do for IPv4
  • Leverage IPsec to secure IPv6 when suitable
• Experiment with IPv6 here at Cisco Live! Or at home ;-)

Is IPv6 in My Network? (For Your Reference)

• Easy to check!
• Look inside NetFlow records
  • Protocol 41: IPv6 over IPv4 or 6to4 tunnels
  • IPv4 address: 192.88.99.1 (6to4 anycast server)
  • UDP 3544, the public part of Teredo, yet another tunnel
  • ICMPv6 packets, especially RA
  • Check your IPS system for discovery of ICMPv6 traffic
• Look into the DNS server log for resolution of ISATAP & Microsoft Teredo servers
• Beware of the IPv6 latent threat:

Your IPv4-only network may be vulnerable to IPv6 attacks NOW!
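As an added example (not from the deck), the Python below runs the checks of this slide over constructed NetFlow-style records and BIND-style DNS query log lines: it flags protocol 41, the 6to4 anycast relay 192.88.99.1, UDP/3544 and ICMPv6 Router Advertisements, plus lookups of ISATAP and Teredo server names, and reports which internal hosts raised each indicator. The flow field names are an assumption about the exporter's decoded output, and teredo.ipv6.microsoft.com is used as the Microsoft Teredo server name the slide alludes to without naming it.

```python
import re

# Indicators from the slide: protocol 41 (IPv6-in-IPv4, 6to4 included), the 6to4
# anycast relay 192.88.99.1, UDP/3544 (Teredo's public port) and ICMPv6,
# especially Router Advertisements (type 134).
SIXTO4_ANYCAST = "192.88.99.1"
TEREDO_PORT = 3544
PROTO_IPV6_IN_IPV4, PROTO_UDP, PROTO_ICMPV6 = 41, 17, 58
ICMPV6_ROUTER_ADVERTISEMENT = 134

def classify_flow(flow):
    """Indicators raised by one decoded flow record. `flow` is a dict with the
    fields assumed to come from an IPv6-capable NetFlow v9/IPFIX exporter
    (version, proto, src, dst, sport, dport; icmp_type for ICMPv6)."""
    hits = []
    if flow["version"] == 4:
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            hits.append("proto41 tunnel (6in4/6to4/ISATAP)")
        if SIXTO4_ANYCAST in (flow["src"], flow["dst"]):
            hits.append("6to4 anycast relay")
        if flow["proto"] == PROTO_UDP and TEREDO_PORT in (flow["sport"], flow["dport"]):
            hits.append("Teredo udp/3544")
    elif flow["version"] == 6 and flow["proto"] == PROTO_ICMPV6:
        hits.append("ICMPv6")
        if flow.get("icmp_type") == ICMPV6_ROUTER_ADVERTISEMENT:
            hits.append("Router Advertisement")
    return hits

# DNS query log lines (BIND-style, constructed): "client <ip>#<port>: query: <name> IN <type>"
DNS_QUERY = re.compile(r"client (\S+?)(?:#\d+)?: query: (\S+) IN (\S+)")
TUNNEL_NAMES = re.compile(r"(^|\.)isatap\.|teredo", re.IGNORECASE)

def dns_tunnel_lookups(lines):
    """(client, name) pairs for lookups of ISATAP or Teredo server names."""
    out = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and TUNNEL_NAMES.search(m.group(2)):
            out.append((m.group(1), m.group(2).rstrip(".")))
    return out

def latent_ipv6_report(flows, dns_lines):
    """Map each indicator to the sorted list of internal hosts that raised it."""
    report = {}
    for f in flows:
        for hit in classify_flow(f):
            report.setdefault(hit, set()).add(f["src"])
    for client, name in dns_tunnel_lookups(dns_lines):
        report.setdefault("DNS lookup of " + name, set()).add(client)
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample data for a campus that believes it is IPv4-only
SAMPLE_FLOWS = [
    {"version": 4, "proto": 41, "src": "192.0.2.3", "dst": "192.88.99.1", "sport": 0, "dport": 0},
    {"version": 4, "proto": 17, "src": "10.1.2.4", "dst": "203.0.113.9", "sport": 53112, "dport": 3544},
    {"version": 4, "proto": 6, "src": "10.1.2.5", "dst": "203.0.113.10", "sport": 50001, "dport": 443},
    {"version": 6, "proto": 58, "src": "fe80::1", "dst": "ff02::1", "sport": 0, "dport": 0, "icmp_type": 134},
]
SAMPLE_DNS = [
    "client 10.1.2.6#49152: query: isatap.example.net IN A",
    "client 10.1.2.4#49153: query: teredo.ipv6.microsoft.com IN A",
    "client 10.1.2.7#49154: query: www.example.net IN AAAA",
]
```

latent_ipv6_report(SAMPLE_FLOWS, SAMPLE_DNS) shows 10.1.2.4 both sending UDP/3544 and resolving the Teredo server name, and fe80::1 sending Router Advertisements on a network that does not run IPv6.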

Recommended Reading


Key Take Away

• Gain operational experience now
• IPv6, the time is now.
• Control IPv6 traffic as you would IPv4
• “Poke” your providers
• Lead your OT/LOB’s into the Internet

Call to Action: Learning more about IPv6

• LTRSEC-3004 Advanced IOS IPSec VPN with FlexVPN hands-on Lab, Tue 09:00:00
• BRKIP6-2616 Addressing Networking challenges with latest Innovations in IPv6, Tue 11:15:00
• BRKRST-2337 OSPF Deployment in Modern Networks, Tue 11:15:00
• BRKEWN-2010 Design and Deployment of Enterprise WLANs, Tue 14:15:00
• BRKSEC-2501 Deploying AnyConnect SSL VPN with ASA5500, Tue 14:15:00
• LTRRST-2005 Introductory - LISP Cloud extension, VPN and DC Mobility, Tue 14:15:00
• BRKRST-2116 Intermediate - IPv6 from Intro to Intermediate, Tue 14:15:00
• BRKRST-2022 IPv6 Routing Protocols Update, Tue 16:45:00
• BRKSPG-2061 IPv6 Deployment Best Practices for the Cable Access Network, Wed 09:00:00
• BRKRST-3045 LISP - A Next Generation Networking Architecture, Wed 09:00:00
• LABSPG-7122 Advanced IPv6 Routing and services lab, Wed 09:00:00
• BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation, Wed 11:30:00
• BRKIPM-2239 Multicast and Segment Routing, Wed 14:30:00
• BRKIP6-2002 IPv6 for the World of IoT, Wed 16:30:00
• LABIPM-2007 Intermediate - IPv6 Hands on Lab, Thu 09:00:00
• BRKSEC-3003 Advanced IPv6 Security in the LAN, Thu 11:30:00
• BRKRST-2336 EIGRP Deployment in Modern Networks, Thu 11:30:00
• LABSPG-7122 Advanced IPv6 Routing and services lab, Thu 14:00:00
• BRKRST-2045 BGP operational security best practices, Thu 14:30:00
• BRKCOL-2020 IPv6 in Enterprise Unified Communications Networks, Thu 14:30:00
• LABIPM-2007 Intermediate - IPv6 Hands on Lab, Fri 09:00:00
• BRKRST-2301 Intermediate - Enterprise IPv6 Deployment, Fri 09:00:00
• BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers, Fri 11:30:00

Questions? Lunch and Learn!

During lunch on Tuesday, Wednesday and Thursday, you can join Cisco subject matter experts and your peers in casual conversations about topics of interest to you.

More questions? Join me at my Lunch & Learn Table LALIP6-2002 IPv6 in the Enterprise in the Catering Area (Hall 6.2): 21 Feb @ 1245-1415, 22 Feb @ 1300-1430. List of topics: http://www.ciscolive.com/emea/activities/lunch-learn/

Continue Your Education

• Experiment with IPv6-only WiFi:
  • SSID: CL-NAT64
  • WPA passphrase: cl-
  • SLAAC + stateless DHCP
  • NAT64 included to access legacy
• Ask all World of Solutions exhibitors for their IPv6 support
• DevNet Zone: IPv6 Content Networking
  • + ask for other demos

Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Thank You