IPv6 Network

#CLUS Designing and Deploying a Secure IPv6 Network
Timothy Martin - @bckcntryskr, Eric Vyncke - @evyncke, Christopher Werny - @bcp38_
TECRST-2001

Agenda
• IPv6 Design Considerations
• IPv6 Routing Protocols
• IPv6 Translation Technologies
• IPv6 Only, A case study
• Securing the IPv6 Perimeter
• Conclusion

#CLUS TECRST-2001 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019. cs.co/ciscolivebot#TECRST-2001

IPv6 Design Considerations
Tim Martin, Solutions Specialist, @bckcntryskr

Hardening IPv6 Management Plane
• SSH, SNMPv3, Syslog, NTP, NetFlow v9
• Disable HTTP/HTTPS access if not needed
• RADIUS over IPv6
• IPv6 access-class for SSH VTY access
• Important: Harden the router before enabling routing

    ipv6 access-list V6ACCESS
     permit ipv6 2001:db8:10:10::1/128 any
     deny ipv6 any any log-input
    !
    line vty 0 4
     ipv6 access-class V6ACCESS in
     transport input ssh

Routing Protocol Considerations
• Enable IPv6 routing
  • ipv6 unicast-routing (IOS)
  • no switchport (IOS-XE)
• IPv6 Next Hop
  • Link local addresses
  • Global address on interface not required
• Topology & alignment with existing RPs
• Router ID
  • Unique 32-bit number identifier
(Figure: Management, Routing, Switching, Services)

Routing Design Considerations
• Do you need to accept the full table?
  • Memory, processing, capital..
• Single router, single circuit
  • Take a default route
• Dual router, private circuit
  • Use stub command from IGP
• Dual router, Internet circuit
  • Take default from provider, fail-over
• Bidirectional forwarding detection

    ipv6 route ::/0 gigabitethernet0/1
    !
    ipv6 router eigrp 123
     eigrp stub
    !
    ipv6 router ospf 1
     router-id 3.3.3.3
     area 2 stub
    !
    interface Fastethernet0/1
     ipv6 address 2001:db8:46:67::a/127
     bfd interval 222 min_rx 222 multiplier 3
    !
    router bgp 65110
     neighbor 2001:db8:46:67::b fall-over bfd

Point-to-Point Routed Links
• Use a prefix length of /127
• Reserve the /64, configure the /127
• Nodes 1 & 2 are NOT in the same subnet
• Suppress RAs for global assigned addressing
• Disable ICMPv6 redirects
• Don't send ICMPv6 unreachable
• RFC 7404, Link local only
(Figure: 2001:db8:46:67::/127, ::a <-> ::b)

    interface FastEthernet0/1
     ipv6 address 2001:db8:46:67::a/127
     ipv6 nd ra suppress
     no ipv6 redirects
     no ipv6 unreachables

Static Routing
• Link Local Next Hop
• Redistribution needs GUA or ULA
• Direct (interface)
• Recursive (next hop)
• Fully qualified (interface) (next hop)
• Default route ::/0

    ipv6 unicast-routing
    !direct
    ipv6 route 2001:db8:1::/48 ethernet1/0
    !recursive
    ipv6 route 2001:db8:5::/48 2001:db8:4::1
    !fully qualified
    ipv6 route 2001:46::/32 ethernet0/0 fe80::9
    !default
    ipv6 route ::/0 ethernet0/2 fe80::2

IPv6 Routing Protocols

OSPFv3
• OSPFv3 - IP 89
• fe80::/64 Source, ff02::5, ff02::6 (DRs)
• Link-LSA (8) - Local Scope, NH
• Intra-Area-LSA (9) - Routers' Prefixes
• LSAs disconnect topology from prefixes
• Can converge quickly to a point of scale
• Initial database build takes time
Use case: LSPs*, full mesh

    ipv6 unicast-routing
    !
    interface loopback0
     ipv6 address 2001:db8:1000::1/128
     ipv6 ospf 46 area 0
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:50:31::1/64
     ipv6 ospf 46 area 0
    !
    ipv6 router ospf 46
     router-id 4.6.4.6
     passive-interface loopback0

OSPFv3 AF Support
• Multiple AFs (RFC 5838)
  • Legacy IPv4 prefixes
  • IPv6 prefixes
• Transport over IPv6
• Common elements
  • Neighbor table
  • Link State Data Base (LSDB)
• Show command structure
  • ip ospf (IPv4 over OSPFv2)
  • ipv6 ospf (IPv6 over OSPFv3)
  • sh ip route ospfv3

    router ospfv3 46
     router-id 4.6.4.6
     !
     address-family ipv6 unicast
      passive-interface Loopback 0
     exit-address-family
     !
     address-family ipv4 unicast
      passive-interface Loopback 0
     exit-address-family
    !
    interface GigabitEthernet 0/2
     ip address 192.168.4.1 255.255.255.0
     ipv6 enable
     ospfv3 46 ipv4 area 0
     ospfv3 46 ipv6 area 0

OSPFv3 Authentication
• AH for authentication (RFC 4552)
  • Manual key process
  • ESP could be used for confidentiality
  • Need a security license for IPsec
• RFC 7166 Authentication Trailers
  • Anti-replay
  • HMAC-SHA-1, 256, 384, 512

    interface Ethernet0/0
     ipv6 ospf 46 area 0
     ipv6 ospf authentication ipsec spi 500 sha1 1234567890ABCDEF1234567890ABCDEF
    !
    key chain AUTH
     key 1
      key-string RFC
      cryptographic-algorithm hmac-sha-512
    !
    router ospfv3 46
     address-family ipv6 unicast
      authentication mode strict
      area 0 authentication key-chain AUTH

Classic EIGRP or EIGRPv6
• EIGRP - IP 88
• fe80::/64 Source, ff02::a Destination
• No shutdown for older versions
• Apply the route process to interfaces
• Auto Summary disabled
• Transport & peering over IPv6

    ipv6 unicast-routing
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:1000::1/128
     ipv6 eigrp 46
    !
    interface ethernet 0/1
     ipv6 address 2001:db8:50:31::1/64
     ipv6 eigrp 46
    !
    ipv6 router eigrp 46
     no shutdown
     eigrp router-id 4.6.4.6

EIGRP Named Mode
• Name creates a virtual instance
  • Does not need to be common in domain
• Address family configures protocol instance
  • AS number must be common within domain
• Auto applied to all IPv6 enabled interfaces
  • No need to configure under the interfaces
Use case: Large-scale hub and spoke environments

    router eigrp IPv6rocks
     !
     address-family ipv6 unicast autonomous-system 46
      !
      af-interface Loopback0
       passive-interface
      exit-af-interface
      !
      af-interface Ethernet0/0
      exit-af-interface
      !
      eigrp router-id 4.6.4.6
     exit-address-family

EIGRP Authentication
• EIGRP supports HMAC-SHA-256
• To generate or validate messages, the hash is constructed using:
  • Configured shared secret
  • Link Local address of sender
  • EIGRP packet prior to adding the IP header

    !
    router eigrp IPv6rocks
     address-family ipv6 autonomous-system 46
      af-interface ethernet 0/0
       authentication mode hmac-sha-256 0 Cisco123
    !

IS-IS
• Single topology mode
  • Single LSDB, single cost
  • Links must be congruent (dual stacked)
• Multi topology mode
  • LSDB & cost per protocol
  • Flexible, transition mode available
• Authentication uses MD5 (TLV)
(Figure: Physical Topology, IPv4 SPT, IPv6 SPT over nodes A, B, C, D, E)
Use case: SPs, Underlays

    ipv6 unicast-routing
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 router isis CISCO
     isis circuit-type level-1
     isis ipv6 metric 10000
     isis authentication mode md5
    !
    router isis CISCO
     net 49.0001.2222.2222.2222.00
     metric-style wide
     !
     address-family ipv6
      multi-topology

RIPng
• RIPng - UDP 521, 15 hops
• fe80::/64 Source, ff02::9 Destination
• Distance Vector, Hop Count (1-15)
• Split Horizon, Poison Reverse
• Lightweight IPv6 only protocol
• Uses AH for authentication
Use case: Star topology, single path edge devices

    ipv6 unicast-routing
    !
    interface loopback 0
     ipv6 address 2001:db8:1000::1/128
     ipv6 rip CISCO enable
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 rip CISCO enable
    !
    ipv6 router rip CISCO

IPv6 BGP & Multihome

Network Prefix Translation IPv6
• RFC 6296 - NPTv6
• Translators attached to internal network
• Unique Local Addressing (ULA) inside
• Provider allocated addressing outside
• Swaps left most bits of address
• Equal length prefixes
• Small-to-Medium Enterprise
(Figure: Internet; 2001:db8:46::/48 outside; fd07:18:4c::/48 inside)

    interface GigabitEthernet0/0/0
     nat66 inside
    !
    interface GigabitEthernet0/0/1
     nat66 outside
    !
    nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48

Multihomed, Multiprefix (BGP)
• Solve for Ingress & Egress separately
• Peer over IPv6 for IPv6 prefixes
• Controlling hop limit, accepting ~254 only
• MD5, AH possible, next-hop-self (fe80::)
• Prefix size filtering, /32 - /48
(Figure: Internet, ISP A, ISP B)

    router bgp 200
     bgp router-id 4.6.4.6
     no bgp default ipv4-unicast
     neighbor 2001:db8:460:102::2 remote-as 2014
     neighbor 2001:db8:460:102::2 ttl-security hops 1
     neighbor 2001:db8:460:102::2 password cisco4646

Solving Ingress
• Equal load distribution
  • Advertise more specific /45 & /44
• Non equal load distribution
  • Use AS path prepend, if accepted
(Figure: Internet; ISP A AS 64499 2001:db8:a1::/32; ISP B AS 64497 2001:db8:b1::/32; Enterprise Domain 2001:db8:460::/44)

    ipv6 prefix-list ISPAout seq 5 2001:db8:460::/44
    ipv6 prefix-list ISPAout seq 10 2001:db8:460::/45
    !
    ipv6 prefix-list ISPBout seq 5 2001:db8:460::/44
    ipv6 prefix-list ISPBout seq 10 2001:db8:468::/45
    !
    neighbor 2001:db8::b1 route-map ISPBout out
    !
    route-map ISPBout permit 10
     set as-path prepend 64498 64498 64498 64498
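As an added example (not from the slides or Cisco's implementation): the RFC 6296 mapping that the nat66 prefix command on the NPTv6 slide configures, worked for the slide's fd07:18:4c::/48 inside and 2001:db8:46::/48 outside prefixes. The host addresses are constructed; the code follows the RFC's checksum-neutral algorithm for prefixes of length 64 or shorter, which is why the translated address carries an adjustment in the first interface-identifier word instead of being a plain prefix swap.

```python
import ipaddress

# Added example, not from the slides: NPTv6 (RFC 6296) for prefixes of length <= 64,
# using the nat66 inside/outside prefixes shown on the slide. Host addresses are constructed.
INSIDE = ipaddress.IPv6Network("fd07:18:4c::/48")
OUTSIDE = ipaddress.IPv6Network("2001:db8:46::/48")

def words(addr):
    """Split a 128-bit address into its eight 16-bit words."""
    b = addr.packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_sum(vals):
    """One's-complement sum of 16-bit words, carries folded back in (result <= 0xFFFF)."""
    s = 0
    for v in vals:
        s += v
        s = (s & 0xFFFF) + (s >> 16)
    return s

def adjustment(inside, outside):
    """RFC 6296 'adjustment': sum of the internal /64 words minus sum of the external ones."""
    pin = words(inside.network_address)[:4]
    pout = words(outside.network_address)[:4]
    return ones_sum(pin + [(~w) & 0xFFFF for w in pout])  # subtracting = adding the complement

def translate(addr, src, dst, adj):
    """Swap the prefix src -> dst, then add adj to the first IID word that is not 0xFFFF,
    so the one's-complement sum of the address, and every transport checksum that
    covers it in a pseudo-header, is unchanged."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    host = int(addr) & int(src.hostmask)
    w = words(ipaddress.IPv6Address(int(dst.network_address) | host))
    for i in range(4, 8):
        if w[i] != 0xFFFF:
            r = ones_sum([w[i], adj])
            w[i] = 0x0000 if r == 0xFFFF else r  # RFC 6296: never write 0xFFFF back
            return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))
    raise ValueError("no IID word available for the adjustment")

def outbound(addr):  # inside -> outside: add the adjustment
    return translate(addr, INSIDE, OUTSIDE, adjustment(INSIDE, OUTSIDE))

def inbound(addr):  # outside -> inside: subtract it, i.e. add its complement
    return translate(addr, OUTSIDE, INSIDE, (~adjustment(INSIDE, OUTSIDE)) & 0xFFFF)

def checksum_neutral(a, b):
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    return ones_sum(words(ipaddress.IPv6Address(a))) == ones_sum(words(ipaddress.IPv6Address(b)))
```

The round trip shows the property the slide relies on: TCP and UDP checksums inside the packet do not need rewriting, and an inside host whose IID already starts with 0xFFFF still maps back correctly because the translator skips that word in both directions.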
