IPv6 Network


Designing and Deploying a Secure IPv6 Network
Timothy Martin - @bckcntryskr
Robert Barton - @MrRobbarto
Eric Vyncke - @evyncke
TECIP6-2001

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
TECRST-2001 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• IPv6 Design Considerations
• IPv6 Routing Protocols
• IPv6 Translation Technologies
• IPv6 in IoT, a case study
• Securing the IPv6 Perimeter
• Conclusion

IPv6 Design Considerations
Tim Martin, Solutions Specialist, @bckcntryskr

Hardening the IPv6 Management Plane
• SSH, SNMPv3, Syslog, NTP, NetFlow v9
• Disable HTTP/HTTPS access if not needed
• RADIUS over IPv6
• IPv6 access-class for SSH VTY access
• Important: harden the router before enabling routing

    ipv6 access-list V6ACCESS
     permit ipv6 2001:db8:10:10::1/128 any
     deny ipv6 any any log-input
    !
    line vty 0 4
     ipv6 access-class V6ACCESS in
     transport input ssh

Routing Protocol Considerations
• Enable IPv6 routing: ipv6 unicast-routing (IOS); no switchport on routed ports (IOS-XE)
• IPv6 next hop: link-local addresses; a global address on the interface is not required
• Topology and alignment with the existing routing protocols (management, routing, switching services)
• Router ID: a unique 32-bit identifier

Routing Design Considerations
• Do you need to accept the full table? Memory, processing, capital...
• Single router, single circuit: take a default route
• Dual router, private circuit: use the IGP's stub command
• Dual router, Internet circuit: take the default from the provider
• Bidirectional Forwarding Detection (BFD) for fast failure detection

    ipv6 route ::/0 gigabitethernet0/1
    !
    ipv6 router eigrp 123
     eigrp stub
    !
    ipv6 router ospf 1
     router-id 3.3.3.3
     area 2 stub
    !
    interface Fastethernet0/1
     ipv6 address 2001:db8:46:67::a/127
     bfd interval 222 min_rx 222 multiplier 3
    !
    router bgp 65110
     neighbor 2001:db8:46:67::b fall-over bfd

Point-to-Point Routed Links
• Use a prefix length of /127 (RFC 6164)
• Reserve the /64, configure the /127
• Nodes 1 & 2 are NOT in the same subnet
• Suppress RAs for globally assigned addressing
• Disable ICMPv6 redirects
• Don't send ICMPv6 unreachables
• RFC 7404: link-local-only addressing on infrastructure links is an alternative

    interface FastEthernet0/1
     ipv6 address 2001:db8:46:67::a/127
     ipv6 nd ra suppress
     no ipv6 redirects
     no ipv6 unreachables

[Diagram: 2001:db8:46:67::/127 link, ::a on one end and ::b on the other]

Static Routing
• Link-local next hop: must be fully qualified with the outgoing interface
• Redistribution needs a GUA or ULA next hop
• Direct (interface), recursive (next hop), fully qualified (interface + next hop)
• Default route ::/0

    ipv6 unicast-routing
    ! direct
    ipv6 route 2001:db8:1::/48 ethernet1/0
    ! recursive
    ipv6 route 2001:db8:5::/48 2001:db8:4::1
    ! fully qualified
    ipv6 route 2001:46::/32 ethernet0/0 fe80::9
    ! default
    ipv6 route ::/0 ethernet0/2 fe80::2

IPv6 Routing Protocols

OSPFv3
• OSPFv3 – IP protocol 89
• fe80::/64 source → ff02::5, ff02::6 (DRs)
• Link-LSA (type 8) – link-local scope, carries the next hop
• Intra-Area-Prefix-LSA (type 9) – routers' prefixes
• LSAs disconnect the topology from the prefixes
• Can converge quickly, up to a point of scale
• Initial database build takes time
• Typical use: LSPs*, full mesh

    ipv6 unicast-routing
    !
    interface loopback0
     ipv6 address 2001:db8:1000::1/128
     ipv6 ospf 46 area 0
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:50:31::1/64
     ipv6 ospf 46 area 0
    !
    ipv6 router ospf 46
     router-id 4.6.4.6
     passive-interface loopback0

OSPFv3 AF Support
• Multiple address families (RFC 5838): legacy IPv4 prefixes and IPv6 prefixes, transport over IPv6
• Common elements: neighbor table, Link State Database (LSDB), show command structure
• ip ospf (IPv4 over OSPFv2), ipv6 ospf (IPv6 over OSPFv3), ospfv3 (both AFs over OSPFv3)

    router ospfv3 46
     router-id 4.6.4.6
     !
     address-family ipv6 unicast
      passive-interface Loopback0
     exit-address-family
     !
     address-family ipv4 unicast
      passive-interface Loopback0
     exit-address-family
    !
    interface GigabitEthernet0/2
     ip address 192.168.4.1 255.255.255.0
     ipv6 enable
     ospfv3 46 ipv4 area 0
     ospfv3 46 ipv6 area 0
    !
    sh ip route ospfv3

OSPFv3 Authentication
• IPsec AH for authentication (RFC 4552); manual key process; ESP could be used for confidentiality; needs a security license for IPsec
• The key length must match the algorithm: 32 hex digits for md5, 40 for sha1
• RFC 7166 authentication trailer: anti-replay, HMAC-SHA-1, 256, 384, 512; no IPsec required

    ! RFC 4552: IPsec AH per interface
    interface Ethernet0/0
     ipv6 ospf 46 area 0
     ipv6 ospf authentication ipsec spi 500 sha 1234567890ABCDEF1234567890ABCDEF
    !
    ! RFC 7166: authentication trailer with a key chain
    key chain AUTH
     key 1
      key-string RFC
      cryptographic-algorithm hmac-sha-512
    !
    router ospfv3 46
     address-family ipv6 unicast
      authentication mode strict
      area 0 authentication key-chain AUTH

Classic EIGRP for IPv6 (EIGRPv6)
• EIGRP – IP protocol 88
• fe80::/64 source → ff02::a destination
• "no shutdown" under the process is needed on older versions
• Apply the routing process to the interfaces
• Auto-summary disabled
• Transport and peering over IPv6

    ipv6 unicast-routing
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:1000::1/128
     ipv6 eigrp 46
    !
    interface ethernet 0/1
     ipv6 address 2001:db8:50:31::1/64
     ipv6 eigrp 46
    !
    ipv6 router eigrp 46
     no shutdown
     eigrp router-id 4.6.4.6
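The management-plane slide above relies on an ordered access-list with an explicit logged deny to protect the VTY lines. As an added example (not code from the deck or from Cisco), the following Python parses an IOS-style IPv6 access-list and evaluates it the way the router does: first match wins, anything unmatched hits the implicit deny, and only entries carrying log-input produce a log record. The ACL text, interface name, addresses and the log line format are constructed for the example; the log line is not IOS syslog syntax.

```python
"""Added example (not from the Cisco Live deck): a first-match evaluator for an
IOS-style IPv6 access-list such as the V6ACCESS list that protects the VTY
lines on the slide. It parses permit/deny lines, applies them in order with the
implicit deny at the end, and shows what log-input adds to a denied attempt.
The ACL text, interface names, addresses and the log line format below are
constructed for the example (the log line is not IOS syslog syntax)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    log_input: bool = False         # log hits together with the input interface


def _take_net(tokens: list[str]) -> tuple[ipaddress.IPv6Network, list[str]]:
    """Consume 'any', 'host X' or 'X/len' from the front of the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]


def parse_acl(text: str) -> list[Rule]:
    """Parse the entries of one 'ipv6 access-list'; the name line and '!' are skipped."""
    rules: list[Rule] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue
        tokens = parts[1:]
        if tokens and tokens[0] == "ipv6":     # protocol keyword; only 'ipv6' is handled here
            tokens = tokens[1:]
        src, tokens = _take_net(tokens)
        dst, tokens = _take_net(tokens)
        rules.append(Rule(parts[0], src, dst, "log-input" in tokens))
    return rules


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, in_iface: str) -> tuple:
    """First match wins; no match is the implicit deny, which IOS does not log."""
    s, d = ipaddress.IPv6Address(src_ip), ipaddress.IPv6Address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            log = f"{r.action} {src_ip} -> {dst_ip} in {in_iface}" if r.log_input else None
            return r.action, log
    return "deny", None


# Constructed copy of the slide's access-list as applied to the VTY lines.
VTY_ACL = """\
ipv6 access-list V6ACCESS
 permit ipv6 2001:db8:10:10::1/128 any
 deny ipv6 any any log-input
"""
RULES = parse_acl(VTY_ACL)
# Same policy without the explicit deny: still denies, but silently (implicit deny).
PERMIT_ONLY = parse_acl("permit ipv6 2001:db8:10:10::1/128 any")

if __name__ == "__main__":
    for src in ("2001:db8:10:10::1", "2001:db8:10:10::2", "fe80::1"):
        print(src, evaluate(RULES, src, "2001:db8:10:10::ff", "GigabitEthernet0/1"))
```

The difference between RULES and PERMIT_ONLY is the operational point of the slide's explicit "deny ipv6 any any log-input": both block the same traffic, but only the explicit entry leaves a record of who tried to reach the management plane and on which interface.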
EIGRP Named Mode
• The name creates a virtual instance; it does not need to be common across the domain
• The address family configures the protocol instance; the AS number must be common within the domain
• Auto-applied to all IPv6-enabled interfaces; no need to configure under the interfaces
• Typical use: large-scale hub-and-spoke environments

    router eigrp IPv6rocks
     !
     address-family ipv6 unicast autonomous-system 46
      !
      af-interface Loopback0
       passive-interface
      exit-af-interface
      !
      af-interface Ethernet0/0
      exit-af-interface
      !
      eigrp router-id 4.6.4.6
     exit-address-family

EIGRP Authentication
• EIGRP supports HMAC-SHA-256
• To generate or validate messages, the hash is constructed using: the configured shared secret, the link-local address of the sender, and the EIGRP packet prior to adding the IP header

    router eigrp IPv6rocks
     address-family ipv6 unicast autonomous-system 46
      af-interface ethernet 0/0
       authentication mode hmac-sha-256 0 Cisco123

IS-IS
• Single topology mode: single LSDB, single cost; links must be congruent (dual stacked)
• Multi topology mode: LSDB and cost per protocol; flexible, a transition mode is available
• Authentication uses MD5 (TLV)
• Typical use: SPs, underlays

    ipv6 unicast-routing
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 router isis CISCO
     isis circuit-type level-1
     isis ipv6 metric 10000
     isis authentication mode md5
    !
    router isis CISCO
     net 49.0001.2222.2222.2222.00
     metric-style wide
     !
     address-family ipv6
      multi-topology

[Diagram: nodes A-E; the physical topology beside the IPv4 SPT and the IPv6 SPT in multi-topology mode]

RIPng
• RIPng – UDP 521, 15 hops
• fe80::/64 source → ff02::9 destination
• Distance vector, hop count (1-15)
• Split horizon, poison reverse
• Lightweight IPv6-only protocol
• Uses AH for authentication
• Typical use: star topology, single-path edge devices

    ipv6 unicast-routing
    !
    interface loopback 0
     ipv6 address 2001:db8:1000::1/128
     ipv6 rip CISCO enable
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 rip CISCO enable
    !
    ipv6 router rip CISCO

IPv6 BGP & Multihome

Network Prefix Translation IPv6
• RFC 6296 - NPTv6: stateless and checksum-neutral
• Translators attached to the internal network
• Unique Local Addressing (ULA) inside, provider-allocated addressing outside
• Rewrites the leftmost bits of the address; inside and outside prefixes must be of equal length
• Fits small-to-medium enterprises

    interface GigabitEthernet0/0/0
     nat66 inside
    !
    interface GigabitEthernet0/0/1
     nat66 outside
    !
    nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48

[Diagram: inside fd07:18:4c::/48, translator, 2001:db8:46::/48 toward the Internet]

Multihomed, Multiprefix (BGP)
• Solve for ingress and egress separately
• Peer over IPv6 for IPv6 prefixes
• Control the hop limit (GTSM, RFC 5082): accept ~254 and above only
• MD5 or AH possible; next-hop-self (fe80::)
• Prefix size filtering, /32 - /48

    router bgp 200
     bgp router-id 4.6.4.6
     no bgp default ipv4-unicast
     neighbor 2001:db8:460:102::2 remote-as 2014
     neighbor 2001:db8:460:102::2 ttl-security hops 1
     neighbor 2001:db8:460:102::2 password cisco4646
     !
     address-family ipv6 unicast
      ! activate the neighbor for IPv6 unicast
      neighbor 2001:db8:460:102::2 activate

Solving Ingress
• Equal load distribution: advertise the more specific /45s alongside the /44
• Non-equal load distribution: use AS-path prepend, if the provider accepts it

    ipv6 prefix-list ISPAout seq 5 permit 2001:db8:460::/44
    ipv6 prefix-list ISPAout seq 10 permit 2001:db8:460::/45
    !
    ipv6 prefix-list ISPBout seq 5 permit 2001:db8:460::/44
    ipv6 prefix-list ISPBout seq 10 permit 2001:db8:468::/45
    !
     neighbor 2001:db8::b1 route-map ISPBout out
    !
    route-map ISPBout permit 10
     set as-path prepend 64498 64498 64498 64498

[Diagram: enterprise domain 2001:db8:460::/44 behind ISP A (AS 64499, 2001:db8:a1::/32) and ISP B (AS 64497, 2001:db8:b1::/32)]
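The NPTv6 slide says the translator "swaps the leftmost bits" of the address for the slide's fd07:18:4c::/48 and 2001:db8:46::/48 pair; what makes that possible without rewriting TCP/UDP checksums is the one's-complement adjustment RFC 6296 folds into the subnet word. As an added example (not code from the deck and not Cisco's nat66 implementation), the following Python carries the mapping out in both directions for that prefix pair. It handles equal-length prefixes that are multiples of 16 bits up to /48; the treatment of an adjusted word of 0xFFFF (stored as 0x0000, the same one's-complement value) is this example's choice, and a subnet of 0xFFFF on the inside is rejected because it cannot be mapped reversibly. Addresses are constructed.

```python
"""Added example (not from the deck and not Cisco's nat66 code): the RFC 6296
NPTv6 address mapping for fd07:18:4c::/48 <-> 2001:db8:46::/48. The inside prefix
is overwritten with the outside prefix and a one's-complement adjustment is
folded into the subnet word (bits 48-63), so the transport checksum of every
translated packet stays valid without touching TCP/UDP headers. Prefix lengths
are limited to multiples of 16 up to /48 here; the 0xFFFF handling is this
example's choice. Addresses are constructed."""
import ipaddress


def _words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _fold(x: int) -> int:
    """Reduce to 16 bits with end-around carry (one's-complement addition)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def _ocsum(words) -> int:
    return _fold(sum(words))


def adjustment(src_prefix: str, dst_prefix: str) -> int:
    """One's-complement (sum of src prefix words) - (sum of dst prefix words)."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen % 16 or src.prefixlen > 48:
        raise ValueError("example supports equal-length prefixes of /16, /32 or /48")
    n = src.prefixlen // 16
    s = _ocsum(_words(src.network_address)[:n])
    d = _ocsum(_words(dst.network_address)[:n])
    return _fold(s + (d ^ 0xFFFF))          # s + (-d) in one's complement


def translate(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Map addr from src_prefix into dst_prefix, checksum-neutrally. Calling it
    with the prefixes swapped performs the reverse mapping."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = _words(a)
    n = src.prefixlen // 16
    w[:n] = _words(dst.network_address)[:n]   # overwrite the prefix bits
    if w[3] == 0xFFFF:                        # one's-complement zero: not reversible
        raise ValueError("subnet 0xFFFF cannot be translated")
    w[3] = _fold(w[3] + adjustment(src_prefix, dst_prefix))
    if w[3] == 0xFFFF:                        # normalise one's-complement zero
        w[3] = 0
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    sa = _ocsum(_words(ipaddress.IPv6Address(a)))
    sb = _ocsum(_words(ipaddress.IPv6Address(b)))
    return sa % 0xFFFF == sb % 0xFFFF         # 0x0000 and 0xFFFF are both zero


INSIDE, OUTSIDE = "fd07:18:4c::/48", "2001:db8:46::/48"   # the slide's nat66 prefixes

if __name__ == "__main__":
    for host in ("fd07:18:4c:1::10", "fd07:18:4c::1"):
        out = translate(host, INSIDE, OUTSIDE)
        back = translate(out, OUTSIDE, INSIDE)
        print(host, "->", out, "->", back, "neutral:", checksum_neutral(host, out))
```

The subnet word is what changes: fd07:18:4c:1::10 leaves as 2001:db8:46:cf6d::10, not 2001:db8:46:1::10. That matters for anything that keys on the outside subnet (firewall rules at the provider, logs, reverse DNS): the inside-to-outside subnet mapping is deterministic but not the identity, so it must be computed rather than assumed.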
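The multihoming slides above put three controls on the provider session: the hop-limit check behind "ttl-security hops 1", the /32-/48 prefix-size filter, and the /45 more-specifics used to split ingress. As an added example (not code from the deck or from Cisco), the following Python implements those three decisions on constructed input: a minimal IPv6+TCP segment to port 179, a list of prefixes as a provider might announce them, and the enterprise /44. The packet builder, the verdict strings and the provider names are this example's own.

```python
"""Added example (not from the deck): the checks behind the slide's BGP neighbor
settings, in Python rather than IOS. gtsm_verdict() applies the hop-limit rule
that 'ttl-security hops 1' enforces (GTSM, RFC 5082): a directly connected peer
sends with hop limit 255, so a segment arriving with hop limit below 255 - hops
was sent from further away and is dropped before TCP/BGP see it.
prefix_verdict() applies the /32-/48 prefix-size filter to prefixes learned from
a provider, and split_ingress() builds the per-provider more-specifics of the
'Solving Ingress' slide. Packet bytes, prefixes and names are constructed."""
import ipaddress
import struct

BGP_PORT = 179
TCP = 6
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # IANA global unicast range


def build_bgp_segment(src: str, dst: str, hop_limit: int, sport: int = 40000) -> bytes:
    """Constructed 40-byte IPv6 header (next header TCP) plus a minimal 20-byte TCP
    header (SYN) to port 179; only the fields the check reads are meaningful."""
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 20, TCP, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, BGP_PORT, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip6 + tcp


def gtsm_verdict(packet: bytes, hops: int = 1) -> tuple:
    """(accept, reason) for a BGP segment under 'ttl-security hops <hops>'."""
    if len(packet) < 44:
        return False, "truncated"
    _, _, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if next_header != TCP:
        return False, "not TCP (extension headers are not walked in this example)"
    sport, dport = struct.unpack("!HH", packet[40:44])
    if BGP_PORT not in (sport, dport):
        return False, "not BGP"
    if hop_limit < 255 - hops:
        return False, f"hop limit {hop_limit} < {255 - hops}: more than {hops} hop(s) away"
    return True, f"hop limit {hop_limit} ok"


def prefix_verdict(prefix: str, min_len: int = 32, max_len: int = 48) -> tuple:
    """Inbound prefix-size filter: global unicast only, /min_len to /max_len inclusive."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not net.subnet_of(GLOBAL_UNICAST):
        return False, "not global unicast"
    if net.prefixlen < min_len:
        return False, f"/{net.prefixlen} shorter than /{min_len}"
    if net.prefixlen > max_len:
        return False, f"/{net.prefixlen} longer than /{max_len}"
    return True, "accepted"


def split_ingress(aggregate: str, providers: list) -> dict:
    """Equal ingress split: every provider announces the aggregate plus one
    more-specific, so longest match in the DFZ steers each half to one provider."""
    count = len(providers)
    if count & (count - 1):
        raise ValueError("number of providers must be a power of two")
    agg = ipaddress.IPv6Network(aggregate)
    halves = agg.subnets(new_prefix=agg.prefixlen + count.bit_length() - 1)
    return {p: [str(agg), str(h)] for p, h in zip(providers, halves)}


if __name__ == "__main__":
    peer, me = "2001:db8:460:102::2", "2001:db8:460:102::1"
    for hl in (255, 254, 253, 64):
        print(hl, gtsm_verdict(build_bgp_segment(peer, me, hl)))
    for p in ("2001:db8:460::/44", "2001::/16", "2001:db8:460:1::/64", "fd07:18:4c::/48", "::/0"):
        print(p, prefix_verdict(p))
    print(split_ingress("2001:db8:460::/44", ["ISPA", "ISPB"]))
```

The hop-limit rule is the cheap part of the defence: it does nothing against a spoofed packet from the directly attached segment, which is what the MD5/AH session protection on the same slide covers. The prefix filter rejects both ::/0 and a /64; a small site that takes only a default from its provider (the earlier "Routing Design Considerations" slide) needs the opposite policy and should not reuse this one.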

Details
• File Type: pdf
• Content Languages: English
• File Pages: 186
