1. How to Securely Operate an IPv6 Network
Eric Vyncke, Distinguished

2. Foreword All topics common to IPv4/IPv6 are unchanged:
Physical security
Role Base Access Control
....
I took the liberty to include Cisco configuration (as it may be useful for you) but I will not detail them

3. Agenda Management Plane Control Plane Routing Information
Neighbor Discovery
Control Plane Protection
Data Plane
Anti-spoofing
Access Control List
Tunnel loops
Telemetry
Forensic
Lawful Intercept
Summary

4. Management Plane 4 4

5. Management over IPv6 SSH, syslog, SNMP, NetFlow all work over IPv6
Dual-stack management plane
More resilient: works even if one IP version is down
More exposed: can be attacked over IPv4 and IPv6
RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE rls 3.2S)
But, IPv6 RADIUS attributes can be transported over IPv4
As usual, infrastructure ACL is your friend (more to come) as well as out-of- band management

6. IPv6 ACL to Protect VTY
For Your
Reference
ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any line vty ipv6 access-class VTY in
Must be done before enabling IPv6 on any interface
Beware there is no equivalent for HTTP => use ACL
In IOS-XR, the command is ‘access-class VTY ingress’,
the IPv4 and IPv6 ACL must have the same name

7. Control Plane: Routing Protocols7

8. Preventing IPv6 Routing Attacks Protocol Authentication
BGP, IS-IS, EIGRP no change:
An MD5 authentication of the routing update
OSPFv3 originally pulled MD5 authentication from the protocol and instead relies on transport mode IPsec (for authentication and confidentiality)
But see RFC 6506 (not yet widely implemented)
IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP and IS-IS
Use IPsec to secure protocols such as OSPFv3

9. OSPF or EIGRP Authentication
For Your
Reference
interface Ethernet0/0
ipv6 ospf 1 area 0
ipv6 ospf authentication ipsec spi 500 md ABCDEF ABCDEF
interface Ethernet0/0
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 MYCHAIN
key chain MYCHAIN
key 1
key-string ABCDEF ABCDEF
accept-lifetime local 12:00:00 Dec :00:00 Jan
send-lifetime local 00:00:00 Jan :59:59 Dec
8:15
No crypto maps, no ISAKMP: transport mode with static session keys

10. BGP Route Filters Pretty obvious for customer links
For Your
Reference
Pretty obvious for customer links
For peering, a relaxed one
ipv6 prefix-list RELAX deny 3ffe::/16 le 128
ipv6 prefix-list RELAX deny 2001:db8::/32 le 128
ipv6 prefix-list RELAX permit 2001::/32
ipv6 prefix-list RELAX deny 2001::/32 le 128
ipv6 prefix-list RELAX permit 2002::/16
ipv6 prefix-list RELAX deny 2002::/16 le 128
ipv6 prefix-list RELAX deny 0000::/8 le 128
ipv6 prefix-list RELAX deny fe00::/9 le 128
ipv6 prefix-list RELAX deny ff00::/8 le 128
ipv6 prefix-list RELAX permit 2000::/3 le 48
ipv6 prefix-list RELAX deny 0::/0 le 128
Source:

11. Link-Local Addresses vs. Global Addresses
Link-Local addresses, fe80::/10, (LLA) are isolated
Cannot reach outside of the link
Cannot be reached from outside of the link 
LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing MAC
interface FastEthernet 0/0
ipv6 address fe80::1/64 link-local

12. Link-Local Addresses vs. Global Addresses
Could be used on the infrastructure interfaces
Routing protocols (inc BGP) work with LLA
neighbor fe80::2%FastEthernet0/0
Case sensitive !

13. LLA-Only Pros and Cons Benefits: Cons: Special case for IXP:
no remote attack against your infrastructure links: implicit infrastructure ACL*
Smaller routing table (links do not appear)
Simpler configuration
Easier to renumber
Cons:
need to provision loopback for:
ICMP for Traceroute
ICMP for PMTUD
SNMP/NetFlow/syslog/ ...
No interface ping
Special case for IXP:
Usually a specific /64 which is not routed => uRPF will drop ICMP generated (PMTUd) by routers in the IXP
LLA-only on the IXP interfaces => ICMP are generated from a non IXP interface
*: loopbacks are still routable/reachable

14. Control Plane: Neighbor Discovery14

15. Scanning Made Bad for CPU Remote Neighbor Cache Exhaustion RFC 6583
Potential router CPU/memory attacks if aggressive scanning
Router will do Neighbor Discovery... And waste CPU and memory
Local router DoS with NS/RS/…
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
2001:db8::1
2001:db8::2
2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
2001:db8::/64

16. Mitigating Remote Neighbor Cache Exhaustion
Built-in rate limiter with options to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is part of First Hop Security phase 3
Priority given to refresh existing entries vs. discovering new ones (RFC 6583)
Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because new addressing scheme can be done 

17. Simple Fix for Remote Neighbor Cache Exhaustion
Ingress ACL allowing only valid destination and dropping the rest
NDP cache & process are safe
Requires DHCP or static configuration of hosts
2001:db8::2
2001:db8::1
2001:db8::2
2001:db8::3
2001:db8::3
NS: 2001:db8::1
NA: 2001:db8::1
2001:db8::/64

18. ARP Spoofing is now NDP Spoofing: Threats
ARP is replaced by Neighbor Discovery Protocol
Nothing authenticated
Static entries overwritten by dynamic ones
Stateless Address Autoconfiguration
rogue RA (malicious or not)
All nodes badly configured
DoS
Traffic interception (Man In the Middle Attack)
Attack tools exist (from THC – The Hacker Choice)
Parasit6
Fakerouter6
...

19. ARP Spoofing is now NDP Spoofing: Mitigation
GOOD NEWS: dynamic ARP inspection for IPv6 is available
First phase (Port ACL & RA Guard) available since Summer 2010
Second phase (NDP & DHCP snooping) starting to be available since Summer 2011
(Kind of ) GOOD NEWS: Secure Neighbor Discovery
SeND = NDP + crypto
IOS 12.4(24)T
But not in Windows Vista, 2008 and 7, Mac OS/X, iOS, Android
Crypto means slower...
Other GOOD NEWS:
Private VLAN works with IPv6
Port security works with IPv6
IEEE 801.X works with IPv6 (except downloadable ACL)

20. Mitigating Rogue RA: Host Isolation
Prevent Node-Node Layer-2 communication by using:
Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
WLAN in ‘AP Isolation Mode’
1 VLAN per host (SP access network with Broadband Network Gateway)
Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm
Can break DAD
Advertise the SLAAC prefix without the on-link bit to force router to do ‘proxy-ND’ RA
Promiscuous Port RA
Isolated Port RA

21. First Hop Security: RAguard since 2010 RFC 6105
Port ACL blocks all ICMPv6 RA from hosts
interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port
ipv6 nd raguard
RA-guard (12.2(50)SY, 15.0(2)SE)
ipv6 nd raguard policy HOST device-role host
ipv6 nd raguard policy ROUTER device-role router
ipv6 nd raguard attach-policy HOST vlan 100
interface FastEthernet0/0
ipv6 nd raguard attach-policy ROUTER RA
ROUTER
Device-role RA
HOST
Device-role
Can also enforce MTU, prefix, ... In RA RA

22. IPv6 First Hop Security Platform Support
For Your
Reference
Feature/Platform
Catalyst 6500 Series
Catalyst 4500 Series
Catalyst 2K/3K Series
ASR1000 Router
7600 Router
Catalyst 3850
Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2)
Nexus 3k/5k/6k/7k
RA Guard
15.0(1)SY
15.1(2)SG
15.0.(2)SE
15.2(4)S
15.0(1)EX
7.2
NX-OS 7.2
IPv6 Snooping
15.0(1)SY1
XE 3.9.0S
DHCPv6 Guard
15.2(1)SY
Source/Prefix Guard
15.2(1)E
15.0.(2)SE2
15.3(1)S
Destination Guard
RA Throttler
ND Multicast Suppress
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release
Near future:
- Cat6k – 15.1(1)SY ships in Oct 2012 (adds Sup720 support) - Cat4k – 15.1(2)SG - ships in Nov 2012
– 15.3(1)S – adds some more features - ships in Nov 2012
- NG3k (1)EX - ships in Jan 2013
- ASR1k – 15.3(2)S - ships in 03/29/13
- Cat3k/4k – 15.2(1)E – ships in Summer 2013
Shipped:
1. Cat6k – 15.0(1)SY shipped on Sept 2011 (Sup2T only)
2. WLC – 7.2 release shipped in Jan 2012
3. Cat3k – 15.0(2)SE shipped in July 2012
– 15.2(4)S shipped in July 2012
Available Now
Not Available
Roadmap

23. Control Plane Protection23

24. Control Plane Policing for IPv6 Protecting the Router CPU
For Your
Reference
Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration...
See also RFC 6192

25. Data Plane 25

26. DoS Example Ping-Pong over Physical Point-to-Point
Same as in IPv4, on real P2P without NDP, if not for me, then send it on the other side... Could produce looping traffic
Classic IOS and IOS-XE platforms implement RFC 4443 so this is not a threat
Except on 76xx see CSCtg00387 (tunnels) and few others
IOS-XR see CSCsu62728
Else use /127 on P2P link (see also RFC 6164)
Or use infrastructure ACL or only link-local addresses
1) To 2001:db8::3
2) To 2001:db8::3
3) To 2001:db8::3 R2 R1
Serial 0/0 2001:db8::1/64
Serial 0/0 2001:db8::2/64
4) To 2001:db8::3
....
5) To 2001:db8::3

27. IPv6 Bogon and Anti-Spoofing Filtering
IPv6 nowadays has its bogons:
Every network should implement two forms of anti-spoofing protections:
Prevent spoofed addresses from entering the network
Prevent the origination of packets containing spoofed source addresses
Anti-spoofing in IPv6 same as IPv4
=> Same technique for single-homed edge= uRPF
Inter-Networking Device with uRPF Enabled
IPv6 Intranet X
IPv6 Intranet/Internet
IPv6 Unallocated
Source Address
No Route to SrcAddr => Drop

28. Bogons Filtering Detailed & updated list at:
Or simpler but more relaxed
ipv6 access-list NO_BOGONS
remark Always permit ICMP unreachable (Path MTU Discovery & co)
permit icmp any any unreachable
remark Permit only large prefix blocks from IANA
permit ip 2001::/16 any
permit ip 2002::/16 any
permit ip 2003::/18 any
permit ip 2400::/12 any
permit ip 2600::/10 any
permit ip 2800::/12 any
permit ip 2a00::/12 any
permit ip 2c00::/12 any
Remark implicit deny at the end (but see later)
Source:

29. Remote Triggered Black Hole
RFC 5635 RTBH is easy in IPv6 as in IPv4
uRPF is also your friend for blackholing a source
RFC 6666 has a specific discard prefix
100::/64
Source: Wikipedia Commons

30. Parsing the Extension Header Chain
Finding the layer 4 information is not trivial in IPv6
Skip all known extension header
Until either known layer 4 header found => MATCH
Or unknown extension header/layer 4 header found... => NO MATCH
IPv6 hdr
HopByHop
Routing AH
TCP
data
IPv6 hdr
HopByHop
Routing AH
Unknown L4
???
8H45

31. Parsing the Extension Header Chain Fragmentation Matters!
Extension headers chain can be so large than it must be fragmented!
RFC 3128 is not applicable to IPv6
Layer 4 information could be in 2nd fragment
IPv6 hdr
HopByHop
Routing
Destination
Fragment1
IPv6 hdr
HopByHop
Fragment2
TCP
Data
Routing
Layer 4 header is in 2nd fragment

32. Parsing the Extension Header Chain Fragments and Stateless Filters
RFC 3128 is not applicable to IPv6 but
RFC 6980 ‘nodes MUST silently ignore NDP ... If packets include a fragmentation header’ ;-)
Layer 4 information could be in 2nd fragment
But, stateless firewalls could not find it if a previous extension header is fragmented
IPv6 hdr
HopByHop
Routing
Fragment1
Destination …
IPv6 hdr
HopByHop
Routing
Fragment2
… Destination
TCP
Data
Layer 4 header is in 2nd fragment,
Stateless filters have no clue where to find it!

33. CRITICAL without this, there is a way to bypass STATELESS ACL!
IOS IPv6 Extended ACL
Can match on
Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type
TCP flags SYN, ACK, FIN, PUSH, URG, RST
Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF)
IPv6 extension header
routing matches any RH, routing-type matches specific RH
mobility matches any MH, mobility-type matches specific MH
dest-option matches any destination options
auth matches AH
hbh matches hop-by-hop (since 15.2(3)T)
fragments keyword matches
Non-initial fragments
undetermined-transport keyword does not match if
TCP/UDP/SCTP and ports are in the fragment
ICMP and type and code are in the fragment
Everything else matches (including OSPFv3, …)
Only for deny ACE
CRITICAL without this, there is a way to bypass STATELESS ACL!
Check your platform & release as your mileage can vary…

34. IPv6 ACL Implicit Rules
Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
Nexus 7000 also allows RS & RA
Be careful when adding « deny ipv6 any any log » at the end
permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any
permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log
IPv6 neighbour discovery uses ICMPv6 which can be blocked by an IPv6 ACL. The IPv4 equivalent, ARP cannot be blocked by an IP ACL. The implicit permit rules bring the IPv6 ACL behaviour into line with IPv4 ACLs.
The implicit permit rules only take effect for incoming ACLs, since self-originating traffic from the router cannot be blocked by an ACL.
For IPv6 standard ACL 12.2(2)T where matching against protocol type is not possible, rules permitting link-local fe80::/16 any any are required to enable name resolution.
The user can override the implicit rules by adding the equivalent ‘deny icmp’ within an ACL.

35. Example: Generic ACL on PE-CE or Peering
For Your
Reference
ipv6 access-list SIMPLE
remark To be reviewed for potential customization (e.g. use of ULA)
remark Drop evil routing header type 0
deny ipv6 any any routing-type 0
remark allow DAD
permit IPv6 host :: 2000::/3
permit IPv6 host :: FE80::/10
remark Allow unicast global to other valid destinations
permit ipv6 2000::/3 2000::/3
permit ipv6 2000::/3 FE80::/10
permit ipv6 2000::/3 FF00::/8
remark Allow link-local to other valid destinations
permit ipv6 FE80::/64 FE80::/64
permit ipv6 FE80::/64 FF02::/10
permit ipv6 FE80::/ ::/3
remark Catch-up
deny ipv6 any any

36. Controls are Available For Example: Cisco IPv6 Security Products
ASA Firewall (Since version 7.0 released 2005)
Flexibility: Dual stack, IPv6 only, IPv4 only
SSL VPN for IPv6 over IPv4 (ASA 8.0) over IPv6 (ASA 9.0)
Stateful-Failover (ASA 8.2.2)
Extension header filtering and inspection (ASA 8.4.2)
Dual-stack ACL & object grouping (ASA 9.0)
ASA-SM
Leverage ASA code base, same features ;-) 16 Gbps of IPv6 throughput
IOS Firewall (IOS 12.3(7)T - released 2005; Zone-based firewall on IOS-XE )
IPS (Since released 2008)
Security Appliance (ESA) under beta testing since 2010, IPv6 support since (May 2012)
Web Security Appliance (WSA) with explicit and transparent proxy
Cisco Cloud Web Security (ScanSafe) work in progress (need IPv6 connectivity for all towers...)
FIREpower NGIPS provides Decoder for IPv4 & IPv6 Packets

37. Looping Attack Between 6to4 and ISATAP (RFC 6324)
6to4 relay
1. Spoofed packet
S: 2001:db8::200:5efe:c000:201
D: 2002:c000:202::1
ISATAP router
Prefix 2001:db8::/64
2. IPv4 Packet to containing
S: 2001:db8::200:5efe:c000:201
D: 2002:c000:202::1
3. IPv6 packet
S: 2001:db8::200:5efe:c000:201
D: 2002:c000:202::1
Repeat until Hop Limit == 0
Root cause
Same IPv4 encapsulation (protocol 41)
Different ways to embed IPv4 address in the IPv6 address
ISATAP router:
accepts 6to4 IPv4 packets
Can forward the inside IPv6 packet back to 6to4 relay
Symmetric looping attack exists
Mitigation:
Easy on ISATAP routers: deny packets whose IPv6 is its 6to4
Less easy on 6to4 relay: block all ISATAP-like local address?
Good news: not so many open ISATAP routers on the Internet
Do not announce the 6to4 relay address outside of your AS and accepts protocol-41 packets only from your AS

38. 6to4/6rd Tunnels Bypass Centralized ACL
IPv6
Internet
6to4/6rd relay
tunnel
ACL
IPv4
6to4/6rd router
Direct tunneled traffic ignores hub ACL
6to4/6rd router
6rd CPE router can be configured to always go through hub
Direct CPE-CPE communication must then be forbidden by IPv4 network

39. 6rd Relay Security Issues
6rd is more constrained than 6to4, hence more secure
IPv4 ACL (or IPv4 routing) can limit the 6rd packets to the 6rd domain within the ISP
No more open relay
No more looping attacks

40. Secure IPv6 over IPv4/6 Public Internet
No traffic sniffing
No traffic injection
No service theft
Public Network
Site 2 Site
Remote Access
IPv4
6in4/GRE Tunnels Protected by IPsec
DMVPN 12.4(20)T
ISATAP Protected by RA IPsec
SSL VPN Client AnyConnect
IPv6
IPsec VTI 12.4(6)T
DMVPN 15.2(1)T
AnyConnect 3.1 & ASA 9.0

41. 9H00 Telemetry IPv6 security is similar to IPv4 security
No excuse to operate an insecure IPv6 network
Telemetry
9H00 41

42. Available Tools Usually IPv4 telemetry is available SNMP MIB
Not always available yet on Cisco gears
Flexible Netflow for IPv6
Available in : 12.4(20)T, 12.2(33)SRE
Public domain tools: nfsen, nfdump, nfcpad…

43. IPv6 MIB Implementation
For Your
Reference
IP FWD
(ROUTES) IP
ICMP
TCP
UDP
Original IPv4 only
2096
2011
2012
2013
IPv6 only
2465
2466
2452
2454
Protocol Version Independent (PVI)
rfc2096-update =
4292
rfc2011-update
4293 = IP-MIB
rfc2012-update
4022
rfc2013-update
4113
IPv4/IPv6 stats can be monitored from CLI “show interface accounting” on most platforms
RFC 4292 and 4293 – Interface Stats table are added, also required HW support
Tunnel MIB (RFC 4087)

44. Using SNMP to Read Interfaces Traffic
For Your
Reference
snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 -m IP-MIB ipNetToPhysicalPhysAddress
SNMP table: IP-MIB::ipIfStatsTable
index ipIfStatsInReceives ipIfStatsHCInReceives ipIfStatsInOctets
ipv ?
ipv ?
ipv ?
ipv ?
snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 ifTabl
SNMP table: IF-MIB::ifTable
index ifIndex ifDescr ifType ifMtu ifSpeed
FastEthernet0/0 ethernetCsmacd
FastEthernet0/1 ethernetCsmacd

45. Using SNMP to Read IPv4/IPv6 Neighbors Cache
For Your
Reference
snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:13:c4:43:cf:e
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:23:48:2f:93:24
IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:80:c8:e0:d4:be
...
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f
IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3
snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable

46. NetFlow Versions NetFlow Version Comments 1 Original 5
For Your
Reference
NetFlow Version
Comments 1
Original 5
Standard and most common 7
Specific to Cisco Catalyst 6500 and 7600 Series Switches
Similar to version 5, but does not include AS, Interface, TCP Flags, and ToS Information 8
Choice of 11 aggregation schemes
Reduces resource usage 9
Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now are MPLS, Multicast, and BGP Next-Hop

47. Flexible Flow Record: IPv6 Key Fields
For Your
Reference
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol
Extension
Traffic Class
Hop-Limit
Flow Label
Length
Option Header
Next-header
Header Length
Version
Payload Length
Routing
Destination AS
Peer AS
Traffic Index
Forwarding Status
Is-Multicast
IGP Next Hop
BGP Next Hop
Transport
Destination Port
TCP Flag: ACK
Source Port
TCP Flag: CWR
ICMP Code
TCP Flag: ECE
ICMP Type
TCP Flag: FIN
IGMP Type
TCP Flag: PSH
TCP ACK Number
TCP Flag: RST
TCP Header Length
TCP Flag: SYN
TCP Sequence Number
TCP Flag: URG
TCP Window-Size
UDP Message Length
TCP Source Port
UDP Source Port
TCP Destination Port
UDP Destination Port
TCP Urgent Pointer
Flow
Sampler ID
Direction
Interface
Input
Output
Router(config-flow-record)#match trans tcp flags ?
ack TCP acknowledgement flag
cwr TCP congestion window reduced flag
ece TCP ECN echo flag
fin TCP finish flag
psh TCP push flag
rst TCP reset flag
syn TCP synchronise flag
urg TCP urgent flag

48. Flexible Flow Record: IPv6 Extension Header Map
For Your
Reference
Bits 11-31
Bit 10
Bit 9
Bit 8
Bit 7
Bit 6
Bit 5
Bit 4
Bit 3
Bit 2
Bit 1
Bit 0
Res
ESP AH
PAY
DST
HOP
UNK
FRA0 RH
FRA1
FRA1: Fragment header – not first fragment
RH: Routing header
FRA0: Fragment header – First fragment
UNK: Unknown Layer 4 header (compressed, encrypted, not supported)
HOP: Hop-by-hop extension header
DST: Destination Options extension header
PAY: Payload compression header
AH: Authentication header
ESP: Encapsulating Security Payload header
Res: Reserved 48

49. Flexible NetFlow Exporter, Record and Monitor
For Your
Reference
flow exporter FLOW-EXPORTER
destination 2001:db8::1 <<< IPv6 is supported
transport udp 9995
flow record FLOW-RECORD
match ipv6 source address <<< key fields
match ipv6 destination address
match ipv6 protocol
collect counter bytes <<< non key fields
collect counter packets
collect datalink mac source address input <<< can also collect MAC addresses ;-)
flow monitor FLOW-MONITOR
; record netflow ipv6 original-output <<< for traditional NetFlow records
record FLOW-RECORD
exporter FLOW-EXPORTER
statistics packet protocol
statistics packet size
interface GigEthernet0/15
ipv6 flow monitor FLOW-MONITOR output

50. Netflow Reverse Usage
Scanning an IPv6 network is impossible (address space too large)
How can we run a security audit?
Easy
Get all IPv6 addresses from Netflow
Note: scanning link-local addresses requires layer-2 adjacency, i.e.
Ping6 ff02::1

51. Vulnerability Scanning in a Dual-Stack World
Finding all hosts:
Address enumeration does not work for IPv6
Need to rely on DNS or NDP caches or NetFlow
Vulnerability scanning
IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
Some services are single stack only (currently mostly IPv4 but who knows...)
Personal firewall rules could be different between IPv4/IPv6
IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network
IPv6 link-local addresses are active by default

52. Forensic 52

53. Multiple Facets to IPv6 Addresses
Every host can have multiple IPv6 addresses simultaneously
Need to do correlation!
Alas, no Security Information and Event Management (SIEM) supports IPv6
Usually, a customer is identified by its /48 
Every IPv6 address can be written in multiple ways
2001:0DB8:0BAD::0DAD
2001:DB8:BAD:0:0:0:0:DAD
2001:db8:bad::dad (this is the canonical RFC 5952 format)
=> Grep cannot be used anymore to sieve log files…

54. Perl to Canonical IPv6 Addresses
For Your
Reference
#!/usr/bin/perl –w
use strict ;
use Socket ;
use Socket6 ;
my $word, $binary_address) ;
## go through the file one line at a time
while (my $line = <STDIN>) {
@words = split /[ \n]/, $line ;
foreach $word {
$binary_address = inet_pton AF_INET6, $word ;
if ($binary_address) {
print inet_ntop AF_INET6, $binary_address ;
} else {
print $word ; }
print " " ;
print "\n" ;

55. Perl Grep6 For Your Reference #!/usr/bin/perl –w use strict ;
use Socket ;
use Socket6 ;
my $word, $binary_address, $address) ;
$address = inet_pton AF_INET6, $ARGV[0] ;
if (! $address) { die "Wrong IPv6 address passed as argument" ; }
## go through the file one line at a time
while (my $line = <STDIN>) {
@words = split /[ \n\(\)\[\]]/, $line ;
foreach $word {
$binary_address = inet_pton AF_INET6, $word ;
if ($binary_address and $binary_address eq $address) {
print $line ;
next ; }

56. How to Find the MAC Address of an IPv6 Address?
Easy if EUI-64 format as MAC is embedded
2001:db8::0226:bbff:fe4e:9434
(need to toggle bit 0x20 in the first MAC byte = U/L)
Is :26:bb:4e:94:34

57. How to Find the MAC Address of an IPv6 Address?
DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be
MAC address: trivial
Time + MAC address: simply take the last 6 bytes
Vendor number + any number: no luck… next slide can help
No guarantee of course that DUID includes the real MAC address.
# show ipv6 dhcp binding
Client: FE80::225:9CFF:FEDC:7548
DUID: A00259CDC7548
Username : unassigned
Interface : FastEthernet0/0
IA PD: IA ID 0x B, T , T
Prefix: 2001:DB8:612::/48
preferred lifetime 3600, valid lifetime 3600
expires at Nov :22 PM (369)
9H15

58. DHCPv6 in Real Live… Actual MAC address: # show ipv6 dhcp binding
Not so attractive 
Only supported in Windows Vista, and Windows 7, Max OS/X Lion
Not in Linux (default installation), …
Windows Vista does not place the used MAC address in DUID but any MAC address of the PC
Actual MAC address:
0022.5f
# show ipv6 dhcp binding
Client: FE80::FDFA:CB28:10A9:6DD0
DUID: DB0EA6001E33814DEE
Username : unassigned
IA NA: IA ID 0x F, T1 300, T2 480
Address: 2001:DB8::D09A:95CA:6918:967
preferred lifetime 600, valid lifetime 600
expires at Oct :02 PM (554 seconds)

59. How to Find the MAC Address of an IPv6 Address?
Last resort… look in the live NDP cache (CLI or SNMP)
If no more in cache, then you should have scanned and saved the cache…
EEM can be your friend
First-Hop Security phase II can generate a syslog event on each new binding
ipv6 neighbor binding logging
#show ipv6 neighbors 2001:DB8::6DD0
IPv6 Address Age Link-layer Addr State Interface
2001:DB8::6DD f STALE Fa0/1

60. Lawful Intercept 60

61. Which Target? Target could be
Host address /128: probably very rare
Subscriber prefix /48 or /56
Layer-2 address (MAC address)
Circuit
PPP session
Content of 6RD/MAP-T/DS-lit tunnel by intercepting the external addresses
Targets based not based on IPv6 addresses are ‘as usual’ and can be done as usual from a SP perspective
Of course mediation device & LEA must understand IPv6 

62. Summary 62

63. Key Takeaway /1 Management plane Control plane Data plane
Protect management plane with access-class
Control plane
Authenticate IGP
Consider the use of link-local on P-P links?
Mitigate rogue-RA with RA-guard
Configure control plane policing
Data plane
Beware of ping-pong on not /127 real P2P link
Apply anti-spoofing, anti-bogons
Disable source routing
Use ACL where applicable
ACL must permit NDP

64. Key Takeaway /2 Telemetry Forensic Lawful Interception
SNMP MIB and Netflow v9 are your friends
Netflow can be used for inventory
Forensic
Multiple addresses per node, multiple ways to write an IPV6 address
Finding MAC address from IPv6:
EUI-64,
DHCPv6 (not so trivial)
else periodic NDP cache dumps...
Lawful Interception
implemented, missing mediation device

65. Conclusion
As expected IPv6 secure operations are quite similar to IPv4
Main differences at layer 2
Tunnels complicate everything
Lack of correlation tools

66. Questions and Answers?

67. 4/14/2017
Cisco Live 2013

68. List of Acronyms 6rd: 6 Rapid Deployment
For Your
Reference
6rd: 6 Rapid Deployment
AAA: Authentication, Authorization, Accounting
CGA: Cryptographically Generated Address
DUID: DHCP Unique ID
EUI-64: Extended Unique ID
IPSec: IP Security
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
LEA: Law Enforcement Agency
LLA: Link-Local Address
MD5: Message Digest 5
NDP: Neighbor Discovery Protocol
PIM: Protocol Independent Multicast
PMTUD: Path MTU Discovery
RA: Router Advertisement
RIPng: Routing Information Protocol Next Generation
SEND: Secure Neighbor Discovery
SSH: Secure SHell