
© 2012 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public IPv6 WiFi: deployment experience. Andrew Yourtchenko - Cisco.



Presentation transcript:

1 IPv6 WiFi: deployment experience. Andrew Yourtchenko - Cisco

2 Today 60-70% of WiFi devices support IPv6. Source: NOC stats, MPLS & IPv6 World Congress Conference, Paris, 2013

3 The CiscoLive Europe conference network. 250-300 access points: large coverage area; several thousand simultaneous connections. Dynamic life cycle: on-site preparation 4-5 days; operational lifetime 5 days. WiFi is a critical and highly visible component: "seamless" roaming while on the move; simple to operate and configure.

4 General design principles. One segment: IPv4 /16, IPv6 /64: simple address-space management; no L3 roaming (L2 only). Limiting multicast traffic. IPv6 Neighbor Discovery security.

5 Overview: a new IPv6 connection. [Sequence diagram; labels recovered from the figure: 1 IPv6 link-local DAD NS ("Can I use this LL addr?"); 2 RS; 3 RA (Prfx, M, O flags); 4 IPv6 global-address DAD NS ("Can I use this addr?"); 5 DHCPv6 inf req / DHCPv6 Reply DNS; 6 DHCPv6 req / DHCPv6 Reply addr, then IPv6 global-address DAD NS ("Can I use this addr?")]

6 Multicast Router Advertisements in the conference WiFi network. [figure]

7 Multicast Router Advertisements: RA throttling. [figure]

8 Neighbor Discovery security

9 Demo: Windows 7 & "Rogue" RA

10 WLC RA guard: blocking unauthorized RAs. [figure]

11 Duplicate Address Detection: the uniqueness check. Verifies that an address is unique before activating it. Required (MUST) for SLAAC, recommended (SHOULD) for DHCP. An ND query in case somebody is already using the address. NS: ICMP type = 135 (Neighbor Solicitation), Src = UNSPEC = 0::0, Dst = Solicited-node multicast address of A, target = A. Query = Does anybody use A already? If nobody answers, node A can start using address A. [figure: nodes A, B, C on one link]

12 Protocol vulnerability: denial of service. The attacker answers every DAD NS query; DAD fails and the address cannot be used. NS: Src = UNSPEC, Dst = Solicited-node multicast address of A, target = A. Query = Does anybody use A already? NA from C: Src = any of C's I/F addresses, Dst = A, target = A, Option = link-layer address of C, "it's mine!" From RFC 4862 5.4: "If a duplicate @ is discovered... the address cannot be assigned to the interface". What if: use the MAC @ of the node you want to DoS and claim its IPv6 @. Attack tool: Dos-new-IPv6. Mitigation in IOS: configuring the IPv6 address as anycast disables DAD on the interface.
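The DAD-answering pattern on this slide is easy to spot on the wire from a defender's side: a real host only defends the handful of addresses it owns, whereas a tool that replies to every DAD NS claims an unbounded number of targets. The script below is an added example, not part of the slides or Cisco's code. It builds raw ICMPv6 NS/NA bodies (types 135/136 with the target link-layer address option from RFC 4861) from constructed addresses and MACs, parses them, and flags any advertised MAC that answers DAD for more targets than a threshold; the (IPv6 source, ICMPv6 body) framing and the threshold value are assumptions for the demonstration.

```python
"""Spotting a host that answers every DAD probe (added example; constructed traffic).

Each observed message is a (ipv6_source, icmpv6_body) pair: the IPv6 source comes
from the IPv6 header, the body is the raw ICMPv6 NS/NA (type 135/136). Addresses,
MACs and the threshold are constructed assumptions for this demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

ICMPV6_NS = 135           # Neighbor Solicitation
ICMPV6_NA = 136           # Neighbor Advertisement
OPT_TARGET_LLADDR = 2     # Target link-layer address option (RFC 4861, 4.6.1)
UNSPECIFIED = ipaddress.IPv6Address("::")   # IPv6 source used by DAD probes


def build_nd(msg_type, target, lladdr=None, flags=0):
    """Build a minimal ICMPv6 NS/NA body: type, code, checksum (left 0 here),
    4 bytes of flags/reserved, the 16-byte target, plus an optional
    target link-layer address option (type 2, length 1 = 8 octets)."""
    body = struct.pack("!BBHI", msg_type, 0, 0, flags)
    body += ipaddress.IPv6Address(target).packed
    if lladdr is not None:
        body += struct.pack("!BB", OPT_TARGET_LLADDR, 1)
        body += bytes.fromhex(lladdr.replace(":", ""))
    return body


def parse_nd(body):
    """Return (type, target address, target link-layer address or None)."""
    msg_type = body[0]
    target = ipaddress.IPv6Address(body[8:24])
    lladdr = None
    off = 24
    while off + 2 <= len(body):
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:          # RFC 4861: a zero-length option is invalid
            break
        if opt_type == OPT_TARGET_LLADDR and off + 8 <= len(body):
            lladdr = ":".join(f"{b:02x}" for b in body[off + 2:off + 8])
        off += opt_len * 8        # option length is in units of 8 octets
    return msg_type, target, lladdr


class DadAnswerMonitor:
    """Counts, per advertised MAC, how many distinct DAD targets it has claimed."""

    def __init__(self, threshold=2):
        self.threshold = threshold
        self.pending_dad = set()             # targets seen in DAD NS (source ::)
        self.claimed = defaultdict(set)      # MAC -> set of DAD targets it answered

    def observe(self, src_ip, body):
        msg_type, target, lladdr = parse_nd(body)
        if msg_type == ICMPV6_NS and ipaddress.IPv6Address(src_ip) == UNSPECIFIED:
            self.pending_dad.add(target)
        elif msg_type == ICMPV6_NA and lladdr and target in self.pending_dad:
            self.claimed[lladdr].add(target)

    def suspects(self):
        return {mac for mac, targets in self.claimed.items()
                if len(targets) > self.threshold}


def sample_stream():
    """Constructed traffic: A1..A3 run DAD and MAC C "defends" all three; host D
    legitimately defends its own A4; B answers a normal (non-DAD) NS for B."""
    mac_b, mac_c, mac_d = "00:00:00:00:00:0b", "00:00:00:00:00:0c", "00:00:00:00:00:0d"
    ev = []
    for tgt in ("2001:db8::a1", "2001:db8::a2", "2001:db8::a3"):
        ev.append(("::", build_nd(ICMPV6_NS, tgt)))                          # DAD probe
        ev.append(("fe80::c", build_nd(ICMPV6_NA, tgt, mac_c, 0x20000000)))  # "it's mine!"
    ev.append(("::", build_nd(ICMPV6_NS, "2001:db8::a4")))
    ev.append(("fe80::d", build_nd(ICMPV6_NA, "2001:db8::a4", mac_d, 0x20000000)))
    ev.append(("2001:db8::a", build_nd(ICMPV6_NS, "2001:db8::b")))           # ordinary resolution
    ev.append(("2001:db8::b", build_nd(ICMPV6_NA, "2001:db8::b", mac_b, 0x60000000)))
    return ev


def run(threshold=2):
    mon = DadAnswerMonitor(threshold)
    for src, body in sample_stream():
        mon.observe(src, body)
    return mon.suspects()


if __name__ == "__main__":
    print("suspect DAD responders:", run())
```

Keying on the advertised link-layer address catches the answer-everything pattern shown on the slide; the "what if" variant that spoofs the victim's own MAC per target is not distinguishable this way, which is why the later slides move enforcement to an L2 binding table rather than relying on host-side heuristics.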

13 IPv6 Neighbor Discovery: finding B's Ethernet address. Lets a node learn the Ethernet address of a neighbour from its IPv6 address. Creates an entry in the neighbor cache. Keeps the entry current (NUD / updates). Updates are handled "Last Come, First Serve" (LCFS). NS: ICMP type = 135 (Neighbor Solicitation), Dst = Solicited-node multicast address of B, target = B. Query = what is B's link-layer address? NA: ICMP type = 136 (Neighbor Advertisement), Src = one of B's I/F addresses, Dst = A, target = B, Option = Target link-layer address (MAC B). Neighbor cache on A: B -> MAC B. [figure: nodes A, B, C on one link]

14 Protocol vulnerability: address theft. Address resolution flow as on the previous slide, then an unsolicited NA from C: Src = B, Target = B, Dst = all-nodes, Option = MAC C. A's neighbor cache entry for B now points to MAC C instead of MAC B. Attack tool: Parasite6: answers all NS, claiming to be all systems in the LAN...

15 Protection: address tracking at L2. [figure: DHCP server and hosts H1, H2, H3 behind a switch building a binding table] Frames observed: DAD NS [IP source=UNSPEC, target=A1, SMAC=MAC H1]; REQUEST [XID, SMAC=MAC H2]; REPLY [XID, IP A21, IP A22]; data [IP source=A3, SMAC=MAC H3]; NA [IP source=A3, LLA=MAC H3]; DAD NS [IP source=UNSPEC, target=A3].
Binding table:
  ADDR   MAC      VLAN   IF
  A1     MAC H1   100    P1
  A21    MAC H2   100    P2
  A22    MAC H2   100    P2
  A3     MAC H3   100    P3
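Slides 13 and 14 show why a plain host neighbor cache is exposed (updates are last-come-first-serve, so an unsolicited NA simply overwrites the entry), and slide 15 shows the countermeasure: the first hop learns address-to-MAC bindings from DAD NS, DHCPv6 and data frames and refuses later claims of a bound address from another MAC. The code below is an added example and not Cisco's implementation; it replays the slide's frames as constructed Python events with made-up addresses, MACs and an XID, applies a deliberately simplified first-claim-wins binding policy (an assumption; the real WLC/IOS binding table has its own preference rules), and contrasts the guarded host with one whose cache is updated LCFS.

```python
"""Binding-table enforcement at L2 versus a host's last-come-first-serve
neighbor cache (added example; constructed events, not Cisco code).

Events are dicts standing in for the frames on slide 15. The binding policy is a
simplified first-claim-wins model, assumed for illustration only.
"""


class NeighborCache:
    """Plain ND neighbor cache on a host: updates are Last Come, First Serve,
    so an unsolicited NA for an address simply overwrites the cached MAC."""

    def __init__(self):
        self.entries = {}

    def on_na(self, target, lladdr):
        self.entries[target] = lladdr

    def lookup(self, addr):
        return self.entries.get(addr)


class BindingTable:
    """Tracks IPv6 address -> (MAC, VLAN, interface) on the first hop.

    Bindings are learned from DAD NS (source UNSPEC, target = claimed address),
    DHCPv6 REPLY (addresses tied to the REQUEST's MAC via the XID) and data
    frames. A later NA or data frame using a bound address from a different MAC
    is recorded in `denied` and not honoured."""

    def __init__(self):
        self.bindings = {}     # addr -> (mac, vlan, port)
        self.pending_xid = {}  # DHCPv6 XID -> (mac, vlan, port) of the requester
        self.denied = []       # (addr, offending mac)

    def _bind(self, addr, mac, vlan, port):
        current = self.bindings.get(addr)
        if current is not None and current[0] != mac:
            self.denied.append((addr, mac))
            return False
        self.bindings[addr] = (mac, vlan, port)
        return True

    def process(self, ev):
        kind = ev["type"]
        if kind == "DAD_NS":
            return self._bind(ev["target"], ev["smac"], ev["vlan"], ev["port"])
        if kind == "DHCP_REQUEST":
            self.pending_xid[ev["xid"]] = (ev["smac"], ev["vlan"], ev["port"])
            return True
        if kind == "DHCP_REPLY":
            requester = self.pending_xid.pop(ev["xid"], None)
            if requester is None:          # reply with no matching request: ignore
                return False
            results = [self._bind(a, *requester) for a in ev["addrs"]]
            return all(results)
        if kind == "NA":                   # advertised address must match its binding
            return self._bind(ev["src"], ev["lladdr"], ev["vlan"], ev["port"])
        if kind == "DATA":
            return self._bind(ev["src"], ev["smac"], ev["vlan"], ev["port"])
        raise ValueError(f"unknown event type {kind}")


# Constructed placeholders for the slide's A1, A21, A22, A3 and MAC H1..H3, MAC C.
A1, A21, A22, A3 = "2001:db8::a1", "2001:db8::a21", "2001:db8::a22", "2001:db8::a3"
MAC_H1, MAC_H2, MAC_H3 = "00:00:00:00:00:11", "00:00:00:00:00:22", "00:00:00:00:00:33"
MAC_C = "00:00:00:00:00:cc"


def slide_events():
    """Constructed replay of the slide's frames, followed by one spoofed
    unsolicited NA from MAC C claiming H1's address (slide 14's pattern)."""
    return [
        {"type": "DAD_NS", "target": A1, "smac": MAC_H1, "vlan": 100, "port": "P1"},
        {"type": "DHCP_REQUEST", "xid": 0x1234, "smac": MAC_H2, "vlan": 100, "port": "P2"},
        {"type": "DHCP_REPLY", "xid": 0x1234, "addrs": [A21, A22]},
        {"type": "DATA", "src": A3, "smac": MAC_H3, "vlan": 100, "port": "P3"},
        {"type": "NA", "src": A3, "lladdr": MAC_H3, "vlan": 100, "port": "P3"},
        {"type": "DAD_NS", "target": A3, "smac": MAC_H3, "vlan": 100, "port": "P3"},
        {"type": "NA", "src": A1, "lladdr": MAC_C, "vlan": 100, "port": "P9"},
    ]


def run():
    """Return (binding table, cache of a guarded host, cache of an unguarded host)."""
    table = BindingTable()
    guarded = NeighborCache()        # host whose link only forwards validated NAs
    unguarded = NeighborCache()      # host on a link with no L2 enforcement
    for ev in slide_events():
        accepted = table.process(ev)
        if ev["type"] == "NA":
            unguarded.on_na(ev["src"], ev["lladdr"])
            if accepted:
                guarded.on_na(ev["src"], ev["lladdr"])
    return table, guarded, unguarded


if __name__ == "__main__":
    table, guarded, unguarded = run()
    print("denied:", table.denied)
    print("guarded cache A1:", guarded.lookup(A1), "unguarded cache A1:", unguarded.lookup(A1))
```

The table ends up with the four bindings drawn on the slide, the spoofed NA for A1 lands in `denied`, and only the unguarded host's cache is poisoned with MAC C.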

16 WLC 7.2 - FHS source-guard. [figure]

17 Neighbor Binding table in 7.3: default settings. [figure]

18 Demo: iPhone & Source Guard

19 In conclusion. IPv6 on WiFi requires attention to multicast traffic. RA Guard + Source Guard are necessary in any IPv6 network.


