
IPv6 Security Webinar Information

community Employee
Employee
Posts: 73

Are you looking for information on the September 19th IPv6 Security Webinar, or do you have a question from the presentation? If so, we invite you to interact, ask questions, and request additional information from our Infoblox experts, who are monitoring this thread!

We had a very successful webcast, with a significant number of questions submitted. We are going to post 2-3 questions at a time and let the Center of Excellence Team answer. We'll continue to post additional questions throughout the next few days to ensure all of the submissions are covered. If you have questions, feel free to post them here as a comment.

Here's the first set of questions submitted:

  1. In what circumstance would you need to allow ICMPv6 Redirects on the LAN?
  2. What about spanning ports for packet capture? Will the IPsec security attached to IPv6 cause an issue?
  3. How should you manage management networks? Is the best way to do it like an IPv4 network?

Re: IPv6 Security Webinar

user42
Techie
Posts: 35
Given the size of a /64 and what that entails for broadcast domains, what are some best practices for allocating host addresses?

Re: IPv6 Security Webinar

MLampo
Techie
Posts: 2
During the webinar, only the BGP approach to multi-ISP was touched on (with PI address space). Can you share some thoughts on multi-ISP without BGP, with PA address space? Thanks!

Re: IPv6 Security Webinar

MLampo
Techie
Posts: 2
Not a positive answer, in the sense of best practices, but at least some things to avoid (for address allocation in a DMZ, i.e. publicly visible).

Administrators tend to use easy-to-remember addresses, but by doing so IPv6 addresses tend to become predictable. I'd recommend avoiding this.

As an example, I investigated how AAAA records in the root zone are predictable (I know, they are published anyway, but they illustrate some principles that make scanning feasible again).

cf. http://www.lampo-netsec.eu/examples/ipv6/ipv6-address-predictability.htm

Kind regards,
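
The point about predictable addresses can be turned into a quick audit. The following is an added example, not code from the thread or from the linked page: it classifies the interface identifier (the low 64 bits) of each address by the pattern it follows and attaches a rough search-space estimate in bits. The pattern names, the list of "memorable" hex words and the bit estimates are assumptions chosen for illustration (the EUI-64 estimate assumes the attacker already knows the vendor OUI); the addresses in the audit list are constructed documentation-prefix examples.

```python
import ipaddress

# Hex "words" that show up in hand-picked addresses (constructed list; extend it
# with whatever your own administrators favour).
MEMORABLE = ("dead", "beef", "cafe", "babe", "face", "f00d", "c0de", "feed", "1337")

# Approximate size of the space an attacker must scan for each pattern, in bits.
# Assumptions for illustration only: EUI-64 assumes a known OUI, embedded-IPv4
# assumes nothing is known about the IPv4 plan (in practice far fewer bits).
SEARCH_BITS = {
    "low-byte": 16, "wordy": 16, "eui64": 24,
    "embedded-ipv4": 32, "isatap": 32, "low-value": 32,
    "random": 64,
}


def classify_iid(addr: str) -> str:
    """Name the pattern behind the interface identifier of `addr`."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    groups = [(iid >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    hexgroups = [f"{g:x}" for g in groups]

    # Modified EUI-64 (RFC 4291 App. A): 0xff 0xfe sits between OUI and serial.
    if raw[3:5] == b"\xff\xfe":
        return "eui64"
    # ISATAP (RFC 5214): IID is 0000:5efe:<IPv4> or 0200:5efe:<IPv4>.
    if raw[0:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"
    # Hex words such as ::dead:beef.
    if any(h in MEMORABLE for h in hexgroups):
        return "wordy"
    # Only the last group used, e.g. ::1, ::53.
    if iid < 1 << 16:
        return "low-byte"
    # IPv4 typed into the last four groups, e.g. ::192:168:1:1 (each group reads
    # as a decimal octet and the first one is non-zero).
    if groups[0] != 0 and all(h.isdigit() and int(h) <= 255 for h in hexgroups):
        return "embedded-ipv4"
    # Small counter or IPv4 written in hex, e.g. ::c0a8:101.
    if iid < 1 << 32:
        return "low-value"
    return "random"


def is_predictable(addr: str) -> bool:
    return classify_iid(addr) != "random"


def search_bits(addr: str) -> int:
    return SEARCH_BITS[classify_iid(addr)]


def rank_by_guessability(addrs):
    """Return (address, pattern, bits) tuples, easiest to find first."""
    rows = [(a, classify_iid(a), search_bits(a)) for a in addrs]
    return sorted(rows, key=lambda r: r[2])


# Constructed DMZ inventory in the documentation prefix.
DMZ_HOSTS = [
    "2001:db8::1",                     # low-byte
    "2001:db8::dead:beef",             # wordy
    "2001:db8::192:168:1:1",           # embedded-ipv4
    "2001:db8::5efe:c0a8:101",         # isatap
    "2001:db8::211:22ff:fe33:4455",    # eui64
    "2001:db8::9f3a:4c1b:7e2d:61a8",   # random (RFC 4941/7217 style)
]

if __name__ == "__main__":
    for addr, pattern, bits in rank_by_guessability(DMZ_HOSTS):
        print(f"{addr:36} {pattern:14} ~2^{bits} candidates")
```

Anything that does not come out as "random" is worth a second look when the host is reachable from the Internet; the ranking tells you which of your own addresses an attacker would find first.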

Re: IPv6 Security Webinar

user42
Techie
Posts: 35
Was this webinar recorded, and will there be a published link to the recording?

Re: IPv6 Security Webinar

tcoffeen
Techie
Posts: 76

Thanks for the question. I've always viewed multihoming as a means to redundancy and route optimization. Without BGP, though, either of those goals would require manual intervention through static routing or renumbering to accomplish (whether in IPv4 or IPv6).

Re: IPv6 Security Webinar

tcoffeen
Techie
Posts: 76

Thanks for the questions!

1. From my perspective, in most LAN networks it's unlikely that you would have more than one router or gateway dynamically available. ICMPv6 redirects could be used by one router to point traffic from hosts to a different gateway. This wouldn't seem to be a common requirement and would actually likely be seen as a security risk to allow such behavior. Best then to disable ICMPv6 redirects.

2. The IPsec included in the IPv6 standard isn't widely utilized and is largely unavailable as a configurable feature. Thus, the effectiveness of packet capture for IPv6 isn't typically different than in IPv4. This may of course change over time as more applications leverage the IPsec built into IPv6.

3. Network management isn't conceptually different in IPv6. The challenge is making sure that the hardware and software you're currently relying on to manage your IPv4 network supports IPv6 for critical features. IPv4/IPv6 feature parity can always be a problem, so make sure that any new hardware or software you're purchasing for network management supports IPv6 for all the features you require. Where a feature is critical (or a vendor is equivocal), get evaluation gear and test it.

Re: IPv6 Security Webinar

community Employee
Employee
Posts: 73

Here's the next set of questions. We have quite a few we'll be adding, so please check back over the next few days if your question isn't posted.

  1. What is the recommended tunnel method that provides the most secure method?
  2. Does IPv6 multicast require a rendezvous point for distribution?
  3. Who/which organization determines which prefixes should be filtered using a bogon list?
  4. Are there any best practice examples for disabling IPv6 tunneling or perhaps terminating IPv6 tunnels on your local network?
  5. Will 802.1X authentication on your network prevent people from being able to sniff for neighbor solicitations?

Re: IPv6 Security Webinar

tcoffeen
Techie
Posts: 76

Good questions! I hope these answers shed some light on them!

1. You may have the option of encrypting either the tunneled traffic or the tunneling protocol itself (though for reasons of performance vs. additional security it makes little sense to encrypt both). The encryption method chosen, and the resulting degree of security, will depend on the capabilities of the device terminating the tunnel.

2. As Paul mentioned during the webinar, it's important to distinguish between the multicast used in IPv6 that is restricted to the local segment for Neighbor Discovery, etc., and IPv6 multicast routing protocols like PIM that usually extend across LANs and WANs. As such, the RP is a component of the PIM protocol in IPv4 and is not used in IPv6 PIM.

3. There is no official agency responsible for keeping bogon information up to date, but the non-profit Internet security organization Team Cymru maintains lists of bogons for both IPv4 and IPv6.

4. The method for disabling (or enabling) IPv6 tunneling on a given host depends, of course, on the host OS type and version. I don't know of a single resource that covers all possibilities, but individual examples for a given host OS type and version are easy to find via a web search.

5. I don't think so, since the authenticator and supplicant in 802.1X rely on EAPOL, which itself relies on layer 3 for communication. Thus, Neighbor Discovery (and Solicitation) could still occur on a local segment without any limitation on the sniffing of any ND traffic on that segment.

Tom
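
As a companion to answer 3 above, here is an added example (not code from the thread, from Infoblox or from Team Cymru) of what a bogon check looks like in practice. The prefix list is a constructed subset of the RFC special-purpose prefixes; it is not the Team Cymru fullbogons feed, which also tracks unallocated space inside 2000::/3 and changes over time, so the feed (or the IANA special-purpose registry) should be the operational source. Treating everything outside 2000::/3 as a bogon follows the usual fullbogons practice; the NAT64 exception, the internal prefix 2001:abc::/32 and the IOS-style ACL syntax are assumptions for illustration.

```python
import ipaddress

# Constructed subset of IPv6 special-purpose prefixes (RFC 4291, RFC 6890 and
# successors). Replace with the live Team Cymru fullbogons feed in production.
SPECIAL = [(ipaddress.IPv6Network(n), why) for n, why in [
    ("::/128",         "unspecified"),
    ("::1/128",        "loopback"),
    ("::ffff:0:0/96",  "IPv4-mapped"),
    ("100::/64",       "discard-only"),
    ("2001:db8::/32",  "documentation"),
    ("2001:10::/28",   "ORCHID (deprecated)"),
    ("fc00::/7",       "unique local"),
    ("fe80::/10",      "link-local"),
    ("fec0::/10",      "site-local (deprecated)"),
    ("ff00::/8",       "multicast"),
]]

# IANA has only allocated global unicast space from 2000::/3.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Prefixes outside 2000::/3 that are legitimate on this network.
# Assumption: NAT64 with the well-known prefix is in use; drop this if it is not.
EXCEPTIONS = [ipaddress.IPv6Network("64:ff9b::/96")]


def bogon_reason(addr: str):
    """Return why `addr` is a bogon, or None if it is a plausible source."""
    a = ipaddress.IPv6Address(addr)
    for net, why in SPECIAL:
        if a in net:
            return why
    if any(a in net for net in EXCEPTIONS):
        return None
    if a not in GLOBAL_UNICAST:
        return "outside IANA global unicast (2000::/3)"
    return None


def ingress_verdict(src: str, our_prefixes) -> str:
    """Verdict for a packet arriving from the Internet with source `src`.
    Bogon sources and sources claiming one of our own prefixes are dropped
    (the latter is ordinary anti-spoofing, not a bogon in the strict sense)."""
    why = bogon_reason(src)
    if why:
        return f"drop: bogon source ({why})"
    a = ipaddress.IPv6Address(src)
    for p in our_prefixes:
        if a in ipaddress.IPv6Network(p):
            return f"drop: spoofed internal prefix {p}"
    return "allow"


def to_acl_lines(our_prefixes=()):
    """Render the same policy as IOS-style ACL lines (syntax is an assumption;
    check it against your platform). Order matters: denies first, then the
    exceptions, then global unicast; everything else hits the implicit deny."""
    lines = [f"deny ipv6 {net} any" for net, _ in SPECIAL]
    lines += [f"deny ipv6 {p} any" for p in our_prefixes]
    lines += [f"permit ipv6 {net} any" for net in EXCEPTIONS]
    lines.append(f"permit ipv6 {GLOBAL_UNICAST} any")
    return lines


if __name__ == "__main__":
    OUR = ["2001:abc::/32"]  # hypothetical internal allocation
    for src in ["2001:db8::1", "fd12:3456::1", "4000::1", "64:ff9b::c000:201",
                "2001:abc::7", "2a01:4f8::1"]:
        print(f"{src:22} {ingress_verdict(src, OUR)}")
    print("\n".join(to_acl_lines(OUR)))
```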

Re: IPv6 Security Webinar

community Employee
Employee
Posts: 73

Here's another set of questions:

  1. How much do people use IPv6 addressing schemes that embed IPv4 addresses, to ease the automatic generation of IPv6 ACLs?
  2. Do many IPv6 products still not support stateful DHCP address assignment?
  3. Doesn't "no ipv6 unreachables" suppress things like ICMP packet too big?
  4. DHCP options in IPv6: are they the same as in IPv4? We use them many times, e.g. for connecting LWAPs to the wireless controller, or for voice VLAN options.
  5. How should you manage management networks? Is the best way to do it like an IPv4 network?
  6. Are there any security concerns related to NAT64? If so, what are they?

Re: IPv6 Security Webinar

tcoffeen
Techie
Posts: 76

Hmm, today I feel like answering odd-numbered questions only!

1. I think this was done more frequently in the early days of IPv6 adoption, when there was a desire to preserve architectural consistency for limited deployments of IPv6. In general, this method is *not* recommended. The main reason is that address planning is fundamentally different in IPv6 due to the tremendous abundance of available addresses. Address plans in IPv6 are built around increasing operational efficiency and network scalability by defining groups of subnets to assign to a location or function (compared to preserving IPv4 addresses by adjusting the size of subnet assignments based on host count). Any ease of ACL generation would be trivial compared to the operational efficiency and scalability sacrificed by such an approach.

3. No. "Destination unreachable" and "packet too big" are two different ICMPv6 message types (1 and 2 respectively).

5. I believe this question was already answered above (#7).

Tom
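
Two of Tom's answers in this thread come down to ICMPv6 type numbers: Redirects (type 137) should be dropped on a single-router LAN, and "packet too big" (type 2) is a different message from "destination unreachable" (type 1) and must stay open for PMTU discovery. The following is an added example, not code from the thread or from any vendor: a policy check over raw IPv6 packets that walks the extension-header chain, finds the ICMPv6 type, and returns a verdict from a type-number table. The policy table (single first-hop router, default-deny for unknown types, hop-limit 255 required for ND per RFC 4861) is an assumption to adapt to your own environment; the packets are constructed in-line with zero checksums and documentation-prefix addresses.

```python
import ipaddress
import struct

ICMPV6 = 58
EXT_VARIABLE = {0, 43, 60}  # Hop-by-Hop, Routing, Dest. Options: length in 8-octet units, excluding the first
EXT_FRAGMENT = 44           # Fragment header: fixed 8 octets

# Policy keyed by ICMPv6 type number (assumption: one first-hop router on the LAN).
# "nd" = allow only with hop limit 255, which RFC 4861 requires for ND messages.
POLICY = {
    1: "allow",    # Destination Unreachable
    2: "allow",    # Packet Too Big: needed for PMTUD, never block this one
    3: "allow",    # Time Exceeded
    4: "allow",    # Parameter Problem
    128: "allow",  # Echo Request
    129: "allow",  # Echo Reply
    133: "nd", 134: "nd", 135: "nd", 136: "nd",  # RS, RA, NS, NA
    137: "drop",   # Redirect: nothing on this LAN legitimately sends one
}


def parse_ipv6(pkt: bytes):
    """Return (src, dst, hop_limit, upper_proto, upper_payload) after skipping
    extension headers. Raises ValueError on anything truncated."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, hop = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off = 40
    while nxt in EXT_VARIABLE or nxt == EXT_FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = 8 if nxt == EXT_FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt = pkt[off]          # next-header field is always the first octet
        off += hdr_len
    return src, dst, hop, nxt, pkt[off:]


def icmpv6_verdict(pkt: bytes) -> str:
    src, dst, hop, proto, payload = parse_ipv6(pkt)
    if proto != ICMPV6:
        return "not-icmpv6"
    if len(payload) < 4:
        return "drop"           # no room for type, code and checksum
    action = POLICY.get(payload[0], "drop")   # default-deny unknown types
    if action == "nd":
        return "allow" if hop == 255 else "drop"   # forwarded or forged ND
    return action


# --- constructed test packets -------------------------------------------------

def build_ipv6(src, dst, hop_limit, payload, ext=b"", first_header=ICMPV6):
    hdr = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext + payload


def icmpv6(msg_type, code=0, body=b""):
    return struct.pack("!BBH", msg_type, code, 0) + body   # checksum left at 0 (constructed)


# Hop-by-Hop header: next header 58, length 0 (= 8 octets), PadN option of 4 octets.
HBH_TO_ICMP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])

SAMPLES = {
    "ptb":          build_ipv6("2001:db8:1::1", "2001:db8:2::5", 64, icmpv6(2, 0, struct.pack("!I", 1280))),
    "unreachable":  build_ipv6("2001:db8:1::1", "2001:db8:2::5", 64, icmpv6(1, 3)),
    "ra_ok":        build_ipv6("fe80::1", "ff02::1", 255, icmpv6(134)),
    "ra_forwarded": build_ipv6("fe80::1", "ff02::1", 64, icmpv6(134)),
    "redirect":     build_ipv6("fe80::1", "2001:db8:2::5", 255, icmpv6(137)),
    "redirect_hbh": build_ipv6("fe80::1", "2001:db8:2::5", 255, icmpv6(137), ext=HBH_TO_ICMP, first_header=0),
    "unknown_type": build_ipv6("2001:db8:1::1", "2001:db8:2::5", 64, icmpv6(200)),
    "tcp":          build_ipv6("2001:db8:1::1", "2001:db8:2::5", 64, b"\x00\x50" * 10, first_header=6),
}


def audit(samples=SAMPLES):
    return {name: icmpv6_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14} {verdict}")
```

The "redirect_hbh" case is why the parser walks extension headers instead of reading byte 40 directly: a Redirect tucked behind a Hop-by-Hop header is still type 137 and still gets dropped, while a filter that only looks at the fixed header would wave it through as "not ICMPv6".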

Re: IPv6 Security Webinar

community Employee
Employee
Posts: 73

Hi all,

We're nearing the end of the questions submitted during the webinar. If you have additional questions, feel free to post here, or simply continue to follow along as Tom and the CoE Team provide some clarity on the questions you posted.

  1. What is the timeframe for eliminating IPv4?
  2. A /64 at Layer 3 is a large number of potential hosts at Layer 2. I have not been able to find any recommendations on the maximum number of Ethernet hosts per IPv6 subnet. Do you have any suggestions on best practices?
  3. Are there any security concerns related to NAT64, and what are they?
  4. Do we have special means of ACLs for anycast?
  5. MD5 security is not supported on OSPFv3. What kind of authentication is supported on OSPFv3?
  6. Do many IPv6 products still not support stateful DHCP address assignment?