Advanced IPv6 Security: Securing Link-Operations at the First Hop
2 Advanced IPv6 Security: Securing Link-Operations at the First Hop
ERIC LEVY-ABEGNOLI

3 Quick overview on the Layer 2 domain & IPv6
Some definitions
- Layer 2 domain: same broadcast domain = link = vlan
- Nodes: hosts, routers, switches, access points
- Link operations: operations between nodes on the shared link
- Security perimeter: draw a line between trusted and untrusted devices
- First hop: first trusted device inside the security perimeter
What is specific to IPv6 on a link?
- More addresses!
  - More hosts allowed on the link (up to 2^64!). Results in much bigger links
  - More states (neighbor cache, etc.) on hosts, routers and switches: creates new opportunities for DoS attacks
- And protocols
  - IPv6 link operations protocol is Neighbor Discovery
  - More distributed and more autonomous operations
  - Nodes discover their default router automatically
  - Nodes auto-configure their addresses
  - Nodes defend themselves (SeND)

4 Abstract summary and pre-requisite
- This session focuses on IPv6 security within the Layer 2 domain
- It focuses on 4 cases: Router theft, Address theft, Address spoofing and Remote address resolution cache exhaustion
- It discusses the role of the First Hop, more often than not a Layer 2/3 switch
- It introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.
- Requirements: knowledge of IPv6 and IPv6 Neighbor Discovery
Related recommended sessions:
- BRKSEC IPv6 Security Threats and Mitigations
- TECSEC IPv6 Security
- BRKRST Enterprise IPv6 Deployment

5 Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
- Use Case #2: Address theft
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion

7 Is Bigger better? More secure?

8 How about newer?
- Sometimes, newer means better and more secure
- Sometimes, experience IS better and safer!

9 Fundamentals On Neighbor Discovery
Defined in:
- RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)
- RFC 4862 IPv6 Stateless Address Auto-configuration
- RFC 3971 Secure Neighbor Discovery
- etc.
Used for:
- Router discovery
- IPv6 Stateless Address Auto Configuration (SLAAC)
- IPv6 address resolution (replaces ARP)
- Neighbor Unreachability Detection (NUD)
- Duplicate Address Detection (DAD)
- Redirection
Operates above ICMPv6
- Relies heavily on (link-local scope) multicast, combined with Layer 2 Multicast
- Works with ICMP messages and message options

10 Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
  - Target deployment model
  - Vulnerability scope
  - Protocols: operations and vulnerabilities
  - Mitigation solutions
  - Remaining vulnerabilities
- Use Case #2: Address ownership
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion

11 Router Theft - Target deployment model
- Attacker goal is to become the primary link's default router
- Hosts, routers and attacker reside on a shared Layer 2 domain
- Hosts discover their IPv6 default router with IPv6 ND
- Attacker can be a plain PC, running simple (publicly available) attack tools. Or it can be a careless user

12 Router Theft - Vulnerability scope

13 Router Theft - Router Discovery protocol
- Discover default/first hop routers
- Discover on-link prefixes
[Diagram: host A and router B]
RS (sent by A):
  ICMP Type = 133 (Router Solicitation)
  Src = Host link-local address
  Dst = All-routers multicast address (FF02::2)
  Query = please send RA
RA (sent by B):
  ICMP Type = 134 (Router Advertisement)
  Src = Router link-local address
  Dst = All-nodes multicast address (FF02::1)
  Data = router lifetime, preference=medium
  Option = Prefix X,Y,Z, lifetime
A: Use B as default gateway

14 Router Theft - Router Discovery protocol cont'd
Stateless Address Auto-Configuration, based on prefix information delivered in Router Advertisement
RS (sent by the host):
  ICMP Type = 133 (Router Solicitation)
  Src = Host link-local address
  Dst = All-routers multicast address (FF02::2)
  Query = please send RA
RA (sent by the router):
  ICMP Type = 134 (Router Advertisement)
  Src = Router link-local address
  Dst = All-nodes multicast address (FF02::1)
  Data = router lifetime, preference=medium
  Options = Prefix X,Y,Z, lifetime
Host: computes X::x, Y::y, Z::z and DAD them (NS)
Host: source traffic with X::x, Y::y, Z::z

15 Router Theft - Vulnerability #1
- Attacker tricks victim into accepting itself as default router
- Based on rogue Router Advertisements
- The most frequent threat by non-malicious user
- Many variants: preference, timing, final RA, etc.
[Diagram: host A, router B, attacker C]
RA (sent by C):
  Src = C's link-local address
  Dst = All-nodes
  Data = preference=high
  Options = subnet prefix, slla
Node A sending off-link traffic to C

16 Router Theft - Vulnerability #2
- Attacker spoofs Router Advertisement with false on-link prefix
- Victim generates (topology-bogus) IP address with this prefix
- Access router drops outgoing packets from victim (ingress filtering)
- Or return path is broken
[Diagram: host A, router B, attacker C]
RA (sent by C):
  Src = B's link-local address
  Dst = All-nodes
  Options = prefix BAD
A: Autoconf BAD::A and DAD it
Node A sourcing off-link traffic via B with BAD::A
B filters out BAD::A OR NOT

17 Router Theft - Mitigations
Where: What
- Routers: Increase legal router preference
- Hosts: Disable Stateless Address Autoconfiguration
- Routers & Hosts: SeND Router Authorization
- Switch (First Hop): Host isolation
- Switch (First Hop): Port Access Lists (PACL)
- Switch (First Hop): RA Guard

18 Router Theft Mitigation: Router Authorization overview
Objectives for (SeND) Router authorization:
- Secure default router election on hosts
- Authorize routers to advertise certain prefixes
Protocol overview
- SeND is just an extension to Neighbor Discovery Protocol, NOT a new protocol
- SeND secures ND operations, not the end-to-end communication
- It provides Router Authorization and proof of Address Ownership
- SeND is specified in RFC 3971 & RFC 3972
- Router identity is the IPv6 source (cryptographic) address of RAs
- This address is certified in a certificate delivered by a Certificate Authority (CA)

19 Router Theft Mitigation: Router Authorization overview cont'd
[Diagram: Certificate Authority CA0, host, Router R. Steps shown:]
- provision: Certificate Authority certificate C0 to the host
- Router certificate request
- provision: Router certificate CR to Router R
- ROUTER ADVERTISEMENT (SRC = R)
- Certificate Path Solicit (CPS): I trust CA0, who are you R?
- Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0
- Verify CR against CA0
- Insert R as default route

20 Router Theft Mitigation: SeND Deployment Challenges
[Diagram: ADMINISTRATIVE BOUNDARY around CA, Host, Router; further CAs, Host and Router outside]
- To benefit fully from SeND, nodes must be provisioned with CA certificate(s)
- A chain of trust is easy to establish within the administrative boundaries, but very hard outside
- It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)

21 Router Theft Mitigation: Host Isolation
Prevent Node-Node Layer-2 communication by using:
- Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
- WLAN in AP Isolation Mode
- one VLAN per host (SP access network with Broadband Network Gateway)
Link-local multicast (RA, DHCP request, etc.) sent only to the local official router: no harm
But Duplicate Address Detection does not work anymore...
[Diagram labels: Promiscuous Port, Isolated Port, RA]

22 Router Theft Mitigation: RA Guard (RFC 6105)
Port ACL: blocks all ICMPv6 RA from hosts

    interface FastEthernet0/2
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port

RA-guard lite: pre-programmed ACL

    interface FastEthernet0/2
     ipv6 nd raguard
     access-group mode prefer port

RA-guard: deep RA packet inspection

    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    vlan configuration 100
     ipv6 nd raguard attach-policy HOST vlan 100
    interface FastEthernet0/0
     ipv6 nd raguard attach-policy ROUTER

[Diagram labels: Device-role router, Device-role host, RA]

23 Router Theft Mitigation: Security Perimeter & Device Role
[Diagram labels: HOST, RA, device-role=host, device-role=router, device-role=trusted switch, trusted-port]
RA deep inspection
- hop-limit
- M & O flag
- Router preference
- Source
- Prefix list
- CGA credentials

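The deep-inspection fields listed on this slide can be checked with a few lines of parsing. The sketch below is an added example, not code from the presentation or from any switch implementation; the `RaPolicy` object, its field names and the sample packets are hypothetical and constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PREF = {0b00: "medium", 0b01: "high", 0b11: "low"}   # RFC 4191 Prf bits
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class RaPolicy:                      # hypothetical policy object, not IOS syntax
    device_role: str                 # "host" or "router"
    min_hop_limit: int = 0           # lowest acceptable advertised Cur Hop Limit
    managed: Optional[bool] = None   # expected M flag, None = not checked
    other: Optional[bool] = None     # expected O flag, None = not checked
    max_preference: str = "high"
    sources: tuple = ()              # authorized router link-local addresses
    prefixes: tuple = ()             # authorized on-link prefixes

def parse_ra(icmp: bytes) -> dict:
    """Decode the fixed RA fields and every Prefix Information option."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "lifetime": lifetime, "prefixes": [],
          # the reserved Prf value 0b10 is treated as medium (RFC 4191)
          "preference": PREF.get((flags >> 3) & 0x3, "medium")}
    off = 16
    while off < len(icmp):
        olen = icmp[off + 1] * 8 if off + 2 <= len(icmp) else 0
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")
        if icmp[off] == 3 and olen == 32:             # Prefix Information option
            raw, plen = icmp[off + 16:off + 32], icmp[off + 2]
            ra["prefixes"].append(ipaddress.IPv6Network((raw, plen), strict=False))
        off += olen
    return ra

def inspect_ra(policy: RaPolicy, src: str, icmp: bytes):
    """Return (verdict, reason) for an RA received on a port carrying `policy`."""
    if policy.device_role == "host":
        return "drop", "RA on host-role port"
    try:
        ra = parse_ra(icmp)
    except ValueError as exc:
        return "drop", str(exc)
    source = ipaddress.IPv6Address(src)
    allowed = {ipaddress.IPv6Address(s) for s in policy.sources}
    nets = {ipaddress.IPv6Network(p) for p in policy.prefixes}
    checks = [
        (source.is_link_local, "source is not link-local"),
        (not allowed or source in allowed, "source not authorized"),
        (ra["hop_limit"] >= policy.min_hop_limit, "hop-limit below minimum"),
        (policy.managed in (None, ra["managed"]), "unexpected M flag"),
        (policy.other in (None, ra["other"]), "unexpected O flag"),
        (RANK[ra["preference"]] <= RANK[policy.max_preference],
         "router preference too high"),
        (not nets or all(p in nets for p in ra["prefixes"]), "prefix not authorized"),
    ]
    for ok, reason in checks:
        if not ok:
            return "drop", reason
    return "forward", "ok"

def build_sample_ra(prf_bits: int, prefix: str, hop_limit: int = 64) -> bytes:
    """Constructed RA for the demo; checksum left at 0, it is not inspected here."""
    net = ipaddress.IPv6Network(prefix)
    fixed = struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, prf_bits << 3, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return fixed + pio + net.network_address.packed

# Constructed policies and packets (documentation prefix, made-up addresses).
ROUTER_PORT = RaPolicy("router", min_hop_limit=64, max_preference="medium",
                       sources=("fe80::1",), prefixes=("2001:db8:100::/64",))
HOST_PORT = RaPolicy("host")
LEGIT = build_sample_ra(0b00, "2001:db8:100::/64")
ROGUE = build_sample_ra(0b01, "2001:db8:bad::/64")

if __name__ == "__main__":
    for name, port, src, ra in [("legit RA, router port", ROUTER_PORT, "fe80::1", LEGIT),
                                ("legit RA, host port", HOST_PORT, "fe80::1", LEGIT),
                                ("rogue RA, router port", ROUTER_PORT, "fe80::1", ROGUE)]:
        print(name, "->", inspect_ra(port, src, ra))
```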
24 General principles on FH command interface (For Your Reference)
Each FH feature provides a configuration mode to create and populate policies (+ one implicit default policy)

    ipv6 nd raguard policy host
     device-role host

Each FH feature provides commands to attach policies to targets: box, vlan, port

    vlan configuration 100
     ipv6 nd raguard attach-policy host
     ipv6 snooping
    interface e 0/0
     ipv6 nd raguard attach-policy router

Packets are processed by the lowest-level matching policy for each feature
- Packets received on e0/0 are processed by policy ra-guard router AND policy snooping default
- Packets received on any other port of vlan 100 are processed by policy ra-guard host AND policy snooping default

25 Configuration examples (For Your Reference)
Step 1: Configure policies. Step 2: Attach policies to target (Vlan or Port).

    ! Step 1
    ipv6 nd raguard policy HOST
     device-role host
    ! Step 2 (Vlan)
    vlan configuration
     ipv6 nd raguard attach-policy HOST

    ! Step 1
    ipv6 nd raguard policy ROUTER
     device-role router
    ! Step 2 (Port)
    interface Ethernet0/0
     ipv6 nd raguard attach-policy ROUTER

    ! Step 1
    ipv6 snooping policy NODE
     tracking enable
     limit address-count 10
     security-level guard
    ! Step 2 (Vlan)
    vlan configuration 100,101
     ipv6 snooping attach-policy NODE

    ! Step 1
    ipv6 snooping policy SERVER
     trusted-port
     tracking disable
     security-level glean
    ! Step 2 (Port)
    interface Ethernet1/0
     ipv6 snooping attach-policy SERVER

26 Router Theft Demo: topology
[Diagram: vlan 100 with HOST, ROUTER, PEER, SWITCH, VILLAIN, CAT, DUMB]

27 Router Theft Demo: Router Discovery, Theft & Mitigation
Regular operations
- ROUTER sends RAs
- HOST picks up ROUTER as default router and installs default route
- HOST goes via default route to reach PEER
Attack
- VILLAIN sends RA with higher preference. With prefix BAD::
- HOST (and DUMB) picks VILLAIN as default router
- HOST installs default route to VILLAIN and assigns addresses on BAD::
- HOST connects to CAT
Mitigation
- Increase preference on ROUTER: works but
- Enable SeND on ROUTER. HOST safe, not DUMB
- (FH) RA-guard

28 Router Theft - Here comes fragmentation
Problem
- RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
- Attackers can exploit that to evade RA guard by pushing ULP header (RA) into second fragment
- They can even use overlapping fragments to disguise RA into some other valid message
- RFC 3128 is not applicable to IPv6
- THC fake_router6 FD implements this attack which bypasses RA Guard
[Diagram]
  IPv6 hdr | HopByHop | Routing | Destination | Fragment1
  IPv6 hdr | HopByHop | Routing | ..Destination | Fragment2 | ICMP type=134
  ICMP header is in 2nd fragment, RA Guard has no clue where to find it!
Possible solutions
- block all fragments sent to ff02::1
- deny ipv6 any any undetermined-transport
- How about overlapping fragments? Forbidden: RFC
- Use a compliant host stack!

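The two filtering rules on this slide amount to walking the extension-header chain of each packet without reassembly and dropping whatever hides its upper-layer header. The following is an added sketch, not code from the presentation or from IOS; the verdict names and the sample packets (built inline, never sent) are constructed for illustration, and treating a first fragment with an incomplete chain as "undetermined transport" is this example's assumption about that keyword.

```python
import ipaddress
import struct

EXT_HEADERS = {0, 43, 60}            # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134
ALL_NODES = ipaddress.IPv6Address("ff02::1").packed

def walk_chain(packet: bytes) -> dict:
    """Follow the header chain of one packet, as a stateless filter would.

    frag_offset is None for unfragmented packets; upper stays None when the
    chain does not reach an upper-layer header inside this packet.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"dst": packet[24:40], "frag_offset": None, "upper": None, "upper_off": None}
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(packet):
            return info                        # the extension header itself is cut off
        if nxt == FRAGMENT:
            info["frag_offset"] = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            size = 8
        else:
            size = (packet[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
        nxt, off = packet[off], off + size
        if info["frag_offset"]:                # non-initial fragment: rest is opaque data
            return info
    if off < len(packet):
        info["upper"], info["upper_off"] = nxt, off
    return info

def ra_guard_verdict(packet: bytes, port_role: str = "host"):
    """Return (verdict, reason) for a packet arriving on a host or router port."""
    info = walk_chain(packet)
    if info["upper"] is None and info["frag_offset"] in (None, 0):
        return "drop", "undetermined transport"
    if info["frag_offset"] is not None and info["dst"] == ALL_NODES:
        return "drop", "fragment sent to ff02::1"
    if info["upper"] is None:
        return "forward", "non-initial fragment"
    is_ra = info["upper"] == ICMPV6 and packet[info["upper_off"]] == RA_TYPE
    if is_ra and port_role == "host":
        return "drop", "RA on host port"
    return "forward", "ok"

# --- constructed sample input (made-up addresses, zeroed payloads) ---
def ipv6(next_header: int, payload: bytes, dst: str) -> bytes:
    src = ipaddress.IPv6Address("fe80::c").packed
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return head + src + ipaddress.IPv6Address(dst).packed + payload

def frag_hdr(next_header: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), 0x1234)

DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])      # 8-byte header holding one PadN
SAMPLES = {
    "plain RA": ipv6(ICMPV6, bytes([RA_TYPE, 0]) + bytes(14), "ff02::1"),
    "first fragment, chain cut": ipv6(FRAGMENT, frag_hdr(60, 0, True) + DEST_OPTS, "fe80::a"),
    "later fragment to all-nodes": ipv6(FRAGMENT, frag_hdr(60, 1, False) + bytes(16), "ff02::1"),
    "later fragment to unicast": ipv6(FRAGMENT, frag_hdr(6, 1, False) + bytes(16), "2001:db8::5"),
    "first fragment, TCP visible": ipv6(FRAGMENT, frag_hdr(6, 0, True) + bytes(24), "2001:db8::5"),
    "echo request": ipv6(ICMPV6, bytes([128, 0]) + bytes(6), "fe80::a"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} -> {ra_guard_verdict(pkt)}")
```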
29 Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router discovery
- Use Case #2: Address theft
  - Target deployment model
  - Vulnerability scope
  - Protocols: operations and vulnerabilities
  - Mitigation solutions
  - Demo
  - Remaining vulnerabilities
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion

30 Address Theft - Target deployment model
- Hosts reside on a shared Layer 2 domain (same link)
- Hosts address assignment performed using SLAAC, DHCP or statically assigned
- Attacker is also on the link. Can be a plain desktop/laptop, running simple attack tools. Or it can be a careless user
- Attacker goal is to take over (steal) someone else's address to either source (bogus) traffic or hijack sessions
- Attacker can also perform a DoS attack by pretending to own the entire address space
- Vulnerability scope: the link (same as for Router discovery)

31 Address Theft - Address Resolution protocol
- When needed, it resolves the IP address into a MAC address
- Creates neighbor cache entry
- Maintains entry with NUD or upon receipt of any updated LLA
- Last Come, First Serve (LCFS): good for mobility, bad for security!
[Diagram: hosts A, B, C]
NS (sent by A):
  ICMP type = 135 (Neighbor Solicitation)
  Dst = Solicited-node multicast address of B
  target = B
  Query = what is B's Link-Layer Address?
NA (sent by B):
  ICMP type = 136 (Neighbor Advertisement)
  Src = one of B's I/F addresses, Dst = A
  target = B
  Option = Target link-layer address (MAC_B)
Neighbor cache on A: B -> MAC_B

32 Address Theft - Duplicate Address Resolution
- Verify address uniqueness before using it
- Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
- Probe neighbors to verify nobody claims the address
[Diagram: hosts A, B, C]
NS (sent by A):
  ICMP type = 135 (Neighbor Solicitation)
  Src = UNSPEC = 0::0
  Dst = Solicited-node multicast address of A
  target = A
  Query = Does anybody use A already?
Node A can start using address A

33 Address Theft - Vulnerability #1
- Attacker can claim victim's IP address
[Diagram: host A, victim B, attacker C; address resolution flow. A's neighbor cache entry for B changes from MAC_B to MAC_C]
(unsolicited) NA (sent by C):
  Src = B
  Target = B
  Dst = all-nodes
  Option = MAC_C
Attack Tool: Parasite6. Answer to all NS, claiming to be all systems in the LAN...

34 Address Theft - Vulnerability #2
- Attacker hacks any victim's DAD attempts
- Victim can't configure IP address and can't communicate
[Diagram: host A, attacker C]
NS (sent by A):
  Src = UNSPEC
  Dst = Solicited-node multicast address of A
  target = A
  Query = Does anybody use A already?
NA "it's mine!" (sent by C):
  Src = any of C's I/F addresses
  Dst = A
  target = A
  Option = link-layer address of C
From RFC : «If a is discovered the address cannot be assigned to the interface»
What If: Use MAC@ of the Node You Want to DoS and Claim Its
Attack Tool: Dos-new-IPv6
Mitigation in IOS: Configuring the IPv6 address as anycast disables DAD on the interface

35 Address theft mitigations
Where: What
- Routers & Hosts: configure static neighbor cache entries
- Routers & Hosts: Use CryptoGraphic Addresses (SeND CGA)
- Switch (First Hop): Host isolation
- Switch (First Hop): Address watch
  - Glean addresses in NDP and DHCP
  - Log bindings <address, port, MAC, vlan> for traceability
  - Establish and enforce rules for address ownership
  - Prevent address thefts
  - Limit number of bindings accepted per user (define "user")

36 Address Theft Mitigation: Address ownership proof
Objectives for Address ownership:
- Enable the ND message sender to provide proof of ownership of address and for the receiver to validate the proof
- Verify that the address is either the source of the ND message or the target for DAD messages (when source is UNSPEC)
- This is a SeND feature
Protocol overview
- Hosts (and routers) generate a pair of RSA keys
- The public key is hashed to create a Cryptographic address (CGA)
- The CGA address is signed by the private key
- Both the public key and signature are provided in ND messages
- Receivers must verify the signature and address/key consistency (address = hash(key))
- No key distribution required!

37 Address Theft Mitigation: Address ownership overview
[Diagram: the sender computes Address = Prefix + Interface-id, with Interface-id = hash(public key); it sends an ND message with Src = Address ("My address!") and SIGNs it; the receiver VERIFYs]

38 Address Theft Mitigation: SeND cont'd
SeND: Extending the 62 bits crypto barrier
- 62 bits is not considered a good protection against brute force
- Need to inject delay in the computation
- Need to make the computation able to evolve
[Flowchart, shown twice side by side: Generate keys pub and priv -> hash = SHA-1(pub+pfx) -> hash = hash[0..61] -> done. One side compares "hash = hash" and loops on NO, 2^62 attempts. Callout: Add tunable delay there!]

39 Address Theft Mitigation: SeND cont'd - The real thing (For Your Reference)
Inputs
- key: public key in DER format
- sec: security level
- col: collision count = {0}
Flowchart
- Generate random 16 bytes: mod
- Build message = mod, 0, 0, key
- hash = SHA-1(message)
- bits 0..16*sec of hash = 0? no: increment mod and build the message again (Delay is here!); yes: continue
- message = mod, prefix, col, key
- hash = SHA-1(message)
- Compute address: bytes 0-7 = prefix; bytes 8-15 = hash, bytes 0-7; bits = sec; bits 70, 71 = 0 ("u" and "g")
- Do DAD. No response: start using address. Duplicate: if col<2, increment col and rebuild the second message; otherwise report error

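The flowchart above maps directly onto a short generate/verify pair. This is an added sketch following RFC 3972, not code from the presentation: it covers only the address/key consistency check (the RSA signature that SeND also verifies is left out), stores sec in the three leftmost bits of the interface identifier as the RFC specifies, and uses a constructed placeholder byte string in place of a real DER public key.

```python
import hashlib
import ipaddress

def hash2_ok(modifier: bytes, key: bytes, sec: int) -> bool:
    """True when the 16*sec leftmost bits of SHA-1(mod | 9 zero bytes | key) are zero."""
    digest = hashlib.sha1(modifier + bytes(9) + key).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate_cga(prefix: str, key: bytes, sec: int, modifier: bytes, col: int = 0):
    """Return (address, CGA parameters, number of modifier increments).

    `modifier` is the 16-byte starting value (random in real use); `col` is
    raised by the caller after a DAD collision, at most to 2.
    """
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    mod, tries = int.from_bytes(modifier, "big"), 0
    while not hash2_ok(mod.to_bytes(16, "big"), key, sec):    # the tunable delay
        mod, tries = (mod + 1) % (1 << 128), tries + 1
    params = mod.to_bytes(16, "big") + pfx + bytes([col]) + key
    iid = bytearray(hashlib.sha1(params).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)     # sec in bits 0-2, "u" and "g" cleared
    return ipaddress.IPv6Address(pfx + bytes(iid)), params, tries

def verify_cga(address, params: bytes) -> bool:
    """Receiver side: check that `address` was derived from `params`."""
    addr = ipaddress.IPv6Address(address).packed
    if len(params) < 26:
        return False
    modifier, prefix, col, key = params[:16], params[16:24], params[24], params[25:]
    if col > 2 or prefix != addr[:8]:
        return False
    mask = 0x1CFFFFFFFFFFFFFF                 # ignore sec, "u" and "g" bits
    hash1 = int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    if (hash1 & mask) != (int.from_bytes(addr[8:], "big") & mask):
        return False
    return hash2_ok(modifier, key, addr[8] >> 5)   # sec is read from the address

# Constructed inputs: documentation prefix, placeholder "key", fixed modifier
# so the run is reproducible.
PREFIX = "2001:db8:100::/64"
KEY = b"constructed-placeholder-standing-in-for-a-DER-public-key"
MODIFIER = bytes(range(16))

if __name__ == "__main__":
    addr, params, tries = generate_cga(PREFIX, KEY, 1, MODIFIER)
    print("address:", addr, "after", tries, "modifier increments")
    print("owner verifies:", verify_cga(addr, params))
    forged = params[:25] + b"another-key-claiming-the-same-address"
    print("other key verifies:", verify_cga(addr, forged))
```

With sec=1 the loop needs about 2^16 SHA-1 computations on average, and each further sec step multiplies that by 2^16.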
40 Address Theft Mitigation: Address Glean at the First Hop
Binding table

    ADR   MAC      VLAN  IF   Preference
    A1    MAC_H1   100   P1   X
    A21   MAC_H2   100   P2   Y
    A22   MAC_H2   100   P2   Y
    A3    MAC_H3   100   P3   Z

[Diagram: hosts H1, H2, H3, first-hop switch, DHCP server]
- H1: DAD NS [IP source=unspec, target=A1, SMAC=MAC_H1]
- H2: REQUEST [XID, SMAC=MAC_H2]; DHCP server: REPLY [XID, IPA21, IPA22]
- H3: data [IP source=A3, SMAC=MAC_H3]
  - DAD NS [IP source=unspec, target=A3]
  - NA [IP source=A3, LLA=MAC_H3]
  - DHCP LEASEQUERY
  - DHCP LEASEQUERY_REPLY

41 Address Theft Mitigation: Address Watch at the First Hop
[Diagram: host -> Address glean -> Valid? -> bridge, with the Binding table]
- Arbitrate collisions, check ownership
- Check against max allowed per box/vlan/port
- Record & report changes
Preference is a function of: configuration, learning method, credential provided
- Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_cga, SLAAC)
- For collision with same preference, choose First Come, First Serve

42 Address Theft Mitigation: Security Perimeter & State Distribution
[Diagram: hosts H11 and H21; address glean runs at two points, each with a binding table (ADR, MAC, IF); a further binding table lists entries A11, A21 and A22 with their MAC and IF]

43 Address Theft Demo: the topology
[Diagram: Provisioning system, HOST, ROUTER + DHCP server, DUMB, SWITCH, vlan 100, VILLAIN]

44 Address Theft Demo: Address theft & Mitigation
Regular operations
- Show ipv6 address: SLAAC, DHCP, static
- HOST connects to ROUTER
- Show neighbor cache
Attack
- HOST connects to ROUTER
- VILLAIN steals 2001:100::1 and connection breaks
- HOST re-connects and ends up at VILLAIN
Mitigation
- Configure static cache entry on HOST
- Configure CGA address on ROUTER. Helps HOST, not DUMB
- Enable ipv6 snooping on SWITCH
- Show binding table, preference values, etc. Helps for non-cga, CGA, HOST and DUMB
- Show logging

45 Address Theft - Remaining Vulnerabilities
Problems
- address ownership ≠ address authorization! Attacker can forge any address of its own and prove ownership
- CGA is not widely available
- First-come first-serve is NOT very secure for SLAAC
- First-come first-serve is hardly compatible with mobility
Solutions
- Use FH address glean & watch (combine with CGA when available)
- Use non-default preferences whenever you can
- Use authoritative address assignment method (DHCP) when you can
- When FCFS must be used, use long lifetime to keep entries in the binding table as long as you can
- Use logging to trace problems after the fact
- To reduce issues with mobility, use 802.1X whenever possible
- For address authorization, see next use case

46 Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
- Use Case #2: Address theft
- Use Case #3: Source Address spoofing
  - Target deployment model
  - Mitigation solutions
  - Demo
  - The standard
- Use Case #4: Remote address resolution cache exhaustion

47 Address Spoofing - Target deployment model
- Hosts (victims) are anywhere (on/off link)
- Attacker is on the link
- Attacker can be a plain PC, running simple attack tools
- Attacker goal is to launch single packet attacks or Flood-Based DoS attack without being identified or traceable

48 Address Spoofing - Vulnerability scope
Non-blind attacks
- Man in the Middle attacks
- Third Party Recon
Blind attacks
- Single packet attacks
- Flood-Based DoS
- Poisoning attack
- Spoof-based Worm/Malware Propagation
- Reflective Attacks
- Accounting Subversion

49 Address Spoofing - Mitigations
Where: Routers; Nodes
What:
- Ingress filtering
- Unicast Reverse Path Forwarding (uRPF)
- Address Provisioning Mechanisms
Where: Layer 2 Switch; Layer 2/3 Switch
What:
- Port-based Address Binding (FH Source Guard)
  - draft-ietf-savi-fcfs
  - draft-ietf-savi-dhcp
  - draft-ietf-savi-send
  - draft-ietf-savi-mix
- Prefix Guard

50 Address Spoofing Mitigation: Source Guard
Binding table

    IPv6  MAC       VLAN  IF
    A1    MAC_A1    100   P1
    A21   MAC_A21   100   P2
    A22   MAC_A22   100   P2
    A3    MAC_A3    100   P3

- Allow traffic sourced with known IP/SMAC
- Deny traffic sourced with unknown IP/SMAC and trigger the address glean process
[Diagram: hosts H1, H2, H3 on ports P1, P2, P3]
- P1 :: data, src=A1, SMAC=MAC_A1
- P2 :: data, src=A21, SMAC=MAC_A21
- P3 :: data, src=A3, SMAC=MAC_A3
- Address glean: DAD NS [IP source=unspec, target=A3]; NA [target=A1, LLA=MAC_A3]; P3 :: A3, MAC_A3
- DHCP LEASEQUERY, DHCP LEASEQUERY_REPLY

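The Address Watch slide (preference arbitration, First Come First Serve on ties, per-port limits) and the Source Guard slide above both operate on the same binding table, so one added sketch covers both. It is not code from the presentation or from IOS: the class, the numeric preference weights and the sample addresses are hypothetical, and only the ordering within each pair (static over dynamic, trusted over not_trusted, CGA over not_cga, DHCP over SLAAC) comes from the slides.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    port: str
    preference: int

def preference(static=False, trusted=False, cga=False, dhcp=False) -> int:
    """Hypothetical weights; a plain SLAAC address learned dynamically scores 0."""
    return 8 * static + 4 * trusted + 2 * cga + 1 * dhcp

class BindingTable:
    def __init__(self, per_port_limit: int = 10):
        self.per_port_limit = per_port_limit
        self.entries = {}            # (vlan, address) -> Binding
        self.log = []                # <event, address, port, MAC, vlan> for traceability

    def _record(self, accepted, event, vlan, addr, mac, port):
        self.log.append((event, addr, port, mac, vlan))
        return accepted, event

    def glean(self, vlan, addr, mac, port, **credentials):
        """Address watch: decide whether a gleaned <address, MAC, port> is accepted."""
        pref = preference(**credentials)
        key = (vlan, addr)
        current = self.entries.get(key)
        if current and (current.mac, current.port) == (mac, port):
            current.preference = max(current.preference, pref)
            return self._record(True, "refreshed", vlan, addr, mac, port)
        if current and pref <= current.preference:
            # Collision lost: lower preference, or a tie settled First Come, First Serve.
            return self._record(False, "rejected: address already bound",
                                vlan, addr, mac, port)
        on_port = sum(1 for (v, _), b in self.entries.items()
                      if v == vlan and b.port == port)
        if on_port >= self.per_port_limit:
            return self._record(False, "rejected: address limit reached",
                                vlan, addr, mac, port)
        self.entries[key] = Binding(mac, port, pref)
        return self._record(True, "replaced" if current else "created",
                            vlan, addr, mac, port)

    def source_guard(self, vlan, src, smac, port) -> bool:
        """Source guard: permit data only from a known <address, MAC, port>.

        On False the caller drops the packet and may start the glean process.
        """
        bound = self.entries.get((vlan, src))
        return bound is not None and (bound.mac, bound.port) == (smac, port)

if __name__ == "__main__":
    # Constructed scenario on vlan 100, documentation prefix, symbolic MACs.
    table = BindingTable(per_port_limit=2)
    a1, a21 = "2001:db8:100::a1", "2001:db8:100::21"
    print(table.glean(100, a1, "MAC_H1", "P1"))              # H1 via SLAAC
    print(table.glean(100, a1, "MAC_V", "P3"))               # same address, other port
    print(table.glean(100, a21, "MAC_V", "P3"))              # claimed first via SLAAC
    print(table.glean(100, a21, "MAC_H2", "P2", dhcp=True))  # DHCP binding wins
    print(table.source_guard(100, a1, "MAC_H1", "P1"))
    print(table.source_guard(100, a1, "MAC_V", "P3"))
    for entry in table.log:
        print(entry)
```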
51 Address Spoofing Mitigation: Prefix Guard
[Diagram: home network behind home gateway G1; gateways G1, G2, G3 attach to ports p1, p2, p3 of a shared vlan on an L2 switch (FH security, DHCP tag), which connects to an L3 switch (FH security, DHCP relay) and a DHCP server]
- DHCP-PD reply: PREFIX=P1
- Binding table (IPv6, MAC, VLAN, Port): P1, MAC_G1, 100, p1
- RA [P1], SLAAC in the home network
- src = P1::iid
- src = BAD::iid

52 Address Spoofing Demo (For Your Reference)
[Diagram: HOST, SWITCH, ROUTER + DHCP server, PEER, VILLAIN, vlan]

53 Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router discovery
- Use Case #2: Address ownership
- Use Case #3: Source Address Validation
- Use Case #4: Remote address resolution cache exhaustion
  - The target deployment model
  - Protocol and vulnerabilities
  - Mitigation solutions
  - Demo

54 Remote address resolution cache exhaustion - Target deployment model
- Attacker is off link
- Attacker can be a PC, running simple attack tools
- Attacker goal is to launch Flood-Based DoS attack targeting the last-hop router, the link behind it, and all nodes on the link
- Attacker method is to scan the link prefix to force high resolution attempts rate, exhaust the router resources, slow or deny valid resolutions, load the link with useless multicast packets

55 Remote address resolution cache exhaustion - Vulnerability scope
[Diagram: Internet]
- Attacker is anywhere on the internet
- His primary victim is the last-hop Layer 3 device (router)
- He can also harm the link and nodes behind it

56 Remote address resolution cache exhaustion - Protocol
[Diagram: attacker X, Gateway, link PFX::/64]
- X scanning 2^64 addresses (ping PFX::a, PFX::b, ... PFX::z)
- NS: Dst = Solicited-node multicast address of PFX::a; Query = what is PFX::a's link-layer address?
- NS: Dst = Solicited-node multicast address of PFX::b; Query = what is PFX::b's link-layer address?
- NS: Dst = Solicited-node multicast address of PFX::z; Query = what is PFX::z's link-layer address?
- Neighbor cache: 3 seconds history

57 Remote address resolution cache exhaustion - Mitigation
Where: Routers; Layer 3 Switch
What:
- Address Provisioning Mechanisms
- Allocate addresses by blocks and filter at the edge
- ND resolution algorithm
  - Rate limiting of new resolutions
  - Separate cache for confirmed reachable entries
  - Circular buffer for new resolution
  - Cache boundaries
- Destination Guard

58 DoS Attack on Address Resolution - Mitigation: Destination Guard
[Diagram: Internet, L3 switch with Binding table (address glean) and Neighbor cache, host B. Scanning {P/64}, SRC=D1 ... SRC=Dn. Lookup D1: found -> Forward packet; NO -> drop]
- Mitigate prefix-scanning attacks and protect ND cache
- Useful at last-hop router and L3 distribution switch
- Drops packets for destinations without a binding entry

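The effect of the binding-table lookup on a bounded neighbor cache can be shown with a small model of the last-hop router. This is an added simulation, not code from the presentation or from any router: the cache size, the addresses and the simplification that every live host answers its NS immediately are assumptions made for the example, and the packet burst is taken to arrive within one resolution window.

```python
import ipaddress

def last_hop_router(destinations, bindings, cache_limit, destination_guard):
    """Process a burst of packets by destination and return per-outcome counters.

    bindings: addresses gleaned at the first hop (these hosts exist and answer NS).
    cache_limit: maximum number of neighbor cache entries (assumed bound).
    """
    cache = {}
    stats = {"forwarded": 0, "ns_sent": 0, "guard_drops": 0, "cache_full_drops": 0}
    for dst in destinations:
        if cache.get(dst) == "REACHABLE":
            stats["forwarded"] += 1
        elif destination_guard and dst not in bindings:
            stats["guard_drops"] += 1          # no binding entry: never resolved
        elif dst in cache:
            continue                           # resolution already pending
        elif len(cache) >= cache_limit:
            stats["cache_full_drops"] += 1     # valid resolutions are denied too
        else:
            stats["ns_sent"] += 1              # multicast NS loads the link
            if dst in bindings:
                cache[dst] = "REACHABLE"
                stats["forwarded"] += 1
            else:
                cache[dst] = "INCOMPLETE"      # stays until resolution times out
    stats["incomplete_entries"] = sum(s == "INCOMPLETE" for s in cache.values())
    return stats

# Constructed input: two live hosts, 1000 scanned addresses that do not exist,
# then legitimate traffic to the live hosts.
PFX = ipaddress.IPv6Network("2001:db8:100::/64")
HOSTS = {PFX[0x10], PFX[0x11]}
SCAN = [PFX[0x10000 + i] for i in range(1000)]
TRAFFIC = SCAN + [PFX[0x10], PFX[0x11], PFX[0x10]]

def compare(cache_limit: int = 256):
    """Run the same burst without and with destination guard."""
    return (last_hop_router(TRAFFIC, HOSTS, cache_limit, destination_guard=False),
            last_hop_router(TRAFFIC, HOSTS, cache_limit, destination_guard=True))

if __name__ == "__main__":
    without, guarded = compare()
    print("without destination guard:", without)
    print("with destination guard:   ", guarded)
```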
59 DoS Attack on Address Resolution - Demo
[Diagram: HOST, vlan 100, L2/L3 SWITCH, PEER, VILLAIN, DHCP server]

60 IPv6 First Hop Security Platform Support
Platforms: Catalyst 6500 Series; Catalyst 4500 Series; Catalyst 2K/3K Series; ASR1000 Router; 7600 Router; Catalyst 3850; Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2)
Feature: releases
- RA Guard: 15.0(1)SY, 15.1(2)SG, 15.0.(2)SE, 15.2(4)S, 15.0(1)EX, 7.2
- IPv6 Snooping: 15.0(1)SY, (2)SG, 15.0.(2)SE, XE 3.9.0S, 15.2(4)S, 15.0(1)EX, 7.2
- DHCPv6 Guard: 15.2(1)SY, 15.1(2)SG, 15.0.(2)SE, 15.2(4)S, 15.0(1)EX, 7.2
- Source/Prefix Guard: 15.2(1)SY, 15.2(1)E, 15.0.(2)SE (Note 2), XE 3.9.0S, 15.3(1)S, 7.2
- Destination Guard: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.2(4)S
- RA Throttler: 15.2(1)SY, 15.2(1)E, 15.2(1)E, 15.0(1)EX, 7.2
- ND Multicast Suppress: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.0(1)EX, 7.2
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release
Legend: Available Now / Not Available / Roadmap
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks In an ARP spoofing attack, the attacker associates its own MAC address with the IP address of a network device
More informationAugmented SEND: Aligning Security, Privacy, and Usability. Dr. Ahmad Alsadeh Birzeit University Palestine
Augmented SEND: Aligning Security, Privacy, and Usability Dr. Ahmad Alsadeh Birzeit University Palestine Neighbor Discovery Protocol (NDP) Fundamental protocol in IPv6 suite Obtain configuration information
More informationBasic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016
Basic L2 and L3 security in Campus networks Matěj Grégr CNMS 2016 1/ Communication in v4 network Assigning v4 address using DHCPv4 Finding a MAC address of a default gateway Finding mapping between DNS
More informationEric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Eric Vyncke, Distinguished Engineer, evyncke@cisco.com 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Security Myths of IPv6 Shared Issues by IPv4 and IPv6 Specific Issues for IPv6
More informationAdopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks
Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks Navaneethan C. Arjuman nava@nav6.usm.my National Advanced IPv6 Centre January 2014 1 Introduction IPv6 was introduced
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationSetup. Grab a vncviewer like: Or https://www.realvnc.com/download/viewer/
IPv6 Matt Clemons Topology 2 Setup Grab a vncviewer like: http://uvnc.com/download/1082/1082viewer.html Or https://www.realvnc.com/download/viewer/ Connect where I tell you and enter the password to see
More informationOperation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents
Operation Manual IPv6 Table of Contents Table of Contents Chapter 1 IPv6 Basics Configuration... 1-1 1.1 IPv6 Overview... 1-1 1.1.1 IPv6 Features... 1-2 1.1.2 Introduction to IPv6 Address... 1-3 1.1.3
More informationODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight
ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight Sridhar Gaddam (sgaddam@redhat.com) Dayavanti Gopal Kamath (dayavanti.gopal.kamat@ericsson.com) Agenda IPv6 Intro. IPv6 Neighbor Discovery. IPv6
More informationDGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window
9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based
More informationIPv6 address configuration and local operation
IPv6 address configuration and local operation Amsterdam, 16 february 2012 Iljitsch van Beijnum Today's topics IPv6 address configuration stateless autoconfig DHCPv6 DAD, NUD, timers Router solicitations/advertisements
More informationConfiguring ARP attack protection 1
Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole
More informationInternet Engineering Task Force (IETF) Category: Standards Track. J. Halpern Ericsson E. Levy-Abegnoli, Ed. Cisco February 2017
Internet Engineering Task Force (IETF) Request for Comments: 8074 Category: Standards Track ISSN: 2070-1721 J. Bi Tsinghua University G. Yao Tsinghua University/Baidu J. Halpern Ericsson E. Levy-Abegnoli,
More informationIPv6 First-Hop Security Binding Table
IPv6 First-Hop Security Binding Table Last Updated: July 25, 2012 A database table of IPv6 neighbors connected to a device is created from information sources such as Neighbor Discovery Protocol (NDP)
More informationTable of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1
Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-3 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to IPv6 DNS 1-8 Protocols
More informationTable of Contents 1 IPv6 Basics Configuration 1-1
Table of Contents 1 IPv6 Basics Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-3 Introduction to IPv6 Neighbor Discovery Protocol 1-5 IPv6 PMTU Discovery 1-8 Introduction
More informationThe Netwok Layer IPv4 and IPv6 Part 2
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE The Netwok Layer IPv4 and IPv6 Part 2 Jean Yves Le Boudec 2014 1 Contents 6. ARP 7. Host configuration 8. IP packet format Textbook Chapter 5: The Network Layer
More informationRecent IPv6 Security Standardization Efforts. Fernando Gont
Recent IPv6 Security Standardization Efforts Fernando Gont Part I: Protocol Issues 2 IPv6 Addressing 3 Security & Privacy Analysis RFC 7721: Security and Privacy Considerations for IPv6 Address Generation
More informationTable of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1
Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-3 Introduction to IPv6 Neighbor Discovery Protocol 1-6 Introduction to IPv6 DNS 1-8 Protocols
More informationInsights on IPv6 Security
Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CISA, CCSP Senior Information & Network Security Consultant NXme FZ-LLC Information Security Researcher, PhD Candidate Stockholm University bilal@nxme.net
More informationInternet Protocol v6.
Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? IPv6 Address Space Customer LAN Migration Why IPv6? IPv6 Address Space Customer LAN migration IPv4 DASH BOARD THE REASON For IPv6
More informationIPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery
IPv6- IPv4 Threat Comparison v1.0 Darrin Miller dmiller@cisco.com Sean Convery sean@cisco.com Motivations Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the
More informationIPv6 migration challenges and Security
IPv6 migration challenges and Security ITU Regional Workshop for the CIS countries Recommendations on transition from IPv4 to IPv6 in the CIS region, 16-18 April 2014 Tashkent, Republic of Uzbekistan Desire.karyabwite@itu.int
More informationInternetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview
Internetwork Expert s CCNA Security Bootcamp Mitigating Layer 2 Attacks http:// Layer 2 Mitigation Overview The network is only as secure as its weakest link If layer 2 is compromised, all layers above
More informationIPv6 Protocol Architecture
IPv6 Protocol Architecture v4/v6 Header Comparison Not kept in IPv6 Renamed in IPv6 Same name and function New in IPv6 2 New Functional Improvement Address Space Increase from 32-bit to 128-bit address
More informationConfiguring Dynamic ARP Inspection
21 CHAPTER This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3560 switch. This feature helps prevent malicious attacks on the
More informationIPv6 Security Safe, Secure, and Supported.
IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently
More informationSecurity in an IPv6 World Myth & Reality
Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann MYTH: IPv6 Has Security Designed In MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationIPv6 associated protocols
IPv6 associated protocols Address auto-configuration in IPv6 Copy Rights This slide set is the ownership of the 6DISS project via its partners The Powerpoint version of this material may be reused and
More informationIPv6 Neighbor Discovery
About, page 1 Prerequisites for, page 2 Guidelines for, page 2 Defaults for, page 4 Configure, page 5 View and Clear Dynamically Discovered Neighbors, page 10 History for, page 11 About The IPv6 neighbor
More informationConfiguring IPv6 for Gigabit Ethernet Interfaces
CHAPTER 46 IP version 6 (IPv6) provides extended addressing capability beyond those provided in IP version 4 (IPv4) in Cisco MDS SAN-OS. The architecture of IPv6 has been designed to allow existing IPv4
More informationDHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016
1 2016 2013 Infoblox Inc. All Inc. Rights All Reserved. Rights Reserved. DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016 ABOUT THE PRESENTER Tom Coffeen IPv6 Evangelist Infoblox @ipv6tom tom@ipv6.works
More informationIPv6 Security Threats and #CLEUR BRKSEC Eric Vyncke
IPv6 Security Threats and Mitigations BRKSEC-2003 Eric Vyncke evyncke@cisco.com Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR Agenda Debunking IPv6 Myths Shared Issues
More informationSECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann
SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper
More informationIPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL
IPv6 Protocol & Structure npnog3 9-11 Dec, 2017 Chitwan, NEPAL Protocol Header Comparison IPv4 contains 10 basic header fields, while IPv6 has 6 basic header fields IPv6 header size is 40 octets compared
More informationIPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC
IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC Lin Tao lintao850711@sina.com Liu Wu liuwu@cernet.edu.cn Duan Haixin dhx@cernet.edu.cn Sun Donghong sdh@cernet.edu.cn Abstract IPv6 is widely
More informationHP A5830 Switch Series Layer 3 - IP Services. Configuration Guide. Abstract
HP A5830 Switch Series Layer 3 - IP Services Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.
More informationIPv6 Neighbor Discovery
About, page 1 Prerequisites for, page 2 Guidelines for, page 2 Defaults for, page 4 Configure, page 5 Monitoring, page 10 History for, page 11 About The IPv6 neighbor discovery process uses ICMPv6 messages
More informationIPv6 Next generation IP
Seminar Presentation IPv6 Next generation IP N Ranjith Kumar 11/5/2004 IPv6 : Next generation IP 1 Network Problems Communication Problem Identification Problem Identification of Networks Logical Addressing
More informationJuniper Netscreen Security Device. How to Enable IPv6 Page-51
Juniper Netscreen Security Device Page-51 Netscreen Firewall - Interfaces Below is a screen shot for a Netscreen Firewall interface. All interfaces have an IPv6 address except ethernet0/0. We will step
More informationHP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information
More informationHPE FlexNetwork 5510 HI Switch Series
HPE FlexNetwork 5510 HI Switch Series Layer 3 IP Services Command Reference Part number: 5200-3837 Software version: Release 13xx Document version: 6W100-20170315 Copyright 2015, 2017 Hewlett Packard Enterprise
More informationHPE FlexFabric 5940 Switch Series
HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett
More informationIPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese
IPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese Table of Contents Where is IPv6?... 3 IPv6 Neighbor Discovery Protocol (NDP)... 4 Why NDP is Insecure...
More informationBasic Attacks and Mitigation Strategies
Basic Attacks and Mitigation Strategies Christopher Werny #2 Who am I Network geek, working as security researcher for Germany based ERNW GmbH Independent Deep technical knowledge Structured
More informationIPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something
More informationNon-CGA addresses in SEND E. Levy-Abegnoli
Non-CGA addresses in SEND E. Levy-Abegnoli IETF 71, March 09/14th 2008 Philadelphia 1 What? Support for non-cga addresses in SEND Establish address ownership of addresses used in ND messages (NS, NA, RS,
More informationHPE FlexNetwork 5510 HI Switch Series
HPE FlexNetwork 5510 HI Switch Series Layer 3 IP Services Command Reference Part number: 5200-0078b Software version: Release 11xx Document version: 6W102-20171020 Copyright 2015, 2017 Hewlett Packard
More informationUne attaque par rejeu sur le protocole SEND
Une attaque par rejeu sur le protocole SEND Tony Cheneau mail: tony.cheneau@it-sudparis.eu (Télécom SudParis) & Jean-Michel Combes mail: jeanmichel.combes@orange-ftgroup.com (FT R&D) October 17, 2008 SAR-SSI'2008
More informationIPv6 Bootcamp Course (5 Days)
IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain
More informationConfiguring ARP attack protection 1
Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole
More informationNetwork Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018
Network Security The Art of War in The LAN Land Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018 Part I MAC Attacks MAC Address/CAM Table Review 48 Bit Hexadecimal Number Creates Unique
More informationInternet Control Message Protocol
Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.
More informationIPv6 maintenance Working Group (6man) Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012
IPv6 maintenance Working Group (6man) F. Gont Internet-Draft UK CPNI Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012 Security Implications of
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationHP 6125 Blade Switch Series
HP 6125 Blade Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-3156 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012
More informationIPV6 SIMPLE SECURITY CAPABILITIES.
IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB. ABSTRACT The RFC which this presentation is based upon is focused on
More informationConfiguration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38
This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: About DHCP Snooping About DHCP Snooping, on
More informationIPv6 Security. 15 August
IPv6 Security 15 August 2016 0.1 Overview IPv6 Operations and Protocol Issues Scanning IPv6 Networks Toolkits and Example Attacks Best Practices in Securing IPv6 2 IPv6 Operations ü128-bit addresses üuses
More informationCharles Perkins Nokia Research Center 2 July Mobility Support in IPv6 <draft-ietf-mobileip-ipv6-14.txt> Status of This Memo
IETF Mobile IP Working Group INTERNET-DRAFT David B. Johnson Rice University Charles Perkins Nokia Research Center 2 July 2000 Mobility Support in IPv6 Status of This
More informationIETF Update about IPv6
IETF Update about IPv6 Eric Vyncke evyncke@cisco.com Eric.Vyncke@ipv6council.be @evyncke May 4, 2016 IPv6 To Become a Standard 2 6MAN Working Group Cleaner, more accurate IPv6 specification. Do not expect
More informationWorkshop on Scientific Applications for the Internet of Things (IoT) March
Workshop on Scientific Applications for the Internet of Things (IoT) March 16-27 2015 IP Networks: From IPv4 to IPv6 Alvaro Vives - alvaro@nsrc.org Contents 1 Digital Data Transmission 2 Switched Packet
More informationIPv6 Stateless Autoconfiguration
The IPv6 stateless autoconfiguration feature can be used to manage link, subnet, and site addressing changes. Information About, page 1 How to Configure, page 2 Configuration Examples for, page 3 Additional
More informationIPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land
IPv6 1 IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Ver IHL Type of Service Total Length Ver Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit
More informationHPE 5920 & 5900 Switch Series
HPE 5920 & 5900 Switch Series Layer 3 IP Services Command Reference Part number: 5998-6643t Software version: Release 2422P01 Document version: 6W101-20171030 Copyright 2016, 2017 Hewlett Packard Enterprise
More informationIPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local
1 v4 & v6 Header Comparison v6 Ver Time to Live v4 Header IHL Type of Service Identification Protocol Flags Source Address Destination Address Total Length Fragment Offset Header Checksum Ver Traffic Class
More information