Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016
1 Basic L2 and L3 security in Campus networks. Matěj Grégr, CNMS

2 Communication in an IPv4 network
- Assigning an IPv4 address using DHCPv4
- Finding the MAC address of the default gateway
- Finding the mapping between a DNS name and an address
- TCP connection
- HTTP request

3 DHCP Spoofing

5 DHCP spoofing
- Steal an address of another device
- Forge the DNS server
- Forge the default gateway
- Several pieces of software available: Trojan.Flush.M, Trojan:W32/DNSChanger

6 DHCP spoofing: DHCP Discover
Hosts:
- DHCP server, MAC: DD:DD:DD:DD:DD:DD
- Client, MAC: AA:AA:AA:AA:AA:AA, IP: ?
- Host, MAC: BB:BB:BB:BB:BB:BB
- Attacker, MAC: CC:CC:CC:CC:CC:CC
DHCP Discover sent by the client:
- ETH: src mac: AA:AA:AA:AA:AA:AA, dst mac: FF:FF:FF:FF:FF:FF (broadcast)
- IP: src IP, dst IP (broadcast)
- UDP: src port 68, dst port 67
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS

7 DHCP spoofing: DHCP Offer
Hosts:
- DHCP server, MAC: DD:DD:DD:DD:DD:DD
- Client, MAC: AA:AA:AA:AA:AA:AA, IP: ?
- Host, MAC: BB:BB:BB:BB:BB:BB
- Attacker, MAC: CC:CC:CC:CC:CC:CC
DHCP Offer from the DHCP server:
- ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: AA:AA:AA:AA:AA:AA
- IP: src IP, dst IP
- UDP: src port 67, dst port 68
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP, Router, DNS
DHCP Offer from the attacker:
- ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: AA:AA:AA:AA:AA:AA
- IP: src IP, dst IP
- UDP: src port 67, dst port 68
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP, Router, DNS

8 DHCP spoofing
- The attack can compromise only newly connecting clients
  - Already connected clients renew their address with the old DHCP server
- There are two variants of the attack:
  - The attacker can exhaust the address pool of the DHCP server
  - The attacker can try to answer quicker than the DHCP server
- If a client is assigned an address from the attacker's DHCP pool: MitM attack, all traffic flows through the attacker
- The attacker can forge only specific DNS addresses (harder to detect)

9 Defense: DHCP snooping
Hosts:
- MAC: DD:DD:DD:DD:DD:DD
- MAC: CC:CC:CC:CC:CC:CC
- MAC: AA:AA:AA:AA:AA:AA, IP: ?
- MAC: BB:BB:BB:BB:BB:BB
DHCP Discover sent by the client:
- ETH: src mac: AA:AA:AA:AA:AA:AA, dst mac: FF:FF:FF:FF:FF:FF (broadcast)
- IP: src IP, dst IP (broadcast)
- UDP: src port 68, dst port 67
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS

10 Defense: DHCP spoofing
Hosts:
- MAC: DD:DD:DD:DD:DD:DD
- MAC: AA:AA:AA:AA:AA:AA, IP: ?
- MAC: BB:BB:BB:BB:BB:BB
- MAC: CC:CC:CC:CC:CC:CC
DHCP Offer from DD:DD:DD:DD:DD:DD:
- ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: AA:AA:AA:AA:AA:AA
- IP: src IP, dst IP
- UDP: src port 67, dst port 68
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP, Router, DNS
DHCP Offer from CC:CC:CC:CC:CC:CC:
- ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: AA:AA:AA:AA:AA:AA
- IP: src IP, dst IP
- UDP: src port 67, dst port 68
- DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP, Router, DNS

11 DHCP snooping example configuration
12 CAM overflow

14 CAM Overflow Attack
Topology: PC A on port 1, PC B on port 2, PC C on port 3, PC D on port 4
CAM table:
    Port  MAC
    2     W
    2     X
    2     Y
    2     Z

15 CAM Overflow attack
Topology: PC A on port 1, PC B on port 2, PC C on port 3, PC D on port 4
CAM table:
    Port  MAC
    2     W
    2     X
    2     Y
    2     Z
A -> C? Don't know, can't insert!

16 CAM Table
- Implementation dependent
- Older records usually are not deleted
Table (Platform, Size): Cisco Catalyst; Cisco Catalyst; Cisco Catalyst; Linksys SRW; Module to Cisco Catalyst; HP ProCurve; HP ProCurve

17 CAM overflow defense: Port security
- Limited number of MAC addresses per port
    Switch# show port-security interface fa 0/1
    Violation Mode        : Shutdown
    Maximum MAC addresses : 2
    Switch# show port-security interface fa 0/1 addr
    Vlan  Mac Address        Type          Ports
          CC:CC:CC:CC:CC:CC  SecureSticky  FastEthernet0/1

18 CAM overflow defense: Port security
Hosts:
- MAC: DD:DD:DD:DD:DD:DD
- MAC: AA:AA:AA:AA:AA:AA
- MAC: BB:BB:BB:BB:BB:BB
- MAC: CC:CC:CC:CC:CC:CC
Frame: ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: FF:FF:FF:FF:FF:FF

19 Example of the attack

20 Impact of Port Security defense
- Filtering is usually done in HW without performance impact
- If the security policy is SHUTDOWN, the user loses connection and the admin cannot send him information about what is wrong
- It is better to configure a less restrictive policy: only drop and inform the admin, but do not shut down the port
21 ARP spoofing

23 Normal behavior
ARP caches: C -> MAC C, A -> MAC A

24 ARP MitM

25 ARP MitM: Cache poisoning 1
ARP message:
- Sender HW address: B
- Sender proto address: C
- Target HW address: A
- Target proto address: A

26 ARP MitM: Cache poisoning 2
ARP cache: C -> MAC B

27 ARP MitM: Cache poisoning 3
ARP cache: C -> MAC B
ARP message:
- Sender HW address: B
- Sender proto address: A
- Target HW address: C
- Target proto address: C

28 ARP MitM: Cache poisoning 4
ARP caches: C -> MAC B, A -> MAC B

29 ARP MitM: Forwarding 3
ARP caches: C -> MAC B, A -> MAC B

30 Dynamic ARP Inspection
- Port security cannot be used for mitigation
  - Does not look further than the L2 header
- The DHCP snooping mechanism can be reused
  - DHCP snooping can create a MAC-IP-Port binding
- Dynamic ARP Inspection tests only ARP packets
  - Does not prevent spoofing
    Switch# show ip source binding
    MacAddress         IpAddress  Lease(sec)  Type           VLAN  Interface
    CC:CC:CC:CC:CC:CC                         dhcp-snooping  1     FastEthernet2/1

31 Dynamic ARP Inspection
    Switch# show ip source binding
    MacAddress         IpAddress
    CC:CC:CC:CC:CC:CC
Hosts:
- MAC: DD:DD:DD:DD:DD:DD
- MAC: AA:AA:AA:AA:AA:AA
- MAC: BB:BB:BB:BB:BB:BB
- MAC: CC:CC:CC:CC:CC:CC
Frame:
- ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: FF:FF:FF:FF:FF:FF
- ARP Reply: Sender MAC: CC:CC:CC:CC:CC:CC, Sender IP; Target MAC: AA:AA:AA:AA:AA:AA, Target IP
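
How a switch can reuse the DHCP snooping binding table for Dynamic ARP Inspection, and why port security alone does not catch a forged ARP reply, shown as an added example (not part of the slides and not any vendor's implementation). The MAC addresses are the ones used on the slides; the port numbers, the 192.0.2.x addresses and the `Switch` class with its methods are constructed for illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages that only a server sends

# MACs as on the slides; ports and 192.0.2.x addresses are constructed sample values.
AA, CC = "AA:AA:AA:AA:AA:AA", "CC:CC:CC:CC:CC:CC"


@dataclass
class Switch:  # hypothetical model of the checks, not a vendor implementation
    trusted: set                                  # ports facing the real DHCP server
    max_macs: int = 2                             # port-security limit per access port
    bindings: dict = field(default_factory=dict)  # ip -> (mac, port), from snooped ACKs
    clients: dict = field(default_factory=dict)   # client mac -> port it sent DHCP from
    secure: dict = field(default_factory=dict)    # port -> source MACs learned so far

    def port_security(self, port, eth_src):
        """Port security: inspects only the Ethernet source MAC (L2 header)."""
        if port in self.trusted:
            return True
        macs = self.secure.setdefault(port, set())
        if eth_src not in macs and len(macs) >= self.max_macs:
            return False                          # too many MACs on this port
        macs.add(eth_src)
        return True

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: True = forward the message, False = drop it."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False                      # server message from an access port
            if msg == "ACK" and client_mac in self.clients:
                # Record which MAC on which port was given this address.
                self.bindings[ip] = (client_mac, self.clients[client_mac])
            return True
        self.clients[client_mac] = port           # DISCOVER / REQUEST from a client
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: the ARP sender MAC/IP pair must match the binding for this port."""
        if port in self.trusted:
            return True
        return self.bindings.get(sender_ip) == (sender_mac, port)


def lease(sw, port, mac, ip, server_port=1):
    """Run a full DISCOVER/OFFER/REQUEST/ACK exchange through the switch."""
    ok = sw.dhcp(port, "DISCOVER", mac)
    ok &= sw.dhcp(server_port, "OFFER", mac, ip)
    ok &= sw.dhcp(port, "REQUEST", mac)
    ok &= sw.dhcp(server_port, "ACK", mac, ip)
    return bool(ok)


def run_scenario():
    """DHCP server on trusted port 1, client AA on port 2, attacker CC on port 4."""
    sw = Switch(trusted={1})
    r = {}
    r["client discover forwarded"] = sw.dhcp(2, "DISCOVER", AA)
    r["rogue offer forwarded"] = sw.dhcp(4, "OFFER", AA, "192.0.2.66")
    r["lease AA"] = lease(sw, 2, AA, "192.0.2.10")
    r["lease CC"] = lease(sw, 4, CC, "192.0.2.12")
    # Forged ARP reply from port 4: Ethernet source is CC's own MAC,
    # but the ARP sender IP is the address leased to AA.
    r["port security passes forged ARP"] = sw.port_security(4, CC)
    r["DAI passes forged ARP"] = sw.arp(4, CC, "192.0.2.10")
    r["DAI passes honest ARP from AA"] = sw.arp(2, AA, "192.0.2.10")
    r["DAI passes honest ARP from CC"] = sw.arp(4, CC, "192.0.2.12")
    return sw, r


if __name__ == "__main__":
    switch, results = run_scenario()
    for name, forwarded in results.items():
        print(f"{name}: {forwarded}")
    print("binding table:", switch.bindings)
```
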
32 IPv6

33 IPv6
- Different methods of autoconfiguration
  - Stateless address autoconfiguration
  - DHCPv6
- A network interface can have several IPv6 addresses

34 Link local address
- Router: LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1
- Host A: LL: fe80::c9ee:98f6:d621:ee49 [TENT]
- Host B
Neighbor Solicitation:
- src: ::
- dst: ff02::1:ff21:ee49 (solicited node)
- Target address: fe80::c9ee:98f6:d621:ee49

35 MLD Report
- Router: LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1
- Host A: LL: fe80::c9ee:98f6:d621:ee49 [TENT]
- Host B
Multicast Listener Report v2:
- src: ::
- dst: ff02::16 (All MLDv2-capable routers)
- Hop-by-hop Router Alert
- Changed to exclude: ff02::1:ff21:ee49

36 Global address
- Router: LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1
- Host A: LL: fe80::c9ee:98f6:d621:ee49
- Host B
Router Solicitation:
- src: fe80::c9ee:98f6:d621:ee49
- dst: ff02::2 (All Routers)

37 Global address
- Router: LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1
- Host A: LL: fe80::c9ee:98f6:d621:ee49, GL: 2001:67c:1220:80e:d4a3:cd1b:bac:942b [TENT]
- Host B
Router Advertisement:
- src: fe80::204:96ff:fe1d:4e30
- dst: ff02::1 (All Nodes)
- M: 0, O: 0
- Prefix Information: PrfLen: 64, A: 1, Prefix: 2001:67c:1220:80e::

38 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND

39 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: MLDv2, G: ff02::1:ff4b:d6:e3

40 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: DAD

41 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: SLAAC

42 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: DHCPv6

43 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: MLDv2, G: ff02::1:ffb0:5ec2

44 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: ND

45 IPv6 address autoconfiguration: DAD, RS/RA, DHCPv6, MLDv2, ND
Step shown: TCP handshake
46 IPv6 L2, L3 security
- Similar attacks as in the IPv4 world, with some exceptions
  - DAD, RA Flood, RA MitM
- Port security can be used for mitigation
  - CAM overflow is similar to IPv4
- Three protocols must be secured (MLD, NDP, DHCPv6)

47 ND snooping
- The switch creates a binding between port, MAC and IPv6 address based on the DAD process
    Switch#show ipv6 neighbors binding
    Binding Table has 4 entries, 4 dynamic
    Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
    (truncated output)
    IPv6 address Link-Layer addr Interface vlan age state Time left
    ND FE80::81E2:1562:E5A0:43EE 28D E276 Gi1/15 1 3mn REACHABLE 94 s
    ND FE80::3AEA:A7FF:FE85:C926 38EA.A785.C926 Gi1/2 1 26mn STALE s
    ND FE80::10 38EA.A785.C926 Gi1/2 1 26mn STALE s
    ND FE80::1 E4C7.228B.F180 Gi1/7 1 35s REACHABLE 272 s
- Beware! Different vendors have different behavior!
- First come, first served approach! Opens a DoS attack vector: the address is registered to an attacker

48 DHCPv6 Guard
- Similar to the DHCPv6 snooping feature
- Based on the assigned IPv6 address, the switch creates and maintains a binding table
    Switch#show ipv6 neighbors binding
    Binding Table has 4 entries, 4 dynamic
    Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
    (truncated output)
    IPv6 address Link-Layer addr Interface vlan age state Time left
    ND FE80::81E2:1562:E5A0:43EE 28D E276 Gi1/15 1 3mn REACHABLE 94 s
    ND FE80::3AEA:A7FF:FE85:C926 38EA.A785.C926 Gi1/2 1 26mn STALE 869 s
    ND FE80::10 38EA.A785.C926 Gi1/2 1 26mn STALE 855 s
    ND FE80::1 E4C7.228B.F180 Gi1/7 1 35s REACHABLE 172 s
    DH 2001:DB8::E1B9 28D E276 Gi1/15 1 3mn REACHABLE 67 s

49 RA Guard
- Protects against rogue RA messages; a similar feature to DHCP snooping

50 Summary

51 Summary
- Both protocols must be secured!
- Hardware and software have limitations!
  - You have to do your due diligence. Skim-reading the vendor PDF is not enough!
- To secure your network, you should at least configure: DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND snooping, RA guard
More informationDGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide
6. Layer 3 Features ARP ARP Gratuitous ARP IPv4 Interface IPv4 Static/Default Route IPv4 Route Table IPv6 General Prefix IPv6 Interface IPv6 Neighbor IPv6 Static/Default Route IPv6 Route Table ARP Aging
More informationIPv6 Autoconfiguration. Stateless and Stateful. Rabat, Maroc Mars 2007
IPv6 Autoconfiguration Stateless and Stateful Rabat, Maroc 28-30 Mars 2007 Philippe.Bereski@alcatel.fr Simon.Muyal@renater.fr Bernard.Tuy@renater.fr Copy... Rights This slide set is the ownership of the
More informationIntroduction to IPv6
Introduction to IPv6 1 What is IPv6? IP (Internet Protocol) The most common protocol over the Internet defines how packets are sent over the internet Addressing and routing Current versions IPv4 & IPv6
More informationIPv6 Security. 15 August
IPv6 Security 15 August 2016 0.1 Overview IPv6 Operations and Protocol Issues Scanning IPv6 Networks Toolkits and Example Attacks Best Practices in Securing IPv6 2 IPv6 Operations ü128-bit addresses üuses
More informationOperation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents
Operation Manual IPv6 Table of Contents Table of Contents Chapter 1 IPv6 Basics Configuration... 1-1 1.1 IPv6 Overview... 1-1 1.1.1 IPv6 Features... 1-2 1.1.2 Introduction to IPv6 Address... 1-3 1.1.3
More informationICS 451: Today's plan
ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network
More informationConfiguring Interfaces (Transparent Mode)
8 CHAPTER This chapter includes tasks to complete the interface configuration in transparent firewall mode. This chapter includes the following sections: Information About Completing Interface Configuration
More information