Internet Protocol v6.


Internet Protocol v6 October 25, 2016 v6@nkn.in

Table of Contents
- Why IPv6?
- IPv6 Address Space
- Customer LAN Migration


IPv4 Dashboard: The Reason for IPv6
- The IANA pool of available IPv4 addresses was exhausted on 3 February, 2011.
- APNIC is allocating IPv4 addresses from its last /8 IPv4 block.
- Microsoft has managed to purchase 666,624 IP addresses from the bankrupt Canadian company Nortel for $7.5m. This works out to $11.25/IP. An exact list of blocks isn't available.

Address Distribution
- Hierarchy shown on the slide: IETF, IANA, RIR, ISP, End User
- Regional Internet Registries (RIRs) distribute IPv4, IPv6, and AS numbers to the Internet community.

RIRs


IPv6 Address Space
- An IPv6 address is 128 bits long.
- This means a total of 340 282 366 920 938 463 463 374 607 431 768 211 456 IPv6 addresses are possible.
- About 3.4 × 10^38 (340 trillion trillion trillion) unique IPv6 addresses.
- This means we can assign roughly 48,000 trillion trillion IPv6 addresses to every person.
- Or, 6.7 × 10^23 addresses per m^2 of land.

How Does an IPv6 Address Look?
- x:x:x:x:x:x:x:x, where x represents 16 bits written in hexadecimal format
    2001:4408:0000:0000:C1C0:0000:ABCD:0786
- Case insensitive
    2001:4408:0000:0000:c1c0:0000:abcd:0786
- A block of zeros can be replaced with (::), but only once
    2001:4408::C1C0:0000:ABCD:0786
- Leading zeros can be omitted, but not the trailing ones
    2001:4408::C1C0:0000:ABCD:786
- In a URL, it is enclosed in brackets
    http://[2001:4408::c1c0:0000:abcd:786]/index.html
    http://[2001:4408::c1c0:0000:abcd:786]:8080/index.html

How Does an IPv6 Address Look? (128 bit address)
- Network Portion: gggg:gggg:gggg (Global Routing Prefix, n <= 48 bits) and ssss (Subnet ID, 64 - n bits); together the Global Unicast Identifier
- Interface ID (Host): xxxx:xxxx:xxxx:xxxx
- Example (full format): 2405:8a00:0000:0001:0000:0000:0000:A100
- Abbreviated format: 2405:8a00:0:1::A100

IPv6 Address Scope
- An interface is expected to have multiple addresses
- An IPv6 node MUST support multicast
- Addresses have scope:
    Link Local (FE80::/10)
    Unique Local (FC00::/7)
    Global (2000::/3)

IPv6 Address Types
- Unicast: a unicast address identifies a single network interface.
- Multicast: address of a set of interfaces. One-to-many delivery to all interfaces in the set.
- Anycast: an anycast address is assigned to a group of interfaces, usually belonging to different nodes.
- No more Broadcast addresses.

IPv6 Addresses: Unicast and Multicast

    NKN-SP-LAN#show ipv6 int
    Vlan196 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::6E20:56FF:FEC5:47DF
      No Virtual link-local address(es):
      Description: "LAN SAGEMENT 2 10.1.196.1 "
      Global unicast address(es):
        2001:4408:5205:196::1, subnet is 2001:4408:5205:196::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:2
        FF02::1:FF00:1
        FF02::1:FFC5:47DF
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachable are sent
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds (using 30000)
      ND advertised reachable time is 0 (unspecified)
      ND advertised retransmit interval is 0 (unspecified)
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      ND advertised default router preference is High
      Hosts use DHCP to obtain routable addresses.

Callouts on the slide:
- Link-Local: FE80::6E20:56FF:FEC5:47DF
- Global: 2001:4408:5205:196::1
- All nodes: FF02::1
- All routers: FF02::2
- Solicit node multicast Address: FF02::1:FF00:1, FF02::1:FFC5:47DF

IPv6 Address Type
Unicast address scope:
- Link local: non-routable, exists on the L2 domain (FE80::/10)
    FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
- Unique-Local (ULA): routable within an administrative domain (similar to RFC 1918) (FC00::/7)
    FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
- Global: routable across the Internet (2000::/3)
    2000:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Multicast addresses begin with FF00::/8
    FF00:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

IPv6 Address Types

    Address Type          IPv6 Binary Prefix    IPv6 Prefix   IPv4 Prefix
    Unspecified           000...0 (128 bits)    ::/128        0.0.0.0/0
    Loopback              000...01 (128 bits)   ::1/128       127.0.0.1
    Unique Local Address  1111 110              FC00::/7      RFC 1918 {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}
    Link-local Unicast    1111 1110 10          FE80::/10     ---
    Multicast             1111 1111             FF00::/8      224.0.0.0-239.255.255.255
    Global Unicast        001                   2000::/3      Class A, B & C

IPv4 & IPv6 Header Comparison
- IPv4 Header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address
- IPv6 Header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
- Legend (colour coded on the slide): field's name kept from IPv4 to IPv6; fields not kept in IPv6; name & position changed in IPv6; new field in IPv6

IPv4 Header
The IPv4 packet header consists of 14 fields, of which 13 are required. The 14th field is optional (red background in table) and aptly named: options.
Internet Header Length (IHL): The second field (4 bits) is the Internet Header Length (IHL), which is the number of 32-bit words in the header. The minimum value for this field is 5 (RFC 791), which is a length of 5 × 32 = 160 bits = 20 bytes. Being a 4-bit value, the maximum length is 15 words (15 × 32 bits) or 480 bits = 60 bytes.

Control Protocol(s)
- IPv4 Control Protocols: ARP (for Ethernet), ICMP, IGMP
- IPv6 Control Protocols: ICMPv6 (IPv6 Next Header value 58). Must be fully implemented and supported.

MULTICAST
- An IPv6 node MUST support multicast.
- All nodes with similar addresses share the same solicited-node multicast address.
- Solicited-node multicast address format: globally-assigned prefix FF02::1:FF00:0/104 followed by the low-order 24 bits of a node address.
- Example: a node 2405:8A00:100:200::A101:3258 joins the multicast group FF02::1:FF01:3258
    FF02:0:0:0:0:1:FF01:3258 (expanded form)

RESERVED MULTICAST ADDRESSES

    Address             Scope        Use
    FF01::1             Node-local   All Nodes
    FF01::2             Node-local   All Routers
    FF02::1             Link-local   All Nodes
    FF02::2             Link-local   All Routers
    FF05::2             Site-local   All Routers
    FF02::1:FFxx:xxxx   Link-local   Solicited-Node

MAXIMUM TRANSMISSION UNIT (MTU)
- MTU is the maximum size of an IP packet that can be transmitted without fragmentation.
- In IPv6, the MTU must be at least 1280 bytes, while in IPv4 it was only 68 bytes.
- IPv6 uses the Path MTU discovery protocol to find the smallest MTU on the path and works with that MTU from then on.

PATH MTU DISCOVERY
- Slide diagram: links with MTUs of 9000, 4000, 1500 and 1300 bytes; the path MTU settles down at 1300 bytes.
- Path MTU discovery is mandatory in IPv6 because routers do not perform fragmentation in IPv6.
- IPv6: fragmentation is handled by the source through Path MTU discovery.

Anycast
- The same anycast address is assigned to a group of interfaces (nodes).
- A packet sent to an anycast address is delivered to the nearest interface (node) having this address.
- Allows service reliability to be increased.
- Allocated from the unicast address space.

- Why IPv6?
- IPv6 Address Space
- Customer LAN migration: IPv6 Address Allocation, Address Assignment, Security

Customer LAN Migration to IPv6
- IPv6 Address Allocation
- Address Assignment
- Security


NKN IPv6 Address Space
- NKN has obtained the 2405:8A00::/32 IPv6 address block from APNIC.
- NKN is allocating a /48 block to every connected member institute.
- A /48 is the minimum block required for multihoming.
- Each and every institute can do multihoming using the NKN IPv6 address block.
- NKN IPv6 ANYCAST DNS SERVER: 2405:8A00:AA::AA

Address allocation plan for an Institute
- Each institute gets a /48 v6 address block from NKN.
- From this block, the user has the flexibility to have 2^16 (i.e., 65536) LANs in its network.
- Each LAN will have 2^64 global IP addresses for client allocation.
- The user also has the option to use Unique Local Addresses in its LAN and do the NATing at the firewall.
- FC00::/7 is the ULA segment.
- But if you are thinking that using ULA will provide you an add-on security feature, then think again.
- Not a recommended practice, but implementation depends on user requirements.

v6 Address Allocation in NKN
NKN IPv6 Address Block: 2405:8a00::/32
- DELHI NKN POP: 2405:8a00:2000::/35
    2405:8a00:2000::/48, 2405:8a00:2001::/48, 2405:8a00:2002::/48 .. 2405:8a00:3fff::/48
- 2405:8a00:6000::/35 and 2405:8a00:4000::/35, labelled on the slide in this order: MUMBAI NKN POP, HYD. NKN POP
    2405:8a00:6000::/48, 2405:8a00:6001::/48, 2405:8a00:6002::/48 .. 2405:8a00:7fff::/48
    2405:8a00:4000::/48, 2405:8a00:4001::/48, 2405:8a00:4002::/48 .. 2405:8a00:5fff::/48
- BENGALURU NKN POP: 2405:8a00:8000::/35
    2405:8a00:8000::/48, 2405:8a00:8001::/48, 2405:8a00:8002::/48 .. 2405:8a00:9fff::/48

NKN has obtained a 2405:8a00::/32 IPv6 block from APNIC. We divide this /32 block into eight /35 blocks. The first /35 block is used for NKN network infrastructure. The remaining seven /35 blocks are assigned to NKN's seven super core POPs. Every super core aggregates multiple institutes. We have assigned a /48 block of IPv6 to every institute from the respective super core block of /35.

IPv6 Address Allocation to Institutes
NKN allocates a /48 to every institute. For example, consider the case of Delhi: block 2405:8a00:2000::/35 is allocated to the Delhi NKN POP. From the given block, we use multiple /48 blocks for institutes.
- Address block 2405:8a00:2000::/35 is allocated to the Delhi Super Core NKN POP.
- The first block of this /35, 2405:8a00:2000::/48, is allocated to Institute 1.
- The second block of this /35, 2405:8a00:2001::/48, is allocated to Institute 2.
- /48 blocks: 2405:8a00:2000::/48, 2405:8a00:2001::/48, 2405:8a00:2002::/48 ... 2405:8a00:3fff::/48
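The /32, /35, /48 and /64 plan above, worked through in Python as an added example (not part of the original slides). It maps any address back to its super core /35, institute /48 and LAN number, which is the lookup needed when writing per-institute filters or attributing log entries; the function names and returned field names are chosen here for illustration.

```python
import ipaddress

NKN_BLOCK = ipaddress.IPv6Network("2405:8a00::/32")
# The /32 split into eight /35 blocks. Per the slides, index 0 is network
# infrastructure and indexes 1-7 are super core POPs (index 1 is Delhi).
SUPER_CORE_BLOCKS = list(NKN_BLOCK.subnets(new_prefix=35))


def locate(addr):
    """Return where an address sits in the allocation plan, or None if outside it."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in NKN_BLOCK:
        return None
    index = next(i for i, blk in enumerate(SUPER_CORE_BLOCKS) if ip in blk)
    pop = SUPER_CORE_BLOCKS[index]
    institute = ipaddress.IPv6Network((ip, 48), strict=False)
    # Position of the /48 inside its /35 (13 bits, so 8192 /48s per POP).
    slot = (int(institute.network_address) - int(pop.network_address)) >> 80
    return {
        "role": "infrastructure" if index == 0 else "super core POP",
        "pop_block": pop,
        "institute_block": institute,
        "institute_number": slot + 1,          # slides count from "Institute 1"
        "lan_id": (int(ip) >> 64) & 0xFFFF,    # 16-bit subnet ID: 2^16 LANs per /48
    }


def institute_range(pop_block):
    """First and last /48 that can be cut from one /35 super core block."""
    first = ipaddress.IPv6Network((pop_block.network_address, 48))
    last = ipaddress.IPv6Network((pop_block.broadcast_address, 48), strict=False)
    return first, last


if __name__ == "__main__":
    # Constructed sample addresses: one inside the Delhi block, one ULA.
    for sample in ("2405:8a00:2001:196::1", "fc00::1"):
        print(sample, "->", locate(sample))
    print(institute_range(SUPER_CORE_BLOCKS[1]))
```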


IPv6 Address Assignment
Similar to IPv4:
- Manually configured
- Assigned via DHCP: (1) Router Solicitation, (2) Router Announcement, (3) DHCPv6 Request, (4) DHCPv6 Reply
New in IPv6:
- Stateless configuration: (1) Router Solicitation (RS), (2) Router Announcement (RA) (/64 prefix, timers, etc.)
    IPv6 Address = /64 prefix + EUI-64 (e.g. MAC address)
- Auto-generated pseudo-random number (rfc3041): (1) Router Solicitation, (2) Router Announcement
    IPv6 Address = /64 prefix + Random 64 bits (rfc3041)

IPv6 Address Assignment
Various IPv6 address assignment methods are as follows:
- Manual Assignment
- Stateless Address Autoconfiguration (SLAAC)
- Stateless DHCPv6
- Stateful DHCPv6
- DHCPv6 Prefix Delegation (DHCPv6-PD)


Stateless Address Auto-configuration (SLAAC)
- The network should have at least one IPv6 router configured to send periodic Router Advertisement (RA) messages.
- An IPv6 host, when connected to the network, sends an ICMPv6 Router Solicit (RS) message and picks up the ICMPv6 RA sent in response by the IPv6 router.
- The IPv6 host uses a combination of the IPv6 prefix received in the RA message and its link layer address to form an IPv6 address.

SLAAC (continued)
- Subnet Prefix + Interface-ID
- At boot time, an IPv6 host builds a Link-Local address, then its global IPv6 address(es) from the RA
- Auto-configuration with no collisions
- Offers plug and play
- The RA message sends network-type information
1. Router Advertisement (RA) sent with A-Flag = ON (default behavior)
    ICMP type = 134
    Src = Router link layer address
    Dst = All node multicast address (ff02::1)
    Data = link-layer address of Router
    Prefix = 2405:8a00:1::/64

EUI-64 Addressing format (Extended Unique Identifier)
- Interface-ID can be manually configured or set using stateless autoconfiguration
- This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
- The U bit is inverted when using EUI-64 format
Worked example from the slide:
    MAC address:         00 26 B9 9B 95 49
    Split in half:       00 26 B9 | 9B 95 49
    Insert FF FE:        00 26 B9 FF FE 9B 95 49
    First octet:         000000U0, where U = 1 = Unique, U = 0 = Not Unique; here U = 1
    EUI-64 format:       02 26 B9 FF FE 9B 95 49

Auto-generated pseudo-random number (rfc3041)
- Auto-generates the 64 bit interface identifier using a random algorithm
- Keeps privacy
How to disable:
    C:\> netsh interface ipv6 set privacy state=disabled
    C:\> netsh interface ipv6 set global randomizeidentifiers=disabled

Why not SLAAC?
- Does not provide DNS/NTP servers to be used by the client
- No authorization to obtain an address on the network
- Attack on Router Discovery
- Attack on Address Configuration (Rogue RA)
- Attack on Address Resolution
- DoS with DAD is always possible (just like ARP spoofing in IPv4)


Stateless DHCPv6
- The host configures its address using SAC, but other information such as DNS is received via DHCPv6.
- The DHCP server must be preconfigured with the other configuration, such as DNS.
- The router/L3 device in between the DHCP server and the host must be preconfigured as a relay router.
- The host will receive:
    List of DHCPv6 Servers
    Network address (using SAC)
    List of DNS etc. (using DHCPv6)
    Domain search list option (using DHCPv6)
- Topology on the slide: Edge Router (R1), Edge Router (R2), DHCPv6 Server, L3 Switch, L2 Switches

Stateless DHCPv6
1. Router Advertisement (RA) sent, containing the link prefix, with A-Flag = ON (default behavior) and also with O-Flag = ON
2. Client auto-configures its address based on the prefix option in the RA, then sends DHCPv6 SOLICIT
Stateless DHCPv6 normally combines stateless autoconfiguration for address assignment with a DHCPv6 exchange for all other configuration settings.
Nodes on the slide: Core Router, DHCPv6-Serv-1, DHCPv6-Relay-3, DHCPv6-Client-1


Stateful DHCPv6
- The DHCP server must be preconfigured with a pool of IP prefixes.
- The router/L3 device in between the DHCP server and the host must be preconfigured as a relay router.
- The host will receive:
    List of DHCPv6 Servers
    Network address
    List of DNS etc.
    Domain search list option
- Topology on the slide: Edge Router (R1), Edge Router (R2), DHCPv6 Server, L3 Switch, L2 Switches

Stateful DHCPv6
RAs can be used to control DHCPv6 client behavior:
1. Router Advertisement (RA) sent with M-Flag = ON and with A-Flag = OFF
2. Client sends DHCPv6 SOLICIT
Nodes on the slide: Core Router, DHCPv6-Serv-1, DHCPv6-Relay-1, DHCPv6-Relay-3, DHCPv6-Client-1
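The A, O and M flag combinations from the SLAAC, Stateless DHCPv6 and Stateful DHCPv6 slides, together with the rogue RA concern from "Why not SLAAC?", as an added Python example for monitoring a LAN (not part of the original slides). The field offsets follow the Router Advertisement layout of RFC 4861; the allowlist, the expected prefix, the sample packets and all function names are assumptions made for the example.

```python
import ipaddress
import struct

RA_TYPE = 134                      # ICMPv6 Router Advertisement
M_FLAG, O_FLAG = 0x80, 0x40        # flags in the RA header
A_FLAG = 0x40                      # flag in the Prefix Information option
# Assumptions: the one legitimate router and prefix of the monitored LAN.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::6e20:56ff:fec5:47df")}
EXPECTED_PREFIX = ipaddress.IPv6Network("2405:8a00:1::/64")


def build_ra(m, o, a, prefix="2405:8a00:1::/64"):
    """Construct a sample RA body (checksum left at zero) for the demo."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                       (M_FLAG if m else 0) | (O_FLAG if o else 0), 1800, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen,
                      0x80 | (A_FLAG if a else 0), 2592000, 604800, 0)
    return head + opt + net.network_address.packed


def parse_ra(icmp):
    """Return the M/O flags and (prefix, A-flag) pairs carried by an RA."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp[5]
    ra = {"m": bool(flags & M_FLAG), "o": bool(flags & O_FLAG), "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:                 # Prefix Information
            net = ipaddress.IPv6Network(
                (icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False)
            ra["prefixes"].append((net, bool(icmp[pos + 3] & A_FLAG)))
        pos += opt_len
    return ra


def assignment_mode(ra):
    """Map the flag combinations to the methods named on the slides."""
    auto = any(a for _, a in ra["prefixes"])
    if ra["m"] and not auto:
        return "stateful DHCPv6"
    if auto and ra["o"] and not ra["m"]:
        return "stateless DHCPv6"
    if auto and not ra["m"]:
        return "SLAAC"
    return "other"                  # combinations the slides do not cover


def ra_findings(src, hop_limit, icmp):
    """List reasons an RA seen on the LAN looks rogue; empty list means clean."""
    findings = []
    if hop_limit != 255:            # RFC 4861: a genuine on-link RA carries 255
        findings.append("hop limit is not 255")
    if ipaddress.IPv6Address(src) not in ALLOWED_ROUTERS:
        findings.append("router not in allowlist")
    for net, _ in parse_ra(icmp)["prefixes"]:
        if net != EXPECTED_PREFIX:
            findings.append(f"unexpected prefix {net}")
    return findings
```

The same checks are what RA Guard style filtering on an L2/L3 switch enforces in hardware; running them on a capture host gives detection where the switch cannot filter.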

Example: Stateful DHCPv6
- DHCPv6 Server: pool of /64 prefixes from 2405:8a00::/32 (2405:8a00:1000:1::/64, 2405:8a00:1000:2::/64)
- L3 Switch (proxy) interfaces: 2405:8a00:1000:1::1/64, 2405:8a00:1000:2::1/64
- DHCPv6 address assignment to the client: 2405:8a00:1000:1::2/64
- Other devices on the slide: Edge Router (R1), L2 Switch


DHCPv6 Delegation Model (rfc3633)
- The DHCP server will delegate prefix addresses to the Edge router.
- The Edge router (which acts as a delegation client for the DHCP server) will act as a DHCP server for hosts, the same as in stateful/stateless DHCPv6.
- The DHCP server must be preconfigured with the prefix address to be delegated to the Edge router.
- The router in between the Edge router and the DHCP server must be preconfigured as a relay router.
- Intermediary routers/L3 devices between the end system and the edge routers must be preconfigured as relay routers.
- The host will receive:
    List of DHCPv6 Servers
    Network address
    List of DNS etc.
    Domain search list option
- Topology on the slide: PE, Edge Router (R1), Edge Router (R2), DHCPv6 Server, L3 Switch, L2 Switches

Example: DHCPv6 Delegation Model (Stateful / Stateless)
- DHCPv6 Server: pool of /64 prefixes from 2405:8a00::/32 (2405:8a00:1000:1::/56, 2405:8a00:1000:256::/56)
- DHCPv6 address delegation to the Edge Router: 2405:8a00:1000:0001::/56
- Edge Router acting as DHCP server: 2405:8a00:1000:0001::1/64
- L3 Switch (proxy) interface: 2405:8a00:1000:0002::1/64
- DHCPv6 address assignment to the client: 2405:8a00:1000:0001::2/64
- Other devices on the slide: L2 Switch

DHCP Deployment Strategy
Stateful DHCPv6 without delegation:
- Central DHCPv6 server assigning addresses to all end clients
- Each L3 device/router's routed ports/SVIs preconfigured with static /64 addresses
- Each L3 device/router configured as relay
- Each client is assigned a DHCPv6 address based on its L3 segment
DHCPv6 delegation model:
- Stateful DHCPv6
- Central DHCP server delegating /56 prefixes to Edge routers
- Edge router in turn acting as DHCPv6 server for downstream clients

Open Source IP Registrar (OSIR)
OSIR is a full feature solution that provides Dynamic Host Configuration Protocol (DHCP) service and delivers client management features.
OSIR features shown on the slide:
- Auto Installation
- Failover Management
- Link Management
- Client Management
- Lease Management
- Policy Management
https://osiradmin.nkn.in


IPv6: What to look out for and how to assess?

WATCH OUT??
- Network Infrastructure: Routers, Bandwidth Shapers, Switches, Layer2/Layer3 Devices
- Data Centre Devices: Load Balancers, Firewall, IPS/IDS, Virtual Machines (VMWARE/ZEN), Blade management consoles, IP KVM
- Clients: PCs on the LAN, Servers, Proxy/UTM, Network Printers, Display System, Antivirus/HIPS

WATCH OUT??
- Software Stacks: Windows/Linux/Solaris/AIX, IIS6 & above / Apache 2 & above, AAA server, Bind 9.5 & above, Database (Transaction Log), Logging Server (Syslog / special tools like Web trends)
- Infrastructure: Power/Infra management S/W, UPS management Console, Building Management System, Access Control System, Cameras, Digital Video Recorders
- Wi-Fi Systems: WIFI controllers, AAA Servers

IPv6 Supported Devices
- Operating System: Windows XP (Service Pack 2), Windows Vista, Windows 7, Windows 8
- Linux: RHEL5, RHEL6, Fedora12 and above
- Cisco Routers: IOS 12.2 and above
- Juniper routers: Junos 6.0R2 and above

Best Deployment Practices
Deployment strategy at the LAN side:
- All clients should be configured with global IP addresses, thus no NAT scenario
- Block all sessions initiated from outside on non-server segments
- Block all irrelevant neighbor discovery protocol messages from outside the LAN except DHCPv6, e.g. NS, NA, RS, RA
- All standard security portfolios of IPv4 should also be implemented for IPv6
- Use L2 switches with L3 capabilities to stop rogue routers and DHCPv6 servers from spoofing the LAN

Security
Diagram labels on the slide: IPv4 Vulnerabilities, IPv6 Vulnerabilities, Specific IPv4 Issues, Specific IPv6 Issues

Thank You