© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v Security Issues in IPv6 Understanding IPv6 Security Practices

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Build Distributed Security Capability Now Interior Router Edge Firewall PC w/Platform FW Internet-Based Peer Pinhole permit for IPsec ESP between PC and Server Deep traffic inspection performed here Distributed firewall needed for securing end-to-end sessions

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Hide Topology When Possible Interior Router Edge Firewall Correspondent Node Allows MIPv6 Functions 2001:DB8:8904:17BA::/64 MIPv6 Mobile Node Home Agent Router 2001:DB8:8904:A23B::/64 Topology hiding still possible in IPv6 deployment

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Secure a Local-Link IP-AMAC-A Node A Node B Node C IP-AMAC-B Correct Wrong! Sends false NA Protect against link-local attacks using SeND/CGA

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v ICMPv6 at EdgeManage ICMPv6 Traffic Edge Firewall Peer Application Internet-Based Peer ICMPv6 Too Big ICMPv6 Time Exceeded ICMPv6 Parameter Problem Internet Router Allow selective ICMPv6, rate-limit ICMPv6 needed for properly-functioning IPv6 network

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Develop Mobility Support Plan Edge Firewall Allow MIPv6 Functions Home Agent Router 2001:DB8:8904:A23B::/64 Interior Router 2001:DB8:8904:17BA::/64 MIPv6 Mobile Node Correspondent Node Type-2 Routing Header MIPv6 impacts security posture when deployed.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Transition Mechanisms as Transport Only Advertising 2002::/16 IPv6 Internet 6to4 Site 6to4 Site Router 6to4 Relay Router IPv6 Firewall Untunneled IPv6 Packets Transition mechanisms require active security planning.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Secure the Routing Plane Advertising 2001:DB8:8904:1700::/56 Advertising 2001:DB8:8904:1800::/56 Advertising 2001:DB8:8904:1700::/58 Attacker Bogus route injection easily prevented using authentication

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Deploy an Early-Warning System Edge Firewall Internet Node Inspect for IPv6 Dual-Stack Host Teredo Attempting UDP 3544 Server Bootstrap Actively monitor for IPv6, prevent accidental backdoor connections

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Use ULA for Internal-Use-Only Nodes Interior Router Edge Firewall HTTP Proxy Web Server ACL to restrict ULA leakage Interior Router Globally-routable IPv6 address FD8A:872F:8904:13FF::/64 FD8A:872F:8904:17BA::/64 FD8A:872F:8904:1D55::/64 Interior Host

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v Summary IPv6 security practices will be different from longstanding IPv4 practices, because the protocol works differently and offers a number of potential new services. Increased use of tunneling and IPsec makes edge firewalls less effective. Topology hiding is still possible, sometimes desireable. New tools are becoming available to secure the local-link. ICMPv6 must be allowed to flow for network to perform optimally. MIPv6 is a powerful protocol with significant security practice impacts. Transition mechanisms are intended to move IPv6 packets in mixed IPv4/IPv6 environmentssecurity not built-in to these tools. Authenticating routing protocols is easy to do and provides real benefits (IPv4 and IPv6). Actively monitor for IPv6 activity inside the network, and seek to manage bootleg activity.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v