
Document info: 132 pages, 1.02 MB


Page 1

NYSERNet

IPv6 Operations, Tools, and Troubleshooting

Page 2

Agenda

Router Configuration
IPv6 Headers
IPv6 Security
IPv6 Performance and Monitoring
IPv6 Applications

Page 3

Cisco Router Configuration

Page 4

Interface Configuration

LAN Interface

    interface FastEthernet0/0
     ip address 192.168.1.254 255.255.255.0
     ipv6 address 2001:468:123:1::2/64

Page 5

IGP Configuration

IGP – OSPFv3, IS-IS, EIGRPv6

Static:

    ipv6 route <prefix> <nexthop>

Page 6

OSPF for IPv6

Published as RFC 2740 (80 pages!)
– Protocol version 3
– Link-state IGP (additive interface costs)
– Same basic structure as OSPF for IPv4
– IPv4/IPv6 OSPF run as “ships in the night”

Page 7

Changes in OSPF for IPv6

Use of link-local addresses
– Used for next hop
– Link-local destination not forwarded

Authentication changes
– Remove authentication-related fields
– Rely on AH, ESP

Use normal IP checksum

Page 8

OSPFv3 Interface Configuration

    interface Vlan257
     ip address 128.254.1.12 255.255.255.0
     load-interval 30
     ipv6 address 2001:FFE8:1:1::C/64
     ipv6 enable                  ! Not needed for physical interface
     ipv6 ospf network broadcast
     ipv6 ospf 1 area 0.0.0.0
    !
    ipv6 router ospf 1
     log-adjacency-changes
     passive-interface default

Page 9

OSPF Neighbor

    router#show ipv6 ospf neighbor

    Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
    128.254.1.17      1   FULL/BDR        00:00:33    7               Vlan257
    128.254.1.18      1   FULL/DROTHER    00:00:31    7               Vlan257

Page 10

BGP Configuration

    address-family ipv4 multicast
     <ipv4 multicast config>

Page 11

BGP Configuration: General configuration

Add IPv6 to your existing IPv4 BGP config

    router bgp 64555
     bgp router-id 192.168.2.1
     no bgp default ipv4-unicast
     neighbor 2001:DB8:1::2 remote-as 11537

router-id
– only a 32-bit number, not an IPv4 address
– only has to be unique within the AS

Page 12

BGP Configuration: IPv6 Address Family

    address-family ipv6 unicast
     neighbor 2001:DB8:2::1 activate
     neighbor 2001:DB8:2::1 soft-reconfiguration in
     neighbor 2001:DB8:2::1 prefix-list to-Internet2-v6 out
     network 2001:DB8:4ff::/48
    exit-address-family

Page 13

BGP Configuration: Supporting Configuration

    ipv6 route 2001:DB8:4ff::/48 Null0
    !
    ipv6 prefix-list to-Internet2-v6 seq 5 permit 2001:DB8:4ff::/48

The static route to Null0 puts the aggregate into the routing table so that the network statement can originate it, and the prefix-list limits what is announced to the peer to that one prefix.

Page 14

Cisco Show Commands: show bgp ipv6

    c7609#sh bgp ipv6
    BGP table version is 5108260, local router ID is 199.109.35.125
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path

Page 15

Cisco Show Commands: show bgp ipv6 unicast summary

    syr-7600#sh bgp ipv6 uni sum
    BGP router identifier 199.109.0.70, local AS number 3754

    Neighbor         V    AS  MsgRcvd  MsgSent    TblVer  InQ  OutQ  Up/Down  State/PfxRcd
    2620:F::3        4  3754   220379    12569  13209423    0     0  1w0d             6327
    2620:F::8        4  3754   176865   176836  13209423    0     0  15w6d               4
    2620:F::A        4  3754   342247   342214  13209423    0     0  30w5d               7
    2620:F::B        4  3754  8049174   342231  13209423    0     0  30w5d            7721
    2620:F:0:901::3  4  3756   342155  2253291  13209423    0     0  30w5d               2
    2620:F:0:903::3  4    26     6987    46405  13209423    0     0  4d09h               1
    2620:F:0:907::3  4 11872    77607   171775  13209423    0     0  1w1d                1
    2620:F:0:909::4  4 32360   266263  1661429  13209423    0     0  23w6d               1
    2620:F:0:909::5  4 32360   106482   757371  13209423    0     0  9w4d                0
    2620:F:0:910::3  4 65001   310881  2242736  13209423    0     0  30w5d               1
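As an added example (not part of the NYSERNet deck), the following Python script reads this summary the way a monitoring check would: it splits the rows of show bgp ipv6 unicast summary, treats a numeric State/PfxRcd column as an established session and a non-numeric one (Idle, Active, Connect) as a session that is down, and reports peers that are down or receiving fewer prefixes than expected. The sample output is constructed from rows on the slide plus one invented peer, 2620:F:0:999::9, stuck in Active; the prefix threshold is an assumption.

```python
"""Parse 'show bgp ipv6 unicast summary' output and flag sessions that need attention."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: rows taken from the slide plus one made-up peer (2620:F:0:999::9)
# stuck in the Active state. No router was queried for this example.
SAMPLE_OUTPUT = """\
syr-7600#sh bgp ipv6 uni sum
BGP router identifier 199.109.0.70, local AS number 3754
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2620:F::3       4  3754  220379   12569 13209423    0    0 1w0d         6327
2620:F::8       4  3754  176865  176836 13209423    0    0 15w6d           4
2620:F:0:901::3 4  3756  342155 2253291 13209423    0    0 30w5d           2
2620:F:0:909::5 4 32360  106482  757371 13209423    0    0 9w4d            0
2620:F:0:910::3 4 65001  310881 2242736 13209423    0    0 30w5d           1
2620:F:0:999::9 4 65002       0       0        0    0    0 never      Active
"""

@dataclass
class BgpPeer:
    neighbor: str
    remote_as: int
    up_down: str
    state: str               # "Established" when the last column is numeric, else the FSM state
    prefixes: Optional[int]  # prefixes received; None when the session is not established

# One summary row: neighbor, BGP version, AS, message counters, table version, queues,
# up/down time, then either a prefix count or a state such as Idle/Active/Connect.
ROW_RE = re.compile(
    r"^(?P<nbr>[0-9A-Fa-f:.]+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_summary(text: str) -> List[BgpPeer]:
    """Turn the raw command output into BgpPeer records, skipping prompt and header lines."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        last = m.group("state")
        if last.isdigit():
            peers.append(BgpPeer(m.group("nbr"), int(m.group("asn")), m.group("updown"),
                                 "Established", int(last)))
        else:
            peers.append(BgpPeer(m.group("nbr"), int(m.group("asn")), m.group("updown"),
                                 last, None))
    return peers

def find_problems(peers: List[BgpPeer], min_prefixes: int = 1) -> Dict[str, str]:
    """Map neighbor address -> reason for every session an operator should look at first."""
    problems = {}
    for p in peers:
        if p.state != "Established":
            problems[p.neighbor] = f"session is {p.state}"
        elif p.prefixes < min_prefixes:
            problems[p.neighbor] = f"established but only {p.prefixes} prefixes received"
    return problems

if __name__ == "__main__":
    for nbr, why in find_problems(parse_summary(SAMPLE_OUTPUT)).items():
        print(f"{nbr}: {why}")
```

The one-prefix threshold is deliberately low: an iBGP peer that is up but sends zero prefixes, like 2620:F:0:909::5 above, is often a filter or address-family mistake rather than a healthy session, and a summary line alone does not distinguish the two.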

Page 16

Cisco Show Commands: show bgp ipv6 unicast neighbor <addr> routes

    syr-7600#sh bgp ipv6 unicast nei 2620:F::8 routes
    BGP table version is 13209574, local router ID is 199.109.0.70
       Network          Next Hop            Metric LocPrf Weight Path

Page 17

Cisco Show Commands: show bgp ipv6 unicast neighbor <addr>

    Total number of prefixes 9

Page 18

Cisco Show Commands: show ipv6 route

    syr-7600#sh ipv6 route
    IPv6 Routing Table - default - 8932 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
           IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external

Page 19

Cisco Show Commands: show ipv6 interface brief

    syr-7600#sh ipv6 interface brief
    GigabitEthernet1/1         [up/up]
        FE80::212:80FF:FE20:E3C0
        2620:F:0:901::2
    GigabitEthernet1/2         [administratively down/down]
        unassigned
    GigabitEthernet1/3         [up/up]
        unassigned
    GigabitEthernet1/4         [administratively down/down]
        unassigned
    GigabitEthernet1/5         [up/up]
        FE80::212:80FF:FE20:E3C0
        2620:F:0:701::3
    GigabitEthernet1/6         [up/up]
        FE80::212:80FF:FE20:E3C0
        2620:F:0:734::2

Page 20

Cisco Show Commands: show ipv6 interface

    GigabitEthernet1/1 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::212:80FF:FE20:E3C0
      No Virtual link-local address(es):
      Description: NYSERNet Syracuse Office
      Global unicast address(es):
        2620:F:0:901::2, subnet is 2620:F:0:901::2/127
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::D
        FF02::16
        FF02::1:FF00:2
        FF02::1:FF20:E3C0

Page 21

Cisco Show Commands: show ipv6 interface (continued)

    GigabitEthernet1/1 is up, line protocol is up
      …
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      Output features: MFIB Adjacency HW Shortcut Installation
      Post_Encap features: HW shortcut
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds (using 30000)
      ND advertised reachable time is 0 (unspecified)
      ND advertised retransmit interval is 0 (unspecified)
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      ND advertised default router preference is Medium
      Hosts use stateless autoconfig for addresses

Page 22

Cisco Show Commands: show ipv6 neighbors

    c7609#sh ipv6 nei
    IPv6 Address                              Age Link-layer Addr State Interface
    FE80::222:19FF:FE60:383D                    0 0022.1960.383d  STALE Vl101
    2620:F:1:1101::2D                         203 0022.1960.383d  STALE Vl101
    FE80::2F4:B9FF:FE29:45A4                    3 00f4.b929.45a4  STALE Vl103
    2620:F:1:1201:8563:7D6F:2267:194D           0 b8ac.6f9e.ff76  REACH Vl104
    2620:F:1:1201:70B6:66CD:4D79:B026           0 0016.d337.ddc4  STALE Vl104
    2620:F:1:1101::21                           0 0013.2079.bbe7  DELAY Vl101
    FE80::21A:6DFF:FE7C:7B16                    0 001a.6d7c.7b16  REACH Gi1/45
    2620:F:1:1101::3C                           0 0011.43d6.9aa3  STALE Vl101
    FE80::230:48FF:FE52:530E                    8 0030.4852.530e  STALE Vl101
    FE80::223:15FF:FECA:1380                    0 0023.15ca.1380  REACH Vl103
    2620:F:1:1101::37                           8 0030.4852.530e  STALE Vl101

Page 23

Agenda

Router Configuration
IPv6 Headers
IPv6 Security
IPv6 Performance and Monitoring
IPv6 Applications

Page 24

IPv6 Headers

What are the changes in the IP header in IPv6
How those changes may affect policies

Page 25

Basic Headers

(Figure: side-by-side layouts of the IPv6 and IPv4 headers; the image is not included in this extract.)

Page 26

Basic Headers

Next Header (8 bits) – type of the next header, new idea
Hop Limit (8 bits) – was time-to-live, renamed
Source address (128 bits)
Destination address (128 bits)

Page 28

(Figure: IPv6 base header followed by a Routing extension header; fields shown are Version=6, Traffic Class, Flow Label, Payload Length, Next Header=43 (Routing), Hop Limit.)

Page 29

Extension Header Codes

(Table with columns Order, Header Type, Next Header Code.)

Page 30

Extension Headers

Option headers in general
– Provides the next header and length
– Any options that might be defined

Page 31

Header Types

Look in packet for next header
– Can be an extension header
– Can be something like ICMP, TCP, UDP, or other normal types

Page 32

Completely changed – note new header type
Now includes IGMP (MLD)
Types organized as follows

Page 34

ICMP Error Messages

Destination unreachable
– Code 0 – No route to destination
– Code 1 – Can’t get to destination for administrative reasons
– Code 2 – Beyond scope of source address
– Code 3 – Address unreachable
– Code 4 – Port unreachable
– Code 5 – Source address failed ingress/egress policy
– Code 6 – Reject route to destination

Packet too big
– Code 0, parameter is set to MTU of next hop
– Allows for MTU determination

General format:
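The Header Types slide (look in the packet for the next header) and the ICMP Error Messages slide describe two steps of one job: walk the Next Header chain until an upper-layer protocol is reached, then interpret the message that is there. The following Python is added here as an illustration and is not from the deck. It skips Hop-by-Hop, Routing, Fragment and Destination Options headers, verifies the ICMPv6 checksum over the IPv6 pseudo-header, maps type 1 codes to the meanings listed above and reads the next-hop MTU out of a type 2 message. The packet it decodes is constructed inline: the addresses, the PadN option and the 1280-byte MTU are made up for the example.

```python
"""Walk an IPv6 extension-header chain to the upper-layer header, then decode the ICMPv6
error messages from the slide (Destination Unreachable codes 0-6 and Packet Too Big)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

ICMPV6 = 58
# Extension headers that carry a Next Header byte and an 8-octet-unit length and can be skipped.
# AH/ESP are not handled here: the walk simply stops and reports them as the upper layer.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 60: "Destination Options"}

DEST_UNREACH_CODES: Dict[int, str] = {
    0: "No route to destination",
    1: "Can't get to destination for administrative reasons",
    2: "Beyond scope of source address",
    3: "Address unreachable",
    4: "Port unreachable",
    5: "Source address failed ingress/egress policy",
    6: "Reject route to destination",
}

def walk_headers(packet: bytes) -> Tuple[List[str], int, int]:
    """Return (extension headers seen, upper-layer protocol number, offset of that header)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[next_hdr])
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len in 8-octet units,
        # not counting the first 8 octets.
        length = 8 if next_hdr == 44 else (packet[offset + 1] + 1) * 8
        next_hdr = packet[offset]
        offset += length
        if offset > len(packet):
            raise ValueError("extension header runs past end of packet")
    return chain, next_hdr, offset

def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (src, dst, length, next header) plus the message."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_icmpv6_error(packet: bytes) -> dict:
    """Walk to the ICMPv6 header and explain a type 1 or type 2 error message."""
    chain, proto, off = walk_headers(packet)
    if proto != ICMPV6:
        raise ValueError(f"upper-layer protocol is {proto}, not ICMPv6")
    icmp = packet[off:]
    # Recomputing the checksum with the checksum field in place yields 0 for an intact message.
    ok = icmpv6_checksum(packet[8:24], packet[24:40], icmp) == 0
    result = {"ext_headers": chain, "type": icmp[0], "code": icmp[1], "checksum_ok": ok}
    if icmp[0] == 1:
        result["meaning"] = DEST_UNREACH_CODES.get(icmp[1], "unknown code")
    elif icmp[0] == 2:
        result["meaning"] = "Packet too big"
        result["mtu"] = struct.unpack("!I", icmp[4:8])[0]   # the 4-octet parameter holds the next-hop MTU
    return result

def build_sample(icmp_type: int = 2, code: int = 0, param: int = 1280) -> bytes:
    """Construct an ICMPv6 error behind a Destination Options header (example data, not a capture)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    invoking = b"\x60" + b"\x00" * 39                     # start of the packet that triggered the error
    icmp = bytes([icmp_type, code, 0, 0]) + struct.pack("!I", param) + invoking
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    dest_opts = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])       # Next Header=58, Hdr Ext Len=0, PadN option
    payload = dest_opts + icmp
    base = struct.pack("!IHBB", 0x60000000, len(payload), 60, 64) + src + dst
    return base + payload

if __name__ == "__main__":
    print(decode_icmpv6_error(build_sample()))
```

A filter that only reads byte 6 of the IPv6 header would classify the sample packet as "Destination Options" and never see the ICMPv6 message inside; walking the chain is what lets an ACL or IDS apply ICMPv6 policy to it. Since AH and ESP are not walked, a packet carrying them is reported with that protocol number as its upper layer.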

Page 35

Summary of Changes in IPv6

Expanded addressing capabilities
Header format simplification
Improved support for extensions and options
Flow labeling capability
Authentication and privacy capabilities

Page 36

Agenda

Router Configuration
IPv6 Headers
IPv6 Security
IPv6 Performance and Monitoring
IPv6 Applications

Page 37

IPv6 Security: Security Considerations

Evaluate IPv4 Security Best Practices
– Go through your best security practices
– Create campus/department best security practices if necessary
– Check off each practice for IPv6 as well as IPv4

What can you not do in IPv6 that you can in IPv4?
– Machines can and will have multiple addresses – especially if using SLAAC and privacy addresses
– Filters based on source IP will no longer work

Page 38

Security Considerations

Most of the same threats still exist
– Sniffing
– Rogue devices
– Man-in-the-middle (MITM) attacks
– Flooding

IPsec is built in to the IPv6 spec
– Could mitigate most of these threats, if used
– IPv4 ESP traffic estimated as low as 0.9%
– IPv6 accounts for <1% of traffic on Internet2, making IPsec usage largely insignificant

http://www.uoregon.edu/~joe/ipv6-security/

IPv6 Security Threats whitepaper – www.seanconvery.com/v6-v4-threats.pdf

Page 39

Security Considerations

Page 40

IPv6 Security Topics

First Hop Security
Layer 2
Layer 3
Edge
Firewalls/IDS/IPS
Applications

Page 41

IPv6 First Hop Security

First Hop Security refers to securing end station access to the network
Layer 2 technologies such as 802.1x still apply
First Hop Security in IPv4 involves securing against ARP-based attacks, rogue DHCP servers, and packet sniffing

Page 42

IPv6 First Hop Security

First Hop Security in IPv6 does NOT involve ARP, as IPv6 does not use ARP to resolve Layer 3 addresses to machine addresses; IPv6 uses the
First Hop Security in IPv6 still needs to protect against rogue DHCP servers and packet sniffing
First Hop Security in IPv6 also must protect against Rogue Router Advertisements as part of NDP

Page 43

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

Already discussed as part of IPv6 Addressing: Neighbor Solicitations, Neighbor Advertisements, Router Solicitations and Router Advertisements
Securing NDP ensures that the solicitations are only sent from valid hosts, and only valid hosts return advertisements
The specification calls for IPsec; however, IPsec requires IKE, which requires the IP stack to be operational to function… this leads to a bootstrapping problem

Page 44

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

Securing NDP mitigates two main attack vectors – Denial of Service and redirect threats
DoS attacks at the first hop are attempts to prevent the node in question from being able to establish communications on the link
Redirect attacks at the first hop are attempts to divert packets from the node being attacked to other hosts or the default router

Page 45

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

First Hop Denial of Service attacks
– First hop DoS attacks occur when a malicious node replies to every bootstrap neighbor solicitation (NS) request with a neighbor advertisement (NA)
– If this occurs the node under attack will never be able to generate a link-local address, never be able to query the router for the link, and therefore never be able to get a global address (either SLAAC or DHCP)

Page 46

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

First Hop Redirect Attacks
– First Hop Redirect attacks occur when malicious nodes respond to NS requests (not during the bootstrap process) with their own or incorrect information in the NA
– All traffic from the targeted node is redirected to the

Page 47

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

These attack vectors are similar to ARP spoofing in IPv4: malicious hosts attempting to hijack legitimate traffic by interrupting the Layer 3/Layer 2 addressing
Added importance as this threat could not only provide attack vectors but keep legitimate hosts off the network completely

In IPv4 ARP spoofing can be mitigated by a number of methods:
– Port Security – configure switches for a maximum number of MAC addresses
– Dynamic ARP inspection (with DHCP snooping)
– ARP ACLs

Page 48

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

As IPv6 does not use ARP, those mitigation techniques do not all translate
– ARP ACLs and Port Security will not protect against NDP spoofing
– DHCPv6 snooping and Dynamic ARP Inspection are not available

New methods of securing the first hop must be used
– IPv6 binding tables
– IPv6 ND snooping/inspection
– IPv6 Port ACLs on switches
– Secure Neighbor Discovery (SeND)

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-first-hop-security.html#GUID-FA247591-8050-4A6E-B2CC-0DAD4D39F77C

Page 49

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

IPv6 Binding Tables
– Allows for a maximum number of ND table entries
– Similar to ARP port security

IPv6 ND inspection/snooping
– IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not conform are dropped
– This feature mitigates some of the inherent vulnerabilities of the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, router discovery, and the neighbor cache
– Allows for user-defined policies either globally or on a per-port basis
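To make the binding-table idea concrete, here is a toy ND inspector in Python, added here and not drawn from the deck or from Cisco's implementation. It learns IPv6-to-MAC-to-port bindings from Neighbor Advertisements, drops an NA that claims an address already bound to a different MAC or port (the redirect case from the earlier slides), enforces a per-port binding maximum (the "IPv6 Binding Tables" limit), and drops Router Advertisements that arrive on ports not marked as router-facing (the rogue RA case). The message list is constructed: the addresses come from the show ipv6 neighbors slide, while the port names and the last two messages are invented.

```python
"""Toy ND inspection: learn address-to-MAC-to-port bindings from Neighbor Advertisements,
drop NAs that contradict the trusted binding table, cap bindings per port, and drop
Router Advertisements that arrive on ports not marked as router-facing."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class NdMessage:
    kind: str    # "NA" (Neighbor Advertisement) or "RA" (Router Advertisement)
    port: str    # switch port the message arrived on
    mac: str     # source link-layer address
    ipv6: str    # NA target address, or the RA's source link-local address

@dataclass
class NdInspector:
    trusted_router_ports: Set[str]
    max_bindings_per_port: int = 4
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ipv6 -> (mac, port)

    def inspect(self, msg: NdMessage) -> str:
        """Return 'permit', or a string starting with 'drop:' that explains why."""
        if msg.kind == "RA":
            if msg.port in self.trusted_router_ports:
                return "permit"
            return f"drop: rogue RA from {msg.mac} on untrusted port {msg.port}"
        if msg.kind != "NA":
            return f"drop: unsupported message {msg.kind}"
        known = self.bindings.get(msg.ipv6)
        if known is not None and known != (msg.mac, msg.port):
            return (f"drop: {msg.ipv6} is bound to {known[0]} on {known[1]}, "
                    f"but {msg.mac} on {msg.port} claims it")
        if known is None:
            on_port = sum(1 for _, port in self.bindings.values() if port == msg.port)
            if on_port >= self.max_bindings_per_port:
                return f"drop: binding limit {self.max_bindings_per_port} reached on {msg.port}"
            self.bindings[msg.ipv6] = (msg.mac, msg.port)
        return "permit"

def inspect_all(messages: List[NdMessage], inspector: NdInspector) -> List[str]:
    """Run every message through the inspector in order and collect the verdicts."""
    return [inspector.inspect(m) for m in messages]

# Constructed sample (addresses borrowed from the slides, ports and the last two messages
# invented): the real router lives on Gi1/1, two hosts answer on access ports, then a
# device on Gi1/7 sends an RA and an NA for an address that is already bound elsewhere.
SAMPLE: List[NdMessage] = [
    NdMessage("RA", "Gi1/1", "0012.8020.e3c0", "FE80::212:80FF:FE20:E3C0"),
    NdMessage("NA", "Gi1/5", "0022.1960.383d", "2620:F:1:1101::2D"),
    NdMessage("NA", "Gi1/6", "0030.4852.530e", "2620:F:1:1101::37"),
    NdMessage("NA", "Gi1/5", "0022.1960.383d", "2620:F:1:1101::2D"),  # repeat from the same host
    NdMessage("RA", "Gi1/7", "0000.0000.0007", "FE80::7"),
    NdMessage("NA", "Gi1/7", "0000.0000.0007", "2620:F:1:1101::2D"),
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE, inspect_all(SAMPLE, NdInspector({"Gi1/1"}))):
        print(f"{msg.kind} {msg.ipv6} via {msg.port}: {verdict}")
```

A production implementation also learns from DAD Neighbor Solicitations and DHCPv6, ages bindings out, and has to accommodate the point made earlier that hosts carry several addresses (link-local, SLAAC, privacy), which is why the per-port limit must be well above one.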

Page 50

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

IPv6 Port ACLs
– Allows for an IPv6 ACL to be applied in port mode with the command access-group mode prefer port and then applying the ACL to the physical port

Page 51

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

Secure Neighbor Discovery (SeND)
– SeND secures the Neighbor Discovery process by requiring certificates and key pairs
– SeND extends the ND protocol with new options: Certificate Path Solicitation and Certificate Path Answer
– Associates a cryptographic public key with an IPv6 address
– Cryptographically Generated Addresses (CGAs) are generated with the public key and other parameters and signed with a private key

Page 52

IPv6 First Hop Security: Neighbor Discovery Protocol (NDP)

Secure Neighbor Discovery (SeND)

Before configuring SeND the following must be performed:
– Hosts are configured with one or more trust anchors
– Hosts are configured with an RSA key pair or the ability to locally generate one
– Routers are configured with RSA keys and the corresponding certificate chains
– During the boot process, hosts and routers will either retrieve or generate their CGAs and save them into storage
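The two SeND slides above state that a CGA is generated from the public key and other parameters. The following Python, added here as an illustration and not taken from the deck, carries out that construction as RFC 3972 specifies it (Hash1 supplies the interface identifier, Hash2 enforces the Sec work factor) and verifies an address against its parameters. The public key is a placeholder byte string rather than a DER-encoded RSA key, the optional extension fields are omitted, and the starting modifier is fixed so that a run is repeatable; signing of ND messages with the private key is not shown.

```python
"""Cryptographically Generated Addresses (RFC 3972), the address construction SeND relies on:
derive an interface identifier from a public key and verify it against the CGA parameters."""
import hashlib
import ipaddress
from typing import Tuple

def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def _has_leading_zero_bits(data: bytes, nbits: int) -> bool:
    if nbits == 0:
        return True
    return int.from_bytes(data, "big") >> (len(data) * 8 - nbits) == 0

def _interface_id(hash1: bytes, sec: int) -> bytes:
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # Sec in the leftmost 3 bits, "u" and "g" bits cleared
    return bytes(iid)

def generate_cga(prefix: str, pubkey: bytes, sec: int,
                 modifier: bytes = b"\x00" * 16, collision_count: int = 0) -> Tuple[str, bytes]:
    """Return (address, final modifier). A larger Sec demands more leading zero bits in Hash2,
    which makes finding a key pair that reproduces someone else's address correspondingly harder."""
    net = ipaddress.IPv6Network(prefix)
    if not (0 <= sec <= 7 and net.prefixlen == 64 and len(modifier) == 16 and collision_count <= 2):
        raise ValueError("bad CGA parameters")
    mod = int.from_bytes(modifier, "big")
    while True:
        mod_bytes = mod.to_bytes(16, "big")
        if _has_leading_zero_bits(_hash2(mod_bytes, pubkey), 16 * sec):
            break
        mod = (mod + 1) % (1 << 128)   # RFC 3972 generation step 3: bump the modifier and retry
    prefix_bytes = net.network_address.packed[:8]
    iid = _interface_id(_hash1(mod_bytes, prefix_bytes, collision_count, pubkey), sec)
    return str(ipaddress.IPv6Address(prefix_bytes + iid)), mod_bytes

def cga_sec(address: str) -> int:
    """Sec is carried in the leftmost 3 bits of the interface identifier."""
    return ipaddress.IPv6Address(address).packed[8] >> 5

def verify_cga(address: str, pubkey: bytes, modifier: bytes, collision_count: int) -> bool:
    """Hash1 and Hash2 checks of RFC 3972: was this address derived from these parameters?"""
    if collision_count > 2 or len(modifier) != 16:
        return False
    packed = ipaddress.IPv6Address(address).packed
    prefix_bytes, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    if _interface_id(_hash1(modifier, prefix_bytes, collision_count, pubkey), sec) != iid:
        return False
    return _has_leading_zero_bits(_hash2(modifier, pubkey), 16 * sec)

# Constructed example key: a real deployment uses the DER-encoded RSA SubjectPublicKeyInfo.
EXAMPLE_PUBKEY = b"example RSA public key bytes (placeholder, not a real key)"

if __name__ == "__main__":
    address, mod = generate_cga("2001:db8:1:1::/64", EXAMPLE_PUBKEY, sec=1)
    print(address, mod.hex(), verify_cga(address, EXAMPLE_PUBKEY, mod, 0))
```

Verification only proves that whoever produced the address held the public key that the parameters name; binding that address to a live host is what the signature over the ND message adds, and the trust anchors listed on the slide are what let a host decide whether to believe a router's certificate path.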

Posted: 24/10/2014, 14:04
