brksec-2003

© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr

1

© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRSEC-200314343_04_2008_c2 2

IPv6 Security Threats and Mitigations

BRKSEC-2003


2

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3BRKSEC-200314343_04_2008_c2

Session Objectives

IPv6 vs. to IPv4 from a threat and mitigation perspective

Advanced IPv6 security topics like transition options and dual stack environments

Requirements: Basic knowledge of the IPv6 and IPsec protocols as well as IPv4 security best practices


For Reference Slides

There are more slides in the hand-outs than presented during the class

Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)

For YourReference


3


Agenda

Shared Issues by IPv4 and IPv6

Specific Issues for IPv6IPsec everywhere, dual-stack, tunnels and 6VPE

IPv6 Security Best Common Practice

Enforcing a Security Policy in IPv6ACL, Firewalls and Host IPS

Enterprise Secure DeploymentSecure IPv6 transport over public network


Shared Issues

Security Issues Shared by IPv4 and IPv6


4


Reconnaissance in IPv4

1. DNS/IANA crawling (whois) to determine ranges

2. Ping sweeps and port scans

3. Application vulnerability scans

[tick:/var] scott# nmap -sP 10.1.1.0/24Starting nmap V. 3.00 ( www.insecure.org/nmap/ )Host (10.1.1.0) seems to be a subnet broadcast …Host (10.1.1.1) appears to be up.Host (10.1.1.12) appears to be up.Host (10.1.1.22) appears to be up.Host (10.1.1.23) appears to be up.Host (10.1.1.101) appears to be up.Host (10.1.1.255) seems to be a subnet broadcast …Nmap run completed -- 256 IP addresses (7 hosts up) scanned in 4 seconds

Relatively Easy to Perform



Default subnets in IPv6 have 264 addresses 10 Mpps = More than 50 000 years

NMAP doesn’t even support ping sweeps on IPv6 networks

Subnet Size Difference


5



Public servers will still need to be DNS reachable More information collected by Google...

Cfr SensePost BiDiBLAH

Increased deployment/reliance on dynamic DNSMore information will be in DNS

Administrators may adopt easy-to-remember addresses (::10,::20,::F00D, ::C5C0 or simply IPv4 last octet for dual stack)

By compromising hosts in a network, an attacker can learn new addresses to scan

Scanning Methods Are Likely to Change


Reconnaissance in IPv6?

For example, all routers (FF05::2) and all DHCP servers (FF05::1:3)

No need for reconnaissance anymore

Some deprecated (RFC 3879) site-local addresses are still used

FEC0:0:0:FFFF::1 DNS server

2001:0410::50

2001:0410::60

2001:0410::70

Attacker FF05::1:3

Source Destination Payload

DHCP Attack

Easy with Multicast!


6


Preventing Reconnaissance with IPv6 Multicast

The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside

ACL block ingress/egress traffic toBlock FEC0::/10 (site-local addresses)

Permit mcast to FF02::/16 (link-local scope)

Permit mcast to FF0E::/16 (global scope)

Block all mcast

Organization A

Organization B

ipv6 access-list NO_RECONNAISSANCEdeny any fec0::/10permit any ff02::/16permit any ff0e::/16deny any ff00::/8permit any any


Viruses and Worms in IPv6

Viruses and email worms: IPv6 brings no change

Other worms:IPv4: reliance on network scanning

IPv6: not so easy (see reconnaissance) will use alternative techniques

Worm developers will adapt to IPv6

IPv4 best practices around worm detection and mitigation remain valid

Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery...


7


IPv6 Privacy Extensions (RFC 3041)

Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detectionbefore using itRate of change based on local policy

2001

/32 /48 /64/23

Interface ID

Recommendation: Use Privacy Extensions for External Communication but Not for Internal Networks (Troubleshooting and Attack Trace Back)

Temporary addresses for IPv6 host client application, e.g. web browser


How to Prevent Privacy Extension

Microsoft WindowsDeploy a Group Policy Object (GPO)

or

AlternativelyUse DHCP (see later) to a specific pool

Ingress filtering allowing only this pool

netsh interface ipv6 set global randomizeidentifiers=disablednetsh interface ipv6 set global randomizeidentifiers=disabled store=persistentnetsh interface ipv6 set privacy state=disabled store=persistent


8


IPv6 Intranet

Access Control in IPv6 Privacy Extension

Good to protect the privacy of a host/user

Hard to define authorization policy when the Layer 3 information is always changing :-)

Firewall

Management System IPv6 Address—2001:DB8:F15:C15::1*

Management System New IPv6 Address—2001:DB8:F15:C15::2*

Internal Server2001:DB8:F15:c16::1/64

*Not real RFC3041 derived addresses

X

Deny

Permit

Action

AnyAny

80Any2001:DB8:F15:c16::1

2001:DB8:F15:C15::1

Dst PortSrc PortDestSrc


L3-L4 Spoofing in IPv4

L4 spoofing can be done in concert with L3 spoofing to attack systems (most commonly running UDP, i.e. SNMP, Syslog, etc.)


9


IPv6 Intranet

IPv6 Bogon Filtering

In IPv4, easier to block bogons than to permit non-bogons

In IPv6, in the beginning when a small amount of top-level aggregation identifiers (TLAs) has been allocated

Easier to permit non-bogons

Now, more complex: http://www.cymru.com/Bogons/ipv6.txt

Now IPv6 is in a similar situation as IPv4 Same technique = uRPF

Inter-Networking Device with uRPF Enabled

IPv6 Unallocated Source Address

X IPv6 Intranet/Internet

No Route to SrcAddr Drop


L3 Spoofing in IPv6

Access Layer


Spoofed IPv6Source Address


No Route to Src Addr PrefixDrop

Access Layer


Spoofed IPv6Source Address


No Route to Src Addr Prefix out the Packet Inbound Interface Drop

uRPF Loose Mode

uRPF Strict Mode

uRPF Remains the Primary Tool for Protecting Against L3 Spoofing


10


ICMPv4 vs. ICMPv6

Significant changes

More relied upon

ICMP policy on firewalls needs to change

XMobile IPv6 Support

XMulticast Group Management

XAddress Resolution

XAddress AssignmentXXFragmentation Needed Notification

Informational/Error Messaging

Connectivity Checks

ICMP Message Type

XX

XX

ICMPv6ICMPv4


Generic ICMPv4

Internet

Internal Server A

Permit

Permit

Permit

Permit

Permit

Action

Time Exceeded—TTL Exceeded011AAny

Dst. Unreachable—Frag. Needed43AAny

Dst. Unreachable—Net Unreachable03AAny

Echo Request08AAny

Echo Reply00 AAny

NameICMPv4 Code

ICMPv4 TypeDstSrc

For YourReference

Border Firewall Policy


11


Equivalent ICMPv6

*RFC 4890

For YourReference

Border Firewall Policy*

Internet

Internal Server A

Permit

Permit

Permit

Permit

Permit

Action

Time Exceeded—TTL Exceeded03AAny

Packet Too Big02AAny

No Route to Dst.01AAny

Echo Request0129AAny

Echo Reply0128 AAny

NameICMPv6 Code

ICMPv6 TypeDstSrc


Internet

Internal Server A

Potential Additional ICMPv6 Firewall B

*RFC 4890

Permit

Permit

Permit

Permit

Permit

Action

Parameter Problem04BAny

Neighbor Solicitation and Advertisement0133/134BAny

Multicast Listener0130–132BAny

Packet too Big02BAny

Parameter Problem04AAny

NameICMPv6 Code

ICMPv6 TypeDstSrc

For YourReference

Border Firewall Policy*


12


Fragmentation Used in IPv4 by Attackers

Great evasion techniques

Tools like whisker, fragrout, etc.

Makes firewall and network intrusion detection harder

Used mostly in DoSing hosts, but can be used for attacks that compromise the host


Fragment Header

Fragment Header: IPv6

In IPv6 fragmentation is done only by the end system

Reassembly done by end system like in IPv4

Attackers can still fragment in intermediate system on purpose

a great obfuscation tool

Fragment Data

IPv6 Basic HeaderNext Header = 44 Fragment

Header

Fragment Header

IdentificationReserved Fragment OffsetNext Header


13


IPv6 Fragmentation: Still Need Reassembly in the Firewall and NIPS

Should we consider 2.1a part of the data stream “USER root”?

Or is 2.1b part of the data stream? “USER foot”If the OS makes a different decision than the monitor: bad

Even worse: different OSs have different protocol interpretations

TCP USIP11

ERIP12

IP21a TCP ro

IP22 ot

1.1

1.2

2.1b

2.2

IP21b TCP fo

2.1a

Time

Imagine an Attacker Sends:


IPv6 Fragmentation

Procedure1. Parse the next headers until the fragment header

Extract the flags and offset

2. Parse further NHs until the upper layer protocol

3. Check if enough of the upper Layer protocol header is within the first fragment

This makes matching against the first fragment non-deterministic: TCP/UDP/ICMP might not be thereBut in a later fragment

Need for stateful inspection

Issues for Non-Stateful Filtering Devices


14


IPv6 Fragmentation

fragment keyword matches Non-initial fragments (same as IPv4)

And the first fragment if the L4 protocol cannot be determined

Best common practiceDeny IPv6 fragments destined to an internetworking device (DoS vector)

Infrastructure ACL

Fragment Keyword in IPv6 ACL


IPv6 Routing Header

An extension header

Processed by the listed intermediate routers

Two typesType 0: Similar to IPv4 source routing (multiple intermediate routers)

Type 2: Used for mobile IPv6

Routing Header

Routing Header Data

IPv6 Basic HeaderNext Header = 43 Routing Header

Routing HeaderExt Hdr LengthNext Header RH Type Segments Left


15


Type 0 Routing Header

Rule on the Firewall

Allow proto tcp from any to webserver port 80

Deny proto tcp from any to any

Firewall

Host1

Host2

Web

src=host1,dst=web,

payload proto=tcp, dport=80rtheader=host2, segments left=1 src=host1,

dst=host2rtheader=web,segments left=0

payload proto=tcp, dport=80IPv6

Network

Issue #1: Traffic Rebound


Type 0 Routing Header

What if attacker sends a packet with RH containingA B A B A B A B A ...

Packet will loop multiple time on the link R1-R2

An amplification attack!

A B

Issue #2: Amplification Attack


16


IPv6 Type 2 Routing Header

Required by mobile IPv6 (see later)

Rebound/amplification attacks impossibleOnly one intermediate router: the mobile node home address

Routing Header

Mobile Node Home Address

IPv6 Basic HeaderNext Header = 43 Routing Header

Routing HeaderExt Hdr LengthNext Header RH Type = 2 Segments Left = 1


Preventing Routing Header Attacks

Apply same policy for IPv6 as for Ipv4: Block Routing Header type 0

Prevent processing at the intermediate nodesno ipv6 source-route

Windows, Linux, MacOS: default setting

At the edgeWith an ACL blocking routing header

RFC 5095 (December 2007) RH0 is deprecatedDefault Cisco IOS® will change in 12.5T


17


Quick Refresh

With ARP misuse host W can claim to be the default gateway and hosts X and Y will route traffic through him; man in the middle attack

1.2.3.0/24

Host W.4

.1

Host Y.2

Host X.3

• With DHCP it is similar except the attacker just needs to put a DHCP server on the wire delivering false information (gateways, DNS servers, etc.)

ARP and DHCP Attacks in IPv4


Neighbor Discovery Issue #1

Router Solicitations are sent by booting nodes to request router advertisements for configuring

2. RA:Src = Router Link-local AddressDst = All-nodes multicast addressICMP Type = 134Data= options, prefix, lifetime, autoconfig flag

2. RA2. RA1. RS

ICMP without Any Authentication Gives Exactly Same Level of Security as ARP for IPv4 (None)

Attack Tool:fake_router6

Can Make Any IPv6 Address the Default Router

Stateless Autoconfiguration

1. RS:Src = ::

Dst = All-Routers multicast Address

ICMP Type = 133

Data = Query: please send RA


18



Src = ADst = Solicited-node multicast of BICMP type = 135Data = link-layer address of A

Query: what is your link address?

A B

Src = BDst = AICMP type = 136Data = link-layer address of B

A and B Can Now Exchange

Packets on This Link

Security Mechanisms Built into Discovery Protocol = None

Very Similar to ARP

Attack Tool:Parasite6Answer to All NS, Claiming to Be All Systems in the LAN...

Neighbor Solicitation



Duplicate Address Detection (DAD) uses neighbor solicitation to verify the existence of an address to be configured

Src = ::Dst = Solicited-node multicast of AICMP type = 135 Data = link-layer address of A

Query = what is your link address?

A BFrom RFC 2462:

« If a Duplicate @ Is Discovered…the Address Cannot Be Assigned to the Interface »

What If: Use MAC@ of the Node You Want to DoS and Claim Its IPv6 @

Attack Tool:dos-new-ipv6

Duplicate Address Detection


19


ICMP Issue #4

Redirect is used by a router to signal the reroute of a packet to a better router

Original packet has to be included...

Redirect:Src IP: R2 (Default Router)Dst IP: AData: Good Router = R1

2001:DB8:C18:2::/64

R1

R2A B

Src: ADst IP: 2001:DB8:C18:2::1Dst Ethernet: R2 (Default Router)

Original Packet Has to Be Included to Prevent Spoofed Redirect…ButWhat if Attacker First Sent ICMP Echo Request? The Reply Packet Is Predictable…

In IPv4: « no ip icmp redirect »In IPv6: « no ipv6 redirect »

Spoofed Redirect


Neighbor Discovery Attacks inIPv6 RFC 3756

Redirect attacks A malicious node redirects packets away from a legitimate receiver to another node on the link

Denial-of-service attacks A malicious node prevents communication between the node under attack and other nodes

Flooding denial-of-service attacksA malicious node redirects other hosts’ traffic to a victim node creating a flood of bogus traffic at the victim host


20


Secure Neighbor Discovery (SEND)RFC 3971

Certification pathsAnchored on trusted parties, expected to certify the authority of the routers on some prefixes

Cryptographically Generated Addresses (CGA)IPv6 addresses whose the interface identifier is cryptographically generated

RSA signature optionProtect all all messages relating to neighbor and router discovery

Timestamp and nonce optionsPrevent replay attacks


Cryptographically Generated Addresses CGA RFC 3972 (Simplified)

Each devices has a RSA key pair (no need for cert)Ultra light check for validityPrevent spoofing a valid CGA address

SHA-1

RSA KeysPriv Pub

SubnetPrefix

InterfaceIdentifier

Crypto. Generated Address

Signature

SEND Messages

Modifier(nonce)Public

KeySubnetPrefix

CGA Params


21


Secure Neighbor Discovery: Caveats

Private/public key pair on all devices for CGAOverhead introduced

Routers have to do many public/private key calculation (some may be done in advance of use)

Potential DoS targetRouters need to keep more state

Available: LinuxMicrosoft: no support on Vista, probably Windows 2008Future implementation: Cisco IOS

BRKSEC-4003: Advanced IPv6 Security: Secure Neighbor Discovery


DHCPv6 Threats

Note: use of DHCP is announced in Router Advertisements

Rogue devices on the network giving misleading information or consuming resources (DoS)

Rogue DHCPv6 client and servers on the network (same threat as IPv4)

Rogue DHCPv6 servers on the site local multicast address (FF05::1:3) (new threat in IPv6)

Tampering of communication between DHCPv6 relays and servers

Scanning possible if leased addresses are consecutive


22


DHCPv6 Threat Mitigation

Rogue clients and servers can be mitigated by using the authentication option in DHCPv6

There are not many DHCPv6 client or server implementations using this today

Cisco Network Registrar®

DHCPv6 Server

Leased addresses are random scanning difficult

Can also lease temporary addresses (like privacy extension)

For really paranoid: Protect the relay to server communications with IPsec (similar to IPv4)


Quick Reminder

ICMP REQ D=160.154.5.255 S= 172.18.1.2

160.154.5.0

Attempt toOverwhelm WAN

Link to Destination

ICMP REPLY D=172.18.1.2 S=160.154.5.19

ICMP REPLY D=172.18.1.2 S=160.154.5.18

ICMP REPLY D=172.18.1.2 S=160.154.5.17

ICMP REPLY D=172.18.1.2 S=160.154.5.16

ICMP REPLY D=172.18.1.2 S=160.154.5.15

ICMP REPLY D=172.18.1.2 S=160.154.5.14

172.18.1.2

BelgianSchtroumpf

IPv4 Broadcast Amplification: Smurf


23


IPv6 and Broadcasts

There are no broadcast addresses in IPv6

Broadcast address functionality is replaced with the appropriate link local multicast address

Link Local All Nodes Multicast—FF02::1

Link Local All Routers Multicast—FF02::2


IPv6 and Other Amplification Vectors

Specific mention is made in ICMPv6 RFC that no ICMP error message should be generated in response to a packet with a multicast destination address

The exceptions are the packet too big message and the parameter problem ICMP messages

RFC 2463 Section 2.4 (e.2)

Implement Ingress Filtering of Packets withIPv6 Multicast Source AddressesRate Limit ICMP Packets


24


Preventing IPv6 Routing Attacks

BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update

OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPsec

RIPng also relies on IPsec

IPv6 routing attack best practicesUse traditional authentication mechanisms on BGP and IS-IS

Use IPsec to secure protocols such as OSPFv3 and RIPng

Protocol Authentication


OSPF or EIGRP Authenticationinterface Ethernet0/0ipv6 ospf 1 area 0ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

interface Ethernet0/0ipv6 authentication mode eigrp 100 md5ipv6 authentication key-chain eigrp 100 MYCHAIN

key chain MYCHAINkey 1

key-string 1234567890ABCDEF1234567890ABCDEF accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008

send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007

For YourReference


25


IPv6 Attacks with Strong IPv4 Similarities

SniffingWithout IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

Application layer attacksEven with IPsec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent

Rogue devicesRogue devices will be as easy to insert into an IPv6 network as in IPv4

Man-in-the-Middle Attacks (MITM)Without IPsec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4

FloodingFlooding attacks are identical between IPv4 and IPv6


IPv6 Stack Vulnerabilities

IPv6 stacks are new and could be buggy

IPv6 enabled application can have bugs

Some examplesApple Mac OS X IPv6 Packet Processing Double-Free Memory Corruption (November 2007)

Cisco Security Advisory: IPv6 Routing Header (May 2007)

OpenBSD remote code execution in IPv6 stack (March 07)

Python getaddreinfo() remote IPv6 buffer overflow

Apache remote IPv6 buffer overflow

...


26


By the Way: It Is Real

Sniffers/packet captureSnortTCPdumpSun Solaris snoopCOLDEtherealAnalyzerWindumpWinPcapNetPeekSniffer Pro

WormsSlapper

Advisories/field noticeshttp://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtmlhttp://www.kb.cert.org/vuls/id/658859

ScannersIPv6 security scannerHalfscan6NmapStrobeNetcat

DoS Tools6tunneldos4to6ddosImps6-tools

Packet forgersScapy6SendIPPackitSpak6

Complete toolhttp://www.thc.org/thc-ipv6/

IPv6 Hacking ToolsLet the Games Begin


By the Way: It Is Real

Sniffers/packet captureSnortTCPdumpSun Solaris snoopCOLDEtherealAnalyzerWindumpWinPcapNetPeekSniffer Pro

WormsSlapper

Advisories/field noticeshttp://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtmlhttp://www.kb.cert.org/vuls/id/658859

ScannersIPv6 security scannerHalfscan6NmapStrobeNetcat

DoS Tools6tunneldos4to6ddosImps6-tools

Packet forgersScapy6SendIPPackitSpak6

Complete toolhttp://www.thc.org/thc-ipv6/

IPv6 Hacking ToolsLet the Games Begin


27


Specific IPv6 Issues

Issues Applicable Only to IPv6


IPv6 Header Manipulation

Unlimited size of header chain (spec-wise) can make filtering difficultPotential DoS with poor IPv6 stack implementations

More boundary conditions to exploitCan I overrun buffers with a lot of extension headers?

Perfectly Valid IPv6 Packet According to the Sniffer

Destination Options Header Should Be the Last

Header Should Only Appear Once

Destination Header Which Should Occur at Most Twice


28


The IPsec Myth

IPv6 mandates the implementation of IPsec

IPv6 does not require the use of IPsec

Some organizations believe that IPsec should be used to secure all flows...

Interesting scalability issue (n2 issue with IPsec)

Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall

Network telemetry is blinded: NetFlow of little use

Network services hindered: What about QoS?

Recommendation: Do not use IPsec end to end within an administrative domain

Suggestion: Use IPsec for residential

IPsec End-to-End Will Save the World


IPv4 to IPv6 Transition Challenges

16+ methods, possibly in combinationIP spoofing

Dual stackConsider security for both protocols

Cross v4/v6 abuse

Resiliency (shared resources)

TunnelsBypass firewalls (protocol 41 or UDP)


29


Dual Stack Host Considerations

Host security on a dual-stack deviceApplications can be subject to attack on both IPv6 and IPv4

Host security controls should block and inspect traffic from both IP versions

Host intrusion prevention, personal firewalls, VPNclients, etc.

Dual Stack Client

IPv4 IPsecVPN with No Split Tunneling

Does the IPsec Client Stop an Inbound IPv6 Exploit?

IPv6 HDR IPv6 Exploit


Dual Stack with Enabled IPv6 by Default

Your host:IPv4 is protected by your favorite personal firewall...

IPv6 is enabled by default (Vista, Linux, MacOS, ...)

Your network:Does not run IPv6

Your assumption:I’m safe

RealityYou are not safe

Attacker sends Router Advertisements

Your host configures silently to IPv6

You are now under IPv6 attack

Probably time to think about IPv6 in your network


30


Enabling IPv6 on a Remote Host(In this Case MacOS)

1. Dual-Stack MacOS: Any IPv6 Router?2. Hacker: I’m the Router

3. Newly Enabled IPv6 MacOS Does DAD

4. The Full IPv6 Address of the MacOS


IPv6 Tunneling Summary

RFC 1933/2893 configured and automatic tunnels

RFC 2401 IPsec tunnel

RFC 2473 IPv6 generic packet tunnel

RFC 2529 6over4 tunnel

RFC 3056 6to4 tunnel

ISATAP tunnel

MobileIPv6 (uses RFC2473)

Teredo tunnels

Only allow authorized endpoints to establish tunnels

Static tunnels are deemed as “more secure,” but less scalable

Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks

These tools have the same risk as IPv4, just new avenues of exploitation

Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPsec


31


IPv6 in IPv4Tunnel

L3–L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels

Most IPv4/IPv6 transition mechanisms have no authentication built in

an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses

Public IPv4 Internet

Server B Server A

Tunnel Termination

TunnelTermination

IPv6 Network IPv6 Network

IPv6 ACLs Are Ineffective Since IPv4 and IPv6 Is Spoofed Tunnel Termination Forwards the Inner IPv6 PacketIPv4

IPv6


Transition Threats: ISATAP

Unauthorized tunnels—firewall bypass (protocol 41)

IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise

This has implications on network segmentation and network discovery

No authentication in ISATAP—rogue routers are possible

Host security needs IPv6 support

ISATAP Router

ISATAP Tunnels

Direct Communication

Any Host Can Talk to the Router

IPv4 Network ~ Layer 2 for IPv6 Service


32


Teredo?

Teredo Navalis A shipworm drilling holes in boat hulls

Teredo MicrosoftisIPv6 in IPv4 punching holes in NAT devices

Source: United States Geological Survey


Teredo Tunnels (1 of 3)

Without Toredo TunnelsAll outbound traffic inspected: e.g., P2P is blockedAll inbound traffic blocked by firewall

IPv4 Intranet

IPv4 Firewall

IPv6 Internet

Teredo Relay

IPv4 Internet

Without Teredo: Controls Are in Place


33



Teredo threats—IPv6 over UDP (port 3544)Internal users wants to get P2P over IPv6Configure the Teredo tunnel (already enabled by default!)FW just sees IPv4 UDP traffic (may be on port 53)No more outbound control by FW

IPv4 FirewallTeredo Relay

IPv4 Intranet

IPv6 InternetIPv4 Internet

No More Outbound Control



Once Teredo is configuredInbound connections are allowedIPv4 firewall unable to controlIPv6 hackers can penetrateHost security needs IPv6 support now

Teredo Relay

No More Outbound Control

IPv4 Intranet

IPv6 InternetIPv4 Internet

IPv4 Firewall


34


Understand the Behavior of Vista

IPv6 is preferred over IPv4Vista sends IPv6 NA/NS/RS upon link-up

Attempts DHCP for IPv6

Else wait for local RA received with Global or ULA

Else try ISATAP

Else try Teredo

Else use IPv4—last resort

http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx


Can We Block Rogue Tunnels?

Rogue tunnels by naïve users:Sure, block IP protocol 41 and UDP/3544

In Windows:

Really rogue tunnels (covert channels)No easy way...

Teredo will run over a different UDP port of course

Network devices can be your friend (more to come)

Deploying native IPv6 (including IPv6 firewalls) is probably a better alternative

Or disable IPv6 on Windows through GPO or CSA 6.0

netsh interface 6to4 set state state=disabled undoonstop=disablednetsh interface isatap set state state=disablednetsh interface teredo set state type=disabled


35


Can the Network Block Rogue Tunnels?

Use Flexible Packet Matching (FPM)Blocking all Teredo addresses 2001::/32 in the UDP payload

FPMAvailable in software since 12.4(4)THardware implementation in PISA (requires Sup32 and Cat6K)Classify on multiple attributes within a packetString match and regexExpressed in XML

0111111010101010000111000100111110010001000100100010001001

Match Pattern And Or Not

http://www.cisco.com/go/fpm


load protocol bootdisk:ip.phdfload protocol bootdisk:udp.phdf

class-map type stack match-all cm-ip-udpmatch field IP protocol eq 17 next UDP

class-map type access-control match-all cm-teredo1match start udp payload-start offset 0 size 1 eq 0x60 mask 15match start udp payload-start offset 8 size 4 eq 0x20010000

class-map type access-control match-all cm-teredo2match start udp payload-start offset 0 size 1 eq 0x60 mask 15match start udp payload-start offset 24 size 4 eq 0x20010000

policy-map type access-control pm-teredoclass cm-teredo1dropclass cm-teredo2drop

policy-map type access-control pm-udp-teredoclass cm-ip-udp

service-policy pm-teredo

interface GigabitEthernet1/36service-policy type access-control in pm-udp-teredo

FPM Configuration to Block Teredo

The trick is to block all packets containing a Teredo source or destination address in the UDP payload

Teredo addresses are in the 2001::/32 (note 32) prefix

IP Version = 6

Teredo Prefix as Embedded Address

For YourReference


36


SP Transition Mechanism: 6VPE

6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions

PE1

2001:db8:1:1:/64

PE3

PE4

IPv4 only MPLS

10.1.1.0/24

PE2

v4 and v6 VPN

10.1.1.0/242001:db8:1:1:/64

v4 only VPN

2001:db8:1:2:/64

v4 and v6 VPN

10.1.2.0/242001:db8:1:2:/64

v4 only VPN

10.1.2.0/24

v6 VPN v6 VPN

VRF VRF

VRF

VRF

VRF

VRF

Dual-StackIPv4-IPv6

PE Routers

Dual-StackIPv4-IPv6

PE Routers


6VPE Security

Identical to IPv4 MPLS-VPN, see RFC 4381MPLS VPNs can be secured as well as ATM/FR VPNsSecurity depends on correct operation and implementation

QoS prevent flooding attack from one VPN to another onePE routers must be secured: AAA, iACL, CoPP …

MPLS backbones can be more secure than “normal”IP backbones

Core not accessible from outsideSeparate control and data plane

Key: PE securityAdvantage: Only PE-CE interfaces accessible from outsideMakes security easier than in “normal” networks


37


IPv6 Security: Best Common Practice


Candidate Best Practices

Implement privacy extensions carefully

Filter internal-use IPv6 addresses at the enterprise border routers

Filter unneeded services at the firewall

Selectively filter ICMP

Maintain host and application security

Determine what extension headers will be allowed through the access control device

Block Type 0 Routing Header at the edge

Determine which ICMPv6 messages are required

Deny IPv6 fragments destined to an internetworking device when possible

Ensure adequate IPv6 fragmentation filtering capabilities

For YourReference


38


Candidate Best Practices (Cont.)

Implement RFC 2827-like filtering and encourage your ISP to do the sameDocument procedures for last-hop tracebackUse cryptographic protections where criticalUse static neighbor entries for critical systemsImplement ingress filtering of packets with IPv6 multicast source addresses Use traditional authentication mechanisms on BGP and IS-ISUse IPsec to secure protocols such as OSPFv3 and RIPngUse static tunneling rather than dynamic tunnelingImplement outbound filtering on firewall devices to allow only authorized tunneling endpointsTrain your network operators and security managers on IPv6

For YourReference


Enforcing a Security Policy


39


Cisco IOS IPv6 Access Control Lists

Can filter traffic based on source and destination address

Can filter traffic inbound or outbound to a specific interface

Implicit “deny all” at the end of access list

Very much like in IPv4


Cisco IOS IPv6 Access Control Lists

Filtering inbound traffic from one specific source address

Prefix: 2001:db8:2c80:1000::/64

IPv6 Internet

2001:db8:2c80:1000::1

Others

Serial 0

ipv6 access-list MY_ACLpermit any 2001:db8:2c80:1000::1/128 deny any 2001:db8:2c80:1000::/64

interface Serial 0ipv6 traffic-filter MY_ACL in

A Trivial Example


40


IPv6 Extended Access Control Lists

Upper layers: ICMP, TCP, UDP, SCTP, any value

ICMPv6 code and type

TCP SYN, ACK, FIN, PUSH, URG, RST

L4 port numbers

Traffic class (only six bits/8) = DSCP

Flow label (0-0xFFFFF)

IPv6 header optionsFragments

Routing header type

Destination header type


IPv6 ACL Implicit Rules

The following implicit rules exist at the end of each IPv6 ACL to allow ICMPv6 neighbor discovery:

Be careful when adding « deny ipv6 any anylog » at the end

permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any

permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any log

Implicit Permit for Enable Neighbor Discovery


41


IPv6 ACL to Protect VTY

ipv6 access-list VTYpermit ipv6 2001:db8:0:1::/64 any

line vty 0 4ipv6 access-class VTY in

For YourReference


Control Plane Policing for IPv6

Against DoS with Neighbor Discovery...Can also throttle IPv6 traffic when processed in SW while IPv4 is in HW (legacy platform)

Beware of CSCso03034

If in doubt: show proc cpu | include IPv6

class-map match-all ipv6match protocol ipv6

policy-map CoPPclass ipv6police rate 100 ppsconform-action transmit exceed-action drop

control-planeservice-policy input CoPP

For YourReference

Protecting the Router CPU


42


Cisco IOS Firewall IPv6 Support

Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic

Stateful inspection and translation services of IPv4/IPv6 packets

IPv6 DoS attack mitigation

IPv4/v6 coexistence, no need for new hardware, just software

Recognizes IPv6 extension header information such as routing header, hop-by-hop options header, fragment header, etc.

IPv4Site 3

IPv6Site 2 IPv6 IPv6

Dual Stack Router

IPv6 Router withCisco IOS Firewall

Internet (IPv4)

IPv6Site 1IPv6 Router with

Cisco IOS Firewall




ASA Firewall IPv6 Support

Since version 7.0

Dual-stack, IPv6 only, IPv4 only

Extended IP ACL with stateful inspection

Application awarenessHTTP, FTP, telnet, SMTP, TCP, SSH, UDP

uRPF and v6 Frag guard

IPv6 header security checks

Management access via IPv6Telnet, SSH, HTTPS

Caveat: no fail-over support (should be in 8.2)


43


ASA: Sample IPv6 Topology

2001

:db8

:c00

0:10

52::/

64

..::7Inside..::8

Outside2001:db8:c000:1051::37/64


ASA 7.x: ACL

interface Ethernet0nameif outsideipv6 address 2001:db8:c000:1051::37/64ipv6 enableinterface Ethernet1nameif insideipv6 address 2001:db8:c000:1052::1/64ipv6 enable

ipv6 route outside ::/0 2001:db8:c000:1051::1

ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnet ipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64

access-group SECURE in interface outside

For YourReference

Very Similar to Cisco IOS


44


ASA 7.x: Stateful Inspection

ASA# show conn4 in use, 7 most usedICMP out fe80::206:d7ff:fe80:2340:0 in fe80::209:43ff:fea4:dd07:0 idle 0:00:00 bytes 16UDP out 2001:db8:c000:1051::138:53 in 2001:db8:c000:1052::7:50118 idle 0:00:02 flags -TCP out 2001:200:0:8002:203:47ff:fea5:3085:80 in 2001:db8:c000:1052::7:11009 idle 0:00:14 bytes 8975 flags UfFRIOTCP out 2001:db8:c000:1051::1:11008 in 2001:db8:c000:1052::7:23 idle 0:00:04 bytes 411 flags UIOB

For YourReference

© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRSEC-200314343_04_2008_c2 88

“There is no reason anymore to let your site be wide open for IPv6.”

An IPv6 Site AdministratorPreviously Fully Opened in IPv6


45


Cisco Security Agent and IPv6

IPv6 ACL (only on Vista)

Disable IPv6 (XP and Vista) Deny

To Any IPv6 Addresses

IPv6 Support for Windows in CSA 6.0 (May 2008)


CSA 6.0 in Action

IPv6 traffic is denied by CSA...


46


Enterprise Deployment: Secure IPv6 Connectivity

How to Secure IPv6 over the WAN


Secure IPv6 over IPv4/6 Public Internet

No traffic sniffing

No traffic injection

N/AIPsec VTI 12.4(6)TIPv6

ISATAP Protected by RA IPsec

SSL VPN Client AnyConnect

6in4/GRE Tunnels Protected by IPsec

DMVPN 12.4(20)TIPv4

Remote AccessSite 2 SitePublic Network


47


IPv6 in IPv4 Tunnel

IPv4

IPv6

Net

wor

k

Secure Site to Site IPv6 Traffic over IPv4 Public Network

IPv6

Net

wor

k

IPsec Protects IPv4 Unicast Traffic... The Encapsulated IPv6 Packets

IPsec

GRE Tunnel Can Be Used to Transport BothIPv4 and IPv6 in the Same Tunnel

See reference slides for more details


Secure Site to Site IPv6 Traffic over IPv4 Public Network with DMVPN

IPv6 packets over DMVPN IPv4 tunnelsIn IOS release 12.4(20)T (July 2008)

IPv6 and/or IPv4 data packets over same GRE tunnel

Complete set of NHRP commandsnetwork-id, holdtime, authentication, map, etc.

NHRP registers two addressesLinkLink--locallocal for routing protocol (Automatic or Manual)

GlobalGlobal for packet forwarding (Mandatory)


48


DMVPN for IPv6 Phase 1 Configuration

interface Tunnel0! Optional IPv4 DMVPN configuration

ipv6 address 2001:db8:100::1/64ipv6 eigrp 1no ipv6 split-horizon eigrp 1no ipv6 next-hop-self eigrp 1ipv6 nhrp map multicast dynamicipv6 nhrp network-id 100006ipv6 nhrp holdtime 300tunnel source Serial2/0tunnel mode gre multipointtunnel protection ipsec profile PROF

!interface Ethernet0/0

ipv6 address 2001:db8:0::1/64ipv6 eigrp 1

!interface Serial2/0

ip address 172.17.0.1172.17.0.1 255.255.255.252!ipv6 router eigrp 1

no shutdown

interface Tunnel0! Optional IPv4 DMVPN configuration

ipv6 address 2001:db8:100::11/64ipv6 eigrp 1ipv6 nhrp map multicast 172.17.0.1172.17.0.1ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1172.17.0.1ipv6 nhrp network-id 100006ipv6 nhrp holdtime 300ipv6 nhrp nhs 2001:db8:100::1tunnel source Serial1/0tunnel mode gre multipointtunnel protection ipsec profile PROF

!interface Ethernet0/0

ipv6 address 2001:db8:1::1/64ipv6 eigrp 1

!interface Serial1/0

ip address 172.16.1.1172.16.1.1 255.255.255.252!ipv6 router eigrp 1

no shutdown

SpokeHub

For YourReference


Secure Site to Site IPv6 Traffic over IPv6 Public Network

Since 12.4(6)T, IPsec also works for IPv6

Using the Virtual Interface

interface Tunnel0no ip addressipv6 address 2001:DB8::2811/64ipv6 enabletunnel source Serial0/0/1tunnel destination 2001:DB8:7::2tunnel mode ipsec ipv6tunnel protection ipsec profile ipv6


49


IPv6 for Remote Devices Solutions

Enabling IPv6 traffic inside the Cisco VPN Client tunnelNAT and Firewall traversal support

Allow remote host to establish a v6-in-v4 tunnel either automatically or manually

ISATAP—Intra Site Automatic Tunnel Addressing Protocol

Fixed IPv6 address enables server’s side of any application to be configured on an IPv6 host that could roam overthe world

Use of ASA 8.0 and SSL VPN Client AnyConnectCan transfer IPv6 traffic over public IPv4


ISATAP

IPv4

Secure RA IPv6 Traffic over IPv4 Public Network: ISATAP in IPsec

IPv6

Net

wor

k

IPsec with NAT-T Can Traverse NATISATAP Encapsulates IPv6 into IPv4

IPsec Protects IPv4 Unicast Traffic... The Encapsulated IPv6 Packets

IPsec

ISATAPTunnel Server

on Dual Stack Router

EnterpriseVPN Head-End (ASA,

Cisco IOS, ...)

See reference slides for more details

IPv6 PC


50


Secure RA IPv6 Traffic over IPv4 Public Network: AnyConnect SSL VPN Client

IPv4

IPv6

Net

wor

k

ASA 8.0SSL VPN

ConcentratorDual Stack

IPv6 PCAnyConnect

IPsec with NAT-T Can Traverse NATISATAP Encapsulates IPv6 into IPv4

IPv4 and IPv6 Transport in SSL


ASA 8.0 and AnyConnect 2.0 for IPv6 Transport

Since 8.0 ASA SSL VPN and AnyConnect can transport IPv6

same-security-traffic permit inter-interfacesame-security-traffic permit intra-interface

ipv6 local pool POOL_V6 2001:db8:5fff:81::1:1/64 8

tunnel-group DefaultWEBVPNGroup general-attributes...ipv6-address-pool POOL_V6

Ethernet adapter Cisco AnyConnect VPN Client Connection:

Connection-specific DNS Suffix . : cisco.comIP Address. . . . . . . . . . . . : 192.168.0.200Subnet Mask . . . . . . . . . . . : 255.255.255.0IP Address. . . . . . . . . . . . : 2001:db8:5fff:81::1:1IP Address. . . . . . . . . . . . : fe80::205:9aff:fe3c:7a00%13Default Gateway . . . . . . . . . : 192.168.0.1

2001:db8:5fff:81::


51


Conclusion


Key Take Away

So, nothing really new in IPv6Lack of operation experience may hinder security for a while

Security enforcement is possibleControl your IPv6 traffic as you do for IPv4

Leverage IPsec to secure IPv6 when possible

Beware of the IPv6 latent threat: Your network may be vulnerable to IPv6 attacks


52


Q and A


Related Sessions

BRKSEC-4003: Advanced IPv6 Security: Secure Neighbor Discovery

BRKRST-2301: Enterprise IPv6 deploymentBRKSEC-2105: Securing IP Network Traffic PlanesBRKSEC-2002: Understanding and Preventing

Layer 2 AttacksBRKSEC-4010: Advanced Concepts of Dynamic

Multipoint VPN


53


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press®

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes; winners announced daily

Receive 20 Passport points for each session evaluation you complete

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


54



Reference Slides

For Reference Only


55


IP Mobility

Mobility Means:Mobile devices are fully supported while movingBuilt-in on IPv6

Any node can use it

Optimized routing means performance for end-usersFiltering challenges

Optimized RoutingNot Possible in IPv4

2001:db8:c18::1

2001:2:a010::5

Home Agent

Correspondent Node

Mobile Node

Mobile Node


Mobile IPv6 Security Features Overview

Protection of binding updates both to home agents and correspondent nodes

IPsec (specially for HA)

Or binding authorization data option through the return routability procedure

Protection of mobile prefix discoveryThrough the use of IPsec extension headers

Protection of data packets transportHome address destination option and type two routingheader specified in a manner which restricts their usein attacks


56


Mobile IPv6 Security

Provides reasonable assurance that the MN is addressable at its claimed CoA and at its HoA

Test whether packets addressed to the two claimed addresses are routed back to the MN

Mobile Node Home Agent Correspondent NodeHome Test Init (HoTI)

Care-of Test Init (CoTI)

Home Test (HoT) (Key Mat 1)

Care-of Test (CoT) (Key Mat 2)

Binding Update (Computed from Key Mat 1 and 2)

Return Routability Test


MIPv6 Security Protections

BU/BA to HA must be secured through IPsec

MN and HA should use an IPsec SA to protect the integrity and authenticity of the mobile prefix solicitations and advertisements

Payload packets exchanged with MN can follow the same protection policy as other IPv6 hosts

Specific security measures are defined to protect the specificity of MIPv6

Home address destination option

Type 2 Routing header

Tunnelling headers


57


MIPv6 Security Challenges

Unlike IPv4 Mobility, IPv6 enables the MN and the CN to communicate directly through Route Optimization

Security tools such as IDS/Firewall and Regulation implementation such as LI can be bypassed by design in the case of MIPv6


IPv6 for Remote Devices

ipv6 unicast-routing!interface FastEthernet0/0description TO VPN 3000ip address 20.1.1.1 255.255.255.0!interface FastEthernet0/1description TO Campus Networkipv6 address 2001:db8:C003:111C::2/64!interface Tunnel0no ip addressipv6 address 2001:db8:C003:1101::/64 eui-64no ipv6 nd suppress-ratunnel source FastEthernet0/0tunnel mode ipv6ip isatap

Dual-stack router configuration

Interface ID

IPv4 Addr.64-bit Unicast Prefix 0000:5EFE:32-bit32-bit

ISATAP Address Format:

2001:db8:c003:1101:0:5efe:20.1.1.1

IPsec Hub

CorporateNetwork

Dual-StackRouter

F0/0

F0/1

For YourReference

Router Configuration: ISATAP


58


Interface 2: Automatic Tunneling Pseudo-Interface

Addr Type DAD State Valid Life Pref. Life Address--------- ---------- ------------ ------------ -----------------------------Public Preferred 29d23h56m5s 6d23h56m5s 2001:db8:c003:1101:0:5efe:10.1.99.102

Link Preferred infinite infinite fe80::5efe:10.1.99.102

netsh interface ipv6>show routeQuerying active state...

Publish Type Met Prefix Idx Gateway/Interface Name------- -------- ---- ------------------------ --- ---------------------no Autoconf 9 2001:db8:c003:1101::/64 2 Automatic Tunneling Pseudo-Interface

no Manual 1 ::/0 2 fe80::5efe:20.1.1.1

IPv6 for Remote Devices

IPsec HubDual-Stack

RouterWindows XP

Client

10.1.99.102—VPN Address2001:db8:c003:1101:0:5efe:10.1.99.102—IPv6 Address

Does It Work?


192.1

68.20

4.0/30

Serial 0/0 Dynamic.22

Tunnel 4 (IPv6 in IPv4)

Spoke Hub

Loopback 0 192.168.52.4 Loopback 0 192.168.52.7

IPsec SAIPsec SA Protects All IPv6 in IPv4 Packets Between the Static

Loopbacks

Hub IPsec Is Using Dynamic Crypto Maps

2001

:DB

8:C

000:

1051

::/64

2001

:DB

8:C

000:

1053

::4/1

28 IPv6 Tunnel Is Between the

Two Static IPv4 Loopbacks

Secure Site-to-Site For YourReference

IPv6 Connectivity


59


Secure Site-to-Site IPv6 Connectivity

Requires a fixed IPv4 address for hub

IPv6-in-IPv4 tunnels are anchored on IPv4 loopbacksTunnels requires static sources and destinations

IPsec dynamic crypto maps are usedAllows for dynamic spoke IPv4 addresses

IPsec works on IPv4 packets (containing the IPv4 packets)

Traffic initiated from spokes (hub is using dynamic crypto maps)

Key Design Points


Spoke Configuration (1 of 2)

interface Loopback0ip address 192.168.52.4 255.255.255.255

interface Tunnel4no ip addressipv6 unnumbered FastEthernet0/0ipv6 enabletunnel source Loopback0tunnel destination 192.168.52.7tunnel mode ipv6ip

!ip route 192.168.52.0 255.255.255.0 Serial0/0

Static IPv4 Addresses

For YourReference

IPv6 Tunnels


60


Spoke Configuration (2 of 2)

crypto ipsec transform-set 3DES esp-3des !crypto map IPV6_SEC 10 ipsec-isakmp set peer 192.168.204.26set transform-set 3DES match address SELECTOR

!interface Serial0/0crypto map IPV6_SEC

!ip access-list extended SELECTORpermit 41 host 192.168.52.4 host 192.168.52.7

IPv4 Address of Hub

IPsec Traffic Selectors: Fixed IPv4 Loopback Addresses, i.e., Encapsulated IPv6 Traffic

For YourReference

IPv6 IPsec


Hub Configuration (1 of 2)

interface Loopback0ip address 192.168.52.7 255.255.255.255

!interface Tunnel4no ip addressipv6 unnumbered FastEthernet0/1ipv6 enabletunnel source Loopback0tunnel destination 192.168.52.4tunnel mode ipv6ip

… a lot more interfaces Tunnel…

ip route 192.168.52.0 255.255.255.0 Serial0/0

Static IPv4 Addresses

For YourReference

IPv4 Tunnels


61


Hub Configuration (2 of 2)

crypto ipsec transform-set 3DES esp-3des !crypto dynamic-map TEMPLATE 10set transform-set 3DES match address SELECTOR

! crypto map IPV6_SEC 10 ipsec-isakmp dynamic TEMPLATE!interface Serial0/0ip address 192.168.204.26 255.255.255.252crypto map IPV6_SEC

!ip access-list extended SELECTORpermit 41 host 192.168.52.7 192.168.52.0 0.0.0.255

Dynamic Crypto Map:Allow IPsec from Every IP Address with Correct IKE Authentication

IPsec Traffic Selectors: Fixed IPv4 Loopback Addresses, i.e., Encapsulated IPv6 Traffic

For YourReference

IPv4 IPsec


IPv6 Integration on MPLS VPN Infrastructure: 6VPE

MPLS/IPv4 Core Infrastructure is IPv6-unawarePEs are updated to support Dual Stack/6VPE IPv6 VPN can co-exist with IPv4 VPN—same scope and policies6VPE—RFC 4659—Cisco authored for IPv6 VPN over MPLS/IPv4 infrastructureShipping in:

12.2(33)SRB (Barracuda – C7600), Q1CY’0712.4(pi7)T (C7200, C7301, C2800, C3800), Q3CY’0712.2(x)SB (Exodus Rel5 – C10000), Q3CY’0712.2(33)SXI (Whitney 2.0 – C6500), Q4CY’07

Site-1

Site-2PE1PE2

P2P1CE2

VRF Red

VRF RedCE1

iGP-v4 (OSPF, ISIS) LDP-v4

MP-eBGP SessionAddress-family IPv4Address-family IPv6 MP-eBGP Session

Address-family IPv4Address-family IPv6

Dual-Stack Network

Dual-Stack Network

Dual-Stack Server

2001:101::/6410.101/16

MP-iBGP SessionAddress-family VPNv4Address-family VPNv6

vrf definition site1 rd 100:1route-target import 100:1route-target export 100:1address-family ipv4address-family ipv6

!interface ethernet0/0vrf forwarding site1ip address 10.100.1.2 255.255.0.0ipv6 address 2001:100::72b/64

2001:201::/6410.201/16

vrfAddress-family IPv4Address-family IPv6

Dual-Stackipv4 addresses: 10.100/16ipv6 addresses: 2001:100::/64

brksec-2003

Documents