IPv6 Deployment Planning and Security Considerations

bdnog 79 views 21 slides Jul 12, 2024

About This Presentation

This presentation includes planning and operational recommendations for IPv6 deployment along with associated security best practices. As more and more networks are planning to deploy IPv6, this session could be a useful one to avoid gotchas and prevent re-doing the v6 deployment because of the known...


Slide Content

1 v1.2

2 v1.2
IPv6 Deployment Planning
and Security Considerations
Md Abdul Awal | APNIC
[email protected]

3 v1.2
IPv6 in BD and Neighbouring Countries
https://stats.labs.apnic.net/ipv6
LK ~56%
PK ~18%
CN ~34%
IN ~79%
BT ~42%
NP ~55%
BD ~16%
MM ~44%
TH ~47%
MV ~0.2%
AF ~4%
MY ~71%

4 v1.2
IPv6 Deployment Planning

5 v1.2
IPv6 Deployment – Where to Start?
1. Get IPv6 address space from RIR / NIR / ISP
2. Assess network for IPv6 readiness
3. Prepare an IPv6 address plan that makes sense
4. Arrange dual-stack peering with upstream
5. Configure IPv6 in your backbone network
6. Test IPv6 connectivity internally
7. Start providing IPv6 to customers
8. Monitor and evaluate

6 v1.2
Subnet at the Nibble Bit Boundary
Nibble bit subnets of 2001:db8::/32
•/36 slices (1 x 4 bits): 2001:db8:0000::/36, 2001:db8:1000::/36, 2001:db8:2000::/36, 2001:db8:3000::/36, …, 2001:db8:f000::/36
•/40 slices (2 x 4 bits): 2001:db8:0000::/40, 2001:db8:0100::/40, 2001:db8:0200::/40, 2001:db8:0300::/40, …, 2001:db8:ff00::/40
•/44 slices (3 x 4 bits): 2001:db8:0000::/44, 2001:db8:0010::/44, 2001:db8:0020::/44, 2001:db8:0030::/44, …, 2001:db8:fff0::/44
•/48 slices (4 x 4 bits): 2001:db8:0000::/48, 2001:db8:0001::/48, 2001:db8:0002::/48, 2001:db8:0003::/48, …, 2001:db8:ffff::/48
Subnetting at the nibble bit boundary is simple and easy to manage

7 v1.2
IPv6 Addressing for Point-to-point Links
IPv6 Address Plan
•R1 – R2 Link: 2001:db8:0:1::/64
•R3 – R4 Link: 2001:db8:0:2::/64
/127 for P2P Links (R1 – R2): 2001:db8:0:1::/127 and 2001:db8:0:1::1/127
/126 for MikroTik P2P Links (R3 – R4): 2001:db8:0:2::/126, configured as 2001:db8:0:2::1/126, 2001:db8:0:2::2/126, 2001:db8:0:2::3/126
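The nibble-boundary slicing of slide 6 and the reserve-a-/64-but-configure-/127 (or /126) link addressing of slide 7, as an added example that is not part of the original deck. It uses only the documentation prefix 2001:db8::/32 and the link prefixes the slides show; the helper names are the author's own.

```python
import ipaddress


def is_nibble_boundary(prefixlen: int) -> bool:
    """True when the prefix length falls on a 4-bit (one hex digit) boundary."""
    return prefixlen % 4 == 0


def nibble_slices(parent: str, new_prefixlen: int, limit: int = None) -> list:
    """Carve `parent` into /new_prefixlen children; refuses lengths off the nibble boundary,
    because those children would not line up with the hex digits of the address."""
    net = ipaddress.IPv6Network(parent)
    if not is_nibble_boundary(new_prefixlen):
        raise ValueError(f"/{new_prefixlen} is not on a nibble boundary")
    if new_prefixlen <= net.prefixlen:
        raise ValueError("child prefix must be longer than the parent")
    out = []
    for child in net.subnets(new_prefix=new_prefixlen):  # generator, safe for /48s
        if limit is not None and len(out) >= limit:
            break
        out.append(str(child))
    return out


def slice_count(parent: str, new_prefixlen: int) -> int:
    """Number of /new_prefixlen children in `parent` (16 per extra nibble)."""
    return 2 ** (new_prefixlen - ipaddress.IPv6Network(parent).prefixlen)


def p2p_addresses(reserved: str, prefixlen: int = 127) -> list:
    """Reserve a /64 per link but configure only the first /127 (or /126) out of it.
    hosts() yields both addresses of a /127 and ::1 to ::3 of a /126, matching the deck."""
    link = next(ipaddress.IPv6Network(reserved).subnets(new_prefix=prefixlen))
    return [f"{addr}/{prefixlen}" for addr in link.hosts()]


if __name__ == "__main__":
    for plen in (36, 40, 44, 48):
        print(f"/{plen}: {slice_count('2001:db8::/32', plen)} slices,",
              nibble_slices("2001:db8::/32", plen, limit=3))
    print(p2p_addresses("2001:db8:0:1::/64"))        # /127 for the R1 - R2 link
    print(p2p_addresses("2001:db8:0:2::/64", 126))   # /126 for the MikroTik R3 - R4 link
```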

8 v1.2
Address Assignment Plan
•Contiguous assignment: the /32 divided into /34, /34, /34, /34 for Customer 1, Customer 3, Customer 2, Customer 4 – may not work in the long run
•Split assignment: Customer 1, Customer 3, Customer 2, Customer 4 spread across the /32 – works better for BGP traffic engineering

9 v1.2
Customer Address Distribution
•Enterprise Customer (ISP PE – CE)
–ISP plans a /64 for each PE-CE peering, but configures it with /127 (::/127 and ::1/127)
–ISP assigns at least one /48 for the enterprise customer LAN
•Broadband Customer (ISP BNG/BRAS – CPE)
–ISP assigns a /64 for the customer WAN via SLAAC/DHCPv6 (::1/64)
–ISP assigns at least a /60 (or bigger) for the user LAN via DHCPv6-PD

10 v1.2
Aggregated BGP Announcements
•Aggregated BGP announcements
–Easy to configure and maintain
–Keep the global routing table smaller
•A long list of /48s may not be helpful at all

11 v1.2
IPv6 Address Management
Free and open source IP Address Management tools:
•phpipam.net
•github.com/netbox-community/netbox
•spritelink.github.io/NIPAP

12 v1.2
Dual-stack Vs IPv6-only Deployment
Dual-stack
•Advantages
–Comparatively easier
–IPv4 experience can be reused
–Troubleshooting might be easier
•Challenges
–Still need IPv4 (and NAT)
–Everything runs twice
IPv6-only
•Advantages
–Only one AF configuration
–Very minimal need for IPv4 space
•Challenges
–Multiple translations might be needed
–Additional challenges to run NAT64, DNS64 and 464XLAT
It is easier for ISPs to start deploying a dual-stack network

13 v1.2
IPv6 Security Considerations

14 v1.2
Create Minimum ROA – Match Your BGP Announcements
•Only a small number of prefixes is announced
•A Max Length that covers all possible BGP prefixes (/32 – /48) is prone to validated BGP hijack!!!

15 v1.2
BGP Filters for IPv6 Longer Prefixes (>/48)
These /64s should NOT exist in the global routing table

16 v1.2
Inspect Extension Headers
•Attackers use the EH as a covert channel to exchange information (payload) undetected
•Mitigation:
–Drop unknown EH
–Drop invalid EH (0, 43)
Diagram: IPv6 Header (Next Header = 4) → EH (Next header = 0) → TCP header + data, with the hidden data carried inside the EH
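The mitigation above as an added example (not from the deck): a walker that follows the Next Header chain of an IPv6 packet and applies the two rules, drop unknown EHs and drop Hop-by-Hop (0) and Routing (43). The packet builder produces constructed test packets with one PadN option per EH; the documentation addresses and all function names are the author's assumptions.

```python
import struct

# Extension header types the walker can size (RFC 8200 and the IANA registry)
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY, HIP, SHIM6 = 0, 43, 44, 51, 60, 135, 139, 140
KNOWN_EH = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY, HIP, SHIM6}
TERMINAL = {6: "tcp", 17: "udp", 50: "esp", 58: "icmpv6", 59: "no-next-header"}  # ESP is opaque
BLOCKED_EH = {HOP_BY_HOP, ROUTING}  # the deck's "drop invalid EH (0, 43)"


def walk_eh_chain(pkt: bytes):
    """Follow Next Header values from the fixed header; return (EH types, final protocol).
    The final protocol is None when an unknown EH stops the walk (its size cannot be parsed)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while True:
        if nh in TERMINAL:
            return chain, nh
        if nh not in KNOWN_EH:
            return chain + [nh], None
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                   # fixed length, no length field
        elif nh == AH:
            size = (ext_len + 2) * 4   # AH counts in 32-bit words
        else:
            size = (ext_len + 1) * 8   # every other EH counts 8-octet units
        nh, off = next_nh, off + size


def eh_policy(pkt: bytes):
    """Apply the slide's mitigation: drop unknown EHs, drop Hop-by-Hop (0) and Routing (43)."""
    chain, final = walk_eh_chain(pkt)
    for t in chain:
        if t not in KNOWN_EH:
            return "drop", f"unknown EH {t}"
        if t in BLOCKED_EH:
            return "drop", f"EH {t} not permitted"
    return "accept", f"chain={chain} upper={TERMINAL[final]}"


def build_packet(eh_chain, upper: int = 6, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed test packet (not captured traffic): each EH is 8 bytes holding one PadN option."""
    nhs = list(eh_chain) + [upper]
    body = b"".join(struct.pack("!BB", nhs[i + 1], 0) + b"\x01\x04\x00\x00\x00\x00"
                    for i in range(len(eh_chain))) + payload
    src = bytes.fromhex("20010db8" + "00" * 12)          # 2001:db8::
    dst = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1
    return struct.pack("!IHBB", 0x60000000, len(body), nhs[0], 64) + src + dst + body
```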

17 v1.2
Is RA always necessary?
•Hosts with static IPv6 addresses (R1 – SW): RA should be disabled
•Hosts with SLAAC / DHCPv6 (R1 – SW): RA must be enabled
•P2P links between routers (R1 – R2)

18 v1.2
RA Guard – Block Rogue RAs (RFC6105/7113)

19 v1.2
Careful with ICMPv6 Filters
•Filtering ICMPv6 is not straightforward
–You block ICMPv6 => you break IPv6!
•RFC4890: “ICMPv6 Filtering Recommendations”
–Permit error messages
•Destination Unreachable (Type 1) - all codes
•Packet Too Big (Type 2)
•Time Exceeded (Type 3) - Code 0 only
•Parameter Problem (Type 4) - Codes 1 and 2 only
–Permit connectivity check messages
•Echo Request (Type 128)
•Echo Response (Type 129)
•Or, rate limit ICMPv6 packets

20 v1.2
And, Current Security Best Practices…
•uRPF / BCP38
•Bogon Filters
•RPKI Based Filters
•BGP Policies
•PTR Records / IPv6 Reverse DNS Delegation
•Filters applied for IPv4 should also make sense for IPv6

21 v1.2
Thank You!