1 v1.2
IPv6 Deployment Planning and Security Considerations
Md Abdul Awal | APNIC
awal@apnic.net
IPv6 in BD and Neighbouring Countries
Source: https://stats.labs.apnic.net/ipv6
• LK (Sri Lanka) ~56%
• PK (Pakistan) ~18%
• CN (China) ~34%
• IN (India) ~79%
• BT (Bhutan) ~42%
• NP (Nepal) ~55%
• BD (Bangladesh) ~16%
• MM (Myanmar) ~44%
• TH (Thailand) ~47%
• MV (Maldives) ~0.2%
• AF (Afghanistan) ~4%
• MY (Malaysia) ~71%
IPv6 Deployment Planning
IPv6 Deployment – Where to Start?
1. Get IPv6 address space from your RIR / NIR / ISP
2. Assess the network for IPv6 readiness
3. Prepare an IPv6 address plan that makes sense
4. Arrange dual-stack peering with upstream
5. Configure IPv6 in your backbone network
6. Test IPv6 connectivity internally
7. Start providing IPv6 to customers
8. Monitor and evaluate
Subnet at the Nibble Bit Boundary
Nibble bit subnets of 2001:db8::/32:
• /36 slices (1 x 4 bits): 2001:db8:0000::/36, 2001:db8:1000::/36, 2001:db8:2000::/36, 2001:db8:3000::/36, …, 2001:db8:f000::/36
• /40 slices (2 x 4 bits): 2001:db8:0000::/40, 2001:db8:0100::/40, 2001:db8:0200::/40, 2001:db8:0300::/40, …, 2001:db8:ff00::/40
• /44 slices (3 x 4 bits): 2001:db8:0000::/44, 2001:db8:0010::/44, 2001:db8:0020::/44, 2001:db8:0030::/44, …, 2001:db8:fff0::/44
• /48 slices (4 x 4 bits): 2001:db8:0000::/48, 2001:db8:0001::/48, 2001:db8:0002::/48, 2001:db8:0003::/48, …, 2001:db8:ffff::/48
Subnetting at the nibble bit boundary is simple and easy to manage.
IPv6 Addressing for Point-to-point Links
IPv6 Address Plan:
• R1 – R2 Link: 2001:db8:0:1::/64
• R3 – R4 Link: 2001:db8:0:2::/64
/127 for P2P Links (R1 – R2): 2001:db8:0:1::/127, i.e. 2001:db8:0:1::/127 on R1 and 2001:db8:0:1::1/127 on R2
/126 for MikroTik P2P Links (R3 – R4): 2001:db8:0:2::/126, with 2001:db8:0:2::1/126, 2001:db8:0:2::2/126 and 2001:db8:0:2::3/126 available
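The nibble-boundary slicing and the /127 vs /126 point-to-point addressing from the two slides above, worked through as an added Python example using only the standard ipaddress module. This is not code from the slides or from APNIC; the function names, the use of the documentation prefix 2001:db8::/32 as the parent block, and the choice to skip ::0 on a /126 (the subnet-router anycast address) are my assumptions.

```python
import ipaddress


def is_nibble_boundary(prefixlen):
    """A nibble is one hex digit, so nibble-aligned lengths are multiples of 4."""
    return prefixlen % 4 == 0


def nibble_slices(parent, new_prefixlen):
    """Yield the sub-prefixes of `parent` at a nibble-aligned length (e.g. /32 -> /36)."""
    net = ipaddress.IPv6Network(parent)
    if not is_nibble_boundary(new_prefixlen):
        raise ValueError(f"/{new_prefixlen} is not on a nibble boundary")
    if new_prefixlen < net.prefixlen:
        raise ValueError(f"/{new_prefixlen} is shorter than the parent {net}")
    return net.subnets(new_prefix=new_prefixlen)


def slice_summary(parent, new_prefixlen):
    """Describe one row of the slide's table: label, how many slices, first and last."""
    parent_len = ipaddress.IPv6Network(parent).prefixlen
    nibbles = (new_prefixlen - parent_len) // 4
    slices = list(nibble_slices(parent, new_prefixlen))
    return {
        "label": f"/{new_prefixlen} slices ({nibbles} x 4 bits)",
        "count": len(slices),
        "first": str(slices[0]),
        "last": str(slices[-1]),
    }


def p2p_addresses(link, configured_len=127):
    """Reserve a /64 per link in the plan, but configure the first /127 (or /126) of it.

    On a /127 both addresses are usable (RFC 6164); on a /126 ::0 is left alone
    because it is the subnet-router anycast address (assumption for this example).
    """
    reserved = ipaddress.IPv6Network(link)
    configured = next(reserved.subnets(new_prefix=configured_len))
    if configured_len == 127:
        usable = [configured[0], configured[1]]
    elif configured_len == 126:
        usable = [configured[1], configured[2], configured[3]]
    else:
        raise ValueError("point-to-point links are configured as /127 or /126")
    return [f"{addr}/{configured_len}" for addr in usable]


if __name__ == "__main__":
    # Constructed plan, matching the slides' documentation-prefix examples.
    for length in (36, 40, 44, 48):
        print(slice_summary("2001:db8::/32", length))
    print("R1-R2 (/127):", p2p_addresses("2001:db8:0:1::/64"))
    print("R3-R4 (/126):", p2p_addresses("2001:db8:0:2::/64", 126))
```

Because the plan keeps a /64 per link and only the configured length changes, moving a MikroTik link from /126 to /127 later needs no renumbering of the plan, only of the two interfaces.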
Address Assignment Plan
• Contiguous assignment (carving the /32 into adjacent /34s for Customer 1, Customer 2, Customer 3 and Customer 4) may not work in the long run
• Split assignment (customers placed apart within the /32) works better for BGP traffic engineering
Customer Address Distribution
• Enterprise Customer (ISP PE – CE):
  – ISP plans a /64 for each PE-CE peering, but configures it with /127 (PE ::/127, CE ::1/127)
  – ISP assigns at least one /48 for the enterprise customer LAN
• Broadband Customer (ISP BNG/BRAS – CPE):
  – ISP assigns a /64 for the customer WAN (CPE ::1/64) via SLAAC/DHCPv6
  – ISP assigns at least a /60 (or bigger) for the user LAN via DHCPv6-PD
Aggregated BGP Announcements
• Aggregated BGP announcements
  – Easy to configure and maintain
  – Keep the global routing table smaller
• A long list of /48s may not be helpful at all
IPv6 Address Management
Free and open source IP Address Management tools:
• phpipam.net
• github.com/netbox-community/netbox
• spritelink.github.io/NIPAP
Dual-stack Vs IPv6-only Deployment
Dual-stack
• Advantages
  – Comparatively easier
  – IPv4 experience can be reused
  – Troubleshooting might be easier
• Challenges
  – Still need IPv4 (and NAT)
  – Everything runs twice
IPv6-only
• Advantages
  – Only one AF configuration
  – Very minimal need for IPv4 space
• Challenges
  – Multiple translations might be needed
  – Additional challenges to run NAT64, DNS64 and 464XLAT
It is easier for ISPs to start by deploying a dual-stack network.
IPv6 Security Considerations
Create Minimum ROA - Match Your BGP Announcements
• Only a small number of prefixes are announced
• But the ROA's Max Length covers all possible BGP prefixes (/32 - /48)!!!
• Prone to validated BGP hijack
BGP Filters for IPv6 Longer Prefixes (>/48)
• These /64s should NOT exist in the global routing table
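The three routing slides above (aggregated announcements, minimum ROAs, and filtering prefixes longer than /48) worked through as an added Python example; this is not code from the slides or from APNIC. It uses the documentation prefix 2001:db8::/32, the documentation ASN 64496, a constructed set of announcements, and my own small implementation of RFC 6811 route origin validation, so that the "validated hijack" risk of a loose maxLength can be seen directly: the same forged-origin /48 validates against the loose ROA and is invalid against the minimum ROAs.

```python
import ipaddress

ASN = 64496  # documentation ASN standing in for the ISP (assumption)

# Constructed: what the ISP actually announces from its /32.
ANNOUNCED = ["2001:db8::/32", "2001:db8:1000::/36"]
# Constructed: all sixteen /36s of the /32, to show aggregation.
SPECIFICS_36 = [f"2001:db8:{i:x}000::/36" for i in range(16)]
# Constructed: a single ROA whose maxLength covers everything down to /48.
LOOSE_ROA = [{"prefix": "2001:db8::/32", "max_length": 48, "asn": ASN}]


def aggregate(prefixes):
    """Collapse a prefix list into the smallest set of covering prefixes."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def minimum_roas(announced, asn):
    """One ROA per announced prefix, maxLength equal to the prefix length."""
    return [
        {"prefix": p, "max_length": ipaddress.ip_network(p).prefixlen, "asn": asn}
        for p in announced
    ]


def roa_over_permissive(roa, announced):
    """True when maxLength allows more-specifics the operator never announces."""
    longest = max(ipaddress.ip_network(p).prefixlen for p in announced)
    return roa["max_length"] > longest


def route_origin_validation(prefix, origin_asn, roas):
    """RFC 6811 ROV outcome for one announcement: valid, invalid or notfound."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "notfound"
    if any(r["asn"] == origin_asn and net.prefixlen <= r["max_length"] for r in covering):
        return "valid"
    return "invalid"


def accept_ipv6_prefix(prefix, max_len=48):
    """Import filter from the slide: nothing longer than /48 enters the table."""
    net = ipaddress.ip_network(prefix)
    return net.version == 6 and net.prefixlen <= max_len


if __name__ == "__main__":
    print("aggregate:", aggregate(SPECIFICS_36))
    print("loose ROA over-permissive:", roa_over_permissive(LOOSE_ROA[0], ANNOUNCED))
    tight = minimum_roas(ANNOUNCED, ASN)
    # A /48 the ISP never announces, carrying the ISP's own origin ASN.
    for roas, name in ((LOOSE_ROA, "loose"), (tight, "minimum")):
        print(name, "ROA ->", route_origin_validation("2001:db8:beef::/48", ASN, roas))
    print("accept /64:", accept_ipv6_prefix("2001:db8:0:1::/64"))
```

The ROV function covers the RPKI-based filter from the best-practices list as well; the length filter sits in front of it, so a /64 is rejected before any ROA lookup.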
Inspect Extension Headers
• Attackers use the EH as a covert channel to exchange information (payload) undetected
• Mitigation:
  – Drop unknown EH
  – Drop invalid EH (0, 43)
Packet diagram: IPv6 Header (Next Header = 4) → EH (Next header = 0) → TCP header + data; the hidden data is carried inside the EH
Is RA always necessary?
• Hosts with static IPv6 addresses (R1 – SW): RA should be disabled
• Hosts with SLAAC / DHCPv6 (R1 – SW): RA must be enabled
• P2P Links (R1 – R2)
RA Guard – Block Rogue RAs (RFC6105/7113)
Careful with ICMPv6 Filters
• Filtering ICMPv6 is not straightforward
  – You block ICMPv6 => you break IPv6!
• RFC4890: “ICMPv6 Filtering Recommendations”
  – Permit error messages
    • Destination Unreachable (Type 1) - All codes
    • Packet Too Big (Type 2)
    • Time Exceeded (Type 3) - Code 0 only
    • Parameter Problem (Type 4) - Codes 1 and 2 only
  – Permit connectivity check messages
    • Echo Request (Type 128)
    • Echo Response (Type 129)
• Or, rate limit ICMPv6 packets
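The extension-header mitigation (drop EH 0 and 43, drop unknown EH) and the RFC 4890 permit list from the slide above, combined in one added Python example that walks the header chain of a raw IPv6 packet and returns a verdict. This is not code from the slides or from APNIC. The set of known extension headers, the set of accepted upper-layer protocols, the handling of ESP (accept, since the chain cannot be inspected further) and the sample packets are my assumptions; the packets are constructed in the block with the documentation prefix and dummy payloads.

```python
import ipaddress
import struct

# Policy from the slide: drop Hop-by-Hop (0) and Routing (43), drop anything unknown.
INVALID_EH = {0, 43}
# Extension headers this filter recognises and can step over (assumption: IANA EH list).
KNOWN_EH = {44, 50, 51, 60, 135, 139, 140}
# Upper-layer protocols accepted after the chain (assumption: extend for your network).
UPPER_LAYER = {6, 17, 58, 59}
# RFC 4890 permit list as given on the slide; None means every code of that type.
ICMPV6_PERMIT = {1: None, 2: None, 3: {0}, 4: {1, 2}, 128: None, 129: None}


def icmpv6_permitted(icmp_type, code):
    """Transit-firewall rule: permit only the error and echo messages from the slide."""
    if icmp_type not in ICMPV6_PERMIT:
        return False
    codes = ICMPV6_PERMIT[icmp_type]
    return codes is None or code in codes


def ipv6_packet(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by `payload`."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def ext_header(next_header, body=b""):
    """Generic EH (RFC 8200): Next Header, Hdr Ext Len in 8-octet units minus one, data."""
    body += b"\x00" * ((-(2 + len(body))) % 8)  # pad to a multiple of 8 octets
    return struct.pack("!BB", next_header, (2 + len(body)) // 8 - 1) + body


def icmpv6(icmp_type, code, data=b""):
    """ICMPv6 header with a zero checksum (not verified in this example)."""
    return struct.pack("!BBH", icmp_type, code, 0) + data


def inspect(pkt):
    """Return ("accept", reason) or ("drop", reason) for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh not in UPPER_LAYER:
        if nh in INVALID_EH:
            return ("drop", f"invalid extension header {nh}")
        if nh not in KNOWN_EH:
            return ("drop", f"unknown extension header {nh}")
        if nh == 50:
            return ("accept", "ESP: chain is encrypted beyond this point")
        if off + 2 > len(pkt):
            return ("drop", "truncated extension header")
        if nh == 44:                          # Fragment header is a fixed 8 octets
            hlen = 8
        elif nh == 51:                        # AH length is in 4-octet units, plus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                 # generic EH length in 8-octet units, plus 1
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
        if off > len(pkt):
            return ("drop", "extension header overruns packet")
    if nh == 58:
        if off + 2 > len(pkt):
            return ("drop", "truncated ICMPv6 header")
        icmp_type, code = pkt[off], pkt[off + 1]
        verdict = "accept" if icmpv6_permitted(icmp_type, code) else "drop"
        return (verdict, f"ICMPv6 type {icmp_type} code {code}")
    return ("accept", f"upper-layer protocol {nh}")


# Constructed sample packets (documentation addresses, dummy payloads).
SAMPLES = {
    "tcp_plain": ipv6_packet(6, b"\x00" * 20),
    "hop_by_hop_then_tcp": ipv6_packet(0, ext_header(6) + b"\x00" * 20),
    "dst_opts_then_echo": ipv6_packet(60, ext_header(58) + icmpv6(128, 0, b"ping")),
    "unknown_eh": ipv6_packet(253, b"\x00" * 8),
    "echo_reply": ipv6_packet(58, icmpv6(129, 0)),
    "time_exceeded_code1": ipv6_packet(58, icmpv6(3, 1)),
    "param_problem_code0": ipv6_packet(58, icmpv6(4, 0)),
    "unreachable_code4": ipv6_packet(58, icmpv6(1, 4)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} {inspect(pkt)}")
```

The permit list is the slide's transit-firewall set, so this verdict function is meant for traffic crossing a border, not for link-local traffic: RFC 4890 also requires that Neighbor Discovery (types 133 to 137) is never dropped on the local link, and a router that applied the list above to its own interfaces would lose neighbour resolution.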
And, Current Security Best Practices…
• uRPF / BCP38
• Bogon Filters
• RPKI Based Filters
• BGP Policies
• PTR Records / IPv6 Reverse DNS Delegation
• Filters applied for IPv4 should also make sense for IPv6
Thank You!