Published by Shavonne Jennings. Modified over 6 years ago.
1
IPv6 Autoconfiguration: Plug & Play Dream or Security Nightmare
2
Review of IPv6 Autoconfig
- Defined in RFC 2461
- All hosts implicitly have an IPv6 Link-Local address for each interface they have
  - Host: “I have a NIC, therefore I am”
  - FE80::(EUI-64)
- Simple Corollary: therefore, a host without a NIC is a non-entity
3
Review of IPv6 Autoconfig
- Other network information is obtained from the router(s) on the local network
- Host: “Is there a router in the house?”
  - ICMPv6 Type 133 – Router Solicitation
- Router: “I’m a router and here are the prefixes you can use”, optionally “, and go talk to the DHCPv6 server”
  - ICMPv6 Type 134 – Router Advertisement
4
Review of IPv6 Autoconfig
- The host combines the prefix information with a host address portion to form an IPv6 address
- Multiple types of host addresses
5
IPv6 Address Types
- Stateless (EUI-64)
  - RFC 2462
- Privacy Extensions (pseudorandom)
  - RFC 3041
- Stateful (DHCPv6)
  - RFC 3315
6
So what’s the problem?
- Well, do you know that the device that says it’s the router is really supposed to be the router?
- If you get multiple answers (which you can), which is the right one?
7
So what’s the problem?
- It could be a misconfigured host
  - LINUX, Windows, or whatever
  - Maybe with a tunnel that it wants to HELP! other people use
- More scary, it could be a BAD guy claiming to be a router
  - Trying to set up a man-in-the-middle attack
8
But I’m not running IPv6!
- Are you sure?
- OSes are coming with IPv6 by default
  - Windows Vista
  - Mac OSX
  - Many LINUX
  - Many other UNIX
9
But I’m not running IPv6!
- So you probably have hosts asking for an IPv6 router on your network right now
- All you need is a misconfigured host or a bad guy on your network and your hosts are doing IPv6
10
What about SEND?
- IPv6 Secure Neighbor Discovery
  - RFC 3971
- It will secure this, and more!
- But!!!!
  - There are not many, if any, implementations
  - Certs & PKI
  - Do I need to say more?
11
What about SEND?
- IPv6 Secure Neighbor Discovery
  - Will work in a well-controlled, mostly closed network
  - Not the definition of your typical University network
  - Probably not workable on a visitor or guest network, even if your primary network is securable in this way
12
A Solution
- Block IPv6 Router Advertisements on ingress to access switch ports for hosts
- Can be done today with Cisco 3750, E, 3560, and 3560-E switches
  - IOS 12.2(25)SED Advanced IP Services (only) or greater code
  - I tested on 3750s with 12.2(40)SE AdvIPServ
13
IOS Config Snip

    ipv6 access-list v6_Access_IN
     deny icmp any any router-advertisement
     permit ipv6 any any
    interface GigabitEthernet1/0/1
     switchport access vlan 247
     ipv6 traffic-filter v6_Access_IN in
14
A Different Problem
- I said “Advanced IP Services”
  - The upgrade from “IP Base” is $6,995 list per switch
  - We have about 3500 – 3750G-24TS
  - This is about $24M list
- We’re talking to the 3750 Business Unit at Cisco
15
Other Solutions
- Turn off IPv6 on your host if you’re not using it
  - Not a great solution
  - Not a solution at all, if you need/want to do IPv6
  - But can you really ensure that you have done this?
16
Other Solutions
- Monitor for bogus IPv6 Router Advertisements
  - À la XArp-type IPv4 ARP monitoring software
  - IPv6 routers would be the perfect device to do this: track the other routers, maybe even do an SNMP trap – maybe not
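
One way to implement the monitoring idea above, as an added example that is not from the presentation: parse each ICMPv6 Type 134 message and compare its source and advertised prefixes against an allowlist of known routers. The function names, the `KNOWN` allowlist and all addresses are assumptions constructed for the demo; capturing the packets is left to whatever sniffer or switch mirror port you use.

```python
import ipaddress
import struct

RA_TYPE = 134  # ICMPv6 Router Advertisement

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 RA message (the bytes after the IPv6 header)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"managed": bool(flags & 0x80), "lifetime": lifetime, "prefixes": [], "mac": None}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + opt_len]
        if opt_type == 1 and opt_len == 8:      # Source Link-Layer Address
            ra["mac"] = body[2:8].hex(":")
        elif opt_type == 3 and opt_len == 32:   # Prefix Information
            ra["prefixes"].append(
                str(ipaddress.IPv6Network((body[16:32], body[2]), strict=False)))
        off += opt_len
    return ra

def check_ra(src: str, icmp6: bytes, routers: dict) -> list:
    """Return alerts for an RA, given an allowlist {router address: allowed prefixes}."""
    ra = parse_ra(icmp6)
    src = str(ipaddress.IPv6Address(src))  # normalise the textual form
    if src not in routers:
        return [f"RA from unknown router {src} (mac {ra['mac']})"]
    return [f"unexpected prefix {p} from {src}"
            for p in ra["prefixes"] if p not in routers[src]]

def build_ra(prefix: str, mac: str, flags: int = 0) -> bytes:
    """Build a constructed sample RA for the demo (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + slla + pio + net.network_address.packed

# Constructed allowlist and traffic (documentation prefix and MAC ranges).
KNOWN = {"fe80::1": {"2001:db8:247::/64"}}
if __name__ == "__main__":
    good = build_ra("2001:db8:247::/64", "00:00:5e:00:53:01")
    rogue = build_ra("2001:db8:666::/64", "00:00:5e:00:53:66")
    for src, pkt in [("fe80::1", good), ("fe80::dead", rogue), ("fe80::1", rogue)]:
        print(src, check_ra(src, pkt, KNOWN) or "ok")
```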
17
Talk to your Switch Vendor
- We all need to be talking to our vendors
- Talk to them about how you want IPv6 to work 1, 2, or 3 years from now
- Make IPv6 a requirement in all your purchases
- Test the features
18
IPv6 Support Priority List for Vendors
- Basic Functionality – you can pass IPv6 at all
- Security – comparable security features to IPv4
- IPv6 manageability
- Full IPv4 feature parity
19
IPv6 Access Switch Features
- IPv6 Aware Layer2 ACLs
- DHCPv6 Snooping
- IPv6 Neighbor Discovery Validation
- MLD2 Snooping
- IPv6 Aware QOS features
20
Conclusion
- Start thinking about IPv6 as part of your normal network
  - Think about it in the same ways as IPv4
  - However, take the opportunity to rethink how you are doing your normal networking
- Talk to your vendors early and often