The cisco software feature documentation in this configuration guide often includes information about features that are shared across software releases and platforms. To understand the scale of their undertaking, their implementation case study stated this. Ccna security 210260 official cert guide cisco press. To provide security and scalability, the ipv6 snooping feature bundles several layer 2 ipv6 firsthop security features, including ipv6 neighbor discovery nd inspection, ipv6 device tracking, ipv6 address glean, and ipv6 binding table recovery. He is actively involved in ipv6, serving as the cochair of the california ipv6 task force, and has been blogging and speaking at conferences worldwide about ipv6 since 2005. The transition to ipv6 affects the entire enterprise network, which connects 450 cisco offices in 90 countries. To support future business continuity, growth, and innovation, organizations must transition to ipv6, the next generation protocol for defining how computers communicate over networks. Another ipv6 security myth is that, thanks to the huge address space, an attacker cannot find targets by generating a random ipv6 address.
Cisco has confirmed the vulnerability in a security advisory and released software updates. It provides two security headers which can be used separately or together. Authentication header ah and encapsulating security payload esp, used in conjunction with security key exchange. Only tridentbased line cards on cisco asr 9000 series aggregation services. Author eric vyncke explains why the protocol is becoming a reality in this ipv6 implementation security video. Ipv6 security offers guidance for avoiding security problems prior to widespread ipv6 deployment. Securing ipv6 in the cisco space troopers itsecurity. He has worked primarily on policybased admission, incident. A vulnerability in the implementation of the ip version 6 ipv6 protocol stack in cisco ios software and cisco ios xe software could allow an unauthenticated, remote attacker to cause io memory depletion on an affected device that has ipv6 enabled. As you adopt technology solutions that address todays business transitions and migrate your network to scale ipv6, we can help you prioritize critical areas of your business and network, while proactively budgeting time, money, and resources.
Cisco ios and ios xe software ipv6 first hop security. Ipv4ipv6 security and threat comparisons sciencedirect. The book covers every component of todays networks, identifying specific security deficiencies that occur within ipv6 environments and demonstrating how to combat them. November29,2012 americas headquarters cisco systems, inc. Darrin is responsible for systemlevel security architecture.
Ipv6 security protection measures for the next internet protocol as the worlds networks migrate to the ipv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. Exploitation of this vulnerability can lead to information leakage on affected ios and ios xr devices, and may also result in a crash of the affected ios device. The ipv6 object groups for acls feature lets you classify users, devices, or protocols into groups and apply them to access control lists acls to create access control policies for those groups. Ccna security 640554 official cert guide cisco press. Cisco nexus 9000 series nxos security configuration guide. Ipv6 security impact many security issues in ipv6 remain the same as in ipv4, but v6 also has new features that affect system and network security, as well as potentially impacting on policies and procedures. Threats on the layer2 link p ipv4 has several threats against layer2. In some cases linklocal addresses ipv6 is slightly more secure, and in other cases difficulties to parse the extension headers ipv6 is slightly less secure. Ipv6 firsthop security configuration guide, cisco ios xe.
Cisco should be your valued business partner to help you securely deploy ipv6 to allow your. Both ciscos internal and external plans place a large emphasis on endtoend security and testing. Ipv6 security threats and mitigations psu wikispaces. The vulnerability is triggered when an affected device processes a malformed ipv6 packet. Cisco ios software ipv6 denial of service vulnerability. Configuring ipv6 interface addressing free ccna workbook. This exam tests a candidates knowledge and skills related to network fundamentals, network access, ip connectivity, ip services, security fundamentals, and automation and programmability. Basic ipv6 protocol security basic header, extension headers, addressing ipv6 associated protocols security icmpv6, ndp, mld, dns, dhcpv6 internetwide. Ccna security 210260 official cert guide ccna security 210260 official cert guide is a bestofbreed cisco exam study guide that focuses specifically on the objectives for the ccna security implementing cisco network security iins 210260 exam. Ipsec defines cryptographybased security for both ipv4 and ipv6 in rfc 4301. Its available for free via the university librarys safari subscription. Ipv6 has been available for years, and 2016 marked the year when ipv6 first reached. Ipv6 security reminded me of cisco router firewall security crfs by richard deal, which i also liked a lot. This session presents ipv6 security as contrasted with ipv4 from a threat and mitigation.
Crfs was ciscospecific and helped readers squeeze all the networklevel security features they could from their routers. Ipv6 fundamentals, second edition provides a thorough yet easytounderstand introduction to the new knowledge and skills network professionals and students need to deploy and manage ipv6 networks. Ipsec support is an optional addon in ipv4, but is a mandatory part of ipv6. Motivations discussions around ipv6 security have centered on ipsec though ipsec is mandatory in ipv6, the same issues with ipsec deployment remain from ipv4.
Its successor, ipv6, has the features and solutions the modern internet requires. Ipv6 firsthop security configuration guide, cisco ios xe release 3s first published. Cisco ipv6 first hop security fhs reduce downtime and cost of information theft. Chapter 1 introduction to ipv6 security 3 chapter 2 ipv6 protocol security vulnerabilities 15 chapter 3 ipv6 internet security 73 chapter 4 ipv6.
If youve read lab 121 the basics of internet protocol version 6 ipv6 then youre probably tired of reading about all the concepts, history and such and ready to get into the configuration configuring an ipv6 address is just as easy as configuring an ipv4 address on a cisco interface. Security cisco ios ipv6 acl cisco ios firewall ipv6 support standardextended ipv6 acl ios firewall since march 200412. Nevertheless, security of ipv6 protocol and ipv6 networks can still be improved, but this fact should not be an obstacle to its acceptance,usage and further development. Ipv6 mandates the implementation of ipsec some organisations believe that ipsec should be used to secure all flows 15 security expert, w. Cisco ios xr software ipv6 malformed packet denial of. Ipv6 security protection measures for the next internet protocol as. Cisco has released software updates that address this. An attacker could exploit this vulnerability by sending a flood of traffic consisting of specific ipv6 nd packets to an affected device where the ipv6 snooping feature is configured. This chapter summarizes the common themes discussed throughout the book. A vulnerability in the parsing of malformed internet protocol version 6 ipv6 packets in cisco ios xr software for asr 9000 series aggregation services routers could allow an unauthenticated, remote attacker to cause a lockup and eventual reload of a network processor np chip and a line card processing traffic.
Listen to this podcast interview with book author scott hogg on ipv6 security issues. Information theft can result from router impersonation maninthemiddle attacks, address theft, address spoofing, and remote address resolution cache exhaustion denial of service attacks. Commonalities between ipv4 security and ipv6 security are discussed. The ah header was designed to ensure authenticity and integrity of the. Cisco public 1 ipv6 security threats and mitigations brksec2003. The cisco security portal provides actionable intelligence for security threats and. Latif ladid president, international ipv6 forum the best vendorindependent ipv6 book available. The rise of ipv6 could give you some severe security headaches even if you have no current plans to implement the new networking protocol.
The topics of forensics, intrusion detection and prevention, security information management, and con. Ipv6 and ipv4 usually operate completely independently over the same layer 2 infrastructure, so additional and. Cisco security experts omar santos and john stuppi share preparation hints and testtaking tips, helping you identify areas of weakness and improve. This guide may contain information that is not specific to your particular platform or is not supported in your software release. Ipv6 security ituapnicmict ipv6 security workshop may 2016. Configuration complexity key management therefore, ipv6 will be deployed largely without cryptographic protections of any kind security in ipv6 is a much broader topic than just ipsec. Darrin miller is an engineer in the security technology group at cisco. Cisco nexus 9000 series nxos security configuration guide, release 7. While a random address will lead to nowhere, there are numerous ways for a malicious person to find targets.
980 584 49 149 615 939 736 675 930 596 656 1055 1441 1465 4 1218 364 1395 176 1260 429 1072 697 53 469 1258 632 530 570 165 602 999 216 635 1161