Cisco Blogs


Cisco Blog > Security

IPv6 First Hop Security (FHS) concerns

There are a growing number of large-scale IPv6 deployments occurring within enterprise, university, and government networks. For these networks to succeed, it is important that the IPv6 deployments are secure and the quality of service (QoS) must rival the existing IPv4 infrastructure. An important security aspect to consider is the local links (Layer 2). Traditional Layer 2 security differs between IPv4 and IPv6 because instead of using ARP—like IPv4—IPv6 moves the traditional Layer 2 operations to Layer 3 using various ICMP messages

IPv6 introduces a new set of technology link operations paradigms that differ significantly from IPv4. The changes include more end nodes that are permitted on the link (up to 2^64) and increased neighbor cache size on end nodes and the default router, which creates more opportunities for denial of service (DoS) attacks. There are also additional threats to consider in IPv6 including threats with the protocols in use, a couple of which are listed below:

  • Neighbor Discovery Protocol (NDP) integrates all link operations that determine address assignment, router discovery, and associated tasks.
  • Dynamic Host Configuration Protocol (DHCP) can have a lesser role in address assignment compared to IPv4.

Finally, non-centralized address assignment in IPv6 can create challenges for controlling address misuse by malicious hosts.

For more information on FHS concerns. read the new IPv6 FHS whitepaper.

Tags: , , ,

SNMP MIB Changes Related to IPv6

Simple Network Management Protocol (SNMP) is part of IETF’s Internet Protocol Suite that consists of four abstraction layers and defines a set of protocols used on the Internet. SNMP is mainly used for management and monitoring of networked devices. It can inform about the health of a network device or other reflections of its state (interfaces, IP addresses, traffic and more). SNMP is defined as part of IETF RFC 1157. For its function, it leverages Management Information Bases (MIBs), which define the structure of device information maintained. They represent a hierarchical namespace containing object identifiers (OIDs). Each OID identifies an object that holds the information of interest and can be polled or set via SNMP.

Read More »

Tags: , , ,

Securing IPv6 Transition Technologies

In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when performing security testing on your IPv6 network. In this post, we will examine some of the things that you need to consider to secure the transition from IPv4 to IPv6. IPv6 is being deployed on more and more networks, but IPv4 is not going away any time soon. During this transition period, security is crucial since you will be running both IPv4 and IPv6, along with various tunneling protocols (even if you did not configure them explicitly) that enable communication between IPv4 and IPv6 networks (such as Teredo, ISATAP, and 6to4).

To begin with, the designers of IPv6 realized that the transition from IPv4 to IPv6 would not happen overnight. There was a hope that there would be a large push and the transition would go rather quickly, but as time moved on, that did not happen. The time for a quick transition has passed and we are in for a long and protracted transition. During this transition, nodes on your network will fit into one of the following buckets:

Read More »

Tags:

Securing IPv6

In the previous installment of our series of IPv6 security posts, we covered some of the ways addressing has changed in IPv6 compared to IPv4. In this post, we’ll talk about some of the things to consider when securing IPv6 compared to IPv4. Before digging into this topic, however, it is important to remember that while IPv6 may have different security concerns than IPv4, it is not necessarily any more secure than IPv4. Furthermore, the post will focus on those aspects that are different or unique to IPv6, since many of the common best practices for IPv4 networks also apply to IPv6 networks.

Read More »

Tags: , ,

IPv6 Addressing

In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits log, the IPv6 address space has been extended to 128 bits, which will make it virtually impossible to remember the numeric representation of the address for a given host. This will definitely lead to more reliance on DNS. It will be difficult to operate even very simple test networks  without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted against your DNS servers. Making sure your DNS configuration and servers are secure will be very more important in IPv6. DNS will also be targeted by attackers to attempt to locate systems on the network by trying to resolve “common host names,” since scanning a remote IPv6 network is essentially impossible due to the size of the IPv6 address space.

Read More »

Tags: , ,