Cisco Blogs



IPv6 First Hop Security (FHS) concerns

A growing number of large-scale IPv6 deployments are occurring within enterprise, university, and government networks. For these networks to succeed, the IPv6 deployments must be secure and their quality of service (QoS) must rival that of the existing IPv4 infrastructure. An important security aspect to consider is the local link (Layer 2). Traditional Layer 2 security differs between IPv4 and IPv6 because, instead of using ARP as IPv4 does, IPv6 moves the traditional Layer 2 operations to Layer 3 using various ICMP messages.

IPv6 introduces a new set of link operation paradigms that differ significantly from IPv4. The changes include more end nodes permitted on the link (up to 2^64) and an increased neighbor cache size on end nodes and the default router, which creates more opportunities for denial of service (DoS) attacks. There are also additional threats to consider in IPv6, including threats tied to the protocols in use, a couple of which are listed below:

  • Neighbor Discovery Protocol (NDP) integrates all link operations that determine address assignment, router discovery, and associated tasks.
  • Dynamic Host Configuration Protocol (DHCP) can have a lesser role in address assignment compared to IPv4.

Finally, non-centralized address assignment in IPv6 can create challenges for controlling address misuse by malicious hosts.

For more information on FHS concerns, read the new IPv6 FHS whitepaper.


IPv6 Hitting Closer to Home. Are You Ready?

Follow these 3 steps for preparing your network for the new Internet protocol

On June 6, currently being referred to as World IPv6 Day, several of the world’s largest ISPs and websites will permanently enable IPv6, the next-generation Internet. With the explosive growth of Internet-enabled devices, the batch of IPv4 addresses that allows those devices to access the Internet has run out. The new Internet protocol, IPv6, provides a greater number of addresses to support more people, more companies, and more devices on the Internet. Consider this: By 2016, 39 percent of all global mobile devices could be capable of connecting to an IPv6 mobile network. That’s more than 4 billion devices.

Your current network running IPv4-based devices won’t be obsolete for some time. However, if you haven’t already started making plans for the transition to IPv6, you should. The first step you should take is determining how and when to transition to the new Internet protocol based on your business needs. For example, if you do business with others who are already on an IPv6 network, you may decide to migrate sooner rather than later.

Once you’ve made that decision, you can follow these steps for preparing your network for IPv6.


IPv6 Planning – Where Do I Start?

May 29, 2012 at 5:00 am PST

World IPv6 Day is on June 6, 2012, and organizations everywhere will be permanently enabling IPv6 for their products and services. With the date fast approaching, you might be wondering: where do I start with my IPv6 transition?

Integrating IPv6 into an existing network may seem like a daunting task. Big tasks can create ‘analysis paralysis’ to the point where nothing gets done because the perception is that the task is too big to take on. The key in this scenario is to think about the task not as one big one, but rather as a series of small tasks that can be handled independently. Here are a few suggestions to get you started with IPv6:


Cisco Helps Ensure that Bermuda is Connected to the Global Economy

Part of what makes the network so powerful is its ability to transform economies and enable countries to leverage their unique characteristics, no matter how remote. Recently on SP360, we discussed how Iceland is becoming a leader in green cloud computing because of its low-cost geothermal power and high speed connectivity back to Europe and North America.

Bermuda, another island nation, is also harnessing the power of the network to maintain its leading role in the international insurance, trading, and financial sectors. Earlier this month,


Why Would Anyone Need an IPv6-to-IPv6 Network Prefix Translator?

The upcoming World IPv6 launch is stimulating a lot of conversation around IPv6 deployment and common deployment scenarios. People regularly ask “where’s my NAT,” which is something we have tried to address in architectural discussions in RFC 2993, RFC 4864, and RFC 6269. Margaret Wasserman and I have worried specifically about the implications of the multiplication of provider-independent addresses at the edge and the issues of multihoming, and described a model for IPv6 network prefix translation that we think addresses most of the issues and yet facilitates scalable multihoming without provider-independent addressing and the bloating of the route table it implies. Per-residential-customer multihoming is currently in use for NTT BFLETS in Japan.

My colleague Andrew Yourtchenko, whom many of you may know from IPv6 events, has a very different opinion about network address translation. If anything, he would like to get rid of it. Andrew has contributed to some 14 RFCs on the topic of transition and has much of value to say.

While I agree with Andrew on a number of issues, I don’t agree about the model in which one deploys a prefix allocated by each of one’s upstream providers on each of the LANs in a network. I think that while we have reduced costs for ISPs in the smaller route table, we have significantly expanded the complexity faced by the edge network without giving them a benefit that they readily recognize. I agree with the end-to-end model and the ability to deploy new applications anywhere in the network, but I think that stateless prefix translation can meet those issues and help in managing the size of the route table. Andrew and I recently weighed the pros and cons of our different opinions and included our thoughts in this blog. What is your opinion on this topic?
