The Secure Way to IPv6 – Use Your Proxy!
When asked about IPv6, many companies are aware that they must do something, but are not sure what is the best way to approach IPv6. In my talks with customers, I found that the unfamiliarity with IPv6 is one of the biggest obstacles. So, to gain experience with IPv6, there are several paths to go down, from the inside-out approach (start within an internal area and work outwards) to the outside-in (work from the internet towards the internal network). One very easy way to start with IPv6 is to use your existing proxy infrastructure. I want to show you how to do this by using the Cisco Web Security Appliance (WSA).
The first step is to assign an IPv6 address to the proxy. That will make it dual stack, because we do not want to cut off our IPv4 clients.
The second step is to assign an IPv6 default route, pointing to your IPv6 router. The third step is mandatory if you are deploying your WSA in explicit mode. In explicit mode, the WSA gets the URL from the client and has the task to resolve the URL to an IP address via DNS. So we need to tell our appliance what we should prefer if a website has an IPv4 and an IPv6 record available:
After those three steps, our proxy is able to work with IPv6. Just take one of your IPv4 clients and browse to websites like http://test-ipv6.com. This website will show you which IP address you are using.
If you are deploying the WSA in transparent mode, where you are redirecting the client requests via WCCP, a little bit more care needs to be taken. Unfortunately, WCCP v2.0 does not support IPv6. But, there has been a modified version called WCCP v2.01. This is the version you want to look for. Not many platforms are supporting it today, but one of the platforms that does support it is the Catalyst6500 Switch.
In transparent mode there is a bit of a different behavior as the DNS resolution is done on the client itself and not on the proxy.
If your clients are dual stack, the proxy will get IPv4 and IPv6 requests because the client is deciding, per URL, which protocol to use based on DNS. We also need to work in WCCP with a dual stack approach and have two WCCP redirection groups:
The corresponding configuration on a Catalyst 6500 Switch would look something like this, assuming the clients are incoming on interface vlan10:
If your clients are internally only on IPv4 , you can redirect your clients via WCCP v2.0 as before. But as the proxy does not resolve the DNS, your outgoing connections will also not use IPv6.
The approach to use your proxy has a lot of advantages:
- You are not required to change your internal infrastructure at the first point. All clients can stay on IPv4 and are using the proxy as before.
- You can get experience about websites that are already IPv6 enabled. This is important to learn!
- You can learn which websites are maybe having problems with IPv6, whether it is from the URL Category or general accessibility.
If you are interested to learn more about the WSA with dual stack, check out my talk from CiscoLive 2015 in Milan, visit me at CiscoLive 2015 in San Diego (BRKSEC-3771M), or, just send me a message and I am happy to discuss with you!