Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar
Transcript of Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Cisco TechAdvantage Webinars: Preparing for IPv6 and BYOD with a Single Security Policy. This webinar will provide an overview of how BYOD is challenging L2 domain security, and how in this scenario IPv6 requires capabilities not present in IPv4 to address it. Andrew and Rafael will highlight what is new, what the threats on the link layer are, and what solutions are available today at Cisco to mitigate them. Follow us @GetYourBuildOn
Andrew Yourtchenko Rafael Maranon-Abreu
Register for a Technical Seminar with our Cisco Software SMEs: http://www.ciscolive.com/london/registration-packages/
Session Title / Session Number
Advanced LISP Techtorial TECIPM-3191
Advanced Network Automation TECNMS-3601
Application Awareness in the network; the Route to Application Visibility and Control TECRST-2672
Converged Access: Wired/Wireless System Architecture, Design and Operations TECCRS-2678
Enterprise QoS Design Strategy TECRST-2501
IP Mobility Deep Dive TECSPG-3668
IPv6 for Dummies: An Introduction to IPv6 TECMPL-2192
IPv6 Security TECRST-2680
Scaling the IP NGN with Unified MPLS TECNMS-3601
Software Defined Networking and Use Cases TECSPG-2667
Understanding and Deploying IP Multicast Networks TECIMP-1008
Panelists Speakers
Andrew Yourtchenko Technical Leader
Rafael Maranon-Abreu Product Manager
David Lapier Product Manager [email protected]
Ralph Schmieder Technical Engineer
• Submit questions in the Q&A panel and send to “All Panelists”; avoid the CHAT window for better access to panelists
• Please complete the post-event survey
• For WebEx audio, select COMMUNICATE > Join Audio Broadcast
• Where can I get the presentation? Or send email to: [email protected]
• Join us January 9th for our next TechAdvantage Webinar: Enhancing Application Performance with PfR www.cisco.com/go/techadvantage
• For WebEx call back, click ALLOW phone button at the bottom of participants side panel
• Introduction to BYOD, IPv6 and L2 Domain Security
• IPv6 vs IPv4, what is new?
• Threats on the link layer
• Mitigations
http://www.forbes.com/sites/sap/2012/03/05/cisco-the-biggest-mobile-byod-deployment-around/
• Two of five college students and young employees said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility than a higher-paying job with less flexibility.
• Regarding security-related issues in the workplace, three of five employees believe they are not responsible for protecting corporate information and devices.
The Cisco Connected World Technology Report 2011
Top two perceived benefits of BYOD:
• Improved employee productivity (more opportunities to collaborate)
• Greater job satisfaction (flexibility and work-life balance)
• 2+ BYOD per employee.
• 1 BYOD per employee.
• 0 BYOD per employee.
Source: Cisco VNI Global Forecast, 2011–2016
Growth catalysts: More Devices; More Internet Users; Faster Broadband Speeds; More Rich Media Content
Figures: Nearly 19 Billion Connections; 3.4 Billion Internet Users; 4-Fold Speed Increase; 1.2 M Video Minutes per Second
World IPv6 Launch: activated 3000+ websites, 50 networks (ISPs), 4 home router vendors
Public sector in the first 100 sign-ups (3006 total): National Library of Medicine, NASA, Department of State, Department of Education, REMS, Doingwhatworks, USGS, U Penn, UNC, U Wisconsin, NCSU, U Utah, USDA, VA, National Park Service, US Census Bureau
Source: http://www.worldipv6launch.org/participants/?q=1
Inside – Out (Dual-Stack Enterprise, IPv4 Internet):
• Globalization
• Technology Leadership
• Industry mandate
• BYOD-Security-Visibility
• Flatten management plane
Outside – In (IPv4 Enterprise, IPv6 Internet):
• Internet Evolution
• Business Continuity
• B2C, B2B
http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
• No plans
• 24 months
• 12 months
• 6 months
• Done
[Chart: “When are you planning to deploy IPv6 in production?”, survey results July 2010 vs March 2012; categories: In Progress / Done, 6 months, 12 months, 24 months, No plans; x-axis 0 to 60 (%); values called out on the chart: 32%, 40%, 65%, 15%]
[Diagram: single-policy BYOD architecture. Components: Cisco Catalyst Switches, Cisco WLAN Controller, ISE, iOS or Android devices, AD/LDAP, User X / User Y, MDM Manager, NCS Prime, ASA Firewall, CSM / ASDM]
Link operations: operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.
• They encompass:
– Address configuration parameters
– Address initialization
– Address resolution
– Default gateway discovery
– Local network configuration
– Neighbor reachability tracking
Example of Inside Attacks exploiting IPv6 Link Operations
The Challenge: attacks inside the network
IPv6 Link Operations can be easily attacked inside the local network:
• The attacker can become the local default gateway by sending rogue Router Advertisements
• The attacker can disable the local IPv6 network by poisoning Duplicate Address Detection
• The attacker can spoof a user address by snooping Neighbor Solicitation and poisoning Neighbor Advertisement
[Diagram: authenticated device behind the access switches; data security at the edge]
• Catalyst Integrated Security Features (CISF)
For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf
The Solution: IPv6 Snooping and Guard
Intelligent perimeter at the edge: IPv6 First Hop Security in the access switch
• Monitor device address assignment with Binding Integrity Guard
• Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard
• Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard
• Pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers
• Track IPv6 devices by snooping neighbor and router solicitations (NS, RS), DAD NS and DHCP requests, and query their status when they become inactive
Binding table (example):
Intf      IPv6    MAC   VLAN  State
g1/0/10   ::001A  001A  110   Active
g1/0/11   ::001B  001B  110   Active
g1/0/11   ::001C  001C  110   Stale
g1/0/15   ::001D  001D  110   Active
g1/0/16   ::001E  001E  200   Verifying
g1/0/17   ::0020  0020  200   Active
g1/0/21   ::0021  0021  200   Active
…         …       …     …     …
[Diagram: authenticated device; data security at the edge; snooped messages: NS, ND, RS, DAD NS, DHCP, RA]
IPv6 FHS: Securing IPv6 Networks – Quick Intro
Core Features:
• IPv6 Snooping * – previously referred to as ND Inspection / Binding Table Recovery / Address Glean / Device Tracking. Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table.
• RA Guard – Protection: rogue or malicious RA; MiM attacks
• DHCPv6 Guard – Protection: invalid DHCP offers; DoS attacks; MiM attacks
Advanced Features:
• Source/Prefix Guard – Protection: invalid source address; invalid prefix; source address spoofing
• Destination Guard – Protection: DoS attacks; scanning; invalid destination address
Scalability & Performance:
• RA Throttler – Facilitates scale by converting multicast traffic to unicast
• ND Multicast Suppress – Reduces the control traffic necessary for proper link operations to improve performance
RA Guard: prevent rogue Router Advertisements from taking down the network
Before RA Guard: a rogue RA (“I am a router”) passes through the First Hop Switch and Host A accepts it (“Yea! Thanks”).
After RA Guard: the First Hop Switch drops the rogue RA (“Not according to me”) and Host A never sees it.
DHCP Guard: prevent rogue DHCP responses from misleading the client
Before DHCP Guard: the Host sends a DHCP Request; both the legitimate DHCP Server and a rogue node answer “I am a DHCP Server”, and the First Hop Switch forwards both answers.
After DHCP Guard: the First Hop Switch forwards only the answer from the legitimate DHCP Server and drops the rogue “I am a DHCP Server”.
IPv6 Snooping
• Deep control packet inspection
• Address Glean (ND, DHCP, data)
• Address Watch
• Binding Guard
Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
IPv6 Binding Table (example):
Intf      IPv6    MAC   VLAN  State
g1/0/10   ::001A  001A  110   Active
g1/0/11   ::001C  001C  110   Stale
g1/0/16   ::001E  001E  200   Verifying
Related features built on the Binding Table: IPv6 Source Guard, IPv6 Destination Guard, Device Tracking
• Very important.
• Important.
• Neutral.
• Not important.
• Risk and Exposure: exposed to end users, the access layer is inherently vulnerable
• Infrastructure Protection: security at the network edge protects the network infrastructure
• Network Intelligence: key data can only be gathered at the access layer
Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?
• More addresses!
– More end-nodes allowed on the link (up to 2^64!)
– Bigger neighbor cache on end-nodes and on the default router
– May lead to some dramatic topology evolution
– Creates new opportunities for DoS attacks
Threats are also dependent on the protocols in use: what is different?
• More distributed and more autonomous operations
– Nodes discover their default router automatically
– Nodes auto-configure their addresses
– Nodes defend themselves (SeND)
– Distributed address assignment creates more challenges for address security
“Old” IPv4 link model is very much DHCP-centric
[Diagram: DHCP-server – assigns addresses, announces default router, announces link parameters; Router]
IPv6 link model is essentially distributed, with DHCP playing a minor role
[Diagram: DHCP-server – assigns addresses; Router – announces default router, announces link parameters; each of the three hosts – assigns its own addresses]
[Diagram: host, router, time server, web server, attacker, DHCP server/relay; trusted end-nodes vs un-trusted end-nodes]
• Distributed: security verified between any pair of nodes
• Centralized: security verified between each node and the central switch
• Defined in RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)”, and RFC 4862, “IPv6 Stateless Address Autoconfiguration”
• Used for:
– Router discovery
– IPv6 Stateless Address Auto Configuration (SLAAC)
– IPv6 address resolution (replaces ARP)
– Neighbor Unreachability Detection (NUD)
– Duplicate Address Detection (DAD)
– Redirection
• Operates above ICMPv6; relies heavily on multicast (including L2 multicast)
• Works with ICMPv6 messages and message “options”
Find default/first-hop routers; discover on-link prefixes => which destinations are neighbors
Messages: Router Advertisements (RA), Router Solicitations (RS)
RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans timer, autoconfig flag; Option = Prefix, lifetime
[Diagram: host A sends an RS, router B answers with an RA, and A uses B as default gateway]
• Attacker tricks victim into accepting him as default router
• Based on rogue Router Advertisements
• The most frequent threat, and often caused by a non-malicious user
[Diagram: node C sends an RA (Src = C’s link-local address, Dst = All-nodes, Data = router lifetime, autoconfig flag, Options = subnet prefix, SLLA) and an RA with Src = B’s link-local address, Dst = All-nodes, Data = router lifetime = 0; as a result node A sends its off-link traffic to C instead of the legitimate router B]
• Stateless, based on prefix information delivered in Router Advertisements
Messages: Router Advertisements, Router Solicitations
RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans timer, autoconfig flag; Options = Prefix X, Y, Z, lifetime
[Diagram: the host sends an RS, the router answers with an RA carrying prefixes X, Y, Z; the host computes X::x, Y::y, Z::z, runs DAD on them (NS) and then sources traffic with X::x, Y::y, Z::z]
• Attacker spoofs Router Advertisement with false on-link prefix
• Victim generates IP address with this prefix
• Access router drops outgoing packets from victim (ingress filtering)
• Incoming packets can't reach victim
[Diagram: node C sends an RA (Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD, preferred lifetime) and another RA (Src = B’s link-local address, Dst = All-nodes, Options = prefix X, preferred lifetime = 0); node A deprecates X::A, computes BAD::A and runs DAD on it, then sources off-link traffic to B with BAD::A, which B filters out]
Messages: Neighbor Solicitation, Neighbor Advertisement
• Resolves IP address into MAC address
• Creates neighbor cache entry
NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = Solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B’s link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B’s interface addresses; Dst = A; Data = B; Option = link-layer address of B
[Diagram: A sends the NS, B answers with the NA (C is also on the link); A and B can now exchange packets on this link]
• Attacker can claim victim's IP address
[Diagram: A sends an NS (Dst = Solicited-node multicast address of B, Query = what is B’s link-layer address?); C answers with an NA (Src = B or any of C’s interface addresses, Dst = A, Data = B, Option = link-layer address of C)]
Messages: Neighbor Solicitation, Neighbor Advertisement
• Verify address uniqueness
• Probe neighbors to verify nobody claims the address
NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?
[Diagram: A multicasts the DAD NS; with no answer from B or C, node A can start using address A]
• Attacker answers every DAD attempt of the victim
• Victim can't configure IP address and can't communicate
[Diagram: A sends a DAD NS (Src = UNSPEC, Dst = Solicited-node multicast address of A, Data = A, Query = Does anybody use A already?); C answers with an NA (Src = any of C’s interface addresses, Dst = A, Data = A, Option = link-layer address of C): “it’s mine!”]
SEND: SEcure Neighbor Discovery Distributed L2 Security Model
• Advantages
– No central administration, no central operation
– No bottleneck, no single point of failure
– Intrinsic part of the link operations
– Not tied to the L2 infrastructure
– Load distribution
• Disadvantages
– Heavy provisioning of end-nodes
– Only provisioned end-nodes are protected
– Tied to node capabilities
– Bootstrapping issue
– Complexity spread all over the domain
[Diagram: Provisioning Infrastructure (Configuration Server, DHCP Server, Time Server, Certificate Server), Hosts, L2/link Infrastructure, Internet]
WHAT SEND PROVIDES
• Each node on the link takes care of its own security
• Verifies router legitimacy
• Verifies address ownership
WHAT SEND DOES NOT PROVIDE
• It does not verify other key role legitimacy (DHCP server, NTP, etc.)
• It only applies to link operations
• It does not provide end-to-end security
• It does not guarantee authorization (≠ 802.1X)
• SeND is NOT a new protocol
• SeND is “just” an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.)
• Therefore ND+SeND remains a protocol operating on the link
• SeND is a distributed mitigation mechanism
• SeND does not provide any “end-to-end” security
• SeND is specified in RFC 3971 and RFC 3972
[Diagram: CGA and signed ND. The node computes its address from the prefix and a derived interface ID, signs its ND message (Src = my address!), and the receiver verifies the signature]
SeND router authorization: Router R, host, Certificate Authority CA0 (certificate C0). Steps as numbered on the slide:
1. Router certificate request (R to CA0)
2. Router certificate CR (CA0 to R)
3. Certificate Path Solicit (CPS), host to R: I trust CA0, who are you?
4. Certificate Path Advertise (CPA), R to host: I am R, this is my certificate CR
5. Router Advertisement (R to host)
6. Host verifies CR against CA0
7. Host starts using R as default gateway
A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside
To benefit fully from SeND, nodes must:
• Be provisioned with CA certificate(s)
• Be time synchronized / have access to the NTP server
• Have access to a CRL or OCSP server
[Diagram: an administrative boundary containing CA, Router and Host; further CA / Router / Host groups outside it]
Due to transition realities and lack of pervasive support for SeND:
• At best there will be a mix of CGA, Router Authorization and “old” ND support
• More likely, a small number of SeND-capable nodes lost in the middle of many non-capable ones
This has almost no value because it is a two-player game: nodes with no SeND/CGA support can’t verify SeND/CGA credentials!
Trustee
Move to a different deployment model?
Centralized L2 security model
• Advantages
– Central administration, central operation
– Complexity and provisioning limited to the first hop
– All nodes protected
– Transitioning much easier
• Disadvantages
– Applicable only to certain topologies
– Requires the first hop to learn about end-nodes
– The first hop can be a bottleneck and single point of failure
[Diagram: Provisioning Infrastructure (Configuration Server, DHCP Server, Time Server, Certificate Server), Hosts, L2/link Infrastructure, Internet]
WHAT IS IT?
• Takes care of all nodes' security, primarily from a link-operations standpoint
• Leverages information gleaned by snooping link operations
• Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.
REQUIREMENTS
• Must be “in the centre” or part of the security perimeter
• Requires some provisioning
• Must be versatile (NDP, SeND, DHCP, MLD, etc.)
First Hop Security (FHS)
Centralized L2 security technology
RA Guard. Goal: to mitigate against rogue RA
• Switch selectively accepts or rejects RAs based on various criteria
• Can be ACL based, learning based or challenge (SeND) based
• Hosts see only allowed RAs, and RAs with allowed content
[Diagram: a node sends a Router Advertisement (Option: prefix(s); “I am the default gateway”); the switch verifies it (configuration-based, learning-based or challenge-based) and bridges the RA only if verification succeeded]
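The configuration-based variant of this check, as an added example (Python; not Cisco's code or the switch's implementation): it parses constructed IPv6/ICMPv6 frames with the standard library and applies a pre-configured port role plus an allowed-prefix list to each RA. The port roles, the allowed prefix set and the absence of extension headers in front of the ICMPv6 header are assumptions of the example.

```python
"""Configuration-based RA Guard check (added example; not Cisco's code)."""
import ipaddress
import struct

ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
RA_TYPE = 134        # ICMPv6 Router Advertisement
PREFIX_OPT = 3       # Prefix Information option (RFC 4861)
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def parse_ipv6(frame: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header. Assumption: ND packets carry no
    extension headers, so Next Header is read straight from the fixed header."""
    if len(frame) < 40:
        raise ValueError("short packet")
    first, plen, nxt, hlim = struct.unpack("!IHBB", frame[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6")
    return {"next": nxt, "hlim": hlim,
            "src": ipaddress.IPv6Address(frame[8:24]),
            "dst": ipaddress.IPv6Address(frame[24:40]),
            "payload": frame[40:40 + plen]}


def ra_prefixes(icmp: bytes):
    """Yield every prefix carried in the RA's Prefix Information options."""
    off = 16  # RA header: type, code, cksum, hop limit, flags, lifetime, reachable, retrans
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # forbidden by RFC 4861
        if otype == PREFIX_OPT and olen == 4:
            plen = icmp[off + 2]                         # prefix length, then 16-byte prefix at +16
            yield ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
        off += olen * 8


def ra_guard(frame: bytes, port_role: str, allowed: set) -> str:
    """Decide one frame on one port: 'forward', 'not-ra' or 'drop:<reason>'.
    port_role is the pre-configured role ('router' or 'host'); allowed is the
    set of prefixes an RA may announce. Both are assumed policy inputs."""
    try:
        ip = parse_ipv6(frame)
        if ip["next"] != ICMPV6 or ip["payload"][:1] != bytes([RA_TYPE]):
            return "not-ra"
        if port_role != "router":
            return "drop:ra-on-host-port"          # hosts never legitimately send RAs
        if ip["hlim"] != 255 or not ip["src"].is_link_local:
            return "drop:bad-ra-header"            # RFC 4861 RA validity rules
        for prefix in ra_prefixes(ip["payload"]):
            if prefix not in allowed:
                return f"drop:prefix-{prefix}"     # "RAs with allowed content" check
    except ValueError:
        return "drop:malformed"
    return "forward"


def build_ra(src: str, prefix: str, plen: int = 64) -> bytes:
    """Construct a minimal RA with one Prefix Information option. The ICMPv6
    checksum is left zero: this example does not verify checksums."""
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    net = ipaddress.IPv6Network(f"{prefix}/{plen}")
    icmp += struct.pack("!BBBBIII", PREFIX_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + icmp


# Constructed sample inputs: one legitimate RA and one announcing a foreign prefix.
ALLOWED = {ipaddress.IPv6Network("2001:db8:1::/64")}
LEGIT_RA = build_ra("fe80::1", "2001:db8:1::")
ROGUE_RA = build_ra("fe80::bad", "2001:db8:bad::")

if __name__ == "__main__":
    print(ra_guard(LEGIT_RA, "router", ALLOWED))   # forward
    print(ra_guard(LEGIT_RA, "host", ALLOWED))     # drop:ra-on-host-port
    print(ra_guard(ROGUE_RA, "router", ALLOWED))   # drop:prefix-2001:db8:bad::/64
```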
ACL-based RA Guard on an access port (IOS IPv6 access list):
  ipv6 access-list ACCESS_PORT
   remark Block all traffic DHCP server -> client
   deny udp any eq 547 any eq 546
   remark Block Router Advertisements
   deny icmp any any router-advertisement
   permit ipv6 any any
  interface gigabitethernet 1/0/1
   switchport
   ipv6 traffic-filter ACCESS_PORT in
• Extension header chains can be so large that they are fragmented!
• Finding the layer 4 information is not trivial in IPv6:
– Skip all known extension headers
– Until either a known layer 4 header is found => SUCCESS
– Or an unknown extension header/layer 4 header is found... => FAILURE
– Or the end of the extension headers is reached => FAILURE
Fragment 1: IPv6 hdr, HopByHop, Routing, Destination, Destination
Fragment 2: IPv6 hdr, HopByHop, ICMP, Data
The layer 4 header is in the 2nd fragment.
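The header walk described above, as an added example (Python; not Cisco code): it skips the known extension headers, stops at a known layer 4 header, and fails on an unknown header, a non-first fragment, No Next Header or a truncated chain. It is run over constructed packets modelled on the two fragments in the slide; the eight-header sanity limit is an assumption.

```python
"""Walk an IPv6 extension-header chain to find the layer 4 header (added
example; not Cisco code). SUCCESS only when a known layer 4 header is present
in this packet; otherwise FAILURE with the reason, as in the slide's rule."""
import struct

EXT_HDRS = {0: "HopByHop", 43: "Routing", 60: "Destination"}  # share the 8-octet length encoding
FRAGMENT = 44
NO_NEXT = 59
L4 = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAX_CHAIN = 8   # assumed sanity limit on the number of headers walked


def find_layer4(pkt: bytes):
    """Return (status, name, offset); offset is where the named header starts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("FAILURE", "not-ipv6", 0)
    nxt, off = pkt[6], 40
    for _ in range(MAX_CHAIN + 1):
        if nxt in L4:
            if off + 4 > len(pkt):                    # named, but its bytes are not here
                return ("FAILURE", "l4-truncated", off)
            return ("SUCCESS", L4[nxt], off)
        if nxt != FRAGMENT and nxt not in EXT_HDRS:
            name = "no-next-header" if nxt == NO_NEXT else f"unknown-{nxt}"
            return ("FAILURE", name, off)
        if off + 8 > len(pkt):
            return ("FAILURE", "ext-truncated", off)
        if nxt == FRAGMENT:
            field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if field >> 3:                            # fragment offset != 0: not the first piece
                return ("FAILURE", "non-first-fragment", off)
            nxt, off = pkt[off], off + 8              # fragment header is a fixed 8 octets
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len excludes the first 8
    return ("FAILURE", "chain-too-long", off)


# Constructed sample packets (addresses from the 2001:db8::/32 documentation prefix).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + SRC + DST + payload


def ext(next_hdr: int, extra_words: int = 0) -> bytes:
    """Minimal HopByHop/Routing/Destination header: Next Header, Hdr Ext Len, padding."""
    return bytes([next_hdr, extra_words]) + b"\x00" * (6 + 8 * extra_words)


def frag(next_hdr: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, 0x1234)


ICMP_ECHO = bytes([128, 0, 0, 0, 0, 0, 0, 0])   # echo request; checksum not computed here

NORMAL = ipv6(0, ext(58) + ICMP_ECHO)
# The slide's case: the chain is long enough that the ICMP header lands in the 2nd fragment.
FRAG1 = ipv6(0, ext(44) + frag(43, 0, 1) + ext(60) + ext(60) + ext(58))
FRAG2 = ipv6(0, ext(44) + frag(58, 4, 0) + ICMP_ECHO)
UNKNOWN = ipv6(0, ext(253) + b"\x00" * 8)

if __name__ == "__main__":
    for name, p in [("NORMAL", NORMAL), ("FRAG1", FRAG1), ("FRAG2", FRAG2), ("UNKNOWN", UNKNOWN)]:
        print(name, find_layer4(p))
```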
Binding table / Address glean. Goal: to enforce address ownership and mitigate against address DoS
– Arbitrate collisions, check ownership
– Check against max allowed per box/vlan/port
– Record & report changes
[Diagram: the host's address is gleaned by the switch, checked against the binding table (Valid?) and bridged only if valid]
Device tracking. Goal: to track active addresses (devices) on the link
– Keep track of device state
– Probe devices when becoming stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
Binding table before (hosts H1, H2, H3):
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  STALE
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH
A3    MACH3  100   P3  STALE
Probes and answers: DAD NS [IP source=UNSPEC, target = A1]; DAD NS [IP source=UNSPEC, target = A3]; NA [target = A1, LLA=MACH1] from H1
Binding table after (A3 removed, H3 did not answer the probe):
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  REACH
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH
Address glean. Goal: to monitor address allocation and store bindings
Snooped messages (hosts H1, H2, H3; DHCP-server):
• NS [IP source=A1, LLA=MACH1] from H1
• DHCP REQUEST [XID, SMAC = MACH2] from H2 and REPLY [XID, IPA21, IPA22] from the DHCP-server
• data [IP source=A3, SMAC=MACH3] and DAD NS [IP source=UNSPEC, target = A3] from H3
• NA [IP source=A1, LLA=MACH3] (conflicts with the existing A1 binding)
• DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY between the switch and the DHCP-server
Resulting binding table:
IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3
Source guard. Goal: to validate source address of IPv6 traffic sourced from the link
– Allow traffic sourced with known IP/SMAC
– Deny traffic sourced with unknown IP/SMAC
Binding table (hosts H1, H2, H3):
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3
Traffic checked against the table:
• P1: data, src = A1, SMAC = MACA1
• P2: data, src = A21, SMAC = MACA21
• P3: data, src = A3, SMAC = MACA3
Address glean on P3: ::A3, MACA3 (DAD NS [IP source=UNSPEC, target = A3]); NA [target = A1, LLA=MACA3]; DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
Destination guard. Goal: to validate destination address of IPv6 traffic reaching the link
• Mitigate prefix-scanning attacks and protect the ND cache
• Useful at the last-hop router and L3 distribution switch
• Drops packets for destinations without a binding entry
[Diagram: traffic from the Internet scanning {P/64} with destinations D1 … Dn reaches the L3 switch; the switch looks up each destination in the binding table: found → forward packet to the host; not found → drop, so the neighbor cache is not filled]
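The address glean, device tracking, source guard and destination guard slides above, combined into one added example (Python; not Cisco's implementation): a toy binding table that arbitrates address claims, validates data by IP/SMAC/port, drops traffic to unbound destinations and removes entries that stay silent when probed. The addresses, MACs, event format and per-port limit are constructed assumptions.

```python
"""Toy first-hop binding table (added example; not Cisco's implementation):
address glean from DAD NS / NA / DHCP REPLY, device tracking, source guard and
destination guard. Events are constructed dicts mirroring the slides' messages."""

MAX_PER_PORT = 4   # assumed "max allowed per port" limit


class BindingTable:
    def __init__(self):
        self.table = {}   # IPv6 address -> {"mac", "vlan", "port", "state"}
        self.log = []     # record & report binding changes and denials

    def claim(self, ip, mac, vlan, port, how):
        """Arbitrate a claim: new -> add, same owner -> refresh, other owner -> reject."""
        cur = self.table.get(ip)
        if cur is None:
            if sum(b["port"] == port for b in self.table.values()) >= MAX_PER_PORT:
                self.log.append(f"DENY {how} {ip}: port {port} at limit")
                return False
            self.table[ip] = {"mac": mac, "vlan": vlan, "port": port, "state": "REACH"}
            self.log.append(f"ADD {how} {ip} -> {mac}/{port}")
            return True
        if (cur["mac"], cur["port"]) == (mac, port):
            cur["state"] = "REACH"
            return True
        self.log.append(f"DENY {how} {ip}: owned by {cur['mac']}/{cur['port']}, claimed by {mac}/{port}")
        return False

    def glean(self, ev):
        """Snoop one control message: DAD NS (target = candidate address),
        NA (target = advertised address) or a DHCP REPLY seen on the client port."""
        if ev["kind"] in ("dad_ns", "na"):
            return self.claim(ev["target"], ev["mac"], ev["vlan"], ev["port"], ev["kind"].upper())
        if ev["kind"] == "dhcp_reply":
            return all([self.claim(a, ev["mac"], ev["vlan"], ev["port"], "DHCP") for a in ev["addrs"]])
        raise ValueError(f"unknown event {ev['kind']}")

    def source_guard(self, ip, mac, port):
        """Forward data only when source IP, SMAC and ingress port match a binding."""
        b = self.table.get(ip)
        return b is not None and (b["mac"], b["port"]) == (mac, port)

    def destination_guard(self, ip):
        """Forward into the link only for destinations that have a binding."""
        return ip in self.table

    def probe(self, ip, answered):
        """Device tracking: a stale entry is probed; no answer removes it."""
        if ip in self.table and answered:
            self.table[ip]["state"] = "REACH"
            return True
        if self.table.pop(ip, None) is not None:
            self.log.append(f"DEL {ip}: no answer to probe")
        return False


# Constructed addresses/MACs standing in for the slides' A1, A21, A22, A3 and H1..H3.
A1, A21, A22, A3 = ("2001:db8:100::a1", "2001:db8:100::a21",
                    "2001:db8:100::a22", "2001:db8:100::a3")
MACH1, MACH2, MACH3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"


def run_scenario():
    """Replay the slides' message sequence; return the table and per-packet verdicts."""
    bt, v = BindingTable(), {}
    bt.glean({"kind": "dad_ns", "target": A1, "mac": MACH1, "vlan": 100, "port": "P1"})
    bt.glean({"kind": "dhcp_reply", "addrs": [A21, A22], "mac": MACH2, "vlan": 100, "port": "P2"})
    v["data A3 before glean"] = bt.source_guard(A3, MACH3, "P3")   # unknown IP/SMAC: deny
    bt.glean({"kind": "dad_ns", "target": A3, "mac": MACH3, "vlan": 100, "port": "P3"})
    v["data A3 after glean"] = bt.source_guard(A3, MACH3, "P3")    # now bound: allow
    v["H3 claims A1"] = bt.glean({"kind": "na", "target": A1, "mac": MACH3, "vlan": 100, "port": "P3"})
    v["spoof A1 from P3"] = bt.source_guard(A1, MACH3, "P3")       # A1 belongs to P1: deny
    v["dst A1"] = bt.destination_guard(A1)                          # known host: forward
    v["dst scan"] = bt.destination_guard("2001:db8:100::dead")     # no binding: drop
    v["A3 silent"] = bt.probe(A3, answered=False)                   # stale, no answer: removed
    return bt, v
```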
• ~8660 MAC addresses seen
• ~90% MAC addresses dualstack - capable
• More info: http://blogs.cisco.com/borderless/ipv6-at-ciscolive-san-diego/
BYOD brings new security and scalability challenges to the L2 domain.
Modern devices support and prefer IPv6 connectivity.
Securing the access layer with a single policy mitigates vulnerabilities in L2 mobility environments.
The Cisco IPv6 FHS solution provides solid protection from rogue or mis-configured users in IPv6 or dual-stack networks, and efficiently handles wireless scalability.
First Hop Security white paper http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html
First Hop Security documentation http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
Cisco Support IPv6 Community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
Product Manager: Rafael Maranon-Abreu [email protected]
Technical Leader Engineering: Andrew Yourtchenko [email protected]
• Thank you!
• Please complete the post-event survey
• Join us January 9th for our next webinar: Enhancing Application Performance with PfR
Register: www.cisco.com/go/techadvantage
Follow us @GetYourBuildOn