
© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents may contain confidential information and are not to be copied.

Tribal Telecom 2015
IPv6 Forum: Infrastructure

Scott Hogg, CTO GTRI, Chair Emeritus RMv6TF, IPv6 COE Infoblox
CCIE #5133, CISSP #4160


IPv6 Support is Pervasive

• Even if an organization hasn’t started using IPv6 yet, they already have some IPv6 running on their networks and didn’t realize it.
  – We all use Linux, Apple OS X (iOS), Android, BSD, and Microsoft Windows 7/8/Win2K8/Win2012 systems.
  – They all come with IPv6 capability enabled by default and prefer IPv6 connectivity.
  – They may try to use IPv6 first and then fall back to IPv4.
  – Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content.
  – These techniques take place regardless of user input or configuration or notification.
• IPv6 support is pervasive in our networking equipment, operating systems, and many software and services.
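
Because native IPv6 and IPv6-in-IPv4 tunnels appear without any user action, a first visibility step is to label flow records by how IPv6 shows up in them. The following Python is an added example, not part of the original presentation; the flow tuple layout, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Constructed flow records (not from the slides): src, dst, IP protocol, dst port.
# All addresses are built from documentation ranges (192.0.2.0/24, 2001:db8::/32, ...).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 6, 443),        # ordinary IPv4 HTTPS
    ("192.0.2.11", "203.0.113.1", 41, 0),          # IPv6 carried inside IPv4
    ("192.0.2.12", "203.0.113.9", 17, 3544),       # UDP to the Teredo server port
    ("2002:c000:20d::1", "2001:db8::5", 6, 80),    # 6to4-derived source address
    ("2001:0:cb00:7109:0:fbff:3fff:fdf2", "2001:db8::5", 6, 80),  # Teredo address
    ("2001:db8:1::20", "2001:db8::5", 6, 443),     # native IPv6
]

IPPROTO_UDP, IPPROTO_IPV6 = 17, 41   # protocol 41 = IPv6 encapsulated in IPv4
TEREDO_PORT = 3544                   # well-known Teredo server port


def classify(src, dst, proto, dport):
    """Return a label describing how IPv6 is (or is not) present in one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4 and d.version == 4:
        if proto == IPPROTO_IPV6:
            return "tunnel:proto41"          # 6in4, 6to4 or ISATAP payload
        if proto == IPPROTO_UDP and dport == TEREDO_PORT:
            return "tunnel:teredo"
        return "ipv4"
    for addr in (s, d):
        if addr.version == 6:
            if addr.sixtofour is not None:   # inside 2002::/16
                return "ipv6:6to4-address"
            if addr.teredo is not None:      # inside 2001::/32
                return "ipv6:teredo-address"
    return "ipv6:native"


def summarize(flows):
    """Count flows per label so unexpected tunnels stand out in a report."""
    counts = {}
    for flow in flows:
        label = classify(*flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:22} {n}")
```

On a network that believes it is IPv4-only, any label other than "ipv4" is a finding to investigate.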


IPv6 Security Evolution

• IPv6 has been under development for 20 years.
  – IPv6 has had time to mature and become gracefully adopted.
  – IPv6 will never be “finalized” just like IPv4 keeps evolving.
• Security researchers and attackers have been actively exploring IPv6, and they still look for weaknesses in IPv4.
• All leading vendors have had to publish patches due to IPv6-related security vulnerabilities.
• The industry will continue to discover and fix new IPv6 vulnerabilities.
• Keeping our software patched and updated is critical.


New Conventions in IPv6

• Larger IPv6 address space, no need for NAT
• ICMPv6 and the Neighbor Discovery Protocol (NDP)
• DHCPv6 and IPv6 address management
• IPv6 Extension Headers (Option Headers)
• Visibility to our dual-protocol network connections
  – Dual-protocol security operations (SIEMs)
  – Content filtering of dual-protocol connections


IPv6 Deployment Models

• Dual-stack (Dual-protocol) is the predominant migration strategy (add IPv6, eventually turn off IPv4).
• During this phase we have twice as much work to do.
  – IP address management, dual-protocol network devices, DNS, DHCP, servers, firewalls, testing, configuration, troubleshooting
    • http://www.networkworld.com/article/2222870/cisco-subnet/dual-stack-will-increase-operating-expenses.html
  – You are only as strong as the weakest of the two stacks.

[Figure labels: IPv4, IPv6]


IPv6 (Same old, Same old)

• We will still have . . . on IPv6 networks
  – Spam and phishing
  – Malware and command & control networks
  – DDoS attacks, botnets
  – Application vulnerabilities
  – Network and OS infrastructure threats
• Many of the same techniques we use to secure IPv4 networks are applicable to securing IPv6 networks
  – Firewalls, IPS, Unicast RPF, bogon filtering, RTBH, content filtering, sandboxes, endpoint security, DLP, SIEMs, NAC


IPv6 Security Summary

• IPv6 is already embedded in many of our systems.
• IPv6 is no more or less secure than IPv4; our security focus should be at the applications and in our software.
• One way to control IPv6 is to enable it and be aware of it.
• We all must learn about IPv6 and strive to achieve equal capabilities for IPv6 as with IPv4.
• Ask our vendors about IPv6-capable products and assess “feature parity”.


IPv6 References

• IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009.
  – ISBN-10: 1-58705-594-5, ISBN-13: 978-1-58705-594-2
• ARIN IPv6 Info Center
  – https://www.arin.net/knowledge/ipv6_info_center.html
• Internet Society (ISOC) Deploy360 Programme
  – http://www.internetsociety.org/deploy360/ipv6/
• Rocky Mountain IPv6 Task Force
  – http://www.rmv6tf.org/
• Infoblox IPv6 Center of Excellence (COE)
  – https://community.infoblox.com/taxonomy/term/281
• NetworkWorld Blog
  – http://www.networkworld.com/blog/core-networking-and-security/


Thank You

Scott Hogg
303-949-4865 | [email protected] | @scotthogg