12.07.2015 Views

IPv6 Security


ERs (edge routers), 110
ESPs (Encapsulated Security Payloads)
    capabilities of, 320
    defining RFC, 320
    IKE with, 321
    IPv6 over IPv4 example, 329
    IPv6 tunneling example, 346
    NAT issues, 325
    null encryption, 321
    purpose of, 320
    SAs for, 324
    SPIs, 324
    tunnel mode, 322
EUI-64 (Extended Unique Identifier 64)
    address configuration, 159, 205
    ISATAP generation of, 429
explicitly configured BGP peers, 92
extended ACLs, 139
extension headers
    ACL example for, 28-29
    application layer attacks using, 55
    chain size vulnerability, 28
    defining RFC, 24
    Destination Options headers, 25, 29-32
    dual-stack attacks, 55
    formats, 24
    fragment headers, 25, 43, 47-52
    future of, 507
    fuzzing, 33
    Hop-by-Hop Options header, 25, 29-32
    inspection issues, 27
    IPsec, 320-321
    mobile, types of, 379
    Next Header field. See NH
    next-header numbers, 25, 27
    NH check problem, 47
    order of, 25
    overview, 24-25
    policies for, 504
    purpose of, 24
    router alert attacks, 33-36
    routing. See routing headers
    rules of, 25
    types requiring special attention, 28
    unknown headers, 52-54
    vulnerabilities, 28

F

fake_advertise6, 189
fake_router6, 185, 200, 202
FAs (Foreign Agents), 379
fast external fallover, 104
Fast Handover for Mobile IPv6 (FMIPv6), 407
FCAPS model, 467
FHRPs (first-hop redundancy protocols)
    GLBPv6, 260-262
    HSRPv6, 257-259
    NHD (Neighbor Unreachability Detection), 255-257
    purpose of, 255
FIB (Forwarding Information Base), 119
filtering. See also firewalls
    ACLs compared to, 164
    allocated addresses, permitting, 129
    BGP peer interfaces, 97
    deny lists for addresses, 129-132
    extended ACLs for, 139
    header issues, 133-134
    ICMPv6 messages, 20-22
    ingress/egress. See ingress/egress filtering
    internally allocated addresses at perimeter, 132
    link-local addresses, 131
    MIPv6. See MIPv6 filtering
    multicasting address guidelines, 131
    PIX/ASA/FWSM firewalls for, 164-166
    reserved space, 131
    unallocated addresses at firewalls, 128-133
firewalls. See also filtering
    allocated addresses, permitting, 129
    antispoofing requirement, 128
    ASA. See PIX/ASA/FWSM firewalls
    availability of, 12
    basic policy rule, 128
    BSD, 303-312
    Cisco IOS. See IOS firewalls
    deny lists for addresses, 129-132
    FWSM. See PIX/ASA/FWSM firewalls
    header issues, 133-134
    host. See host firewalls
    ICMP filtering issues, 18
    ICMP unreachable messages, 136
    inspecting tunneled traffic, 134-135
    internally allocated addresses, blocking, 132
