IPv6 Security

522iACLs (infrastructure ACLs)IiACLs (infrastructure ACLs)blocking inbound router control packets,263-264purpose of, 97IBGP. See BGPICMPv6 (Internet Control Message Protocolversion 6)ACL syntax for, 165ACLs, specifying for, 139attacks and mitigation, 20-22blocking all packets, 18Cisco planned feature set for, 204defense in depth strategy, 283defining RFC, 17DoS attacks based on, 21Duplicate Address Detection, 190, 192Echo Request packet attacks, 20-21error messages, 19, 21-22, 505error-interval command, 22filtering by function, 21firewall policy example, 166forged RAs, 185-186functions provided by, 18-19guidelines for host packet monitoring, 283history of, 18hop limit issues, 19-20, 195host processing, 282-283icmp error-interval command, 269IETF working group on, 203interface policy, 165Layer 2 vulnerability overview, 182message structure, 19MIPv6 filtering of, 393-394NDP attack mitigation, 201-204neighbor discovery, 187-190. See alsoneighborsNeighbor functions, 18normal router advertisement mechanism, 183Packet Too Big messages, 45packet-flooding attack vulnerability, 76permitted message type recommendations, 282protocol protection mechanisms, 195-199QoS traffic limiting, 271redirection issues, 193-195reducing attack scope, 203rogue nonmalicious RAs, 185rogue RA attack detection, 199-200Router Advertisements, 183. See also RAsSEND, 196-199SLACC issues, 183, 185-186source address restrictions, 195source and destination address issues, 20stateless autoconfiguration addresses, 20type numbers, 19unallocated message types, 20unreachable messages, 136unreachable packets, preventing, 223ICS (Internet Connection Sharing), 461IDS (inline intrusion detection), 158IDSs (Intrusion Detection Systems), 485IEE 802.16e, 411IETF (Internet Engineering Task Force), 3ifconfig command for tunnel detection, 291-292IGPs (interior gateway protocols), 106. See alsoIS-ISIKE (Internet Key Exchange)configuration for IPv6 tunnels, 344-345ICV fields, 321IPv6 over IPv4 configuration, 329mechanics of, 323purpose of, 321-322SAs with, 324SPDs with, 323tunneling parameters, viewing, 333versions, 324image verification of IOS, 221-222indirect mode mobile tunneling, 381Information Technology Infrastructure Library(ITIL), 493infrastructure ACLs. See iACLsingress/egress filteringaddress prefix list for, 88-89allocated addresses, on, 85-86bogon filtering, 87-90DDoS attacks, 81-82importance of, 85Internet Routing Registries, 90locations for, 85spoofing attacks, preventing, 66unallocated addresses, 87injection attacks on tunnels, 444-446inspect command, IOS firewalls, 150-153