IPv6 Security
Chapter 3: IPv6 Internet Security

BGP neighbor. The concept is that if link-local addresses are used, there would be no way for any other attacker to try to create a peering session with the routers. The attacker could not communicate with either peer in the first place. Furthermore, the attacker would not know the IPv6 addresses of either peer and, as shown in Chapter 2, the reconnaissance of these addresses would not be feasible. Because many organizations might question whether to use global addresses or link-local addresses for BGP peering, it is important to cover this in more detail. The following sections review the positive and negative aspects of using link-local addresses instead of global addresses.

When using link-local addresses for BGP peers, you must explicitly configure the link-local address of the neighbor. Because DNS is not used for link-local addresses, you must enter these addresses manually. As a result, you could easily make a mistake that might take some time to troubleshoot.

Also be aware that the link-local address of a router can be shared among multiple interfaces. Therefore, you must configure the router with the neighbor's link-local address and specify the interface that is being used for the directly connected addresses. There are two ways of doing this. In earlier software versions, you would specify the interface identifier following the link-local address (for example, FE80::C800:17FF:FE88:0%Serial1/0). A newer technique uses the update-source neighbor parameter to specify the interface. Example 3-6 shows how this configuration can appear.

Example 3-6 BGP Peering Using Link-Local Addresses

hostname R1
!
interface Serial1/0
 description ISP interconnect
 ipv6 address 2001:DB8:12::1/64
 ipv6 traffic-filter ALLOWBGP in
!
router bgp 100
 bgp router-id 1.1.1.1
 neighbor FE80::C801:15FF:FE44:0 remote-as 200
 neighbor FE80::C801:15FF:FE44:0 ttl-security hops 1
 neighbor FE80::C801:15FF:FE44:0 password cisco123
 neighbor FE80::C801:15FF:FE44:0 update-source Serial1/0
 !
 address-family ipv4
  no neighbor FE80::C801:15FF:FE44:0 activate
 exit-address-family
 !
 address-family ipv6
  neighbor FE80::C801:15FF:FE44:0 activate
  neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPIN in
  neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPOUT out
  neighbor FE80::C801:15FF:FE44:0 route-map SETNEXTHOP out
  neighbor FE80::C801:15FF:FE44:0 maximum-prefix 250000
  network 2001:DB8:1::/48
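Because the interface binding for a link-local peer is easy to get wrong, a configuration audit that flags a link-local neighbor with neither an update-source nor an old-style %interface suffix, and that also checks for the ttl-security, password, maximum-prefix and inbound prefix-list protections shown in Example 3-6, is a useful sanity check. The following Python is an added example, not code from the book or from Cisco; the config text it parses is a constructed excerpt in the style of Example 3-6.

```python
import ipaddress
import re

# Constructed sample in the style of the chapter's Example 3-6 (not the book's listing).
SAMPLE_CONFIG = """\
router bgp 100
 bgp router-id 1.1.1.1
 neighbor FE80::C801:15FF:FE44:0 remote-as 200
 neighbor FE80::C801:15FF:FE44:0 ttl-security hops 1
 neighbor FE80::C801:15FF:FE44:0 password cisco123
 neighbor FE80::C801:15FF:FE44:0 update-source Serial1/0
 address-family ipv6
  neighbor FE80::C801:15FF:FE44:0 activate
  neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPIN in
  neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPOUT out
  neighbor FE80::C801:15FF:FE44:0 maximum-prefix 250000
 exit-address-family
"""

# Per-neighbor keywords the chapter's example applies to the ISP peer.
REQUIRED = ("ttl-security", "password", "maximum-prefix")


def audit_bgp_neighbors(config):
    """Return {neighbor: [problems]} for every IPv6 neighbor in an IOS-style config."""
    stmts = {}
    for line in config.splitlines():
        m = re.match(r"\s*neighbor\s+(\S+)\s+(\S+)(.*)", line)  # skips "no neighbor ..."
        if m:
            stmts.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    findings = {}
    for peer, kws in stmts.items():
        addr, _, zone = peer.partition("%")  # old-style FE80::...%Serial1/0 form
        try:
            ip = ipaddress.IPv6Address(addr)
        except ValueError:
            continue  # IPv4 peers are outside this check
        keywords = {k for k, _ in kws}
        problems = []
        if ip.is_link_local and not zone and "update-source" not in keywords:
            problems.append("link-local peer without interface (update-source or %ifname)")
        problems += [f"missing {req}" for req in REQUIRED if req not in keywords]
        if not any(k == "prefix-list" and a.split()[-1] == "in" for k, a in kws):
            problems.append("no inbound prefix-list")
        findings[peer] = problems
    return findings


if __name__ == "__main__":
    for peer, problems in audit_bgp_neighbors(SAMPLE_CONFIG).items():
        print(peer, "OK" if not problems else problems)
```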
