IDNIC OPM 2023: IPv6 deployment planning and security considerations
0 likes426 views
The document outlines IPv6 deployment strategies and security considerations, emphasizing the need for ISPs to plan address allocation, assess network readiness, and consider dual-stack versus IPv6-only configurations. It details subnet management, address assignment for customers, aggregated BGP announcements, and security best practices including BGP filtering and ICMPv6 handling. Essential tools for IP address management and the adoption of measures to mitigate security risks are also discussed.
IDNIC OPM 2023: IPv6 deployment planning and security considerations
- 1. 1 v1.2
- 2. 2 v1.2 IPv6 Deployment Planning and Security Considerations Md Abdul Awal | APNIC awal@apnic.net
- 3. 3 v1.2 IPv6 in South East Asian Countries https://stats.labs.apnic.net/ipv6 MM ~40% TH ~45% VN ~58% MY ~70% PH ~16% SG ~23% ID ~14%
- 4. 4 v1.2 IPv6 Deployment Planning
- 5. 5 v1.2 IPv6 Deployment – Where to Start? Get IPv6 Address from RIR / NIR / ISP Assess network for IPv6 readiness Prepare IPv6 address plan that makes sense Arrange dual- stack peering with upstream Configure IPv6 in your backbone network Test IPv6 connectivity internally Start providing IPv6 to customers Monitor and evaluate
- 6. 6 v1.2 Subnet at the Nibble Bit Boundary /36 slices (1 x 4 bits) 2001:db8:0000::/36 2001:db8:1000::/36 2001:db8:2000::/36 2001:db8:3000::/36 …. …. 2001:db8:f000::/36 /40 slices (2 x 4 bits) 2001:db8:0000::/40 2001:db8:0100::/40 2001:db8:0200::/40 2001:db8:0300::/40 …. …. 2001:db8:ff00::/40 /44 slices (3 x 4 bits) 2001:db8:0000::/44 2001:db8:0010::/44 2001:db8:0020::/44 2001:db8:0030::/44 …. …. 2001:db8:fff0::/44 /48 slices (4 x 4 bits) 2001:db8:0000::/48 2001:db8:0001::/48 2001:db8:0002::/48 2001:db8:0003::/48 …. …. 2001:db8:ffff::/48 Subnetting at the Nibble Bit is simple and easy to manage Nibble bit subnets of 2001:db8::/32
- 7. 7 v1.2 IPv6 Addressing for Point-to-point Links 2001:db8:0:1::/ 127 2001:db8:0:1::1/127 R1 R2 IPv6 Address Plan R1 – R2 Link 2001:db8:0:1::/ 64 R3 – R4 Link 2001:db8:0:2::/ 64 R3 R4 /126 for MikroTik P2P Links 2001:db8:0:2::/126 2001:db8:0:2::1/ 126 2001:db8:0:2::2/ 126 2001:db8:0:2::3/126 /127 for P2P Links
- 8. 8 v1.2 Address Assignment Plan /34 /34 /34 /34 Contiguous assignment may not work in the long run Customer 1 Customer 3 Customer 2 Customer 4 /32 Customer 1 Customer 3 Customer 2 Customer 4 Split assignment works better for BGP traffic engineering
- 9. 9 v1.2 Customer Address Distribution ISP Enterprise Customer ::/127 ISP plans a /64 for each PE-CE peering, but configures with /127 ::1/127 PE CE ISP Broadband Customer ::1/64 ISP assigns /64 for customer WAN via SLAAC/DHCPv6 BNG/ BRAS CPE ISP assigns at least one /48 for enterprise customer LAN ISP assigns at least /60 (or bigger) for user LAN via DHCPv6-PD
- 10. 10 v1.2 Aggregated BGP Announcements Aggregated BGP announcements - Easy to configure and maintain - Keep global routing table smaller Long list of /48s may not be helpful at all
- 11. 11 v1.2 IPv6 Address Management • phpipam.net • github.com/netbox-community/netbox • spritelink.github.io/NIPAP Free and open source IP Address Management tool
- 12. 12 v1.2 Dual-stack Vs IPv6-only Deployment • Advantages – Comparatively easier – IPv4 experience can be reused – Troubleshooting might be easier • Challenges – Still need IPv4 (and NAT) – Everything runs twice • Advantages – Only one AF configuration – Very minimum need of IPv4 space • Challenges – Multiple translation might be needed – Additional challenges to run NAT64, DNS64 and 464XLAT Dual-stack IPv6-only It is easier for ISPs to start deploying dual-stack network
- 13. 13 v1.2 IPv6 Security Considerations
- 14. 14 v1.2 Create Minimum ROA - Match Your BGP Announcements Small number of prefix announced Prone to validated BGP hijack The Max Length covers all possible BGP prefixes (/32 - /48) !!!
- 15. 15 v1.2 BGP Filters for IPv6 Longer Prefixes (>/48) These /64s should NOT exist in the global routing table
- 16. 16 v1.2 Inspect Extension Headers • Attackers use the EH as a covert channel to exchange information (payload) undetected • Mitigation: – Drop unknown EH – Drop invalid EH (0, 43) IPv6 Header Next Header = 4 EH Next header = 0 TCP header + data EH Hidden Data
- 17. 17 v1.2 Is RA always necessary? R1 SW Hosts with static IPv6 Addresses RA should be disabled RA must be enabled R1 SW Hosts with SLAAC / DHCPv6 R1 R2 P2P Links
- 18. 18 v1.2 RA Guard – Block Rouge RAs (RFC6105/7113)
- 19. 19 v1.2 Careful with ICMPv6 Filters • Filtering ICMPv6 is not straight forward – You block ICMPv6 => you break IPv6! • RFC4890: “ICMPv6 Filtering Recommendations” – Permit Error messages • Destination Unreachable (Type 1) - All codes • Packet Too Big (Type 2) • Time Exceeded (Type 3) - Code 0 only • Parameter Problem (Type 4) - Codes 1 and 2 only – Permit Connectivity check messages • Echo Request (Type 128) • Echo Response (Type 129) Or, rate limit ICMPv6 packets
- 20. 20 v1.2 And, Current Security Best Practices… • uRPF / BCP38 • Bogon Filters • RPKI Based Filters • BGP Policies • PTR Records / IPv6 Reverse DNS Delegation • Filters applied for IPv4 should also make sense for IPv6