Christopher Werny leads the network security team for ERNW and since 2005 he is involved in numerous IPv6 projects where he is responsible for planning, implementation and troubleshooting existing projects.
The first topic he approached was “How to build a conference WLAN Network in General”. The very first suggestion was to put it to the 5GHz channel because there could be a lot of interferences in the 2.4 GHz channel. The basic idea here is to disable 802.11b completely if it´s possible in your environment and no-one is using it anyway. Further you should also consider nearby Wi-Fi signals and on which channels they reside. His next recommendation was about setting the inactivity timer to short intervals, this will avoid unnecessary resource spending from the APs when they try to track down moved or shut down devices. His last general recommendation from him was regarding a central DHCP Server. This will enable the roaming from mobile devices without getting a new IP-Address when bridged mode is enabled for the APs.
The next part of his talk was about the specifics of IPv6 in (802.11) Wi-Fi Networks. The key point is that wireless networks are shared half-duplex. Hence when a station transmits all others need to be silent. This characteristic will cause that even a multicast transmission from an AP will be physically transmitted to all Wi-Fi clients. In an IPv6 Network multicast is used in many cases like Duplicate Address Detection, Router Solicitations and Neighbor solicitations. To be more precise, he explained how the multicast distribution on a Cisco Wi-Fi Network controller works.
Another topic was the reduction of chatter inside of an IPv6 Wi-Fi Network. This can be achieved by an NDP Proxy where the controller act as a proxy and respond to all the Neighbor solicitation queries it is able to resolve. This is possible leveraging the underlying neighbor binding table which is implemented in the controller. Another technique was to throttle the Router advertisement of the IPv6 Network. He recommended the following parameter to reduce the multicast traffic:
- increase the router lifetime to 9000 seconds
- increase reachable lifetime to 900 Seconds
- use Unicast solicited RAs.
In addition, he explained how to properly secure an IPv6 Wi-Fi Network with the Cisco First-Hop-Security features on the Wireless LAN Controller. He talked about the following Features:
- RA Guard
- DHCPv6 Guard
- IPv6 Source Guard
- IPv6 ACLs
Last but not least he demonstrated the Troopers Network Infrastructure. He explained how the network was constructed via a Network diagram and how NAT64 was implemented. Further he presented how the monitoring of the Troopers network was implemented by using Influxdb as the Database and Grafana for the frontend. He wrapped his talk up with some Troopers Network statistics (e.g. total uplink bandwidth).
Please check out Christopher’s slides from this talk here
Thanks,
Raphael Pavlidis