IPv6 – Page 6 – Insinuator.net

January 11, 2016 by Enno Rey

Things to Consider When Starting Your IPv6 Deployment

Hi,

today I’m going to suspend the “Developing an Enterprise IPv6 Security Strategy” series for a moment and discuss some other aspects of IPv6 deployment.
We’ve been involved in a number of IPv6 projects in large organizations in the past few years and in many of those there was a planning phase in which several documents were created (often these include a road map, an address concept/plan and a security concept).
Point is: at some point it’s getting real ;-), read: IPv6 is actually enabled on some systems. Pretty much all enterprise customers we know start(ed) their IPv6 deployment “at the perimeter”, enabling IPv6 (usually in dual-stack mode) on some systems/services facing the Internet and/or external parties.
Unfortunately there’s a number of (seemingly small) things that can go wrong in this phase and “little errors” made today are probably meant to stay for a long time (in German we have the nice phrase “Nichts ist so dauerhaft wie ein Provisorium”, and I’m sure people with an IT operations background will understand this even without a translator…).
In this post I will hence lay out some things to consider when you enable IPv6 on perimeter elements for the first time. Continue reading “Things to Consider When Starting Your IPv6 Deployment”

Building

December 31, 2015 by Enno Rey

Developing an Enterprise IPv6 Security Strategy / Part 5: First Hop Security Features

In the previous parts of this series (part 1, part 2, part 3, part 4) we covered several aspects of IPv6 security, mainly on the infrastructure level. In today’s post I will follow up by briefly discussing so-called First Hop Security features.

Continue reading “Developing an Enterprise IPv6 Security Strategy / Part 5: First Hop Security Features”

Events

December 23, 2015 by Enno Rey

#TR16 IPv6 Security Summit – New Talks Added

In the interim we’ve worked on the agenda of next year’s IPv6 Security Summit (for those not familiar with the event, here’s the 2015 edition and here the one of 2014), and some new talks have been added.

Continue reading “#TR16 IPv6 Security Summit – New Talks Added”

Building

December 22, 2015 by Enno Rey

Developing an Enterprise IPv6 Security Strategy / Part 4: Traffic Filtering in IPv6 Networks (II)

In this part of our little series (part 1, part 2, part 3) we continue discussing IPv6 specific filtering of network traffic, namely at intersection points.

As stated in the 1st part, a number of potential security problems in IPv6 networks are related to Extension Headers of IPv6, in particular when combined with fragmentation. At the same time, as of today (December 2015) there is no Internet service or application that actually needs those headers.

Continue reading “Developing an Enterprise IPv6 Security Strategy / Part 4: Traffic Filtering in IPv6 Networks (II)”

Building

December 14, 2015 by Enno Rey

Developing an Enterprise IPv6 Security Strategy / Part 3: Traffic Filtering in IPv6 Networks (I)

So this is the third part of our little series on securing IPv6 in enterprise environments. In the first part we tried to develop an understanding of threats in IPv4 networks as a kind-of baseline while analyzing the main differences induced by IPv6 and in the second part we laid out protection strategies on the infrastructure level, focusing on network isolation on the routing layer. Today I’ll dive into discussing IPv6-specific filtering of network traffic.

Continue reading “Developing an Enterprise IPv6 Security Strategy / Part 3: Traffic Filtering in IPv6 Networks (I)”

Building

December 7, 2015 by Enno Rey

Developing an Enterprise IPv6 Security Strategy / Part 2: Network Isolation on the Routing Layer

In the first part of this series we tried to identify which risks related to network-related threats actually change when IPv6 gets deployed and hence which ones to take care of in a prioritized manner (as opposed to those which one might be tempted to [initially] disregard with a “has been there in IPv4 already and we did not address it then, why now?” stance). Let’s assume we went through this step and, for those most relevant risks we identified, we want to come up with infrastructure level controls first, before tackling controls to be deployed on the host level (as in many organizations the sysowners of “hosts” like servers in datacenters tend to expect “the network/infrastructure guys to provide the 1st layer of defense against threats”, in particular once those originate from an apparent network layer protocol, that is IPv6).

Continue reading “Developing an Enterprise IPv6 Security Strategy / Part 2: Network Isolation on the Routing Layer”

Building

December 2, 2015 by Enno Rey

Developing an Enterprise IPv6 Security Strategy / Part 1: Baseline Analysis of IPv4 Network Security

We’ve been involved in some activities in this space recently and I thought it could be a good idea to share a couple of things we’ve discussed & displayed. Furthermore some time ago – in the Is IPv6 more Secure than IPv4? Or Less? post – I announced to come up with (something like) an “IPv6 threats & controls catalogue” at some point… so here we go: in an upcoming series of a few blogposts I will lay out some typical elements of an “Enterprise IPv6 Security Strategy” incl. several technical pieces (and I plan to give a talk on the exact topic at next year’s IPv6 Security Summit).

Continue reading “Developing an Enterprise IPv6 Security Strategy / Part 1: Baseline Analysis of IPv4 Network Security”

Building

November 3, 2015 by Enno Rey

Some Notes on the “Drop IPv6 Fragments” vs. “This Will Break DNS[SEC]” Debate

Some readers will probably be aware that we are amongst the proponents of a quite strict stance when it comes to filtering IPv6 packets with (certain) Extension Headers and/or fragmentation, because those can be the source of many security problems (as laid out here, here or here). Actually I still think it was a very good idea of, amongst others, Randy Bush and Ron Bonica to suggest the deprecation of IPv6 fragmentation in the IETF.
On the other hand there are voices arguing that fragmented IPv6 packets will be needed in some cases, namely DNS[SEC]-related ones.
In this post I will discuss some details of this debate (taking place in many circles, incl. this thread on the ipv6-hackers mailing list which, btw, you should subscribe to). Continue reading “Some Notes on the “Drop IPv6 Fragments” vs. “This Will Break DNS[SEC]” Debate”

Building

October 5, 2015 by Enno Rey

The Strange Case of $SOME_SOFTWARE Adding an IPv6 Extension Header, and an Internet Router Dropping Them

Last week Christopher and I were the instructors of an IPv6 workshop. In this one we usually build a lab with the participants incl. a variety of routed segments and native IPv6 Internet access. Once the latter part is implemented people start poking around and surfing the Internet from their laptops, not least to find out which sites they can actually reach from an v6-only network (please note that actually there are many).

Continue reading “The Strange Case of $SOME_SOFTWARE Adding an IPv6 Extension Header, and an Internet Router Dropping Them”

Events

September 14, 2015 by Jayson Salazar

IPv6@MRMCD2015

Greetings everyone,

On Saturday last week I had the pleasure of delivering a workshop on IPv6 networking at the MRMCD2015 conference in Darmstadt, Germany. It goes without saying that the atmosphere was quite amicable; as usual at CCC-related events. What definitely impressed me the most was the diversity of the audience. There were around thirty attendees representing several age groups and all with seemingly differing backgrounds.

Continue reading “IPv6@MRMCD2015”