15. Dual-Stack Network Security

Question 1

IPv4 vs IPv6 Differences

Address Length

Answer 1

IPv4 - 32 bits

IPv6 - 128 bits

Question 2

IPv4 vs IPv6 Differences

Default Prefix length

Answer 2

IPv4 - varies, typically /24

IPv6 - /64 in host subnets

Question 3

IPv4 vs IPv6 Differences

Address configuration

Answer 3

IPv4 - DHCPv4

IPv6 - Stateless Autoconfiguration, DHCPv6

Question 4

IPv4 vs IPv6 Differences

Addresses used

Answer 4

IPv4 - Private OR Global

IPv6 - Link-local AND Global

Question 5

IPv4 vs IPv6 Differences

Address resolution

Answer 5

IPv4 - ARP

IPv6 - Neighbour Solicitation (NS) / Neighbour Advertisement (NA)

Question 6

IPv4 vs IPv6 Differences
Minimum MTU (Maximum Transmission Unit)

Answer 6

IPv4 - 576

IPv6 - 1280

Question 7

IPv4 vs IPv6 Differences

Fragmentation

Answer 7

IPv4 - by hosts or routers

IPv6 - only by hosts

Question 8

IPv4 vs IPv6 Differences

Host Path MTU discovery

Answer 8

IPv4 - Optional

IPv6 - Required

Question 9

IPv4 vs IPv6 Differences

IPsec

Answer 9

IPv4 - optional

IPv6 - ‘SHOULD’

Question 10

IPv4 vs IPv6 Differences

Private addressing

Answer 10

IPv4 - RFC1918

IPv6 - Unique Local Addresses (ULA) (not for use with NAT)

Question 11

Dual Stack Network

Answer 11

Means running IPv4 and IPv6 on the same infrastructure
- managing two protocols as one network
DS is preferable today in campus sites rather than running IPv6 only with NAT64/DNS64 at the edge
- UN unis early adopters of DS
Introducing IPv6 should not subvert IPv4 security
- need to understand required policies
- have equivalent implementations where appropriate

Question 12

New risks added by IPv6

Answer 12

New attack paths
- IPv6 is a new protocol, not just IPv4 with 128-bit addresses
Growing pains
- lack of wide-scale operational experience
- immature security implementations (firewalls, IDS…)
- many IPv6-specific security advisories published
Lack of admin staff knowledge and training
- need to ‘think IPv6’ for security & troubleshooting
IPv6 incidents/issues not detected
- most sites prob not looking for IPv6 traffic, native or tunnelled
- there is support for IPv6 Netflow & others

Question 13

Address scopes

Answer 13

IPv4

• usually just one address
• global or private (rfc1918 or NAT)

IPv6

• link-local (under fe80::/10, not routed)
• Unique Local Addresses (under fc00::/7)
• Global

Question 14

Address scope issues

Answer 14

IPv6 hosts are naturally multi-addressed

• in dual stack networks have an IPv4 address too
• hosts need a way to decide which addresses to use
• management/monitoring tools must cope

Question 15

Address management

Answer 15

Most IPv6 deployments are dual stack

• IPv4 address config by DHCPv4
• IPv6 Stateless Autoconfiguration (SLAAC)

Question 16

SLAAC autoconfigures basic network settings by

Answer 16

soliciting/receiving IPv6 Router Advertisements (RAs)
- hosts form their own address by combining 64-bit network prefix in the RA with MAC address + 16bits of padding
In addition, hosts may have IPv6 privacy addresses
Voila, mucho addresses!

Question 17

SLAAC operation

Answer 17

Totally dependent on Router Advertisements

• RA is multicast on local subnet
• (link-local) RA source address implies default router

Question 18

Implications of RAs

Answer 18

Host autoconfiguration is nice, but
Hosts can send RAs too
 - accidental or malicious
 Networks should mitigate this
 - use RA Guard 
 - Filter ICMPv6 Type 134 on non router switch ports
 - Deploy RAmond

Question 19

RAmond

Answer 19

Monitors IPv6 networks for router advertisements. When an advert is received, a configurable action occurs.
The tool was designed to `clear’ (by sending spoofed zero lifetime adverts) rogue-routes sent by users running 6to4 gateways on a campus network.

Question 20

ND cache exhaustion

Answer 20

Possibly rapid scans to non existent IP addressed in a /64 subnet can fill a router’s ND cache before the ND operations complete