[afripv6-discuss] What have you done for IPv6 lately, since the 1st of January, 2013?
alston.networks at gmail.com
Sun Feb 17 16:19:04 SAST 2013
We’re actually facing an interesting challenge with a client of mine around V6 and security, and the next major challenge is going to be to secure the network. Now, I would argue that securing v6 can actually be a little more tough than v4, since the technology is not quite as advanced, at the same time however, v6 offers some interesting possibilities on a security level that we’re exploring.
If you look at v4, you can pvlan and do port isolation into aggregated vlans on the distribution layers, and things work out ok. However, v6 lets you take this a step further, where you can actually do complete port isolation with a /64 *per port* and static it. (Using scripts to generate the configs). This produces a lot of config I will admit, and it requires reasonably large FIBs at the distribution layer if it’s a last distribution site, however, it does resolve issues associated with RA and makes things very easy to tie back to a port. With proper aggregation the vast number of FIB entries also will not propagate past the distribution point. This is something we’re currently exploring and testing in the lab as one potential option.
Sadly, we’ve found that DHCPv6 hasn’t been a terribly viable option because of a wide range of clients and lack of support on the client side in many devices, RA is still the more mature of the options in terms of end point support, so, it’s now about securing the RA.
We’re also still investigating IPS options under IPv6, and this is proving to be a MAJOR challenge. Using a device from Palo Alto, we tapped the network firstly with v4, using port mirroring, and we got some fairly interesting IPS data back out of that. However, mirroring the v6 traffic, while there was a couple of hundred meg of traffic on the port, we were not getting ANY IPS hits. This either means that by some miracle there was nothing the device was seeing that was nasty (yeah, right), or the device simply wasn’t able to see the V6 properly. We’re raising that one with the vendor at the moment to see if we can figure it out. Any advice though from the community about v6 IPS devices that can act as network taps would be hugely appreciated. (We’re looking for IPS devices that can handle 10gig+ of traffic per device).
Anyway, that’s the news from my side.
From: afripv6-discuss-bounces at afrinic.net [mailto:afripv6-discuss-bounces at afrinic.net] On Behalf Of Hisham
Sent: Sunday, February 17, 2013 3:48 PM
To: IPv6 in Africa
Subject: [afripv6-discuss] What have you done for IPv6 lately, since the 1st of January, 2013?
With the near launch of the IPv6 portal,
There will be a segment for initiatives and projects that happen on a national and / or a regional
level to help with the IPv6 uptake in Africa. The idea is to get these initiatives recognized so that
others can share ideas, suggestions and even resources.
This email will be sent on the 15th of every month, to share what has changed within this month,
be it a prefix being advertised, a site turning on AAAA, to larger national and/or regional projects.
As mentioned these efforts will be featured on the IPv6 portal and shall be used as further input
to some of the other global and regional initiatives the IPv6 program coordinates such as:
* "IPv6 in the African region workshop" that is co-organized with IANA during the ICANN meetings
held in Africa.
The first of these workshops was held in 2011 in Dakar, http://dakar42.icann.org/node/26999
The second will be in 2013 in the Durban ICANN meeting.
** Also these initiatives and projects will be featured in the NRO documentation for the global
Internet Governance Forum, "IPv6 around the world"
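
The per-port /64 scheme described in the reply above, as an added example that is not part of the original message or the poster's scripts: Python code that carves one /64 per access port out of a site aggregate, maps a logged source address back to its port, and counts the routes held locally versus announced upstream. The 2001:db8:100::/56 aggregate (documentation space) and the port-N names are constructed, and the function names are hypothetical.

```python
import ipaddress

def allocate_port_prefixes(aggregate, ports):
    """Give every access port its own /64 out of the site aggregate."""
    agg = ipaddress.ip_network(aggregate)
    if agg.version != 6 or agg.prefixlen > 64:
        raise ValueError("aggregate must be an IPv6 prefix of /64 or shorter")
    if len(ports) > 2 ** (64 - agg.prefixlen):
        raise ValueError(f"{agg} has too few /64s for {len(ports)} ports")
    # zip stops at the last port, so the subnet generator is never run to the end
    return dict(zip(ports, agg.subnets(new_prefix=64)))

def port_for_address(plan, address):
    """Tie a source address from a log or flow record back to its port."""
    addr = ipaddress.ip_address(address)
    if addr.version != 6:
        return None
    # With one /64 per port, the upper 64 bits of the address identify the port
    net64 = ipaddress.ip_network(f"{addr}/64", strict=False)
    by_prefix = {net: port for port, net in plan.items()}
    return by_prefix.get(net64)

def route_counts(plan, aggregate):
    """Return (static routes at the distribution layer, routes announced upstream)."""
    agg = ipaddress.ip_network(aggregate)
    if not all(net.subnet_of(agg) for net in plan.values()):
        raise ValueError("a port prefix falls outside the aggregate")
    # Every per-port /64 sits inside the aggregate, so one summary covers them all
    return len(plan), 1

# Constructed sample: documentation prefix and hypothetical port names
SITE_AGGREGATE = "2001:db8:100::/56"
PORTS = [f"port-{n}" for n in range(1, 49)]

if __name__ == "__main__":
    plan = allocate_port_prefixes(SITE_AGGREGATE, PORTS)
    for port in PORTS[:3]:
        print(port, plan[port])
    print(port_for_address(plan, "2001:db8:100:2:a1b2:c3ff:fe00:1"))
    print(route_counts(plan, SITE_AGGREGATE))
```

An address inside the aggregate whose /64 is not assigned to any port returns `None`, which is itself worth flagging when it shows up as a source in logs.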