[afripv6-discuss] What have you done for IPv6 lately, since the 1st of January, 2013?

Mon Feb 18 09:01:09 SAST 2013

On 17 Feb 2013, at 4:19 PM, Andrew Alston <alston.networks at gmail.com> wrote:

> Hi Hisham,
>  
> We’re actually facing an interesting challenge with a client of mine around V6 and security, and the next major challenge is going to be to secure the network.  Now, I would argue that securing v6 can actually be a little more tough than v4, since the technology is not quite as advanced, at the same time however, v6 offers some interesting possibilities on a security level that we’re exploring.

hi andrew,

>  If you look at v4, you can pvlan and do port isolation into aggregated vlans on the distribution layers, and things work out ok.  However, v6 lets you take this is a step further, where you can actually do complete port isolation with a /64 *per port* and static it.  (Using scripts to generate the configs).  This produces a lot of config I will admit, and it requires reasonably large FIB’s at the distribution layer if it’s a last distribution site, however, it does resolve issues associated with RA and makes things very easy to tie back to a port.  With proper aggregation the vast number of FIB entries also will not propogate past the distribution point.  This is something we’re currently exploring and testing in the lab as one potential option.

could you contexualise your situation please?  would this be a university campus/dormitory/corporate use case/... ?
do you tie these to one user/vlan via radius;  presumably not one device per /64?
could you explain what the "issues associated with RA" are - particularly, anything that isn't necessarily solved by a somewhat tools like RAGuard ? 

> Sadly, we’ve found that DHCPv6 hasn’t been a terribly viable option because of a wide range of clients and lack of support on the client side in many devices, RA is still the more mature of the options in terms of end point support, so, it’s now about securing the RA.

could you perhaps provide us with a list of devices where you've seen dhcp6 client support not work?  you could hopefully save others valuable operational time.

> We’re also still investigating IPS options under IPv6, and this is proving to be a MAJOR challenge.  

> Using a device from Palo Alto, we tapped the network firstly with v4, using port mirroring, and we got some fairly interesting IPS data back out of that.  However, mirroring the v6 traffic, while there was a couple of hundred meg of traffic on the port, we were not getting ANY IPS hits.  This either means that by some miracle there was nothing the device was seeing that was nasty (yeah, right), or the device simply wasn’t able to see the V6 properly.  We’re raising that one with the vendor at the moment to see if we can figure it out.  Any advice though from the community about v6 IPS devices that can act as network taps would be hugely appreciated.  (We’re looking for IPS devices that can handle 10gig+ of traffic per device).

my, admittedly poor, google-fu returns hits for freebsd+10gb+pfsense.

--n.

my opinions are mine.