IPv6 網絡的安全操作.pdf

《IPv6 網絡的安全操作.pdf》由會員分享，可在線閱讀，更多相關《IPv6 網絡的安全操作.pdf（53頁珍藏版）》請在三個皮匠報告上搜索。

1、#CiscoLive#CiscoLiveric Vyncke,Distinguished EngineerevynckeBRKSEC-2044RFC 9099 in 60 minutesSecure Operations for an IPv6 Network 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhats Inside This SessionNowadays,IPv6 is in all networks as all hosts have IPv6 enabled by de

2、fault.While network operators are experienced with secure operations in the IPv4 world,what are the specific challenges and techniques to be used to specific challenges and techniques to be used to securely operate an IPv6 networksecurely operate an IPv6 network?This session by one author of the rec

3、ent RFC 9099,will present the main differences between IPv4 and IPv6 with respect to security,how to prevent attacks,what about extension headers,how to run audit and event correlation in a dual-stack network(from Data Center to wireless network).BRKSEC-20444 2023 Cisco and/or its affiliates.All rig

4、hts reserved.Cisco Public#CiscoLiveIn 60 MinutesDecent knowledge of IPv6 is requiredBRKSEC-20445Source:Microsoft Stock Images 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveReferences.There are more slides in the hand-outs than presented during the class Those slides are

5、mainly for reference and are indicated by the book icon on the top right corner(as on this slide)Some slides have also a call-out to another session(see below)Highlighted text is recommendationBRKSEC-3003For YourReferenceBRKSEC-20446 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#

6、CiscoLiveEnter your personal notes hereCisco Webex App Questions?Use Cisco Webex App to chat with the speaker after the sessionFind this session in the Cisco Live Mobile AppClick“Join the Discussion”Install the Webex App or go directly to the Webex spaceEnter messages/questions in the Webex spaceHow

7、Webex spaces will be moderated by the speaker until June 9,2023.12348https:/ 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-20448Agenda 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicMajor deviations from IPv4AddressingExtension HeadersLink-Layer SecurityCo

8、ntrol Plane SecurityRouting SecurityLogging/MonitoringTransition/Coexistence MechanismsSummaryBRKSEC-20449Addressing1stbig difference 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 Addressing is not IPv4 AddressingMultiple,changing IPv6 addresses per hostBTW,randomiz

9、ed/changing MAC addresses are coming.Common use of link-local addressesEven in absence of IPv6 global connectivityUsed by OSPFv3,RIPng,see RFC 7404,no need for global address on P-P linksAddressing plan is important(semantic can be added to addresses)Facilitate your ACL with a/64 for all loopbacks,s

10、pecific prefix for the infrastructureBRKSEC-204411 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveUnique Local Addresses-ULA(RFC 4193)fc00:/7 is NOT the equivalent of RFC 1918fd00:/8 is for locally assigned prefix(using random number)IPv4 is preferred to ULA per RFCThere

11、is no need to use NAT for IPv6No need save address space(get your own/48 or shorter)NAT does not provide securityNetwork Prefix Translation(NPTv6 RFC 6296)is a 1:1 mappingLimit use of ULA to specific casesLab use(or any never connected network)Stable addresses in residential(cable lab modems)even in

12、 the absence of Internet connectivityBRKSEC-204412 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIs there NAT for IPv6?-“I need it for security”Network Prefix Translation,RFC 6296,1:1 stateless prefix translation allowing all inbound/outbound packets.Main use case:multi-

13、homingElse,IETF has not specified any N:1 stateful translation(aka overload NAT or NAPT)for IPv6Do not confuse stateful firewall and NAPT*even if they are often co-locatedNowadays,NAPT(for IPv4)does not help securityHost OS are way more resilient than in 2000Hosts are mobile and cannot always be beh

14、ind your controlled NAPTMalware are not injected from outside but are fetched from the inside by visiting weird sites or installing any trojanized applicationNAPT=Network Address and Port TranslationBRKSEC-204413 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePCI DSS 3.0

15、Compliance and IPv6Payment Card Industry Data Security Standard(since revision November 2013):Requirement 1.3.8Requirement 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.Note:Methods to obscure IP addressing may include,but are not limited to:Network Addre

16、ss Translation(NAT).the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.how to comply with PCI DSSApplication proxies or SOCKSStrict data plane filtering with ACLStrict routing plane filtering with BGP route-mapsCisco IPv6 design for PCI with IPv6http

17、:/ 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSteinthor Bjanarson,Arbor Networks,DEFCON 25NAT does not Protect IoT“The call is coming from inside the house!Are you ready for the next evolution in DDoS attacks?”“Early 2017,a multi-stage Windows Trojan containing code t

18、o scan for vulnerable IoT devices and inject them with Mirai bot code was discovered.The number of IoT devices which were previously safely hidden inside corporate perimeters,vastly exceeds those directly accessible from the Internet,allowing for the creation of botnets with unprecedented reach and

19、scale.”BRKSEC-204415 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveOther Addressing ConsiderationsTemporary addresses by hosts,RFC 8981,conflict with auditing/monitoring DHCPv6 is not always possible(e.g.,Android does not support it)Need new tools Cannot do host ACL for

20、SLAAC hosts using those addresses Dont be afraid to use easy-to-remember static addressesE.g.,2001:db8:53 for a DNS server or fe80:1 for the routerWhile IPv6 scanning is mostly impossible,there are other ways to find you,so what?And simple operations are also critical for securityBRKSEC-204416Extens

21、ion Headers2nd big differenceBRKSEC-3200Online 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveParsing the Extension Header Chain 1/3Every extension header contains:The type of the next header Its length(if not always the same)IPv6 hdrTCPDataBRKSEC-204418NH=0HopByHopNH=43H

22、L=32RoutingNH=60HL=256DestinationNH=6HL=1300 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveParsing the Extension Header Chain 2/3Finding the layer 4 information is not trivial in IPv6Skip all known extension headersUntil either known layer 4 header found=MATCH can be don

23、e on layer-4 infoOr unknown extension header/layer 4 header found.=NO MATCH can be doneBRKSEC-204419IPv6 hdrTCPDataNH=0HopByHopNH=43HL=32RoutingNH=60HL=256DestinationNH=6HL=1300 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveParsing the Extension Header Chain 3/3Layer-4 i

24、nformation could be in 2nd fragmentBut stateless firewalls could not find it if a previous extension header is fragmentedIPv6 hdrHopByHop RoutingDestination Fragment1Layer 4 header is in 2ndfragment,Stateless filters have no clue where to find it!IPv6 hdrHopByHopFragment2TCPDataRouting DestinationRF

25、C 8200:“If the first fragment does not include all headers through an UpperRFC 8200:“If the first fragment does not include all headers through an Upper-Layer header,then that Layer header,then that fragment should be discarded”fragment should be discarded”Drop those fragments,if possible,at the edg

26、e:With a firewallWith IOS ACL:deny ipv6 any any undetermined-transport BRKSEC-204420 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExtension Header Security PolicyPermit list approach for your trafficOnly allow the LOCALLY-REQUIRED extension headers(and types),for exampl

27、e:Fragmentation headerRouting header type 2&destination option(when using mobile IPv6)IPsec AH and ESPAnd layer 4 next-headers/transports:ICMPv6,UDP,TCP,GRE,OSPF,.If your router/firewall is capable,then drop packets with:1stfragment without layer-4 headerOut-of-order extension headersrouting header

28、type 0hop-by-hop(drop or ignore)Filter routing header type 4(SRv6)at your edgeedge if you use itSee also RFC 9288Source:Tony Webster,FlickrBRKSEC-204421Link-layer Security3rdbig difference 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveNDP ARPNDP cache could contain up to

29、 264entries per interfaceNeed to protect the cache to prevent DoS(local/remote)Rate limiting+size limit(default in most OS)NDP is as“secure”as ARP.No authentication,NDP messages can be spoofedIPv6 does not need DHCPv6 with StateLess Address AutoConfiguraton(SLAAC)Not centralized/trustable source of

30、truth for IPv6 addressesSource:Library of CongressBRKSEC-204423 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSecurity the Link-LayerThe abandoned crypto way:SEND(SEcure Neighbor Discovery)Point-to-point links:LLA-only or a/127 to prevent NDP cache exhaustion attackBroad

31、cast media:First hop security:RA guard,DHCP guard,source guard,device tracking,.Snoop DHCPv6(if available)and NDP(but stateless)to build a device-tracking tableDrop packets whose violate the device-tracking tableThis table will be useful also for monitoring/auditing BRKENT-3002BRKSEC-204424Control P

32、lane Security 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveEasy:Do Like in IPv4Edge ACL(to be localized of course):Drop OSPFv3,EIGRP,RIPng,SRv6Allow BGP from known peers onlyTraffic to your management interfaces(SSH,NETCONF,.)easier if a specific/64 is used for all the

33、loopback interfacesRate limiting for packet exceptions:hop-limit expired,packet too big,destination unreachableBut NEW FOR IPv6:ignore/rate-limit hop-by-hop options extension headerBRKSEC-204426Source:Microsoft Stock ImagesRouting Security 2023 Cisco and/or its affiliates.All rights reserved.Cisco P

34、ublic#CiscoLiveProtocol AuthenticationBGP(RFC 7454),IS-IS,EIGRP no change:An MD5 authentication of the routing updateOSPFv3 two optionsIPsec in transport mode,the original RFC 4552(could also provide confidentiality)Authentication trailer(like OSPFv2),RFC 7166=use authenticated routing protocols!Sam

35、e as in IPv4:no peer authentication,just membership of a trusted group(shared key)BRKSEC-204428 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveOSPFv3 or EIGRP Authenticationinterface Ethernet0/0ipv6 ospf 1 area 0ipv6 ospf authentication ipsec spi 500 sha1 1234.6789DFor Yo

36、urReferenceinterface Ethernet0/0ipv6 authentication mode eigrp 100 md5ipv6 authentication key-chain eigrp 100 MYCHAINkey chain MYCHAINkey 1key-string 1234567890ABCDEF1234567890ABCDEF accept-lifetime local 12:00:00 Dec 31 2016 12:00:00 Jan 1 2018send-lifetime local 00:00:00 Jan 1 2017 23:59:59 Dec 31

37、 2017BRKSEC-204429 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 IPv6 IntranetIntranetIPv6 Bogon and Anti-Spoofing FilteringSame as in IPv4Bogon filtering(data plane&BGP route map):https:/www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txtAnti-spoofing:uRPFInterI

38、nter-Networking Device Networking Device with uRPF Enabledwith uRPF EnabledIPv6 Unallocated IPv6 Unallocated Source AddressSource AddressXIPv6 IPv6 Intranet/InternetIntranet/InternetNo Route to No Route to SrcAddrSrcAddr=Drop=DropBRKSEC-204430 2023 Cisco and/or its affiliates.All rights reserved.Cis

39、co Public#CiscoLiveRemote Triggered Black HoleRFC 5635 RTBH is as easy in IPv6 as in IPv4uRPF is also your friend for black holing a sourceRFC 6666 has a specific discard prefix100:/64http:/ CommonsBRKSEC-3200BRKSEC-204431Logging&Monitoring 2023 Cisco and/or its affiliates.All rights reserved.Cisco

40、Public#CiscoLiveMultiple Facets to IPv6 AddressesEvery host can have multiple IPv6 addresses simultaneouslyNeed to do correlation!Alas,not all Security Information and Event Managements(SIEM)support IPv6Usually,a customer is identified by its/48 or/64 Every IPv6 address can be written in multiple wa

41、ys2001:0DB8:0BAD:0DAD2001:DB8:BAD:0:0:0:0:DAD2001:db8:bad:dad(this is the canonical RFC 5952 format)=Grep cannot be used anymore to sieve log filesBRKSEC-204433 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveInformation SourcesLog files,beware:the same IPv6 address can be

42、 written in different waysTry to use the canonical format,RFC 5952:2001:db8:badIPFIX(Netflow v9),NETCONF/SNMP for live information(esp.NDP cache for bindings or used extension headers)RADIUS accounting is useful for bindingsDHCPv6 leases do not include client MAC addresses and not always usedInforma

43、tionlogsIPFIXRADIUSBRKSEC-204434 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRADIUS Accounting with IEEE 802.1X(WPA)Interesting attribute:Acct-Session-Id to map username to IPv6 addressesCan be sent at the begin and end of connectionsCan also be sent periodically to ca

44、pture privacy addressesNot available through GUI,must use CLI to configureconfig wlan radius_server acct framed-ipv6 both35BRKSEC-2044username=joeexample.org Acct-Session-Id=xyz Acct-Status-Type=Start Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80:cafeusername=joeexample.org Acct-Session-Id=xy

45、z Acct-Status-Type=Alive Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80:cafe Framed-IPv6-Address=2001:db8:cafe Framed-IPv6-Address=2001:db8:babeusername=joeexample.org Acct-Session-Id=xyz Acct-Status-Type=Stop Framed-IP-Address=192.0.2.1 2023 Cisco and/or its affiliates.All rights reserved.Cis

46、co Public#CiscoLiveHow to Find the MAC Address of an IPv6 Address?DHCPv6 address or prefix the client DHCP Unique ID(DUID)can beMAC address:trivialTime+MAC address:simply take the last 6 bytesVendor number+any number:no luck next slide can helpNo guarantee of course that DUID includes the real MAC a

47、ddress.#show ipv6 dhcp binding Client:FE80:225:9CFF:FEDC:7548 DUID:000100010000000A00259CDC7548Username:unassignedInterface:FastEthernet0/0IA PD:IA ID 0 x0000007B,T1 302400,T2 483840Prefix:2001:DB8:612:/48preferred lifetime 3600,valid lifetime 3600expires at Nov 26 2010 01:22 PM(369)BRKSEC-204436 20

48、23 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDHCPv6 in Real LiveNot so attractive Only supported in Windows Vista,and Windows 7,Max OS/X Lion,iOSNot in Linux(default installation),Android,Windows does not place the used MAC address in DUID but any MAC address of the PCSee

49、 also:https:/knowledge.zomers.eu/misc/Pages/How-to-reset-the-IPv6-DUID-in-Windows.aspx#show ipv6 dhcp binding Client:FE80:FDFA:CB28:10A9:6DD0 DUID:0001000110DB0EA6001E33814DEEUsername:unassignedIA NA:IA ID 0 x1000225F,T1 300,T2 480Address:2001:DB8:D09A:95CA:6918:967preferred lifetime 600,valid lifet

50、ime 600expires at Oct 27 2010 05:02 PM(554 seconds)Actual MAC address:0022.5f43.6522BRKSEC-204437 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveHow to Find the MAC Address of an IPv6 Address?Last resort look in the live NDP cache(CLI or SNMP)If no more in cache,then you

51、should have scanned and saved the cacheFirst-Hop Security phase II can generate a syslog event on each new bindingipv6 neighbor binding logging#show ipv6 neighbors 2001:DB8:6DD0IPv6 Address Age Link-layer Addr State Interface2001:DB8:6DD0 8 0022.5f43.6522STALE Fa0/1BRKSEC-204438 2023 Cisco and/or it

52、s affiliates.All rights reserved.Cisco Public#CiscoLiveUsing Collected InformationUser accountability/tracingRADIUS logs are the top choiceFirst Hop Security event logging to learn new mappingElse,NETCONF/SNMP poll of NDP cachesInventorytoo many IPv6 addresses to scan your network.IPFIX can collect

53、source addresses or see aboveLocal ping to ff02:1(all-node link-local)Correlation(for SIEM)Must support dual-stack hosts and multiple IPv6 addresses per host39BRKSEC-2044informationaction 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFIREpower NG IPS and IPv6 FIREsight p

54、assive network discovery correlates Events&Host IP Very easy to find out the sender/destination in Dual Stacked environments!BRKSEC-204440 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive20+Years AgoSource:John WrightBRKSEC-204441 2023 Cisco and/or its affiliates.All right

55、s reserved.Cisco Public#CiscoLiveVulnerability Scanning in a Dual-Stack WorldFinding all hosts:Address enumeration does not work for IPv6Need to rely on DNS or NDP caches or NetFlowVulnerability scanningIPv4 global address,IPv6 global address(es)(if any),IPv6 link-local addressSome services are sing

56、le stack only(currently mostly IPv4 but who knows.)Personal firewall rules could be different between IPv4/IPv6IPv6 vulnerability scanning MUST be done for IPv4&IPv6 even in an IPv4IPv6 vulnerability scanning MUST be done for IPv4&IPv6 even in an IPv4-only networkonly networkIPv6 link-local addresse

57、s are active by default42BRKSEC-2044Transition/Coexistence Mechanisms 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDual-Stack:IPv4 and IPv6 togetherSimplify your task!Use congruent security policiesEasy with dual-stack object groupingNot so easy with IOS ACL though Appl

58、ications firewalls/IPS/anti-spam do not care about IP versions Vulnerability scanning on IPv4 AND IPv6 (including link-local addresses!)Even if you do not run IPv6 yetLong-term or specific use case:IPv6 onlyBRKSEC-204444 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTunn

59、elsSome were automated host-initiated circa 2010.Should be disabled by default now Block IPv4 protocol 41(ISATAP,6to4,.)and UDP 3544(Teredo)over IPv4BRKSEC-204445Source:Microsoft Stock Images 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTranslation NAT64/464XLATStateful

60、 NAT64 usually relies on DNS64DNS64 synthetizes a DNS answer,but it breaks DNSEC by defaultExcept if DNS64 is the designated validatorAs plain NAT44,it breaks IPsec if UDP encapsulation is not doneAnd it has all NAT issues:logging for auditing,.BRKSEC-204446Summary 2023 Cisco and/or its affiliates.A

61、ll rights reserved.Cisco Public#CiscoLiveIPv4&IPv6:similar but differentSimilarities:control plane,routing security,network monitoring tools,fragments are an issueBUT:Multiple&changing addresses per host ULA is not RFC 1918 addresses Enough bits in addresses to insert some security semantics=easier

62、ACL Fragmented header chain=“undetermined-transport”ACL DHCP not always used=MUST track devices with First Hop Security Dual-stack:two inventories,two vulnerability scanning,stitching dual logsBRKSEC-204448 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicContinue your educationVisit

63、 the Cisco Showcase for related demosBook your one-on-oneMeet the Engineer meetingAttend the interactive education with DevNet,Capture the Flag,and Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFor E

64、ven More InformationBRKENT-3002 IPv6 Security in the Local Area with First Hop SecurityRFC 9099:Operational Security Considerations for IPv6 NetworksRFC 7404:Using Only Link-Local Addressing inside an IPv6 NetworkRFC 6105:IPv6 Router Advertisement GuardRFC 6620:First-Come,First-Server Source Address

65、 Validation Improvement for Locally Assigned IPv6 AddressesBRKSEC-204450 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAll IPv6-Related ContentBRKENT-2109 Lets Deploy IPv6 NOW5 Jun 202308:30 AM Level 2,Oceanside EBRKSEC-2044 Secure Operations for an IPv6 Network5 Jun 202

66、309:30 AM Level 2,Surf CDIBOIPV-1000What should we do about the IPv6-only mandate by Governments?5 Jun 202311:00 AM Level 2,Lagoon BBRKMER-1752 Experience the Journey to IPv6-Only With Cisco Meraki5 Jun 202311:00 AM Level 3,South Seas JBRKIPV-2191IPv6:Its Happening!5 Jun 202301:00 PMLower Level,Mari

67、ners ABLTRENT-2052 IPv6 Routing,SD-WAN and Services Lab5 Jun 202301:00 PMLuxor-Level 1,Egyptian Ballroom BCBRKENT-2122 IPv6-Powering the World of IoT5 Jun 202303:00 PMLevel 3,Palm CIBOENT-2811Everything you wanted to know about IPv6 but were afraid to ask!5 Jun 202304:00 PMLevel 2,Lagoon DBRKIPV-200

68、0Verifying your Systems Transition to IPv66 Jun 202310:30 AM Level 2,Oceanside FBRKIPV-2751IPv6 with Cisco IOS Routing and Meraki Access-A Practical Guide6 Jun 202301:00 PMLevel 2,Breakers FLBRKENT-2008 Goodbye Legacy,the move to an IPv6-Only Enterprise6 Jun 202302:30 PMLevel 2,Mandalay Bay KBRKIPV-

69、1616IPv6-What Do you Mean there isnt a Broadcast?6 Jun 202303:00 PMLevel 2,Breakers EKBRKENT-3340 HitchHikers Guide to Troubleshooting IPv66 Jun 202303:00 PMLevel 2,Mandalay Bay FBRKENT-3002 IPv6 Security in the Local Area with First Hop Security6 Jun 202303:00 PMLevel 2,Reef DEBRKIPV-3927Deploying

70、IPv6 in the Cloud7 Jun 202310:30 AM Level 2,Reef DEBRKDCN-2682Routing IPv6 In VXLAN BGP EVPN Fabrics7 Jun 202302:30 PMLevel 3,South Seas CIBOIPV-2000Sharing Experience on IPv6 Deployments in Enterprise7 Jun 202304:00 PMLevel 2,Lagoon BIBOIPV-2002Discussing IPv6 in a Cloud-managed World with the Cisc

71、o Meraki Platform8 Jun 202311:00 AM Level 2,Lagoon BIBOENT-2811Everything you wanted to know about IPv6 but were afraid to ask!8 Jun 202301:00 PMLevel 2,Lagoon D51Session ID 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill ou

72、t a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks(while supplies last)!These points help you get on the leaderboard and increase your chances of winning daily and grand prizesAttendees will also earn 100 points in the Cisco Live Challenge for every su

73、rvey completed.BRKSEC-204452Thank you#CiscoLive#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive55Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123455 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2044