IPv6 Security in the Local Area with First Hop Security (FHS) (PDF, 65 pages)

IPv6 Security in the Local Area with First Hop Security (FHS)
Eric Vyncke, Distinguished Engineer, @evyncke
BRKENT-3002, #CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Objectives (from the Abstract)
A big difference in the security between IPv4 and IPv6 is all the layer-2/layer-3 interactions, as DHCP is optional in IPv6 and ARP is replaced by the Neighbour Discovery Protocol (NDP). Legacy IPv4 attacks such as ARP spoofing have their equivalent in IPv6. Cisco has developed for many years techniques to secure this interaction in the local area (being WLAN, LAN, SD-Access, Meraki, ACI, etc.). This session explains what the attacks are and how Cisco can protect your networks.

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Securing StateLess Address Auto-Configuration (SLAAC)
- Integrity of Addresses Bindings
- Address Availability
- More Information on First Hop Security (FHS)
- FHS in a SD-Access Fabric
- IPv6 Security Beyond Local Area
- Summary
Knowledge of IPv6, NDP, fragmentation and network security is assumed.

Securing StateLess Address Auto-Configuration (SLAAC)

StateLess Address Auto Configuration (SLAAC): Rogue Router Advertisement
Router Advertisements (RA) contain:
- the prefix to be used by hosts
- the data-link layer address of the router
- miscellaneous options: MTU, DHCPv6 use, ...
Exchange: 1. RS, data = query "please send RA"; 2. RA, data = options, prefix, lifetime, A+M+O flags.
An RA without any authentication gives exactly the same level of security as DHCPv4 (none). A rogue RA answering the RS leads to DoS or MITM.

Mitigating Rogue RA: Host Isolation
Prevent node-to-node layer-2 communication by using:
- Private VLANs (PVLAN), where nodes (isolated port) can only contact the official router (promiscuous port)
- WLAN in AP Isolation Mode
- 1 VLAN per host (SP access network with Broadband Network Gateway)
Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm.
Side effect: breaks Duplicate Address Detection (DAD).

RA guard since 2010 (RFC 6105)
A port ACL blocks all ICMPv6 RA from hosts (no ACL on the router port):

    interface FastEthernet0/2
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port

Parsing the Extension Header Chain 1/2
Every extension header contains:
- the type of the next header
- its length (if not always the same)
Example chain: IPv6 header (NH=0) > HopByHop (NH=43, HL=32) > Routing (NH=60, HL=256) > Destination (NH=58, HL=1300) > ICMPv6 type=134.

Parsing the Extension Header Chain 2/2
Finding the layer 4 information is not trivial in IPv6. Skip all known extension headers until either:
- a known layer 4 header is found: a MATCH can be done on the layer-4 info, or
- an unknown extension header or layer 4 header is found: NO MATCH can be done.

Fragmented RA and stateless ACL
ICMPv6 code/type information could be in the 2nd fragment, but stateless firewalls could not find it if a previous extension header is fragmented:
- Fragment 1: IPv6 hdr, HopByHop, Fragment, Routing, Destination
- Fragment 2: IPv6 hdr, HopByHop, Fragment, ICMPv6 type=134
ICMPv6 code/type is in the 2nd fragment: stateless filters have no clue where to find it! (See also BRKSEC-3200.)

Is it the End of the World?
- RFC 6980: nodes MUST silently ignore NDP ... if packets include a fragmentation header ;-)
- RFC 8200: if the first fragment does not include all headers through an Upper-Layer header, then that fragment should be discarded.
- For IOS-based switches: the fragment keyword matches non-initial fragments (same as IPv4); the undetermined-transport keyword does not match if non-initial fragment, only for deny ACE.

IPv6 Fragmentation & IOS ACL Fragment Keyword
This makes matching against the first fragment non-deterministic: the layer 4 header might not be there but in a later fragment. Need for stateful inspection.
- fragment keyword: matches non-initial fragments (same as IPv4)
- undetermined-transport keyword does not match:
  - if non-initial fragment
  - or if TCP/UDP/SCTP and the ports are in the fragment
  - or if ICMP and type and code are in the fragment
  Everything else matches (including OSPFv3, RSVP, GRE, ESP, EIGRP, PIM). Only for deny ACE.

First Hop Security: RAguard Revisited
Hosts sit on ports with device-role HOST, the router on the port with device-role ROUTER:

    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    vlan configuration 1
     ipv6 nd raguard attach-policy HOST
    interface Ethernet0/0
     ipv6 nd raguard attach-policy ROUTER

General principles on FHS command interface
Each FH feature provides commands to attach policies to targets: global, VLAN, port.

    vlan configuration 100
     ipv6 nd raguard attach-policy host
     device-tracking
    interface Ethernet 0/0
     ipv6 nd raguard attach-policy router

Packets are processed by the lowest-level matching policy for each feature:
1. Two RA guard policies are configured: policy "host" and device-tracking on VLAN 100, policy "router" on interface Ethernet 0/0 (part of VLAN 100).
2. Packets received on Ethernet 0/0 are processed by policy "router" AND by device-tracking policy "default".
3. Packets received on any other port of VLAN 100 are processed by policy "host" AND by device-tracking policy "default".

Configuration examples
Step 1: configure the policies. Step 2: attach the policies to a target (VLAN or port).

    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    device-tracking policy NODE
     tracking enable
     limit address-count 10
     security-level guard
    device-tracking policy SERVER
     trusted-port
     tracking disable
     security-level glean
    !
    vlan configuration 100-200
     ipv6 nd raguard attach-policy HOST
    interface Ethernet0/0
     ipv6 nd raguard attach-policy ROUTER
    vlan configuration 100,101
     ipv6 snooping attach-policy NODE
    interface Ethernet1/0
     device-tracking attach-policy SERVER

The older CLI for NDP snooping was "ipv6 snooping"; it is now "device-tracking".

Device Roles
For RA-guard, devices can have different roles:
- Host (default): only receives RA from valid routers, no RS are received, no RA can be sent
- Router: receives all RS and can send RA
- Monitor: receives valid and rogue RA, and all RS, cannot send RA/RS
- Switch: all RA are trusted and flooded to synchronize states, all RS are also forwarded
For device-tracking, devices can have different roles:
- Node (default): received ND are inspected (= gleaned), only valid ND are sent
- Switch: all valid ND are flooded to the port to synchronize states, ND received from the port are trusted

RA-Guard Demo Topology
Switch 1 connected to a Host, a Villain and a Router on E0/0, E0/2 and E0/1: https://youtu.be/1kwCaY4H9Tw (4 min 24 sec)

Meraki MR RA Guard
Wireless > Firewall & traffic shaping: RA guard on by default!

Meraki MS RA Guard (Early Access)
Switching > DHCP servers & ARP*: RA guard listening globally for all switches in the network (Organization > Early Access). *Menu navigation name subject to change.

Integrity of MAC-IPv6 Addresses Bindings

Address Resolution protocol: Resolve
Operation: discover the MAC address of a given IP address.
- A sends an NS, ICMP type=135 (Neighbor Solicitation): Source=A, SLLA=MACA, Dst=Solicited-node multicast address of B (SOLB), target=B. Query: what is B's Link-Layer Address?
- B answers with an NA, ICMP type=136 (Neighbor Advertisement): Src=one of B's I/F addresses, Dst=A, target=B, Option=Target link-layer address (MACB).
- A's neighbor cache: B INCMPL, then B MACB REACH. B's neighbor cache: A MACA (PROBE). Data can then flow.

Address Resolution protocol: confirm (NUD, Neighbor Unreachability Detection)
Operation: maintain the mapping fresh in the cache.
- A's entry for B goes STALE; A sends an NS, ICMP type=135: Destination=B, target=B. Query: are you still there?
- B answers with an NA, ICMP type=136: Source=B, Destination=A, target=B. Yes!
- A's entry is back to B MACB REACH. Traffic is sent even while the entry is not yet confirmed.

Address Resolution protocol: update
Operation: update the mapping in the cache.
- B sends an unsolicited NA with the override flag, ICMP type=136: Source=B, Destination=ALL-NODES, target=B, Option=Target link-layer address (MACBB).
- A's neighbor cache: B MACB REACH becomes B MACBB REACH.
And unauthenticated.

Address/Identity Theft (and session hijacking!)
Vulnerability: the attacker claims the victim's IP address.
- A session is established between A and B (A's cache: B MACB).
- C sends an unsolicited NA: Source=B, Destination=ALL-NODES, Target=B, Option: SLLA=MACC.
- A's cache now holds B MACC: the session is re-established, with C.

Discover Endpoint Addresses (no animation)
A switch with a DHCP server and hosts H1, H2, H3. The switch learns the bindings from:
- H1: DAD NS target=A1, SMAC=MACH1
- H2: DHCP REQUEST XID, SMAC=MACH2; DHCP REPLY XID, IPA21, IPA22
- H3: data with IP source=A3, SMAC=MACH3; NS target=A3 / NA A3=MACH3; DHCP LEASEQUERY / LEASEQUERY_REPLY
Binding table:

    ADDR  MAC    VLAN  IF
    A1    MACH1  100   P1
    A21   MACH2  100   P2
    A22   MACH2  100   P2
    A3    MACH3  100   P3

Discover Endpoint Addresses: Preference
Each entry has a preference based on:
- configuration: server, node
- learning method: static, DHCP, DAD, ...
- credentials: 802.1X
Binding table:

    ADDR  MAC    VLAN  IF  Preference
    A1    MACH1  100   P1  X
    A21   MACH2  100   P2  Y
    A22   MACH2  100   P2  Y
    A3    MACH3  100   P3  Z

Enforce/Validate Endpoint Addresses
Binding table: A1, MACH1, VLAN 100, IF1 (P1), preference X. C, on IF2, sends NA target=A1, LLA=MACC. Decision flow:
- Known IP? No: install.
- Yes: same anchor? Yes: refresh.
- No: compute the preference P of the new claim and compare P and X:
  - P < X: drop (IP theft, thief less trusted)
  - P > X: replace (IP move)
  - P = X: is H1 still alive? Yes: drop (IP theft, equal trust). No: replace (IP move).

Configuration Example

    device-tracking policy NODE
     tracking enable
     limit address-count 10
     security-level inspect
    device-tracking policy SERVER
     trusted-port
     tracking disable
     security-level glean
    vlan configuration 1
     device-tracking attach-policy NODE
    interface Ethernet0/3
     device-tracking attach-policy SERVER

Security level:
- glean: only build the binding table
- inspect: as glean + drop wrong NA
- guard: as inspect + drop RA & DHCP server messages

Device-Binding Demo Topology
Switch 1 connected to a Host, a Villain and a Server (2001:db8:cafe:80) on E0/3, E0/2 and E0/1: https://youtu.be/REL1AmqnFFc (5 min 17 sec)
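An added Python model of the decision flow above (written for this page, not the switch's code): it replays the equal-trust, thief-less-trusted and IP-move cases, the first-come-first-served DAD case of the Address Availability section, and emits messages in the %SISF-4-IP_THEFT shape of the Monitoring slide. The preference weights, the M= field content and the NUD-probe callback are the example's own assumptions, as the page gives no numeric values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Preference inputs named on the "Preference" slide: configuration (server/node),
# learning method (static/DHCP/DAD/...) and credentials (802.1X). The weights are
# constructed for this example; the switch's real values are not on the page.
ROLE_WEIGHT = {"node": 0, "server": 4}
METHOD_WEIGHT = {"dad": 0, "nd": 0, "dhcp": 1, "static": 2}
CRED_WEIGHT = {None: 0, "802.1x": 2}


def preference(role: str, method: str, cred: Optional[str] = None) -> int:
    return ROLE_WEIGHT[role] + METHOD_WEIGHT[method] + CRED_WEIGHT[cred]


@dataclass
class Binding:
    addr: str
    mac: str
    vlan: int
    iface: str
    pref: int


class BindingTable:
    """Binding table keyed by (VLAN, address); the anchor of an entry is its (MAC, port)."""

    def __init__(self, owner_alive: Callable[[Binding], bool]):
        self.entries: Dict[Tuple[int, str], Binding] = {}
        self.owner_alive = owner_alive   # the "H1 alive?" NUD probe, injected so it can be simulated
        self.syslog: List[str] = []      # messages in the %SISF-4-IP_THEFT shape of the Monitoring slide

    def validate(self, vlan: int, addr: str, mac: str, iface: str, pref: int) -> str:
        """Decision flow of the slide for one NS/NA/DHCP-learned claim of addr by (mac, iface)."""
        key = (vlan, addr)
        cur = self.entries.get(key)
        if cur is None:                                    # Known IP? No: install
            self.entries[key] = Binding(addr, mac, vlan, iface, pref)
            return "INSTALL"
        if (cur.mac, cur.iface) == (mac, iface):           # Same anchor? Yes: refresh
            return "REFRESH"
        # M= is assumed to carry the claimant's MAC; the slide only shows a placeholder
        theft = f"%SISF-4-IP_THEFT:IP Theft A={addr} V={vlan} I={cur.iface} M={mac} New={iface}"
        if pref < cur.pref:                                # P < X: IP theft, thief less trusted
            self.syslog.append(theft)
            return "DROP"
        if pref == cur.pref and self.owner_alive(cur):     # P = X and H1 alive: IP theft, equal trust
            self.syslog.append(theft)
            return "DROP"
        self.entries[key] = Binding(addr, mac, vlan, iface, pref)   # P > X, or owner gone: IP move
        return "REPLACE"


def demo() -> Tuple[List[str], BindingTable]:
    """Replay the slide's cases on a constructed table; returns the decisions and the table."""
    alive = {"MACH1": True}                                # which MACs still answer a NUD probe
    table = BindingTable(lambda b: alive.get(b.mac, False))
    node = preference("node", "dad")
    server = preference("server", "static", "802.1x")
    decisions = [
        table.validate(100, "A1", "MACH1", "IF1", node),   # H1's DAD NS for A1 (first come): INSTALL
        table.validate(100, "A1", "MACH1", "IF1", node),   # H1 again from the same anchor: REFRESH
        table.validate(100, "A1", "MACC", "IF2", node),    # C claims A1 ("it's mine!"), equal trust, H1 alive: DROP
        table.validate(100, "A2", "MACS", "IF3", server),  # trusted server binding: INSTALL
        table.validate(100, "A2", "MACC", "IF2", node),    # C claims A2, thief less trusted: DROP
    ]
    alive["MACH1"] = False                                 # H1 no longer answers on IF1...
    decisions.append(table.validate(100, "A1", "MACH1", "IF4", node))   # ...and reappears on IF4: IP move, REPLACE
    decisions.append(table.validate(100, "A1", "MACD", "IF5", preference("node", "dad", "802.1x")))  # better credentials: REPLACE
    return decisions, table
```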

Address Availability

Normal Duplicate Address Detection Failure
- The router sends an RA, ICMP type=134 (Router Advertisement): Destination=ALL-NODES, Options=Prefix X, lifetime (possibly in answer to an RS, ICMP type=133 (Router Solicitation): Source=UNSPEC or I/F link-local address, Destination=ALL-ROUTERS).
- The host computes HOSTID (EUI-64, CGA, privacy) and builds A = X | HOSTID.
- The host sends an NS-DAD (multicast), ICMP type=135 (Neighbor Solicitation): Source=UNSPEC, Destination=SOL A, target=A. Query: does anybody use A already?
- If another host answers NA target=A, address A cannot be used; manual intervention is required in most cases.

Denial of Address Initialization
- RA, ICMP type=134: Destination=ALL-NODES, Options=Prefix P. The host computes A = P | HOSTID and sends NS-DAD target=A (ICMP type=135, Source=UNSPEC, Destination=SOL A, target=A: does anybody use A already?).
- The attacker C answers NA target=A: "it's mine!"
- Address A cannot be used: the victim can't configure an IP address and can't communicate.

Mitigating Denial of Address Initialization
- Host A on IFA sends the NS-DAD for A (ICMP DAD-Neighbor Solicitation: Source=UNSPEC, Destination=SOL A, target=A). The switch creates the binding A, MACA, IFA, INCPL: address A is ready to use.
- The attacker C on IFC answers NA target=A "it's mine!": the switch runs the IP theft algorithm on the anchor (first come, first served: FCFS) and the claim is dropped.

DoS attack: denial of address assignment
Vulnerability: the attacker hacks the DHCP server role.
- Host: SOLICIT (to ALL_SERVERS_AND_RELAY).
- Attacker C: ADVERTISE with preference=255 (the legitimate server's ADVERTISE arrives through the relay/router).
- Host: REQUEST. Attacker: REPLY with IA=BOGUS, or REPLY with NoAddrsAvail.

DoS attack mitigation: DHCP Guard
Port ACL: blocks all DHCPv6 "server" messages on client-facing ports:

    interface FastEthernet0/2
     ipv6 traffic-filter CLIENT_PORT in
     access-group mode prefer port

DHCP guard: deep DHCP packet inspection (the ADVERTISE is checked against the source, a prefix list and CGA credentials). The server policy is a DHCP guard policy (device-role server only exists there):

    ipv6 dhcp guard policy CLIENT
     device-role client
    ipv6 dhcp guard policy SERVER
     device-role server
    vlan configuration 100
     ipv6 dhcp guard attach-policy CLIENT
    interface FastEthernet0/0
     ipv6 dhcp guard attach-policy SERVER

Meraki MR DHCPv6 Guard
Wireless > Firewall & traffic shaping: DHCP guard, same toggle for IPv4/IPv6.

Meraki MS IPv6 ACL for DHCPv6
Rogue DHCPv6 blocking with a switch ACL.

Meraki MS DHCPv6 Guard (Early Access)
Switching > DHCP servers & ARP*: DHCPv6 guard listening globally for all switches in the network (Organization > Early Access). *Menu navigation name subject to change.

DoS attack: denial of address resolution
X scans the 2^64 addresses of 2001:db8::/64 (ping 2001:db8::a, 2001:db8::b, ... 2001:db8::z). For each destination the router sends an NS to the solicited-node multicast address (Dst=Multicast SOL:a, query: where is 2001:db8::a? SOL:b, where is 2001:db8::b? ... SOL:z, where is 2001:db8::z?) and keeps an entry in its neighbor cache (3 seconds history). Max capacity reached: STOP! The session to A fails.

Destination Guard
- Mitigates prefix-scanning attacks and protects the ND cache
- Useful at the last-hop router and L3 distribution switch
- Drops packets for destinations without a binding entry
Flow: a packet from the Internet reaches the router/L3 switch. DST=D1 is looked up in the binding table (built by address glean): found, so address resolution is done and the packet reaches host B. DST=Dn (scanning P/64): not found, so no resolution is done and the packet is dropped.

More Information on FHS

Monitoring (done via SYSLOG)
Address Theft (IP):

    %SISF-4-IP_THEFT:IP Theft A=2001:DB8:1 V=100 I=Et0/0 M=0000.0000.0000 New=Et1/0

Address Theft (MAC):

    %SISF-4-MAC_THEFT:MAC Theft A=2001:DB8:1 V=100 I=Et1/0 M=0000.0000.0000 New=Et1/0

Address Theft (MAC/IP):

    %SISF-4-MAC_AND_IP_THEFT:MAC_AND_IP Theft A=2001:DB8:1 V=100 I=Et0/0 M=0000.0000.0000 New=Et1/0

DHCP Guard:

    %SISF-4-PAK_DROP:Message dropped A=2001:DB8:1 G=2001:2DB:2 V=2 I=Gi3/0/24 P=DHCPv6:REP Reason=Packet not authorized on port

RA Guard:

    %SISF-4-PAK_DROP:Message dropped A=2001:DB8:2 G=- V=1 I=Gi3/2 P=NDP:RA Reason=Message unauthorized on port

Many FHS Features
- RA-Guard: only trusted routers can send RA
- Device tracking: learn the MAC/IP addresses binding and enforce it (first talker wins)
- DHCPv6 Guard: block DHCP packets from non-trusted DHCP servers
- Destination Guard: block ingress packets whose destination is unknown (not in the binding table learned by device tracking)
- Source Guard: block packets with invalid source IPv6 addresses (learned from device tracking of NDP & DHCP), mainly for layer-2 switches
- Prefix Guard: block packets with invalid source IPv6 addresses (learned from DHCP prefix delegation), mainly for CPE
- RA Throttler: reduce the amount of multicast RA, as multicast is bad for Wi-Fi (battery lifetime, reliability, and performance)
- ND Suppress Multicast: rewrite the destination MAC address from multicast to unicast for some traffic (also based on the binding learned by device tracking)

IPv6 First Hop Security Platform Support
Versions per platform as printed on the slide; the slide's colour legend (Available Now / Not Available / Roadmap) did not survive extraction, and a platform without a version string is left out of the row.
- RA Guard: Catalyst 6500 15.0(1)SY; Catalyst 4500 15.1(2)SG; Catalyst 2K/3K 15.0(2)SE; 7600 15.2(4)S; Catalyst 3850 15.0(1)EX; Wireless LAN Controller (Flex 7500, 5508, 2500, WiSM-2) 7.2; Nexus 7k NX-OS 8.0; Nexus 3k/9k 7.0(3); Nexus ACI 3.0; Meraki MR 28; Meraki MS 16
- Device-tracking: Catalyst 6500 15.0(1)SY (note 1); Catalyst 4500 15.1(2)SG; Catalyst 2K/3K 15.0(2)SE; ASR1000 XE 3.9.0S; 7600 15.2(4)S; Catalyst 3850 15.0(1)EX; WLC 7.2; Nexus 7k NX-OS 8.0; Nexus 3k/9k 7.0(3); Nexus ACI 3.0; Meraki MR 27; Meraki MS 6
- DHCPv6 Guard: Catalyst 6500 15.2(1)SY; Catalyst 4500 15.1(2)SG; Catalyst 2K/3K 15.0(2)SE; 7600 15.2(4)S; Catalyst 3850 15.0(1)EX; WLC 7.2; Nexus 7k NX-OS 8.0; Nexus 3k/9k 7.0(3); Nexus ACI 3.0; Meraki MR 29; Meraki MS 16
- Source/Prefix Guard: Catalyst 6500 15.2(1)SY; Catalyst 4500 15.2(1)E; Catalyst 2K/3K 15.0(2)SE (note 2); ASR1000 XE 3.9.0S; 7600 15.3(1)S; WLC 7.2
- Destination Guard: Catalyst 6500 15.2(1)SY; Catalyst 4500 15.1(2)SG; Catalyst 2K/3K 15.2(1)E; ASR1000 XE 3.9.0S; 7600 15.2(4)S
- RA Throttler: Catalyst 6500 15.2(1)SY; Catalyst 4500 15.2(1)E; Catalyst 2K/3K 15.2(1)E; Catalyst 3850 15.0(1)EX; WLC 7.2; Meraki MR 29
- ND Multicast Suppress: Catalyst 6500 15.2(1)SY; Catalyst 4500 15.1(2)SG; Catalyst 2K/3K 15.2(1)E; ASR1000 XE 3.9.0S; Catalyst 3850 15.0(1)EX; WLC 7.2; Meraki MR 28
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped.
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release.
Note 3: No support on virtual switches.
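The SYSLOG messages of the Monitoring slide above are what a SOC actually receives from FHS. As an added example (written for this page, not Cisco code), here is a Python parser for the five message shapes shown there, run over a constructed log sample; it groups theft events per address and guard drops per port. The timestamp/host/sequence prefix and the repeated drop are assumptions about how a collector stores the lines.

```python
import re
from collections import Counter, defaultdict

# Constructed log sample (not a capture): the five message shapes of the
# Monitoring slide, with a syslog timestamp/host/sequence prefix as a collector
# would store them, one repeated RA Guard drop, and an unrelated message.
SAMPLE_LOG = """\
Jun  6 15:01:02 sw1 12: %SISF-4-IP_THEFT:IP Theft A=2001:DB8:1 V=100 I=Et0/0 M=0000.0000.0000 New=Et1/0
Jun  6 15:01:03 sw1 13: %SISF-4-MAC_THEFT:MAC Theft A=2001:DB8:1 V=100 I=Et1/0 M=0000.0000.0000 New=Et1/0
Jun  6 15:01:04 sw1 14: %SISF-4-MAC_AND_IP_THEFT:MAC_AND_IP Theft A=2001:DB8:1 V=100 I=Et0/0 M=0000.0000.0000 New=Et1/0
Jun  6 15:02:10 sw2 77: %SISF-4-PAK_DROP:Message dropped A=2001:DB8:1 G=2001:2DB:2 V=2 I=Gi3/0/24 P=DHCPv6:REP Reason=Packet not authorized on port
Jun  6 15:02:11 sw2 78: %SISF-4-PAK_DROP:Message dropped A=2001:DB8:2 G=- V=1 I=Gi3/2 P=NDP:RA Reason=Message unauthorized on port
Jun  6 15:02:12 sw2 79: %SISF-4-PAK_DROP:Message dropped A=2001:DB8:2 G=- V=1 I=Gi3/2 P=NDP:RA Reason=Message unauthorized on port
Jun  6 15:03:00 sw1 15: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
"""

MSG_RE = re.compile(r"%SISF-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):(?P<text>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Za-z]+)=(?P<val>\S+)")


def parse_sisf(line):
    """Return the fields of a %SISF message as a dict, or None for any other syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    head, _, reason = m.group("text").partition(" Reason=")   # Reason is free text with spaces
    f = {x.group("key"): x.group("val") for x in FIELD_RE.finditer(head)}
    return {
        "severity": int(m.group("sev")), "mnemonic": m.group("mnemonic"),
        "addr": f.get("A"), "gateway": f.get("G"),
        "vlan": int(f["V"]) if "V" in f else None,
        "port": f.get("I"), "mac": f.get("M"), "new_port": f.get("New"),
        "proto": f.get("P"), "reason": reason or None,
    }


def summarize(log_text):
    """Theft events grouped per (VLAN, address) with the ports involved, and guard
    drops counted per (port, protocol, reason)."""
    thefts = defaultdict(list)
    drops = Counter()
    for line in log_text.splitlines():
        ev = parse_sisf(line)
        if ev is None:
            continue
        if ev["mnemonic"].endswith("_THEFT"):
            thefts[(ev["vlan"], ev["addr"])].append((ev["mnemonic"], ev["port"], ev["new_port"]))
        elif ev["mnemonic"] == "PAK_DROP":
            drops[(ev["port"], ev["proto"], ev["reason"])] += 1
    return {"thefts": dict(thefts), "drops": dict(drops)}


def noisy_ports(summary, threshold=2):
    """Ports whose RA/DHCP guard drops reach the threshold: where a rogue router or
    DHCP server is plugged in, or where the device-role is misconfigured."""
    per_port = Counter()
    for (port, _proto, _reason), n in summary["drops"].items():
        per_port[port] += n
    return sorted(p for p, n in per_port.items() if n >= threshold)
```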

FHS in a SD-Access Fabric

Layer-2 vs layer-3 Overlays
Layer 2 overlays:
- emulate a LAN segment
- transport Ethernet frames (IP & non-IP)
- single subnet mobility (L2 domain)
- exposure to layer 2 flooding
- useful in emulating physical topologies
Layer 3 overlays:
- abstract IP connectivity
- transport IP packets (IPv4 & IPv6)
- full mobility regardless of gateway
- contain network related failures (floods)
- useful to abstract connectivity and policy

SD-Access Fabric
Fabric Edge (FE) and core nodes form the underlay; End Points (EP) are connected through the overlay; controller: DNAC. Encapsulation in VXLAN and LISP.

Router Theft: Mitigate with RA-guard & DHCP-guard
Use case #1: no exterior router. IPv4: block all incoming DHCP-ack. IPv6: block incoming RA and DHCP-reply.
Use case #2: exterior router allowed. IPv4: authorize the DHCP server on the port. IPv6: authorize the router and the DHCP server on the port:

    ipv6 nd raguard policy ROUTER
     device-role router
    ipv6 dhcp guard policy SERVER
     device-role server
    interface FastEthernet0/0
     ipv6 nd raguard attach-policy ROUTER
     ipv6 dhcp guard attach-policy SERVER

RA-guard on by default on SD-Access

    #show device-tracking policy LISP-DT-GUARD-VLAN
    Policy LISP-DT-GUARD-VLAN configuration:
      security-level guard (*)
      device-role node
      gleaning from Neighbor Discovery
      gleaning from DHCP
      gleaning from ARP
      gleaning from DHCP4
      NOT gleaning from protocol unkn
      limit address-count for IPv4 per mac 4 (*)
      limit address-count for IPv6 per mac 12 (*)
      tracking enable
    Policy LISP-DT-GUARD-VLAN is applied on the following targets:
    Target    Type  Policy              Feature          Target range
    vlan 101  VLAN  LISP-DT-GUARD-VLAN  Device-tracking  vlan all
    note:
    Binding entry Down timer: 10 minutes (*)
    Binding entry Stale timer: 30 minutes (*)

Address Ownership: IPv4/6 Address
Assumption: end-point addresses are discovered and stored in the fabric DB (Device, MAC, FE, IP, Pref): EP1 MAC1 FE1 IP1; EP2 MAC2 FE2 IP2; EP3 MAC3 FE3; EP4 MAC4 FE4 IP4.
- Duplicate address: EP4 (MAC4) performs DAD for IP1. Its FE asks the fabric "where is IP1?" with a DAR (Duplicate Address Request) for IP1; the fabric DB answers DAC DUP (Duplicate Address) and an ARP response / NA for IP1 is sent to MAC4: the address is already taken.
- Theft: at FE3, MAC3 sends an ARP request / NS for IP1. The fabric computes the preference P of the claim, compares it with the P of the existing entry, checks that EP1 is still there ("Are you still there?" / "Yes!"), answers the ARP response / NA for IP1, and the controller logs IP theft via syslog.

Address Ownership: Fast Roaming in SD-Access
Assumption: end-point addresses are discovered and stored in the fabric DB: EP1 MAC1 FE1 IP11, IP12; EP2 MAC2 FE2 IP2; EP3 MAC3 FE3 IP3.
- A packet with source IP11, MAC1 is seen at FE3: EP1/MAC1 is at FE3.
- The fabric DB deletes EP1 (at FE1) and adds EP1 with IP11 & IP12 at FE3.

IPv6 Security Beyond the Local Area?
IPv6 differs from IPv4 mainly in:
- NDP vs. ARP: this class was about securing the difference
- Extension Headers: a large topic, see also BRKSEC-2044 "Secure operations of an IPv6 network"
I.e., beyond the local area, the normal security BCP are similar:
- anti-spoofing with uRPF checks
- infrastructure ACL
- routing security
- VPN, firewalls, IDS, ...

Summary
- IPv6 NDP/DHCP are vastly different than IPv4 ARP/DHCP
- A common approach can work for both: trusted devices (AP, switches, fabric, ...) can learn dynamic states and enforce the binding
- Do not forget that an IPv6 network exists as soon as you have an IPv6 host, no need for IPv6 Internet. If there are 2 IPv6 hosts, then one can attack the other one.
- I.e., please deploy IPv6 FHS NOW

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

For Even More Information

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

All IPv6-Related Content
- BRKENT-2109 Let's Deploy IPv6 NOW (5 Jun 2023, 08:30 AM, Level 2, Oceanside E)
- BRKSEC-2044 Secure Operations for an IPv6 Network (5 Jun 2023, 09:30 AM, Level 2, Surf CD)
- IBOIPV-1000 What should we do about the IPv6-only mandate by Governments? (5 Jun 2023, 11:00 AM, Level 2, Lagoon B)
- BRKMER-1752 Experience the Journey to IPv6-Only With Cisco Meraki (5 Jun 2023, 11:00 AM, Level 3, South Seas J)
- BRKIPV-2191 IPv6: It's Happening! (5 Jun 2023, 01:00 PM, Lower Level, Mariners AB)
- LTRENT-2052 IPv6 Routing, SD-WAN and Services Lab (5 Jun 2023, 01:00 PM, Luxor, Level 1, Egyptian Ballroom BC)
- BRKENT-2122 IPv6: Powering the World of IoT (5 Jun 2023, 03:00 PM, Level 3, Palm C)
- IBOENT-2811 Everything you wanted to know about IPv6 but were afraid to ask! (5 Jun 2023, 04:00 PM, Level 2, Lagoon D)
- BRKIPV-2000 Verifying your Systems Transition to IPv6 (6 Jun 2023, 10:30 AM, Level 2, Oceanside F)
- BRKIPV-2751 IPv6 with Cisco IOS Routing and Meraki Access: A Practical Guide (6 Jun 2023, 01:00 PM, Level 2, Breakers FL)
- BRKENT-2008 Goodbye Legacy, the move to an IPv6-Only Enterprise (6 Jun 2023, 02:30 PM, Level 2, Mandalay Bay K)
- BRKIPV-1616 IPv6: What Do you Mean there isn't a Broadcast? (6 Jun 2023, 03:00 PM, Level 2, Breakers EK)
- BRKENT-3340 HitchHiker's Guide to Troubleshooting IPv6 (6 Jun 2023, 03:00 PM, Level 2, Mandalay Bay F)
- BRKENT-3002 IPv6 Security in the Local Area with First Hop Security (6 Jun 2023, 03:00 PM, Level 2, Reef DE)
- BRKIPV-3927 Deploying IPv6 in the Cloud (7 Jun 2023, 10:30 AM, Level 2, Reef DE)
- BRKDCN-2682 Routing IPv6 In VXLAN BGP EVPN Fabrics (7 Jun 2023, 02:30 PM, Level 3, South Seas C)
- IBOIPV-2000 Sharing Experience on IPv6 Deployments in Enterprise (7 Jun 2023, 04:00 PM, Level 2, Lagoon B)
- IBOIPV-2002 Discussing IPv6 in a Cloud-managed World with the Cisco Meraki Platform (8 Jun 2023, 11:00 AM, Level 2, Lagoon B)
- IBOENT-2811 Everything you wanted to know about IPv6 but were afraid to ask! (8 Jun 2023, 01:00 PM, Level 2, Lagoon D)

Thank you

Gamify your Cisco Live experience!
Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
