IPv6 in the Network

Jeffry Handal, Principal Architect
Harold Ritter, Sr Technical Leader
Éric Vyncke, Distinguished Engineer

TECIPV-2265
Abstract of "IPv6 in your Network"
• By way of a continuation and extension of the exploration of the IPv6 world, in the afternoon we
  continue our journey with "IPv6 in your Network". You might have already joined us for the
  morning session covering "IPv6 on the Host".
• In this session you will continue to learn how to further the deployment of IPv6 in your
  Enterprise. We will highlight transition technologies but will not stop there: we go on to cover
  address planning, routing protocols and security-related considerations.
• We will also provide a roadmap for the rest of your time at Cisco Live, with pointers to specific
  breakouts where you can learn more about your journey to IPv6-only.

TECIPV-2265 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Assumptions

Base knowledge on the following:
• IPv6 address structure and address types (e.g., 2001:0db8:0100:1111:0000:c15:c0:0001)
• IPv4 routing concepts
• Principles of cyber security
• Public cloud concepts
Agenda
• Address Planning
• DNS
• The Multiple Addresses Paradigm
• Source/Destination Address Selection
• Happy Eyeballs
• NAT in IPv6?
• Routing Protocols
• Multi-Prefix Multi-Link
• Transition Technologies
• Security
• The Cloud
• Take the Challenge
Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4.Enter messages/questions in the Webex space
Webex spaces will be moderated until February 24, 2023.
Address Planning Mindset
"Begin with the end in mind"
Dr. Stephen Covey (The 7 Habits of Highly Effective People)
Addressing Plan Goals
• Develop definitions for the different parts of the network
  • Physical: WAN/Core, Campus, DC, Internet Edge
  • Logical: Guest, Voice, Employee, Organization
• Encoding of information
• Ease of aggregation
• Leave space for growth
• Involve other teams
  • Facilities, Information Security
Why is an IPv6 Addressing Plan So Valuable?
• IPv6 is a second chance for redemption
  • Do not repeat mistakes (or inherited mistakes) from IPv4
• It is an opportunity to involve the business
  • Structure/Services
  • Hierarchy/Security
• A well thought-through addressing plan
  • Reduces fear of the unknown
  • Helps achieve MTT in the long run
The IPv6 Address – Practical View
• IPv6 addresses are 128 bits long
• Segmented into 8 groups of four hex characters, separated by a colon (:)
• Default is 50% for the network ID, 50% for the interface ID

2001 : 0db8 : c15 : c0 : 0000 : 0000 : 0000 : 0001
[Figure labels: the first half (network ID) is marked "Control", the second half (interface ID) "Influence"]
IPv6 – The Creativity Opportunity
Functional and fun vanity in an address:
• Cisco: FE80::C15:C0:500:1
• Facebook: 2a03:2880:f134:183:face:b00c
Explaining BIG Numbers With Math
• The standard LAN size has been set at a /64
  • 2^64 = 18,446,744,073,709,551,616 IPv6 addresses
• Let's attempt to exhaust all the available addresses
  • We will allocate 10,000,000 addresses per second
  • Hint: there are 31,536,000 seconds per year
  • 10,000,000 x 31,536,000 = 315,360,000,000,000 addresses per year
  • 18,446,744,073,709,551,616 / 315,360,000,000,000 ≈ 58,494 years
Attribution: Ed Horley

In other words, do not worry about the number of hosts!
The True Plan

Deploy IPv6
Retire IPv4

IPv4 and IPv6 are not directly compatible

IPv6-Only: The Production Target

"Forty years ago, Bob Kahn and I did the design of the Internet. Thirty years ago, we turned it on.
Just last year [2012], we turned on the production Internet. You've been using the experimental
version for the last 30 years. The production version, it uses IP version 6."
– Vint Cerf
Mindset of Success (Part I)

1. Simplicity
• IPv6 has inherent simplicity, leverage it
• You don’t want to spend weeks explaining an address plan.

2. Embed Information
• To help troubleshooting and operation of the network
• Examples: location, country, PIN, VLAN, IPv4 addresses in Link Local and/or Global
Addresses

Mindset of Success (Part II)

3. Built-in Reserve
• Cater for future growth, mergers & acquisitions, new locations
• Reserved vs. assigned
4. Aggregatable
• Good aggregation is essential: just one address block (per location); we can take advantage of
  this (unlike in IPv4!)
• Ensures scalability and stability
5. It's a secret…

There is no such thing as wasted IPv6 space.
Building Blocks
Reining in the Abundance
• Do we get PI or PA?
  • PI space is great for organizations that want to multi-home to different SPs
  • PA if you are single-homed or plan to NAT/proxy everything with IPv6 (not likely)
PA/PI Space Example
[Figure: two RIPE Database entries, one Provider Aggregatable (PA) and one Provider Independent (PI)]
PA Space
• Operating options for PA
  • IPv6-as-a-Service operating model
  • Mature Zero Trust operating model (IP addresses do not matter)
PI Space
• Operating options for PI
  • Get one large global block from your local RIR and subnet it out per region
  • Get a separate block from each RIR you have a presence in
• Most organizations are going down the PI path
  • Getting assignments across regional registries provides "insurance" against changing policies
  • More economical than IPv4
  • Traffic engineering
• Get as much as you can! >/40 (i.e., a /40 or a larger block)
Types of Unicast IPv6 Addresses
• Link-Local Address (e.g., FE80::C15:C0:500:1)
  • First 64 bits are fixed
  • Interface Identifier can be modified
  • Encoding external identifiers for troubleshooting:
    • VLAN number
    • Router IDs
    • IPv4 address
  • Possible to leverage for IGP routing
Types of Unicast IPv6 Addresses
• Unique Local Address
  • Not recommended for end-point addressing
  • Needs translation (NPTv6 or NAT66) on the Internet Edge
• Global Unicast Address
  • Vast number of prefixes
[Figure: scopes of Link-Local, Unique Local and Global addresses]
Prefix Magic
• Prefix length
  • Enterprise range typically /32 to /48 (32 to 16 "subnet" bits)
  • SPs start at /32 (32 "subnet" bits)
• Network infrastructure links and host/end-system LANs
  • Avoid breaking the nibble boundary
• Think of the number of prefixes at each level
• Hierarchy is key
• Templates will be your friends
[Figure: Hosts /64; Core /64 or /127; Point-to-point /127; Servers /64; Loopback /128; WAN]
Methodology

Methodology – Inventory
• Analyze: where will IPv6 be deployed?
  • The addressing plan needs to be designed globally
• Identify the structure of the addressing plan
  • Based on the building blocks and considerations discussed earlier
  • Top-down approach
NOTE: This is different from the IPv4 days, when the number of hosts per subnet was important.

Treat IPv6 prefixes like containers.
Methodology – Targets
• Where and how many locations?
  • Countries, regions, locations, buildings, etc.
  • Needs to map onto the physical/logical network topology
• Which services, applications and systems are connected in each location?
  • E.g., fixed networks, mobile networks, end-users, ERP, CRM, R&D, etc.
Methodology – Timeline
• When should services be up and running with IPv6? IPv6-only?
  • For each area/zone/site, create individual timelines and roadmaps
  • Set expectations of steps and outcomes before, during and after the migration
• How do dependencies (e.g., tools, software, security concerns) affect timelines?
  • Leverage your partners (Cisco SE community)
  • Invest in analysis tools (e.g., Nmap, Snort)
Refine, Refine, Refine
Prefixes per Level
Always put aside a reserve.
• How many prefixes will you need at each level of the addressing plan?
  • Example: the number of interconnects (P2P) in your network
• How many /64 prefixes (subnets) will you need to deploy at a location?
  • Example: desktops, Wi-Fi, guest, sensors, CCTV, network infrastructure…
A Prefix Visual
[Figure]
Encoding Intelligence – Troubleshooting Ease
Encode information in particular portions of the IPv6 prefix
• VLANs in the prefix
  VLAN 4092 → 2001:db8:1234:4092::/64 (the hex digits spell the decimal VLAN number; alternatively encode it in hex ☺)
• IPv4 addresses in the interface identifier
  IPv4 address 10.0.13.1 → 2001:db8:1234:100:10:0:13:1 (one 16-bit group per octet)
• ISATAP is a thing of the past – "Let it Go!"
Kerckhoffs' Principle applies: the encoding is documentation, not a secret. Security must not depend on the address plan staying hidden.
Encoding Intelligence Example
2620:c15:c0:2180:949b:72c:127a:e814
[Figure labels: assigned /40 block, Site ID, VLAN ID (2180), Interface ID (949b:72c:127a:e814)]
Building the Key
Assigned a /48: 2001:db8:4646:xxxx:yyyy:zzzz:zzzz:zzzz
xxxx (subnet ID, one nibble each):
• 4 bits = Locations (Region, Country, States, Counties, Agencies, etc.)
• 4 bits = Function (Admin, Guest, Voice, etc.)
• 4 bits = Buildings or sub-levels within a location
• 4 bits = Floors or directional pointers
yyyy = VLAN ID
zzzz:zzzz:zzzz = 48 bits = Host ID

Example: 0110 0001 1000 0011 = 6183 → 2001:db8:4646:6183:100:1234:5678:90ab
Network Infrastructure
Router Interconnects (P2P Links)
• First recommendations: configure /64, /112 or /126
  • RFC 3627 (Sept. 2003, "/127 considered harmful") – moved to Historic by RFC 6547 (Feb. 2012)
  • Since April 2011, RFC 6164 recommends /127 on inter-router links
• Current recommendation: /64, /126 or /127 (/127 mitigates ND cache exhaustion attacks: with only
  two addresses on the link there are no unused addresses for an attacker to make the router resolve)
• Allocate a /64 from a block (e.g., a /54) for infrastructure links but configure /127
  • Example: 2001:420:1234:1:1::0/127 and 2001:420:1234:1:1::1/127
Consider using only Link-Local addressing inside (RFC 7404)
Infrastructure using Link-Local Addressing
[Figure: WAN/MAN with fe80::/64 on every inter-router link; ULA/GUA only at the edges and towards the Internet]
RFC 7404
Loopbacks
Carve out dedicated /64s for loopback addresses
• Allocate a /64 per loopback but configure a /128
  2001:420:1234:100:1::1/128
  2001:420:1234:101:1::1/128
Warning: avoid a potential overlap with reserved address space (e.g., the Embedded-RP address, RFC 3956)
Prefix Length Recommendations
• Anywhere a host exists: /64 (RFC 7421: /64 is here to stay)
• Point-to-point: /127 (RFC 6164: avoids ND cache exhaustion)
• Loopback or anycast: /128
[Figure: Hosts /64; Core /64 or /127; Point-to-point /127; Servers /64; Loopback /128; WAN]
A Benefit of Proper Prefix Allocation
Improved summarization → less memory on routers → longer life of the existing infrastructure
Prefix Length – The Real Deal
• External peering
  • /48 is the longest prefix generally accepted by external peers
  • Obtain more than a /48 for resilient peering
• Other options
  • Work with your ISP
  • Use tools like route servers and looking glasses to check how your prefixes are seen
Source: https://labs.ripe.net/Members/stephen_strowes/visibility-of-prefix-lengths-in-ipv4-and-ipv6 (2019)
The Gameplan
Tools for Managing the IPv6 Addressing Plan
• Not just a spreadsheet, please! Prone to error.
• There are many IP Address Management tools on the market
  • Cisco Prime Network Registrar
  • Other IPAM tools include Infoblox, BlueCat, BT Diamond
Friend, not Foe: IPv6 Calculators
[Figure: subnet calculators and allocation tools, e.g., the "Migrating to IPv6" book and Getioip.net]
Example – How Many Subnets in a Location?
Allocated: /48 per location → 2^4 = 16 /52s
• /52 Infrastructure → 2^2 = 4 /54s
  • /54 Interconnects: 2^10 = 1024 /64s, one /127 per P2P link
  • /54 Loopbacks: 1024 /64s, one /128 per loopback
  • /54 reserve
  • /54 reserve
• /52 Desktops: 2^12 = 4096 /64 subnets
• /52 Wireless: 2^12 = 4096 /64 subnets
• /52 etc.
Follow the logical flow:
• How many subnets in each location?
• What sits under infrastructure?
• How many point-to-point links?
• Where is the reserve?
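The carve-out above is the kind of thing the deck says should never live in a spreadsheet. As an added example (not code from the deck), the script below reproduces that hierarchy with Python's ipaddress module: /48 per location, 16 × /52, the infrastructure /52 split into 4 × /54, and the first /127 interconnect and /128 loopback taken from their blocks. The block names, the order in which the /52s are handed out and the "::1 in its own /64" loopback convention are illustrative assumptions; the prefix lengths are the slide's.

```python
import ipaddress

# Added example, not from the Cisco deck. Block names, /52 order and the ::1
# loopback convention are assumptions; prefix lengths follow the slide.


def carve(parent, prefixlen, names):
    """Assign the first len(names) children of size /prefixlen inside parent, in order.
    A repeated name (e.g. two reserves) gets a numeric suffix."""
    children = ipaddress.IPv6Network(str(parent)).subnets(new_prefix=prefixlen)
    assigned = {}
    for name in names:
        key, n = name, 2
        while key in assigned:
            key, n = f"{name}-{n}", n + 1
        assigned[key] = next(children)
    return assigned


def on_nibble_boundary(net):
    """True when the prefix length is a multiple of 4 (the deck's 'do not break the nibble')."""
    return ipaddress.IPv6Network(str(net)).prefixlen % 4 == 0


def plan_location(location48):
    """/48 -> 16 x /52; the infrastructure /52 -> 4 x /54; other /52s listed by role."""
    loc = ipaddress.IPv6Network(location48)
    if loc.prefixlen != 48:
        raise ValueError("the plan assumes a /48 per location")
    blocks = carve(loc, 52, ["infrastructure", "desktops", "wireless"])   # 13 /52s stay free
    infra = carve(blocks["infrastructure"], 54,
                  ["interconnects", "loopbacks", "reserve", "reserve"])
    return {
        "location": loc,
        "blocks": blocks,
        "infrastructure": infra,
        "counts": {"/52s per /48": 2 ** (52 - 48), "/54s per /52": 2 ** (54 - 52),
                   "/64s per /54": 2 ** (64 - 54), "/64s per /52": 2 ** (64 - 52)},
        # the /54 split is the one place this plan leaves the nibble boundary
        "nibble_aligned": {str(n): on_nibble_boundary(n)
                           for n in list(blocks.values()) + list(infra.values())},
    }


def _nth_64(block, n):
    block = ipaddress.IPv6Network(str(block))
    if not 0 <= n < 2 ** (64 - block.prefixlen):
        raise ValueError(f"{block} has no /64 number {n}")
    return ipaddress.IPv6Network((int(block.network_address) + (n << 64), 64))


def nth_p2p_link(interconnect_block, n):
    """n-th /64 of the interconnect block and the /127 actually configured on it (RFC 6164)."""
    net64 = _nth_64(interconnect_block, n)
    return net64, ipaddress.IPv6Network((int(net64.network_address), 127))


def nth_loopback(loopback_block, n):
    """n-th /64 of the loopback block and the ::1/128 host address taken from it."""
    net64 = _nth_64(loopback_block, n)
    return net64, ipaddress.IPv6Address(int(net64.network_address) + 1)


if __name__ == "__main__":
    plan = plan_location("2001:db8:4646::/48")
    for name, net in {**plan["blocks"], **plan["infrastructure"]}.items():
        print(f"{name:15} {net}  nibble-aligned={plan['nibble_aligned'][str(net)]}")
    print(nth_p2p_link(plan["infrastructure"]["interconnects"], 1))
    print(nth_loopback(plan["infrastructure"]["loopbacks"], 0))
```

Because every allocation is derived from the parent block in a fixed order, two people running the script get the same answer, which is the property a reserve-aware plan needs when a second site or a merger comes along.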
Example of an IPv6 Prefix Breakdown (ISP)
/29 from RIPE
• /30 Internal
  • /32 for Private Addressing
  • /32 for Internal Addressing (Internal Services)
    • /40 for Core Network (/64 for Loopbacks, configured as /128s)
    • /40 for Enterprise DC Internal
    • /40 for Enterprise Campus Internal
  • /32 for External Addressing (non-Subscribers) (External Services)
    • /40 for Core Network External
    • /40 for Enterprise DC External
    • /40 for Enterprise Infrastructure External
    • /40 for Enterprise Campus External
  • /32 as a reserve
• /30 for Subscribers → /36 per PoP → /40 per BNG → /56 per Subscriber
Where Do We Start?
• Core-to-Access: gain experience with IPv6
• Turn up your servers: enable the experience
• Access-to-Core: securing and monitoring
• Internet Edge: business continuity
[Figure: Internet Edge (two ISPs), Campus Core, WAN, Servers, Access, Branch Access]
The end hosts are ready!

Targeted Scope of Deployment
• Find your champions
• Learning potential

• Choose a segment
• Physical: Building, site, campus
• Applications: subdomains, non-essential apps

• Impact
• Business: Potential to enable new services
• Technical: Getting published

IPv6 Buzz Podcast
Wireless Networks: A good place to make it real
Planning for Success
• Define a timeline
• Create metrics and testing criteria
  • E.g., use less memory for IPv6 routing than for IPv4
• Develop best practices
• Have a lab environment
  • "Beta in production"
• Have a plan for legacy devices and applications
Build a plan
that frees
the network

DNS

IPv6 and DNS
• Add an IPv6 address to a host: create an AAAA record in the DNS zone
  • Only global or unique local addresses; do not use link-local addresses
• Uses PTR records in "ip6.arpa" for reverse mapping
• Clients receive DNS info from manual configuration, DHCPv6 or RA

• Hostname to IP address
  • IPv4: A record       www.example.com. A 192.168.30.1
  • IPv6: AAAA record    www.example.com. AAAA 2001:db8:c18:1::2 ("Quad A")
• IP address to hostname
  • IPv4: PTR record     1.30.168.192.in-addr.arpa. PTR www.example.com.
  • IPv6: PTR record     2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.example.com.
IPv6 and DNS (abc.test example)
• Hostname to IP address
  • IPv4: A record       www.abc.test. A 192.168.30.1
  • IPv6: AAAA record    www.abc.test. AAAA 2001:db8:c18:1::2
• IP address to hostname
  • IPv4: PTR record     1.30.168.192.in-addr.arpa. PTR www.abc.test.
  • IPv6: PTR record     2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.*
*http://rdns6.com/nibble
DNS Resource Records Over IP
• IPv6-only networks require DNS recursive servers reachable over IPv6
• Dual-stack networks can use either protocol as transport
• IPv6 results (AAAA) can be carried over IPv4 and vice-versa
IPv6 DNS Operation
• Successful DNS lookups over IPv6 require that each zone provides at least one authoritative name
  server with an IPv6 address
• Clients usually do DNS resolution via recursive servers
  • The recursive server requests your DNS info on behalf of the client
[Figure: the client asks the recursive server "Who is www.example.com?"; the recursive server queries
NS1.example.com over the Internet and receives A 198.51.100.10 and AAAA 2001:db8:4646:1::a]
Open IPv6 Recursive DNS Servers
• Cisco Umbrella (OpenDNS but also with policies)
• 2620:119:35::35 and 2620:119:53::53
• Cloudflare
• 2606:4700:4700::1111 and 2606:4700:4700::1001
• DNS64 2606:4700:4700::64 and 2606:4700:4700::6400
• Google
• 2001:4860:4860::8888 and 2001:4860:4860::8844
• DNS64 2001:4860:4860::6464 and 2001:4860:4860::64

Let’s DIG into it ;-)
evyncke $ dig +short @1.1.1.1 cisco.com aaaa
2001:420:1101:1::185
evyncke $ dig +short @2620:119:53::53 cisco.com aaaa
2001:420:1101:1::185
evyncke $ dig +short @2620:119:53::53 cisco.com a
72.163.4.185
evyncke $ dig +short ks4.vyncke.org a
94.23.9.178
evyncke $ dig +short ks4.vyncke.org aaaa
evyncke $ dig +short @2606:4700:4700::64 ks4.vyncke.org aaaa
64:ff9b::5e17:9b2

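The two DNS tables above and the dig session show three things worth automating: writing the AAAA/A record, writing the nibble-reversed PTR owner name, and recognising a DNS64-synthesized answer such as 64:ff9b::5e17:9b2 for 94.23.9.178. The following is an added example, not code from the deck: it generates both record types for a host, refuses link-local addresses (the slide's rule), and maps between an IPv4 address and its RFC 6052 well-known-prefix form. Hostnames and addresses are the slide's documentation values.

```python
import ipaddress

# Added example (not from the Cisco deck). Only the /96 well-known NAT64 prefix
# layout of RFC 6052 is handled; other prefix lengths are out of scope here.

WELL_KNOWN_NAT64 = ipaddress.IPv6Network("64:ff9b::/96")


def reverse_name(ip):
    """Reverse-DNS owner name: nibble-reversed under ip6.arpa, octet-reversed under in-addr.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        nibbles = addr.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def dns_records(hostname, ip):
    """Return (forward, reverse) zone lines for one host address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.is_link_local:
        raise ValueError(f"{addr} is link-local: only GUA or ULA belong in DNS")
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        raise ValueError(f"{addr} cannot be a host record")
    owner = hostname if hostname.endswith(".") else hostname + "."
    rrtype = "AAAA" if addr.version == 6 else "A"
    return f"{owner} {rrtype} {addr}", f"{reverse_name(addr)} PTR {owner}"


def dns64_synthesize(ipv4, prefix=WELL_KNOWN_NAT64):
    """RFC 6052 with a /96 prefix: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def dns64_extract(ipv6, prefix=WELL_KNOWN_NAT64):
    """Inverse of dns64_synthesize(): recover the IPv4 address from a synthesized AAAA."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not a NAT64-synthesized address under {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    for line in dns_records("www.example.com", "2001:db8:c18:1::2"):
        print(line)
    print(dns64_synthesize("94.23.9.178"), dns64_extract("64:ff9b::5e17:9b2"))
```

A recursive resolver with DNS64 hands out the synthesized address only when the name has no real AAAA, which is why the plain dig against ks4.vyncke.org returned nothing and the 2606:4700:4700::64 resolver returned 64:ff9b::5e17:9b2; dns64_extract() is the check a log pipeline behind a NAT64 needs to attribute that traffic to the original IPv4 destination.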
The Multiple Address Paradigm

Source & Destination Address Selection

Why?
• In legacy IPv4, most clients/servers have a single IPv4 address
• Nowadays they have:
  • One IPv6 link-local address
  • Several IPv6 addresses: stable, privacy extensions (preferred or deprecated)
  • Sometimes from multiple prefixes
  • Sometimes still IPv4
• Which <src, dst> pair to use without trying all of them?
  • Dst: selected by the application
  • Src: usually selected by the kernel, except for specific apps
RFC 6724 Source Address Selection for a Destination
• Find the most suitable source among a set of candidate addresses: global, link-local, host-local, IPv4, IPv6, ...
• How?
  • Compare the candidate addresses pairwise to find the better of the two
  • Select the one that is "better" than all the others
  • The comparison is done by 8 rules, applied from the first to the last until one breaks the tie
• Example for addresses A, B and C
  • Comparison: A < B, A > C, B > C
  • So B > A > C ➔ select address B
RFC 6724 Rules for Source Address Selection
Between the pair of candidate addresses A and B for destination D:
1. If A (resp. B) is D, then the preferred one is A (resp. B)
2. Prefer the appropriate scope: the smaller scope, unless it is smaller than the scope of D
3. Prefer a "preferred" address over a "deprecated" one
4. If Mobile IP is used, prefer the home address over the care-of address
5. Prefer the outgoing interface
6. Prefer a label matching D's (e.g., Teredo to Teredo, ULA to ULA)
7. Prefer a temporary/privacy address
8. Longest prefix match with D
• Bonus 5.5: with several routers, prefer a prefix advertised by the router that is the next hop to D
RFC 6724 Destination Address Selection
• getaddrinfo() => an ordered list of IP address(es)
  • For a specific source... so an m*n problem (caching is recommended)
• The first address is to be tried
  • But the 2nd, 3rd, ... can also be tried (in parallel, with a small delay, or in sequence after a time-out)
• Also a set of 10 rules: avoid unreachable addresses, matching scope, prefer a destination where
  the source is not deprecated, prefer the home address, ...
RFC 6724 Examples
• Destination: ff05::1
  • Candidate source addresses: 2001:db8:3::1 or fe80::1
  • Result: 2001:db8:3::1 (prefer appropriate scope)
• Destination: 2002:c633:6401::1
  • Candidate source addresses: 2002:c633:6401::d5e3:7953:13eb:22e8 (temporary) or 2001:db8:1::2
  • Result: 2002:c633:6401::d5e3:7953:13eb:22e8 (prefer matching label)
• Candidate source addresses: 2001:db8:1::2 or fe80::1 or 10.1.2.4
  • Destination address list: 2001:db8:1::1 or 10.1.2.3
  • Result: 2001:db8:1::1 (src 2001:db8:1::2) then 10.1.2.3 (src 10.1.2.4) (prefer higher precedence)
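The three RFC 6724 slides above are easier to reason about when the rules are executable. The following is an added example, not code from the deck and not any operating system's implementation: a small model of the pairwise source-address comparison (rules 1, 2, 3, 6, 7 and 8) driven by the default policy table of RFC 6724 section 2.1, plus the destination ordering used on the last slide. Rules that need interface state (4, 5 and 5.5) are assumed to tie, and the deprecated/temporary flags on each candidate are supplied by the caller; both are modelling assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the Cisco deck. Rules 4, 5 and 5.5 are assumed to tie.

POLICY_TABLE = [  # (prefix, precedence, label), the RFC 6724 section 2.1 defaults
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]
POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


@dataclass(frozen=True)
class Candidate:
    address: str
    deprecated: bool = False   # preferred lifetime expired (RFC 4862)
    temporary: bool = False    # privacy-extension address (RFC 4941)


def as_v6(ip):
    """RFC 6724 treats IPv4 addresses as IPv4-mapped IPv6 for the policy lookup."""
    a = ipaddress.ip_address(ip)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def policy(addr):
    """(precedence, label) of the longest matching policy-table entry."""
    _, prec, lab = max((e for e in POLICY if addr in e[0]), key=lambda e: e[0].prefixlen)
    return prec, lab


def scope(addr):
    """RFC 4007 scope: 2 link-local, 5 site-local, 14 global; multicast carries it in the address."""
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    v4 = addr.ipv4_mapped
    if v4 is not None:
        return 2 if (v4.is_link_local or v4.is_loopback) else 14
    if addr.is_loopback or addr.is_link_local:
        return 2
    return 5 if addr.is_site_local else 14


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def prefer(a, b, dst):
    """Pairwise comparison of candidates a and b for destination dst (RFC 6724 section 5)."""
    A, B, D = as_v6(a.address), as_v6(b.address), as_v6(dst)
    if A == D:                                   # rule 1: prefer same address
        return a
    if B == D:
        return b
    sa, sb, sd = scope(A), scope(B), scope(D)    # rule 2: prefer appropriate scope
    if sa < sb:
        return b if sa < sd else a
    if sb < sa:
        return a if sb < sd else b
    if a.deprecated != b.deprecated:             # rule 3: avoid deprecated addresses
        return b if a.deprecated else a
    # rules 4 (home address), 5 (outgoing interface), 5.5 (next-hop): assumed equal here
    la, lb, ld = policy(A)[1], policy(B)[1], policy(D)[1]
    if la == ld and lb != ld:                    # rule 6: prefer matching label
        return a
    if lb == ld and la != ld:
        return b
    if a.temporary != b.temporary:               # rule 7: prefer temporary addresses
        return a if a.temporary else b
    ca, cb = common_prefix_len(A, D), common_prefix_len(B, D)
    if ca != cb:                                 # rule 8: longest matching prefix
        return a if ca > cb else b
    return a                                     # tie: keep the earlier candidate


def select_source(candidates, dst):
    """Best source for dst among candidates of the same address family."""
    want_v4 = as_v6(dst).ipv4_mapped is not None
    eligible = [c for c in candidates if (as_v6(c.address).ipv4_mapped is not None) == want_v4]
    if not eligible:
        raise ValueError(f"no candidate source in the address family of {dst}")
    best = eligible[0]
    for c in eligible[1:]:
        best = prefer(best, c, dst)
    return best.address


def order_destinations(destinations, candidates):
    """Order getaddrinfo() results (RFC 6724 section 6); returns [(destination, source), ...]."""
    ranked = []
    for dst in destinations:
        try:
            src = select_source(candidates, dst)
        except ValueError:
            continue                             # rule 1: skip destinations we cannot reach
        D, S = as_v6(dst), as_v6(src)
        cand = next(c for c in candidates if c.address == src)
        key = (scope(D) == scope(S),             # rule 2: prefer matching scope
               not cand.deprecated,              # rule 3: avoid deprecated source
               policy(D)[1] == policy(S)[1],     # rule 5: prefer matching label
               policy(D)[0],                     # rule 6: prefer higher precedence
               -scope(D),                        # rule 8: prefer smaller scope
               common_prefix_len(D, S))          # rule 9: longest matching prefix
        ranked.append((key, dst, src))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return [(dst, src) for _, dst, src in ranked]
```

Running the slide's three examples through select_source() and order_destinations() gives the slide's answers, and flipping the deprecated or temporary flag on a candidate shows why a host with privacy extensions picks a different source than the one an ACL author expected.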
RFC 8305 Happy Eyeballs

IPv6 or IPv4?
Dual stack: always remember both protocols
[Figure: the user types "example.com" and presses Enter; the browser sends AAAA? and A? queries for
"example.com", connects to 2001:db8:88:200::10 and/or 192.0.43.10, then sends
GET / HTTP/1.1
Host: example.com]
Dual Stack: What if IPv6 is Broken or Slower to a Certain Website?
Unhappy users 

RFC 8305: Happy Eyeballs: Better Connectivity Using Concurrency

Happy Eyeballs Optimization
Actually more complex when having multiple DNS recursive servers and multiple IP addresses ;-)
Happy users ☺
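To make the "better connectivity using concurrency" claim concrete, here is an added example (not code from the deck) that simulates the RFC 8305 connection phase: addresses are interleaved by family with IPv6 first, a new attempt starts every 250 ms (the RFC's default Connection Attempt Delay) or immediately when an attempt fails, and the first successful connection wins while the others are cancelled. Name resolution is assumed to be finished, and the "connect" is a table of (delay, success) per address so the example runs offline; the addresses are the slide's documentation values.

```python
import asyncio
import time
from itertools import zip_longest

# Added example, not from the Cisco deck. Connecting is simulated by a table
# of (delay_seconds, succeeds) per address; the 250 ms attempt delay is the
# RFC 8305 recommended default.

CONNECTION_ATTEMPT_DELAY = 0.25


def interleave(aaaa, a):
    """RFC 8305 section 4: alternate address families, IPv6 first."""
    ordered = []
    for v6, v4 in zip_longest(aaaa, a):
        if v6 is not None:
            ordered.append(v6)
        if v4 is not None:
            ordered.append(v4)
    return ordered


async def fake_connect(addr, behaviour):
    """Stand-in for a TCP connect: behaviour maps addr -> (delay_seconds, succeeds)."""
    delay, ok = behaviour[addr]
    await asyncio.sleep(delay)
    if not ok:
        raise ConnectionRefusedError(addr)
    return addr


async def happy_eyeballs(addresses, behaviour, attempt_delay=CONNECTION_ATTEMPT_DELAY):
    """Stagger attempts by attempt_delay (sooner if one fails); first success wins."""
    pending, errors = set(), []

    def harvest(done):
        for task in done:
            if task.exception() is None:
                return task.result()
            errors.append(task.exception())      # a failed attempt releases the next one
        return None

    for addr in addresses:
        pending.add(asyncio.create_task(fake_connect(addr, behaviour)))
        done, pending = await asyncio.wait(pending, timeout=attempt_delay,
                                           return_when=asyncio.FIRST_COMPLETED)
        winner = harvest(done)
        if winner is not None:
            for task in pending:
                task.cancel()                    # losers are torn down, not left half-open
            return winner
    while pending:                               # every attempt is launched; wait for survivors
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        winner = harvest(done)
        if winner is not None:
            for task in pending:
                task.cancel()
            return winner
    raise ConnectionError(f"all attempts failed: {errors!r}")


def race(aaaa, a, behaviour, attempt_delay=CONNECTION_ATTEMPT_DELAY):
    """Synchronous wrapper: returns (winning address, elapsed seconds)."""
    start = time.monotonic()
    winner = asyncio.run(happy_eyeballs(interleave(aaaa, a), behaviour, attempt_delay))
    return winner, time.monotonic() - start


if __name__ == "__main__":
    v6, v4 = "2001:db8:88:200::10", "192.0.43.10"
    print(race([v6], [v4], {v6: (5.0, True), v4: (0.02, True)}))   # IPv6 black-holed: IPv4 wins ~0.27 s
    print(race([v6], [v4], {v6: (0.02, True), v4: (0.02, True)}))  # both fine: IPv6 wins, IPv4 never tried
```

The important security consequence is in the last two scenarios: when IPv6 is black-holed the user never notices, so a broken or filtered IPv6 path stays invisible in user complaints and only shows up in monitoring; and the address family a session ends up using can change from one connection to the next, which is the root of the session-cookie problem on the following slides.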
Session Cookie and IP Address Change
• User starts a transaction with IP address A
• Server allocates cookie C
• Server stores address A and checks it for all HTTP requests carrying cookie C
• The CRUX:
  • Happy Eyeballs (RFC 8305) switches address family and uses address B
  • A CGN changes the IPv4 address to B (non-RFC 6888 compliant behaviour)
  • A new temporary IPv6 address B' is used
• The next requests from the user still carry cookie C but come from address B
• The server checks the address, A != B, and refuses the request
Session Cookies Changing Address
[Sequence diagram:
John Doe (IPv6 address A) → Server: "Log 'John Doe' in, here are my credentials"
Server → John Doe: "Credentials valid, logged in, here is a new cookie"
  Cookie C is for: John Doe, address A, authorized, shopping cart
John Doe (now IPv4 address B) → Server: "I want to add item FOO to my cart, here is my cookie"
Server → John Doe: "You are not authorized"]
Preventing Session Cookie Stealing
• Working with OWASP to fix: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• Checking the IPv4 address is kind of useless in a CGN world anyway
• Prevent cookie stealing on the path
  • Encrypt the transport with TLS (HTTP/2 in browsers is TLS-only)
• Prevent cookie stealing by a hostile script
  • Add "Secure; HttpOnly" to Set-Cookie
Address Translation for IPv6 Networks

RFC 6296: NPTv6 1:1 Translation
• RFC 6296 – Network Prefix Translation
  • Swaps the leftmost bits of the address
  • Equal-length prefixes
  • Some math on the IID keeps the TCP/UDP checksum unchanged
• Typical use case: Small-to-Medium Enterprise
  • Unique Local Addressing (ULA) inside (no PI addresses), e.g., fd07:18:4c::/48
  • Provider-allocated addressing outside, e.g., 2001:db8:46::/48 towards the Internet

interface GigabitEthernet0/0/0
 nat66 inside
interface GigabitEthernet0/0/1
 nat66 outside
!
nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48
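"Some math on the IID" is the part of NPTv6 that makes it stateless and transparent to TCP/UDP. The following is an added example, not code from the deck and not Cisco's implementation: it applies the RFC 6296 checksum-neutral mapping to the slide's prefix pair fd07:18:4c::/48 (inside) and 2001:db8:46::/48 (outside). The word that absorbs the adjustment is bits 48-63 for prefixes of /48 or shorter and the first interface-identifier word that is not 0xFFFF for longer prefixes, following RFC 6296 sections 3.4 and 3.5; a result of 0xFFFF is normalised to 0x0000 because both are zero in one's complement arithmetic.

```python
import ipaddress

# Added example (not from the Cisco deck, not a vendor implementation) of the
# RFC 6296 prefix mapping. Adjustment word: bits 48-63 for /48 or shorter,
# otherwise the first IID word that is not 0xFFFF (sections 3.4 and 3.5).


def _words(addr):
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _ones_complement_sum(words):
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _ones_complement_add(a, b):
    total = a + b
    return (total & 0xFFFF) + (total >> 16)


def _normalise(s):
    return 0 if s == 0xFFFF else s            # 0xFFFF and 0x0000 are both zero


class NPTv6:
    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("NPTv6 needs equal-length prefixes")
        self.prefixlen = self.inside.prefixlen

    def _map(self, addr, src_net, dst_net):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        before = _words(a)
        # 1. swap the prefix bits, keep the host bits
        host_mask = (1 << (128 - self.prefixlen)) - 1
        after = _words(ipaddress.IPv6Address(int(dst_net.network_address) | (int(a) & host_mask)))
        # 2. adjustment = old sum - new sum (one's complement), so the 16-bit sum is unchanged
        adjustment = _ones_complement_add(_ones_complement_sum(before),
                                          (~_ones_complement_sum(after)) & 0xFFFF)
        # 3. choose the word that absorbs it
        if self.prefixlen <= 48:
            idx = 3
        else:
            idx = next((i for i in range(4, 8) if after[i] != 0xFFFF), None)
            if idx is None:
                raise ValueError("no IID word can absorb the adjustment; RFC 6296 says drop the packet")
        after[idx] = _normalise(_ones_complement_add(after[idx], adjustment))
        return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in after))

    def outbound(self, addr):
        """Inside -> outside (packets leaving towards the Internet)."""
        return self._map(addr, self.inside, self.outside)

    def inbound(self, addr):
        """Outside -> inside (replies coming back)."""
        return self._map(addr, self.outside, self.inside)


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same one's complement sum to a pseudo-header."""
    return _normalise(_ones_complement_sum(_words(addr_a))) == _normalise(_ones_complement_sum(_words(addr_b)))


if __name__ == "__main__":
    t = NPTv6("fd07:18:4c::/48", "2001:db8:46::/48")      # the slide's nat66 prefix pair
    out = t.outbound("fd07:18:4c:1::10")
    print(out, t.inbound(str(out)), checksum_neutral("fd07:18:4c:1::10", str(out)))
```

Note what the translator does to the address plan: the subnet field of fd07:18:4c:1::10 comes out as cf6d on the outside, so any information encoded in the subnet ID (the VLAN or site nibbles from the addressing slides) is not visible to the Internet side, and external ACLs or logs have to be written against the translated form.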
NAT66 N:1
IPv6-to-IPv6 stateful translation
FW(config)# object network inside_v6
FW(config-network-object)# subnet 2001:db8:122:2091::/96
FW(config-network-object)# nat (inside,outside) dynamic interface ipv6

The configuration above allows for N:1 translation using PAT

Sourcefire (Firepower Threat Defense):
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-nat.html#concept_5FBE69B32F8E4A499276904DF6A2BB21
ASA:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-reference.html#concept_5FBE69B32F8E4A499276904DF6A2BB21
Routing Protocols

Address Types
• Link-Local addresses (LLA) are only significant on the local link (FE80::/10)
• Global Unicast addresses (GUA) are globally routable on the Internet (2000::/3)
• Unique Local addresses (ULA) are sometimes wrongly compared to IPv4 RFC 1918 addresses (FC00::/7)
• Anycast addresses (same ranges as unicast addresses)
• Multicast addresses (FF00::/8)
Available routing protocols
Static, RIPng, EIGRP, OSPFv3, IS-IS, BGP, PIMv6
Static Routes
Static route configuration examples
• ipv6 route ::/0 2001:db8:12ff:12::1
• ipv6 route ::/0 GigabitEthernet 0/1 FE80::1
• ipv6 route ::/0 GigabitEthernet 0/1
  (not allowed on a broadcast interface due to the lack of proxy ND support)

ipv6 unicast-routing
! recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1
! fully qualified
ipv6 route 2001:46::/32 ethernet0/0 fe80::9
! default
ipv6 route ::/0 ethernet0/2 fe80::2
Static Routes on Cloud-Managed Platforms
[Screenshot: Cisco Meraki MX static route configuration]
BGP
• Multiprotocol BGP (MP-BGP) can carry many address families (AFs)
• IPv6 support was introduced as part of MP-BGP
• Peering using GUA or LLA?
• Using the same BGP transport for both IPv4 and IPv6?
BGP Session over Link-Local Addresses
• Peering using GUA or LLA?
• Using the same BGP transport for both IPv4 and IPv6?

Router 1 (AS 1):
interface GigabitEthernet0/0
 ipv6 address FE80::1 link-local
!
router bgp 1
 neighbor FE80::2%GigabitEthernet0/0 remote-as 2
 !
 address-family ipv6
  neighbor FE80::2%GigabitEthernet0/0 activate
 exit-address-family

Router 2 (AS 2):
interface GigabitEthernet0/0
 ipv6 address FE80::2 link-local
!
router bgp 2
 neighbor FE80::1%GigabitEthernet0/0 remote-as 1
 !
 address-family ipv6
  neighbor FE80::1%GigabitEthernet0/0 activate
 exit-address-family
BGP v4 and v6 over v4 (not recommended)
Both address families ride one IPv4 TCP session, so the IPv6 next hop arrives as an IPv4-mapped
address (::ffff:192.168.12.x); the inbound route-map rewrites it to a real IPv6 next hop.

Router 1 (AS 1):
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ipv6 address 2001:db8:12ff:12::1/64
!
router bgp 1
 neighbor 192.168.12.2 remote-as 2
 !
 address-family ipv4 unicast
  neighbor 192.168.12.2 activate
 exit-address-family
 address-family ipv6 unicast
  neighbor 192.168.12.2 activate
  neighbor 192.168.12.2 route-map setNH in
 exit-address-family
!
route-map setNH permit 10
 set ipv6 next-hop 2001:db8:12ff:12::2

Router 2 (AS 2):
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ipv6 address 2001:db8:12ff:12::2/64
!
router bgp 2
 neighbor 192.168.12.1 remote-as 1
 !
 address-family ipv4 unicast
  neighbor 192.168.12.1 activate
 exit-address-family
 address-family ipv6 unicast
  neighbor 192.168.12.1 activate
  neighbor 192.168.12.1 route-map setNH in
 exit-address-family
!
route-map setNH permit 10
 set ipv6 next-hop 2001:db8:12ff:12::1
BGP v4 over v4 and BGP v6 over v6 (recommended)

Router 1 (AS 1):
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ipv6 address 2001:db8:12ff:12::1/64
!
router bgp 1
 neighbor 2001:db8:12ff:12::2 remote-as 2
 neighbor 192.168.12.2 remote-as 2
 !
 address-family ipv4 unicast
  neighbor 192.168.12.2 activate
 exit-address-family
 address-family ipv6 unicast
  neighbor 2001:db8:12ff:12::2 activate
 exit-address-family
!

Router 2 (AS 2):
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ipv6 address 2001:db8:12ff:12::2/64
!
router bgp 2
 neighbor 2001:db8:12ff:12::1 remote-as 1
 neighbor 192.168.12.1 remote-as 1
 !
 address-family ipv4 unicast
  neighbor 192.168.12.1 activate
 exit-address-family
 address-family ipv6 unicast
  neighbor 2001:db8:12ff:12::1 activate
 exit-address-family
!
BGP on Cloud-Managed Platforms
[Screenshot: Cisco Meraki MX in concentrator mode (MX18), Security & SD-WAN > Routing]
BGP Security at the "Edge"
• Use edge filter policies
  • Prefix lists
  • Bogon filters (Team Cymru)
• Monitoring and alerting highly recommended
  • NOTE: Cisco BGPMon is now part of Cisco Crosswork Cloud
OSPFv3
• OSPFv2 only supports IPv4
• OSPFv3 supports both IPv4 and IPv6 address families (the IPv4 address family is not supported on IOS XR)
• OSPFv3 uses link-local addresses (LLA) to form adjacencies and exchange routing information
• Uses multicast FF02::5 and FF02::6 (224.0.0.5 and 224.0.0.6 for OSPFv2)
• A whole network can be built using only LLAs on inter-router links; GUAs would only be needed
  on loopback interfaces (RFC 7404)
OSPFv3 configuration example
Reconstructed to match the "show ospfv3 neighbor" output on the following slides (process 109,
router-id 192.168.100.2, area 0 on GigabitEthernet0/0, IPv4 and IPv6 address families). The
Loopback0 addresses and the 192.168.24.2 interface address are assumed; the interface carries only
a link-local IPv6 address, as RFC 7404 suggests.

ipv6 unicast-routing
!
interface Loopback0
 ip address 192.168.100.2 255.255.255.255
 ipv6 address 2001:db8:12ff::2/128
 ospfv3 109 ipv4 area 0
 ospfv3 109 ipv6 area 0
!
interface GigabitEthernet0/0
 ip address 192.168.24.2 255.255.255.0
 ipv6 enable
 ospfv3 109 ipv4 area 0
 ospfv3 109 ipv6 area 0
!
router ospfv3 109
 router-id 192.168.100.2
 !
 address-family ipv4 unicast
 exit-address-family
 address-family ipv6 unicast
 exit-address-family
OSPFv3 neighborship
R2#sh ospfv3 neighbor

          OSPFv3 109 address-family ipv4 (router-id 192.168.100.2)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
192.168.100.4     0   FULL/  -        00:00:36    2               GigabitEthernet0/0

          OSPFv3 109 address-family ipv6 (router-id 192.168.100.2)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
192.168.100.4     0   FULL/  -        00:00:38    2               GigabitEthernet0/0

R2#sh ipv6 ro 2001:db8:12ff::4/128
Routing entry for 2001:DB8:12FF::4/128
  Known via "ospfv3 109", distance 110, metric 1, type intra area
  Route count is 1/1, share count 0
  Routing paths:
    FE80::4, GigabitEthernet0/0
      From FE80::4
      Last updated 00:00:24 ago
OSPFv3 neighborship
R2#sh ospfv3 nei det

          OSPFv3 109 address-family ipv4 (router-id 192.168.100.2)

 Neighbor 192.168.100.4, interface address 192.168.24.4
    In the area 0 via interface GigabitEthernet0/0
    Neighbor: interface-id 2, link-local address FE80::4
    Neighbor priority is 0, State is FULL, 12 state changes
    Options is 0x000112 in Hello (E-Bit, R-Bit, AF-Bit)
    Options is 0x000112 in DBD (E-Bit, R-Bit, AF-Bit)
    Dead timer due in 00:00:39
    Neighbor is up for 00:12:40
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
OSPFv3 on Cloud-Managed Platforms
• Cisco Meraki MX (firmware MX18), concentrator mode
• Configured under Security & SD-WAN > Routing
IS-IS
• IS-IS has native IPv6 support
• One of the first routing protocols to integrate IPv6
• IS-IS operates directly over Layer 2 and does not use IP to form adjacencies
• Single topology or multi topology?
IS-IS single vs multi topology
• Multi topology is required if some links are IPv4-only or IPv6-only
• Single topology is the default in IOS and IOS-XE
• Multi topology is the default in IOS-XR
• The topology mode must be adjusted on one side for interoperability
IS-IS configuration example
interface Loopback0
 ip address 192.168.100.5 255.255.255.255
 ip router isis test
 ipv6 address 2001:DB8:12FF::5/128
 ipv6 router isis test
!
interface GigabitEthernet0/0
 ip address 192.168.35.5 255.255.255.0
 ip router isis test
 ipv6 address 2001:db8:12ff:35::5/64
 ipv6 router isis test
 isis network point-to-point
!
router isis test
 net 49.0001.1921.6810.0005.00
 is-type level-2-only

• IS-IS has native IPv6 support
• One of the first routing protocols to integrate IPv6
• Uses ISO addresses to form adjacencies
• Single topology or multi topology
EIGRPv6
• Enterprise networks can use EIGRPv6 if they are already familiar with EIGRP
• Uses link-local addresses to form adjacencies and exchange routing information
• Uses multicast address FF02::A (224.0.0.10 for EIGRP)
EIGRPv6 configuration example
interface Loopback0
 ipv6 address 2001:DB8:12FF::1/128
 ipv6 eigrp 109
!
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:12FF:15::1/64
 ipv6 eigrp 109
!
ipv6 router eigrp 109

R1#sh ipv6 eigrp nei
EIGRP-IPv6 Neighbors for AS(109)
H   Address                 Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                        (sec)           (ms)        Cnt  Num
0   Link-local address:     Gi0/0       12    00:02:37  4     100   0    4
    FE80::5054:FF:FE00:1F3
R1#
RIPng
• Enterprise or academic networks can use RIPng if they are already familiar with RIP
• Uses multicast address FF02::9 (224.0.0.9 for RIP)
RIPng
interface Loopback0
 ipv6 address 2001:DB8:12FF::3/128
 ipv6 rip test enable
!
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:12FF:35::3/64
 ipv6 rip test enable
!
ipv6 router rip test

R5#sh ipv6 rip data
RIP process "test", local RIB
 2001:DB8:12FF::3/128, metric 2, installed
     GigabitEthernet0/0/FE80::3, expires in 152 secs
 2001:DB8:12FF:35::/64, metric 2
     GigabitEthernet0/0/FE80::3, expires in 152 secs
PIMv6
• PIMv6 is the standard multicast routing protocol for IPv6
• No support for MSDP
• Anycast RP is still possible, using PIMv6 itself instead of MSDP to propagate Source Active (SA) information between the RPs (RFC 4610)
• No support for dense mode
• The new IPv6 concept of an embedded RP address can optionally be used
• Embedded RP consists of inserting the RP address in the multicast group address itself. This removes the need to configure the RP address statically or dynamically on all routers.
Multicast Listener Discovery (MLD)
• MLD is the IGMP counterpart for IPv6 (RFC 3810)
• MLD version 2 is required for Source Specific Multicast (SSM)
• Version 2 allows the host to request a multicast group from a specific source
Multicast Embedded RP addresses
• Long IPv6 addresses allow the RP address to be inserted in the multicast group address
• It removes the need to configure the RP address on multicast routers, as these routers get that information directly from PIMv6, MLD or the data plane
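As an added example (not from the deck or from any Cisco code), the RFC 3956 address layout that makes embedded RP work, decoded and encoded in Python; the group address ff7e:140:2001:db8:abcd:1::1234 and the RP 2001:db8:abcd:1::1 are constructed sample values.

```python
"""RFC 3956 embedded-RP group addresses: added example, not the deck's code.

Layout of an embedded-RP group address (RFC 3956):
  ff | flags 0RPT (=0x7) | scope | reserved | RIID | plen | 64-bit prefix | 32-bit group ID
The RP address is the first plen bits of the prefix field, then zeros, then RIID
as the interface ID. The sample addresses used below are constructed.
"""
import ipaddress


def rp_from_group(group):
    """Return (RP address, scope) embedded in a group address, or raise ValueError."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = b[1] >> 4, b[1] & 0xF
    if flags & 0x7 != 0x7:
        # R (embedded RP), P (unicast-prefix-based) and T (transient) must all be set
        raise ValueError("R, P and T flags must all be set for embedded RP")
    reserved, riid = b[2] >> 4, b[2] & 0xF
    plen = b[3]
    if reserved != 0 or riid == 0 or plen == 0 or plen > 64:
        raise ValueError("malformed embedded-RP address")
    # keep only the first plen bits of the 64-bit prefix field, zero the rest
    prefix = int.from_bytes(b[4:12], "big") & (((1 << plen) - 1) << (64 - plen))
    rp = (prefix << 64) | riid          # RP = prefix :: RIID
    return ipaddress.IPv6Address(rp), scope


def is_embedded_rp_group(group):
    """True when the group address carries a well-formed embedded RP."""
    try:
        rp_from_group(group)
        return True
    except ValueError:
        return False


def group_with_embedded_rp(rp, scope, group_id):
    """Build a group address for an RP whose interface ID is a single nibble 1..15."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF
    if riid == 0 or (rp_int & ((1 << 64) - 1)) != riid:
        raise ValueError("RP interface ID must be a single nibble 1..15")
    if not 0 <= scope <= 0xF:
        raise ValueError("scope is a 4-bit value")
    prefix = rp_int >> 64
    word0 = (0xFF << 8) | (0x7 << 4) | scope   # ff, flags 0RPT, scope
    word1 = (riid << 8) | 64                    # reserved=0, RIID, plen=64
    value = (word0 << 112) | (word1 << 96) | (prefix << 32) | (group_id & 0xFFFFFFFF)
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    print(rp_from_group("ff7e:140:2001:db8:abcd:1::1234"))
    print(group_with_embedded_rp("2001:db8:abcd:1::1", 0xE, 0x1234))
```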
Bonus: SD-WAN Platforms & Routing
Routing Protocol with IPv6 on SD-WAN Platforms

                    Viptela                              Meraki MX
Firmware            20.10/17.10                          MX18
Routing protocols   BGP, OSPFv3, RIPng, OMP,             BGP, OSPFv3, Static
                    Static with SLA
Visit Capture The Flag (CTF)
SD-WAN IPv6 Mission with Meraki MX and Viptela: Abandoning the Legacy Protocol
FAQs about IPv6 deployment
Routing Protocol Selection
• Which routing protocol should I use?
• One routing protocol for each of IPv4 and IPv6, or one for both?
• Could be the same or different for both
How to assign an IPv6 address on a router interface
• Just like hosts, routers can use static configuration, SLAAC or DHCPv6 to configure an IPv6 address on an interface
• Static configuration is generally used in corporate and ISP networks
• Stateless Address Auto Configuration (SLAAC) and DHCPv6 are used on residential gateways
• DHCPv6 prefix delegation is used on residential gateways to receive an IPv6 address block and to assign prefixes from that block to local interfaces
What IPv6 subnet length to use on Core interfaces?
• RFC 6164 recommends using a /127 for router-to-router links
• The RFC mentions two main issues when a /127 is not used: ping-pong (even if RFC 4443 prevents it) and neighbor cache exhaustion
• The ping-pong issue happens when IP packets are sent to an address that does not belong to either of the two routers and the prefix length is shorter than 127. This causes the two routers to send the packets back and forth in a loop until the hop limit expires. This issue can only affect interfaces not using the neighbor discovery mechanism (serial, SONET, etc.)
• The neighbor cache exhaustion issue happens when packets sent to all possible addresses of the subnet assigned to a router-to-router link cause resource depletion. This issue can affect interfaces using the neighbor discovery mechanism (Ethernet)
Should I use ULA in my internal network?
• Although it is not really an RFC 1918 equivalent, some people consider deploying Unique Local Addresses in their internal network, as they currently do for IPv4
• IPv4 is preferred over ULA according to RFC 6724
• Using ULA is not a good practice and is not recommended
• Refer to the following articles if you would like to know more about why you shouldn’t deploy ULA in your network:
  https://blogs.infoblox.com/ipv6-coe/3-ways-to-ruin-your-future-network-with-ipv6-unique-local/
  https://blogs.infoblox.com/ipv6-coe/3-ways-to-ruin-your-future-network-with-ipv6-unique-local-addresses-part-2-of-2/
Internet Routing Table
• The IPv6 Internet routing table is currently at ~172k routes vs ~942k routes for IPv4. Source: CIDR Report 09/01/2023
  https://www.cidr-report.org/as2.0/
  https://www.cidr-report.org/v6/as2.0/
• IPv6 is better summarized because of a few large blocks assigned to ISPs and corporations. The IPv4 Internet routing table is a lot more fragmented, as corporations/ISPs receive several small blocks due to IPv4 address scarcity/depletion
Multi-Prefix/Link
Multi Homing
• Challenges arise
  • Upstream address filters
  • Asymmetric routing
  • Default GW & NH selection
• Provider Allocated
  • Primary provider & ASP stream
  • SOHO tunnelling, VPN
• Medium to Large Enterprise
  • Provider Independent
  • BGP
(Diagram: site connected to ISP-A and ASP-B)
Network Prefix Translation IPv6
• RFC 6296 - NPTv6
• Unique Local Addressing (ULA) inside
• Provider allocated addressing outside
• Swaps the left-most bits of the address
• Equal length prefixes
• Small-to-Medium Enterprise
(Diagram: translator attached to the internal network fd07:18:4c::/48 on one side and to the Internet with 2001:db8:46::/48 on the other)
interface GigabitEthernet0/0/0
 nat66 inside
interface GigabitEthernet0/0/1
 nat66 outside
!
nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48
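The mapping that the nat66 prefix line above asks the router to perform, as an added Python example (not from the deck, not IOS code): the RFC 6296 checksum-neutral translation for the /48 case, using the slide's inside prefix fd07:18:4c::/48 and outside prefix 2001:db8:46::/48; the host address fd07:18:4c:1::10 is a constructed sample, and only the /48-to-/48 case is implemented.

```python
"""RFC 6296 NPTv6 for two /48 prefixes: added example, not the deck's or IOS code.

Assumptions: only the /48 <-> /48 case is implemented, and the sample host
fd07:18:4c:1::10 is constructed. The prefixes are the ones from the slide's
'nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48'.
"""
import ipaddress

MASK16 = 0xFFFF


def ones_complement_sum(words):
    """Fold 16-bit words with end-around carry (IP checksum arithmetic).

    0xFFFF is 'negative zero' in one's complement; it is folded to 0 so that
    equal contributions compare equal.
    """
    total = 0
    for w in words:
        total += w
        total = (total & MASK16) + (total >> 16)
    return 0 if total == MASK16 else total


def ones_complement_add(a, b):
    return ones_complement_sum([a, b])


def address_words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class Nptv6:
    """Stateless, checksum-neutral prefix translator between two /48 prefixes."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example handles the /48 case only")
        in_sum = ones_complement_sum(address_words(self.inside.network_address)[:3])
        out_sum = ones_complement_sum(address_words(self.outside.network_address)[:3])
        # Swapping the three prefix words changes the pseudo-header sum by
        # (out_sum - in_sum). Adding (in_sum - out_sum) to the subnet word
        # (bits 48..63) cancels that, so TCP/UDP checksums need no rewrite.
        self.adjust = ones_complement_add(in_sum, (~out_sum) & MASK16)

    def _translate(self, addr, src_net, dst_net, adjust):
        ip = ipaddress.IPv6Address(addr)
        if ip not in src_net:
            raise ValueError(f"{ip} is not within {src_net}")
        words = address_words(ip)
        if words[3] == MASK16:
            # 0xFFFF equals 0x0000 in one's complement, so subnet 0xffff would
            # collide with subnet 0 after translation; such subnets are unusable.
            raise ValueError("subnet ID 0xffff cannot be translated")
        words[:3] = address_words(dst_net.network_address)[:3]
        words[3] = ones_complement_add(words[3], adjust)
        return str(words_to_address(words))

    def outbound(self, addr):
        """Inside (ULA) address -> outside (provider) address."""
        return self._translate(addr, self.inside, self.outside, self.adjust)

    def inbound(self, addr):
        """Outside address -> inside address, applying the negated adjustment."""
        return self._translate(addr, self.outside, self.inside, (~self.adjust) & MASK16)


def is_checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    return ones_complement_sum(address_words(addr_a)) == ones_complement_sum(address_words(addr_b))


if __name__ == "__main__":
    npt = Nptv6("fd07:18:4c::/48", "2001:db8:46::/48")
    out = npt.outbound("fd07:18:4c:1::10")
    print(out, npt.inbound(out), is_checksum_neutral("fd07:18:4c:1::10", out))
```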
Multihomed, Multiprefix (BGP)
• Solve for ingress & egress separately
• Peer over IPv6 for IPv6 prefixes
• Control the hop limit, accepting ~254 only
• MD5 shared secrets; IPsec possible
• Prefix size filtering, /32 - /48
(Diagram: enterprise edge router peering with ISP A and ISP B towards the Internet)
router bgp 200
 bgp router-id 4.6.4.6
 no bgp default ipv4-unicast
 neighbor 2001:db8:460:102::2 remote-as 2014
 neighbor 2001:db8:460:102::2 ttl-security hops 1
 neighbor 2001:db8:460:102::2 password cisco4646
Solving Ingress
• Equal load distribution
  • Advertise more specific /45 & /44
• Non-equal load distribution
  • Use AS path prepend, if accepted
(Diagram: enterprise domain 2001:db8:460::/44 connected to ISP A, AS 64499, 2001:db8:a1::/32 and to ISP B, AS 64497, 2001:db8:b1::/32)
ipv6 prefix-list ISPAout seq 5 permit 2001:db8:460::/44
ipv6 prefix-list ISPAout seq 10 permit 2001:db8:460::/45
!
ipv6 prefix-list ISPBout seq 5 permit 2001:db8:460::/44
ipv6 prefix-list ISPBout seq 10 permit 2001:db8:468::/45
!
neighbor 2001:db8::b1 route-map ISPBout out
!
route-map ISPBout permit 10
 set as-path prepend 64498 64498 64498 64498
Solving Egress
• Accept the full table from provider A
  • Filter everything except the aggregate 2001::/18
• Accept the full table from provider B
  • Use local-preference for ::/0
(Diagram: enterprise domain 2001:db8:460::/44 connected to ISP A, AS 64499, 2001:db8:a1::/32 and to ISP B, AS 64497, 2001:db8:b1::/32)
ipv6 prefix-list ISPAin seq 5 permit ::/0
ipv6 prefix-list ISPAin seq 10 permit 2001:0000::/18 le 32
!
ipv6 prefix-list ISPBin seq 5 permit ::/0
!
neighbor 2001:db8::b1 prefix-list ISPBin in
neighbor 2001:db8::b1 route-map LOCAL in
!
route-map LOCAL permit 10
 set local-preference 200
IPv6 BGP Table Aggregate
• Accept more specifics from provider A
  • Via the default (::/0)
  • Use the aggregate 2001:0000::/18
  • Filter the rest
• Accept ::/0 from provider B
  • Tweak the local preference
Aggregate blocks (source: IANA): 2001:4000::/20, 2001:8000::/22, 2002:0000::/15, 2001:5000::/20, 2400:0000::/6, 2800:0000::/5
Layer 2 Adjacent Firewall
• Firewalls are redundant and share state
• Common VLAN (VLAN 46) between the firewalls & routers
• Hot Standby Router Protocol (HSRP)
• Default routes on the firewall point to the HSRP groups (HSRP 1 and HSRP 2)
(Diagram: ISP A and ISP B edge routers and the firewall pair sharing VLAN 46)
! Send first aggregate block to HSRP Group 1
ipv6 route outside 2001:0000::/18 2001:db8:46::1
! Send second aggregate block to HSRP Group 2
ipv6 route outside 2001:4000::/20 2001:db8:46::2
ipv6 route outside 2001:8000::/22 2001:db8:46::2
ipv6 route outside 2002:0000::/15 2001:db8:46::2
ipv6 route outside 2001:5000::/20 2001:db8:46::2
ipv6 route outside 2400:0000::/6 2001:db8:46::2
ipv6 route outside 2800:0000::/5 2001:db8:46::2
Layer 3 Adjacent Firewall
• IGP between edge routers & Layer 3 switch
  • EIGRP, OSPF, iBGP, IS-IS
• Edge routers redistribute ::/0 (or prefixes) into the IGP
• Layer 3 switch has a static route for the PI address block (2001:db8:46::/44)
  • Set to the next-hop of the firewall
• Firewall has a default route (::/0)
  • Pointed at the Layer 3 switch
(Diagram: ISP A and ISP B edge routers, Layer 3 switch and firewall)
ipv6 route outside ::/0 2001:db8:37::1
Multihomed, Multisite
• Internet connectivity is split across two data centers
• Each firewall is active; state is not shared
• Advertising the /44 out of both could cause asymmetry
• NAT solves this problem for the legacy protocol
• More specific routes plus the aggregate are needed for IPv6
• IPv6 will require an iBGP peer link at the Internet edge
  • Protects against failure
  • Provides better outbound load distribution
• Alternatives exist, though not recommended
  • GRE through the DCI link
  • Layer 3 VPN service over ISP
(Diagram: ISP A and ISP B, upstream AS 64498; data center AS 65535 with subnets X,Y,Z and data center AS 65534 with subnets A,B,C, interconnected by EIGRP 46)
Multisite Egress Traffic Engineering
• Create an eBGP multihop link to the core routers
• Advertise the default route over this link to the core routers
• Redistribute the default route into the IGP
• Increase the metric for the default route
(Diagram: ::/0 learned from ISP A and ISP B, AS 64498, by AS 65535 and AS 65534 and redistributed into EIGRP 46 with a higher metric)
router bgp 65535
 neighbor 2001:db8:460:66::2 remote-as 64498
 neighbor 2001:db8:460:66::2 ebgp-multihop 255
!
router eigrp 46
 redistribute bgp 65535 metric * * * * * route-map BGP-to-EIGRP
!
ipv6 prefix-list DEFAULT seq 5 permit ::/0
!
route-map BGP-to-EIGRP permit 10
 match ipv6 address prefix-list DEFAULT
Multisite Ingress Traffic Engineering
• Redistribute subnets from the IGP into BGP
• Use a route map with a set command
• Internet edge routers install prefixes
  • bgp always-compare-med
(Diagram: AS 65535 advertises subnets X,Y,Z with a low MED and AS 65534 advertises subnets A,B,C with a low MED to ISP A and ISP B, AS 64498; both sites share EIGRP 46)
router bgp 65535
 neighbor 2001:db8:460:66::2 remote-as 64498
 neighbor 2001:db8:460:66::2 ebgp-multihop 255
 redistribute eigrp 46 route-map MED
!
route-map MED permit 10
 match ipv6 address prefix-list SUBS
 set metric 200
!
ipv6 prefix-list SUBS seq 10 permit 2001:db8:460::/45
Bonus: SD-WAN Platforms & Multi-Link/Prefix
The Client

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether 3c:06:30:20:e7:07
    inet6 fe80::1458:f6f3:2092:a718%en0 prefixlen 64 secured scopeid 0xc
    inet6 2600:1820:d7e0:7a6f:95:76434:abc7:f630 prefixlen 64 autoconf secured
    inet6 2600:1820:d7e0:7a6f:c66e:a7b1:7765:35fd prefixlen 64 autoconf temporary
    inet6 2601:2f33:387f:3cd:85d:d874e:f7746:712d prefixlen 64 autoconf secured
    inet6 2601:2f33:387f:3cd:9999:cf6b:d4:d642 prefixlen 64 autoconf temporary
    nat64 prefix 64:ff9b:: prefixlen 96
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
The SD-WAN Network
(Diagram: client behind an SD-WAN edge with two uplinks, ISP1 and ISP2; no signaling exists to the client)
NAT66 on Cisco Meraki MX (see BRKMER-1752)
• Automatically configured!
• Shown under Security & SD-WAN > Appliance status
(Diagram: MX performing NAT66 towards ISP1 and ISP2)
NAT66 on Viptela – Transport (WAN) Side (20.7)
Restrictions
• NAT64/NAT66 is not supported on the same device
• Global/outside prefix should be unique per VRF
• Only one single prefix translation is supported per VRF with prefix delegation
• Only DIA flows are supported; no support for service-side flows
(Diagram: SD-WAN Edge doing NAT66 between service VPN 10, with user 3000::101 and DNS server 3000::100, and transport VPN 0, 2004::100, towards the IPv6 network 2005::1; a DNS query from the user is shown crossing the translator)
IPv6 and MPLS
IPv6 and MPLS/SR/SRv6
• 6PE (global IPv6 routing table over MPLS over an IPv4 core)
• 6VPE (VRF IPv6 routing table over MPLS over an IPv4 core)
• MPLS over a native IPv6 core (LDPv6, SR-MPLS). Does not offer the services available with LDP (L2VPN, L3VPN, TE)
• Segment Routing (SR) can be used over an IPv6-only core
• SRv6 uses IPv6 rather than labels to forward traffic and deliver services similar to MPLS (L2VPN, L3VPN, traffic engineering (TE))

Global IPv6 routing table over MPLS (IPv4 core)
(Diagram only)

VRF IPv6 routing table over MPLS (IPv4 core)
(Diagram only)

SRv6
(Diagram only)
Transition Technologies
The Real Target: IPv6-only

The Real Challenge to IPv6-only
When IPv4-Only is the Starting Point
(Diagram: from IPv4-Only ‘Brownfield’ to IPv6-Only. Dare to shut IPv4 down? Easy for ‘greenfield’; the path may differ; all hosts and most apps are IPv6 ready)
IPv6-Only Requires Translation Technologies
• Going IPv6-only without a translation mechanism is currently not a feasible solution
• Many websites are still IPv4-only
• In order to ensure a smooth user experience, packets need to be translated from IPv6 to IPv4 to provide connectivity to IPv4-only resources
IPv6-only to Legacy IPv4: NAT64/DNS64
NAT64 – Stateful vs. Stateless

Stateful                        Stateless
• N:1 translation               • 1:1 translation
• “NAPT”                        • “NAT”
• TCP, UDP, ICMP                • Any protocol
• Shares IPv4 addresses         • No IPv4 address sharing (or saving)
Many NAT64 Scenarios
Network Address Translation Between IPv4 and IPv6 (stateful or stateless)
• IPv6 Network <-> IPv4 Internet
• IPv4 Internet <-> IPv6 Network
• IPv6 Internet <-> IPv4 Network
• IPv6 Network <-> IPv4 Network
• IPv4 Network <-> IPv6 Network
Stateless NAT64
• Stateless NAT64 translates IPv6 packets to IPv4 and vice versa
• A specific mapping must be configured between one IPv4 and one IPv6 address
• Obviously, there are more IPv6 than IPv4 addresses, so it is mainly used for IPv4 clients reaching IPv6 servers
• Static A and AAAA resource records in DNS
NAT64 – Stateless
IPv6 Packet                               IPv4 Packet
Src Addr   2001:db8:c::<203.0.114.1>      Src Addr   203.0.113.1
Dest Addr  2001:db8::1                    Dest Addr  92.0.2.1

(Diagram: IPv6 listener 2001:db8::1, with 2001:db8:c::/64 (203.0.113/24) announced in the IPv6 routing domain; NAT64 in the middle; IPv4 initiator 92.0.2.1, announced in the IPv4 routing domain)
DNS:
@ IN A    203.0.113.1
@ IN AAAA 2001:db8::1
Stateful NAT64
• Stateful NAT64 translates IPv6 packets to IPv4 and vice versa
• Mapping between several IPv6 addresses and one IPv4 address
• Obviously, there are more IPv6 than IPv4 addresses, so it is mainly used for IPv6 clients reaching IPv4 servers
• The IPv4 address is embedded in a /96 prefix (either 64:ff9b::/96 or a /96 from your network)
• DNS64 is used in conjunction with NAT64 in basically all deployments
• DNS64 synthesizes AAAA records from A records
NAT64 – Stateful
IPv6 Packet                               IPv4 Packet
Src Addr   2001:db8:abcd:2::1             Src Addr   203.0.113.1
Dest Addr  64:ff9b::<92.0.2.1>            Dest Addr  92.0.2.1

(Diagram: IPv6 initiator 2001:db8:abcd:2::1, with 64:ff9b::/96 announced in the IPv6 routing domain; NAT64 with IPv4 pool 203.0.113/24 announced in the IPv4 routing domain; IPv4 listener 92.0.2.1)
• NAT64 keeps binding state between the inner IPv6 address/port and the outer IPv4 address/port
• DNS64 needed
• Application-dependent; ALGs may be required
DNS64 is usually needed with NAT64
• DNS64 provides conversion of an IPv4 address into an IPv6 address
• An AAAA record is made up from the A record (only if no upstream AAAA is present) using the IPv6 prefix of the NAT64 translator (e.g., 64:ff9b::/96)
• NAT64 and DNS64 do not need to be collocated
• All DNS server apps and open recursive DNS servers support DNS64
(Diagram: the IPv6-only endpoint sends AAAA? to DNS64; DNS64 sends AAAA? and A? simultaneously to the Internet, receives an empty AAAA answer and A = 192.0.2.1, and returns the synthesized 64:ff9b::192.0.2.1; the endpoint then reaches 192.0.2.1 through NAT64 using the 64:ff9b::/96 prefix)
NAT64/DNS64 Demo
DNS64 – Watch out
• Works for applications doing DNS queries
  • https://www.example.com
  • IMAP, connecting to XMPP servers, etc.
• DNSSEC requires the specific DNS64 to be the trusted validator (OK for now)
• Doesn’t work for applications that don’t do DNS queries or use IP address literals
  • https://1.2.3.4
  • Skype
  • H.323, XMPP peer to peer, etc.
• Doesn’t work well if an application-level proxy for IP address literals (HTTP proxy) is used
• Learn NAT64’s prefix: RFC 7050
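The stateful NAT64 and DNS64 slides above, worked in Python as an added example (not from the deck): RFC 6052 embedding of an IPv4 address under a NAT64 prefix for every prefix length the RFC allows (the slides show only the /96 case), a DNS64 resolver that synthesizes AAAA only when no upstream AAAA exists, and the RFC 7050 prefix discovery that the last bullet refers to. The upstream zone table and host names are constructed; 64:ff9b::/96 and 192.0.2.1 are the values from the slides.

```python
"""RFC 6052 synthesis, DNS64 behaviour and RFC 7050 prefix discovery.

Added example, not the deck's code. The upstream DNS answers below are
constructed; the well-known prefix 64:ff9b::/96 and 192.0.2.1 are the
values used on the slides.
"""
import ipaddress

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)
# RFC 7050: ipv4only.arpa has only these two A records; a DNS64 that
# synthesises AAAA records for it thereby reveals the NAT64 prefix in use.
IPV4ONLY_ARPA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}


def synthesize(prefix, ipv4):
    """Embed an IPv4 address under a NAT64 prefix as RFC 6052 section 2.2 lays out."""
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    pfx = net.network_address.packed[: plen // 8]
    v4 = ipaddress.IPv4Address(ipv4).packed
    if plen == 96:
        body = pfx + v4
    elif plen == 64:
        body = pfx + b"\x00" + v4            # bits 64..71 ('u') must be zero
    else:
        head = 8 - len(pfx)                  # IPv4 bytes that fit before 'u'
        body = pfx + v4[:head] + b"\x00" + v4[head:]
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))


def extract(prefix, ipv6):
    """Inverse of synthesize(): recover the IPv4 address embedded under prefix."""
    net = ipaddress.IPv6Network(prefix)
    plen, b = net.prefixlen, ipaddress.IPv6Address(ipv6).packed
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    if ipaddress.IPv6Address(ipv6) not in net:
        raise ValueError("address is not under the NAT64 prefix")
    n = plen // 8
    if plen == 96:
        v4 = b[12:16]
    elif plen == 64:
        v4 = b[9:13]
    else:
        head = 8 - n
        v4 = b[n:8] + b[9:9 + (4 - head)]
    return ipaddress.IPv4Address(v4)


class Dns64:
    """Minimal DNS64 resolver over a constructed upstream zone table."""

    def __init__(self, upstream, prefix="64:ff9b::/96"):
        self.upstream = upstream
        self.prefix = prefix

    def resolve_aaaa(self, name):
        rrset = self.upstream.get(name, {})
        if rrset.get("AAAA"):
            return [ipaddress.IPv6Address(a) for a in rrset["AAAA"]]  # native AAAA wins
        # No AAAA upstream: synthesise one per A record so IPv6-only hosts go via NAT64
        return [synthesize(self.prefix, a) for a in rrset.get("A", [])]


def discover_nat64_prefix(aaaa_answers):
    """RFC 7050 heuristic: find the prefix under which ipv4only.arpa was synthesised."""
    for addr in aaaa_answers:
        for plen in RFC6052_LENGTHS:
            candidate = ipaddress.IPv6Network((str(addr), plen), strict=False)
            try:
                if extract(candidate, addr) in IPV4ONLY_ARPA:
                    return candidate
            except ValueError:
                continue
    return None


# Constructed upstream answers: a dual-stack name, an IPv4-only name, the RFC 7050 probe
UPSTREAM = {
    "dual.example.": {"A": ["198.51.100.7"], "AAAA": ["2001:db8:abcd:2::7"]},
    "legacy.example.": {"A": ["192.0.2.1"]},
    "ipv4only.arpa.": {"A": ["192.0.0.170", "192.0.0.171"]},
}

if __name__ == "__main__":
    resolver = Dns64(UPSTREAM)
    print([str(a) for a in resolver.resolve_aaaa("legacy.example.")])
    print(discover_nat64_prefix(resolver.resolve_aaaa("ipv4only.arpa.")))
```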
RFC 6877: Handling IPv4 Literals with 464XLAT
• 464XLAT allows an IPv4-only app to access IPv4 servers over an IPv6-only network
• 464XLAT is implemented in Android ☺ (the CLAT is included in the host)
(Diagram: IPv4-only app -> CLAT (stateless NAT46, in the host) -> IPv6-only network -> PLAT (provider stateful NAT64) -> Internet -> IPv4-only listener)
Server Load Balancing (SLB64)
• IPv4 and IPv6 Virtual IP
• Publish appropriate A and AAAA Resource Records
• IPv4-only inside pool
• Rapid time to deploy
(Diagram: dual-stack load balancer for WWW in front of IPv4-only servers)
Content Distribution Network
• Most CDNs offer IPv6 access to IPv4-only origin servers by default
(Diagram: IPv6-enabled client -> Internet -> CDN cache -> Internet -> IPv4-only origin server)
Mapping of Address and Ports (MAP) for Service Provider Access
MAP (Mapping of Address and Port) for ISP
• Dual-stacked users over an IPv6-only access network
• MAP has a CPE and a Border Relay (BR) function
• The CPE learns the MAP info (e.g. via a DHCPv6 option, RFC 7598)
• Each CPE gets a shared public IPv4 address with a restricted TCP/UDP port range (or ranges) via the MAP info (= rules)
• The CPE NAT44s the inside addresses/ports to this public outside IPv4 address within the restricted port range (states are in the CPE)
• This packet is then forwarded translated/encapsulated in IPv6
• Stateless BR in the SP network
  • Uses the same algorithm to map IPv4/IPv6 addresses/ports (stateless)
  • Can use anycast, can have asymmetric routing
  • No single point of failure, no need for high availability hardware
MAP-E: Stateless 464 Encapsulation (RFC 7597)
(Diagram: IPv4-over-IPv6; stateless tunneling function on routers; no stateful CGN)
MAP-T: Stateless 464 Translation (RFC 7599)
(Diagram: native IPv6; stateless 64 translation function on routers; no stateful CGN)
MAP
• Advantages:
  • Leverages IPv6 in the network
  • No CGN inside the SP network
  • No need for NAT logging (DHCP logging as usual)
  • No need for ALGs
  • No need for stateful NAT64/DNS64
• Disadvantages:
  • Dependency on the CPE router
  • Any application hardcoding a port number might not work without UPnPv2 support
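The restricted port range that the MAP slides describe, as an added Python example (not from the deck): the RFC 7597 Appendix B port-set algorithm, which lets the CPE pick only its own ports and lets the stateless BR check a port against a PSID without any per-flow state. The sharing ratio (a 4-bit PSID, 16 subscribers per IPv4 address) and the default PSID offset of 6 are constructed parameters.

```python
"""MAP port sets (RFC 7597 Appendix B): added example, not the deck's code.

A shared IPv4 address is split among CPEs by a Port Set ID (PSID). Each 16-bit
port is laid out as  A | PSID | M : 'offset' high bits A, then psid_len PSID
bits, then the remaining M bits. Parameters below (psid_len 4, offset 6) are
constructed; the offset of 6 is the RFC default and keeps ports 0-1023 out of
every CPE's range.
"""


def port_set(psid, psid_len, offset=6):
    """All (low, high) port ranges a CPE holding this PSID may use."""
    if offset < 0 or psid_len < 0 or offset + psid_len > 16:
        raise ValueError("offset + psid_len must fit in 16 bits")
    if psid >= 1 << psid_len:
        raise ValueError("PSID does not fit in psid_len bits")
    m_bits = 16 - offset - psid_len          # contiguous ports per block
    ranges = []
    # A = 0 is skipped when offset > 0, so the lowest 2^(16-offset) ports
    # (the system port range for offset 6) belong to nobody.
    for a in range(1 if offset else 0, 1 << offset):
        low = (a << (16 - offset)) | (psid << m_bits)
        ranges.append((low, low | ((1 << m_bits) - 1)))
    return ranges


def psid_of_port(port, psid_len, offset=6):
    """The PSID that owns a port: the stateless check a BR performs."""
    m_bits = 16 - offset - psid_len
    return (port >> m_bits) & ((1 << psid_len) - 1)


def cpe_may_use(port, psid, psid_len, offset=6):
    """CPE-side check before NAT44 picks an outside source port."""
    if offset and port < (1 << (16 - offset)):
        return False                         # excluded system port range
    return psid_of_port(port, psid_len, offset) == psid


def ports_per_cpe(psid_len, offset=6):
    """How many ports one CPE gets for this sharing ratio."""
    return sum(high - low + 1 for low, high in port_set(0, psid_len, offset))


if __name__ == "__main__":
    print(port_set(5, 4)[:3], ports_per_cpe(4))
```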
Security
IPv6 Security Myths…
IPv6 Myths: Better, Faster, More Secure
Sometimes, newer means better and more secure
Sometimes, experience IS better and safer!
The Absence of Reconnaissance Myth
• Default subnets in IPv6 have 2^64 addresses
• At 10 Mpps, scanning one takes more than 50 000 years
Reconnaissance in IPv6: Scanning Methods Will Change
• If using EUI-64 addresses, just scan 2^48
  • Or even 2^24 if the vendor OUI is known...
• Public servers will still need to be DNS reachable
  • More information collected by Google...
• Increased deployment of/reliance on dynamic DNS
  • More information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Harvest NTP client addresses by becoming a member of pool.ntp.org
• Administrators may adopt easy-to-remember addresses
  • ::1, ::80, ::F00D, ::C5C0, :ABBA:BABE or simply the IPv4 last octet for dual-stack
• By compromising hosts in a network, an attacker can learn new addresses to scan
Scanning Made Bad for CPU
Remote Neighbor Cache Exhaustion (RFC 6583)
• Potential router CPU/memory attacks if aggressive scanning
  • Router will do Neighbor Discovery... and waste CPU and memory
• Local router DoS with NS/RS/…
(Diagram: a remote scan of 2001:db8::/64 makes the router emit NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... on the local link, over and over)
For Your Reference
Mitigating Remote Neighbor Cache Exhaustion
• Built-in rate limiter with options to tune it
  • Since 15.1(3)T: ipv6 nd cache interface-limit
  • Or IOS-XE 2.6: ipv6 nd resolution data limit
  • Destination-guard is part of First Hop Security
  • Priority given to refreshing existing entries vs. discovering new ones
• Using a /64 on point-to-point links => a lot of addresses to scan!
  • Using /127 could help (RFC 6164)
• Internet edge/presence: a target of choice
  • Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
• Using an infrastructure ACL prevents this scanning
  • iACL: edge ACL denying packets addressed to your routers
  • Easy with IPv6 because of the new addressing scheme ☺
http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1
The IPsec Myth: IPsec End-to-End will Save the World
• “IPv6 mandates the implementation of IPsec”
• Some organizations believe that IPsec should be used to secure all flows…
“Security expert, W., a professor at the University of <foo> in the UK, told <newspaper> the new protocol system – IPv6 – comes with a security code known as IPSEC that would do away with anonymity on the web.
If enacted globally, this would make it easier to catch cyber criminals, Prof W. said.”
The IPsec Myth: IPsec End-to-End will Save the World
• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 8504: “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows...
  • Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  • Network telemetry is blinded: NetFlow of little use
  • Network services hindered: what about QoS or AVC?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: reserve IPsec for residential or hostile environments or high-profile targets, EXACTLY as for IPv4
Security Issues Shared by IPv6 and IPv4
IPv6 Bogon and Anti-Spoofing Filtering
• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing = uRPF
(Diagram: IPv6 intranet -> inter-networking device with uRPF enabled -> IPv6 intranet/Internet; a packet with an unallocated IPv6 source address is dropped: no route to SrcAddr => drop)
Remote Triggered Black Hole (see BRKSEC-3200)
• RFC 5635 RTBH is as easy in IPv6 as in IPv4
• uRPF is also your friend for black holing a source
• RFC 6666 has a specific discard prefix
  • 100::/64
http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html
ICMPv4 vs. ICMPv6
• Significant changes
• More relied upon

ICMP Message Type                    ICMPv4   ICMPv6
Connectivity Checks                  X        X
Informational/Error Messaging        X        X
Fragmentation Needed Notification    X        X
Address Assignment                            X
Address Resolution                            X
Router Discovery                              X
Multicast Group Management                    X
Mobile IPv6 Support                           X

• => ICMP policy on firewalls needs to change
Generic ICMPv4 Border Firewall Policy
(Internal Server A behind the firewall, Internet outside)

Action   Src   Dst   ICMPv4 Type   ICMPv4 Code   Name
Permit   Any   A     0             0             Echo Reply
Permit   Any   A     8             0             Echo Request
Permit   Any   A     3             0             Dst. Unreachable—Net Unreachable
Permit   Any   A     3             4             Dst. Unreachable—Frag. Needed
Permit   Any   A     11            0             Time Exceeded—TTL Exceeded
Equivalent ICMPv6 (RFC 4890): Border Firewall Transit Policy
(Internet -> Internal Server A)

Action | Src | Dst | ICMPv6 Type | ICMPv6 Code | Name
Permit | Any | A   | 128         | 0           | Echo Reply
Permit | Any | A   | 129         | 0           | Echo Request
Permit | Any | A   | 1           | 0           | Unreachable
Permit | Any | A   | 2           | 0           | Packet Too Big
Permit | Any | A   | 3           | 0           | Time Exceeded - HL Exceeded
Permit | Any | A   | 4           | 0           | Parameter Problem
(Echo Reply / Echo Request: needed for Teredo traffic)
Potential Additional ICMPv6 (RFC 4890): Border Firewall Transit Policy
(Internet -> Firewall B, in front of Internal Server A)

Action | Src | Dst | ICMPv6 Type | ICMPv6 Code | Name
Permit | Any | B   | 2           | 0           | Packet Too Big (for traffic locally generated by the device)
Permit | Any | B   | 4           | 0           | Parameter Problem (for traffic locally generated by the device)
Permit | Any | B   | 130–132     | 0           | Multicast Listener
Permit | Any | B   | 135/136     | 0           | Neighbor Solicitation and Advertisement
Deny   | Any | Any |             |             |
Remote NDP Floods...
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6 (May 2016)
• Hot from the press: https://blog.apnic.net/2023/01/30/interesting-ipv6-ndp-observation/ (Feb 2023)
• RFC 4890 is a little too open
• RFC 4861 (Neighbor Discovery):
  • Hop Limit MUST be 255
  • Source should be link-local, unspecified or a global address belonging to the link, and not "any"
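Added example (not from the deck, and not Cisco product code): a stateless ICMPv6 transit filter in Python that encodes the two RFC 4890-style tables above (server A and firewall B) and tightens the NDP rows with the RFC 4861 checks this slide lists, so an NS/NA from an off-link source or with a Hop Limit below 255 is dropped even though the table's source column says "Any". The server/firewall addresses and the link prefix are constructed placeholders; type numbers follow RFC 4443 (128 Echo Request, 129 Echo Reply).

```python
import ipaddress
from dataclasses import dataclass

SERVER_A = ipaddress.ip_address("2001:db8:100:1::a")       # constructed
FIREWALL_B = ipaddress.ip_address("2001:db8:100:1::1")     # constructed
LINK_PREFIX = ipaddress.ip_network("2001:db8:100:1::/64")  # constructed

# Rows of the two tables (every permitted row has code 0). RFC 4443 numbering:
# 1 Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem,
# 128 Echo Request, 129 Echo Reply; 130-132 MLD; 135/136 NS/NA.
PERMIT_TO_A = {128, 129, 1, 2, 3, 4}
PERMIT_TO_B = {2, 4, 130, 131, 132, 135, 136}
NDP_TYPES = {133, 134, 135, 136, 137}     # RFC 4861 Neighbor Discovery messages

@dataclass
class Icmp6Pkt:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    hop_limit: int

def ndp_sane(pkt):
    """RFC 4861 checks from the slide: Hop Limit MUST be 255 and the source
    must be link-local, unspecified or a global address belonging to the link."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.hop_limit == 255 and (
        src.is_link_local or src.is_unspecified or src in LINK_PREFIX)

def decide(pkt):
    """Return 'permit' or 'deny' for one ICMPv6 packet arriving from the Internet."""
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.icmp_code != 0:
        return "deny"                       # no table row permits a non-zero code
    if dst == SERVER_A and pkt.icmp_type in PERMIT_TO_A:
        return "permit"
    if dst == FIREWALL_B and pkt.icmp_type in PERMIT_TO_B:
        if pkt.icmp_type in NDP_TYPES and not ndp_sane(pkt):
            return "deny"                   # remote NDP: HL < 255 or off-link source
        return "permit"
    return "deny"                           # final 'Deny Any Any' row
```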

Preventing IPv6 Routing Attacks: Protocol Authentication
• BGP, IS-IS, EIGRP: no change
  • An MD5 authentication of the routing update
• OSPFv3 has changed: MD5 authentication was pulled from the protocol, which instead relies on transport-mode IPsec (for authentication and confidentiality)
  • But see RFC 6506 / RFC 7166 (not widely implemented yet)
• IPv6 routing attack best practices
  • Use traditional authentication mechanisms on BGP and IS-IS
  • Use IPsec to secure protocols such as OSPFv3

IPv6 Attacks with Strong IPv4 Similarities
Good news: IPv4 IPS signatures can be re-used
• Sniffing
  • IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
  • The majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices
  • Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
  • Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
  • Flooding attacks are identical between IPv4 and IPv6
Security Issues Specific to IPv6

RFC 8941 Temporary Addresses Extensions
• Temporary addresses for IPv6 host client applications:
  • Inhibit device/user tracking when EUI-64 was used
  • Random 64-bit interface ID per IPv6 prefix
    • then run Duplicate Address Detection before using it
  • Rate of change based on local policy (typically once per day)
  • Enabled by default in Windows, Android, iOS, Mac OS/X ...
• Excellent for privacy
• Makes operation more complex:
  • Cannot have a client-specific static ACL
  • User attribution more complex (without RFC 7217 – stable privacy address)
IPv6 Header Manipulation
• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  • More boundary conditions to exploit
  • Can I overrun buffers with a lot of extension headers?
• Mitigation: a firewall such as ASA which can filter on headers

Figure: a "perfectly valid IPv6 packet" according to the sniffer, whose chain nevertheless contains a header that should only appear once, a Destination Options header that should occur at most twice, and a Destination Options header that should be the last one.
http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
ASA 8.4.2+: IPv6 Extension Header Filtering (screenshot)

Parsing the Extension Header Chain
• Finding the layer 4 information is not trivial in IPv6
• Skip all known extension headers
  • Until either a known layer 4 header is found => MATCH
  • Or an unknown extension header / layer 4 header is found... => NO MATCH

  IPv6 hdr | HopByHop | Routing | AH | TCP        | data   => MATCH
  IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???    => NO MATCH
Fragment Header: IPv6
• In IPv6, fragmentation is done only by the end system
  • Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• RFC 5722 / RFC 8200: overlapping fragments => MUST drop the packet. Most OSes implement it since 2012
• Attackers can still fragment in intermediate systems on purpose ==> a great obfuscation tool
Parsing the Extension Header Chain: Fragments and Stateless Filters (see BRKSEC-3200)
• Layer 4 information could be in the 2nd fragment
• But stateless firewalls could not find it if a previous extension header is fragmented
• RFC 3128 is not applicable to IPv6, but:
  • RFC 6980: 'nodes MUST silently ignore NDP ... if packets include a fragmentation header' ;-)
  • RFC 7112: 'A host that receives a First Fragment that does not satisfy ... SHOULD discard the packet' ;-)
  • RFC 8200: 'If the first fragment does not include all headers through an Upper-Layer header, then that fragment should be discarded'

  IPv6 hdr | HopByHop | Routing | Fragment1 | Destination …
  IPv6 hdr | HopByHop | Routing | Fragment2 | … Destination | TCP | Data
  Layer 4 header is in the 2nd fragment; stateless filters have no clue where to find it!
IPv6 Fragmentation & IOS ACL Fragment Keyword
• This makes matching against the first fragment non-deterministic:
  • the layer 4 header might not be there but in a later fragment
  => Need for stateful inspection (RFC 7112: a router MAY drop those packets ;-))
• fragments keyword matches
  • Non-initial fragments (same as IPv4)
• undetermined-transport keyword does not match
  • If non-initial fragment
  • Or if TCP/UDP/SCTP and ports are in the fragment
  • Or if ICMP and type and code are in the fragment
  • Everything else matches (including OSPFv3, RSVP, GRE, ESP, EIGRP, PIM …)
  • Only for deny ACE
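Added example, not from the deck and not IOS code: a Python walker over an IPv6 extension header chain with the semantics the preceding slides give for the IOS ACL fragments and undetermined-transport keywords (skip the known extension headers until an upper-layer header is reached; a non-initial fragment is what fragments matches; a first fragment whose chain does not reach the ports or the ICMPv6 type/code is the RFC 7112 / RFC 8200 case that undetermined-transport matches). The packets, addresses and the small header builders are constructed for the example.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6, SCTP, ESP = 6, 17, 58, 132, 50
WALKABLE = (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS)

def walk_chain(pkt):
    """Skip known extension headers after the 40-byte fixed header. Returns
    (next_header, offset, non_initial): first header type that cannot be walked
    (None if the chain runs off the end), its offset, and whether a Fragment
    header with a non-zero offset (a later fragment) was seen on the way."""
    if len(pkt) < 40:
        return None, 0, False
    nh, off = pkt[6], 40
    while nh in WALKABLE:
        if off + 8 > len(pkt):              # every extension header is >= 8 bytes
            return None, off, False
        if nh == FRAGMENT:
            frag_field = struct.unpack_from("!H", pkt, off + 2)[0]
            if frag_field >> 3:             # 13-bit fragment offset != 0
                return pkt[off], off + 8, True
            size = 8
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4   # Payload Len: 32-bit words minus 2
        else:
            size = (pkt[off + 1] + 1) * 8   # Hdr Ext Len: 8-octet units
        nh, off = pkt[off], off + size
    return nh, off, False

def matches_fragments(pkt):
    """'fragments' keyword: non-initial fragments only (same as IPv4)."""
    return walk_chain(pkt)[2]

def matches_undetermined_transport(pkt):
    """'undetermined-transport' keyword (deny ACE only): everything except
    non-initial fragments, TCP/UDP/SCTP with ports, ICMPv6 with type and code."""
    nh, off, non_initial = walk_chain(pkt)
    if non_initial:
        return False
    if nh in (TCP, UDP, SCTP) and off + 4 <= len(pkt):
        return False
    if nh == ICMPV6 and off + 2 <= len(pkt):
        return False
    return True            # ESP, OSPFv3, GRE, first fragment without L4, ...

# Constructed packets (2001:db8::1 -> 2001:db8::2) mirroring the slides' figures.
def ipv6(nh, payload):
    src, dst = bytes.fromhex("20010db8" + "00" * 11 + "01"), bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64, src, dst) + payload
def ext(nh):                   # minimal 8-byte HBH / Routing / Dest Opts header
    return bytes([nh, 0]) + b"\0" * 6
def frag(nh, offset8, more):   # Fragment header: offset in 8-octet units, M flag
    return struct.pack("!BBHI", nh, 0, (offset8 << 3) | int(more), 0xABCD)
TCP_PKT = ipv6(TCP, b"\x00\x50\x1f\x90" + b"\0" * 16)                      # plain TCP
LATER_FRAG = ipv6(FRAGMENT, frag(TCP, 1, False) + b"\0" * 32)              # 2nd fragment
FIRST_FRAG_NO_L4 = ipv6(HOP_BY_HOP, ext(ROUTING) + ext(FRAGMENT) + frag(DEST_OPTS, 0, True) + ext(TCP))
```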

Is there NAT for IPv6? - "I need it for security"
• Network Prefix Translation: RFC 6296
• Otherwise, the IETF has not specified any N:1 stateful translation (aka overload NAT or NAPT*) for IPv6
• Do not confuse a stateful firewall and NAPT*, even if they are often co-located
• Nowadays, NAPT (for IPv4) does not help security
  • Host OSes are way more resilient than in 2000
  • Hosts are mobile and cannot always be behind your 'controlled NAPT'
  • Malware is not injected from 'outside' but is fetched from the 'inside' by visiting weird sites or installing a trojanized application

* NAPT = Network Address and Port Translation
PCI DSS 3.0 Compliance and IPv6
• Payment Card Industry Data Security Standard (since revision November 2013):
  • Requirement 1.3.8: Do not disclose private IP addresses and routing information to unauthorized parties.
  • Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT) ...
  • the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.
• ➔ How to comply with PCI DSS:
  • Application proxies or SOCKS
  • Strict data plane filtering with ACL
  • Strict routing plane filtering with BGP route-maps
• Cisco IPv6 design for PCI with IPv6:
  • http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DG/PCI_20_DG.pdf
Dual Stack Host Considerations
• Host security on a dual-stack device
  • Applications can be subject to attack on both IPv6 and IPv4
  • Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both IP versions
  • Host intrusion prevention, personal firewalls, VPN clients, etc.
Dual Stack with IPv6 Enabled by Default
• Your host:
  • IPv4 is protected by your favorite personal firewall...
  • IPv6 is enabled by default (Windows 7 & 8.x, Linux, Mac OS/X, ...)
• Your network:
  • Does not run IPv6
• Your assumption:
  • I'm safe
• Reality:
  • You are not safe
  • Attacker sends Router Advertisements
  • Your host silently configures IPv6
  • You are now under IPv6 attack

=> Probably time to think about IPv6 in your network
Vulnerability Scanning in a Dual-Stack World
• Finding all hosts:
  • Address enumeration does not work for IPv6
  • Need to rely on DNS or NDP caches or NetFlow
• Vulnerability scanning
  • IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
  • Some services are single stack only (currently mostly IPv4, but who knows...)
  • Personal firewall rules could be different between IPv4/IPv6
• Vulnerability scanning MUST be done for both IPv4 & IPv6, even in an IPv4-only network
  • IPv6 link-local addresses are active by default
Enforcing a Security Policy

IOS IPv6 Extended ACL
• Can match on
  • Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type
  • TCP flags SYN, ACK, FIN, PUSH, URG, RST
  • Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF)
• IPv6 extension headers
  • routing matches any RH, routing-type matches a specific RH
  • mobility matches any MH, mobility-type matches a specific MH
  • dest-option matches any destination options
  • auth matches AH
  • hbh matches hop-by-hop (since 15.2(3)T)
• fragments keyword matches
  • Non-initial fragments (same as IPv4)
• undetermined-transport keyword does not match
  • TCP/UDP/SCTP and ports are in the fragment
  • ICMP and type and code are in the fragment
  • Everything else matches (including OSPFv3, …)
  • Only for deny ACE
Check your platform & release as your mileage can vary…
IPv6 ACL Implicit Rules (RFC 4890)
• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
  ...
  permit icmp any any nd-na
  permit icmp any any nd-ns
• This is different on IOS XE (i.e. ASR1k): no default permit of ND / NA packets
IPv6 ACL Implicit Rules – Cont.: Adding a deny-log
• The beginner's mistake is to add a deny log at the end of an IPv6 ACL
  . . .
  ! Now log all denied packets
  deny ipv6 any any log
  ! Heu . . . I forgot about these implicit lines
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any

• Solution: explicitly add the implicit ACEs before the deny-log
  . . .
  permit icmp any any nd-na
  permit icmp any any nd-ns
  ! Now log all denied packets
  deny ipv6 any any log
ASA 9.0: Single Rule Table & Mixed Mode Objects (screenshot)

FIREpower NG IPS and IPv6
• FIREsight passive network discovery correlates Events & Host IP
• Very easy to find out the sender / destination in Dual Stacked environments!

Cisco Meraki MX and IPv6 ACLs
• A single policy engine for any address family
(Screenshot: Security & SD-WAN > Firewall, showing the type of rule)
Secure IPv6 over IPv4/IPv6 Public Internet
• No traffic sniffing
• No traffic injection
• No service theft

Public Network | Site to Site                                                              | Remote Access
IPv4           | 6in4/GRE Tunnels Protected by IPsec; DMVPN 12.4(20)T; FlexVPN; Meraki Auto VPN | SSL VPN Client AnyConnect
IPv6           | IPsec VTI 12.4(6)T; DMVPN 15.2(1)T; FlexVPN                               | SSL VPN Client AnyConnect 3.1 & ASA 9.0; SSL VPN Client AnyConnect 4.10 & MX18
Security Takeaway
• So, nothing really new in IPv6
  • Reconnaissance: address enumeration replaced by DNS enumeration
  • Spoofing & bogons: uRPF is our IP-agnostic friend
  • ICMPv6: firewalls need to change policy to allow NDP
  • Extension headers: firewall & ACL can process them
  • NGIPS / NGFW can detect & filter applications over IPv6
• Lack of operational experience may hinder security for a while: training is required
• Security enforcement is possible
  • Control your IPv6 traffic as you do for IPv4
  • Leverage IPsec to secure IPv6 when suitable
The Cloud and Containers

The Big Three and IPv6 (see BRKIPV-3927)
Cloud Service Provider (CSP) IPv6 Assessment
• IPv6 is imperative for scale and cost savings
• WARNING: There is always a caveat
• Perceived strategy
  • Short-term: dual stack
  • Long-term: IPv6-only

Encourage IPv6 on by default!
Containers and IPv6
• Docker
  • OS dependency
    • Dual-stack: all OSes
    • IPv6-only: Linux only
• Kubernetes
  • IPv6-only supported
  • Dual-stack is default

IPv6: a natural fit to achieve the promise of scale
Cloud Service Providers: IPv6-only and Container IPv6 Support

Cloud Provider | IPv6-only | IPv6 Kubernetes Service
AWS            | Yes       | Yes
Azure          | No        | No
GCP            | No        | Yes*
Oracle         | No        | Unclear
Alibaba        | No        | No
* pre-GA
In The News
• AWS IPv6-only Subnets (June 2022)
• GCP introduction of IPv6 (Dec 2022)
• Azure AD with IPv6 Support (Dec 2022)
Plenty of runway still to go!
Take the Challenge
• Build a team
• Train
• Secure, test, deploy, monitor
• Get involved
• Demand IPv6-only
“IPv6-Only where you can, dual stack where you must”
(Screenshot, source: https://chat.openai.com/chat)
AI agrees with our approach!
Complete your Session Survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html

Thank you
