IPv6 residential gateway security



Eric Vyncke
Cisco Systems CTO/Consulting Engineering
evyncke@cisco.com


The Security Questions
when adding IPv6 to a RG/CPE

  Is IPv6 more or less secure than IPv4?
   Roughly equivalent (the lack of operational knowledge makes IPv6 less secure
    for now)

  Which security policy for IPv6?
   The same as for IPv4? (including the so-called 'NAT security')
   The same as in 2000, when the IPv4 CPE were designed?

  How congruent must the IPv4 and IPv6 policies be?




    draft-vyncke-advanced-ipv6-security-00.txt>                   2
Typical IPv4 Security

  Apply anti-spoofing (and anti-bogon) filtering
  Allow all traffic from inside to outside
  Only allow traffic from outside to inside if it matches an
   existing outbound flow (stateful inspection)
  Drop the rest


  Specific TCP/UDP ports can be blocked (such as 445/TCP)
   or explicitly opened
  Often co-located with the NAT function (cf. iptables)
IPv6 Changes a Few Things

  Link-local and ULA addresses are not reachable from the 'bad'
   Internet (they are never routed across the WAN)
   Good for security

  Home devices get global addresses and are therefore globally reachable
   Perhaps less good for security
CPE to CPE Communication
     IPv4 vs. IPv6
       The SP wants to see all user-to-user traffic
       IPv4: the WAN addresses must communicate (both LANs use 192.168.1.0/24,
          so LAN-to-LAN traffic cannot be routed)
          Usually in the same layer 2 domain... tricks are needed to force the traffic through the BNG
       IPv6: the WAN addresses have no reason to communicate
          The IPv6 LAN addresses must communicate (easy: the LAN prefixes are globally unique and routed)

     Figure (diagram): SP BNG at the top, with the labels 192.2.0.0/24 and
     2001:db8:bad::/64 next to it; Eric's CPE below on the left with LAN
     2001:db8:café::/64 and 192.168.1.0/24; Ole's CPE below on the right with
     LAN 2001:db8:bad::/64 and 192.168.1.0/24.
IPv6 Simple Security

  An IETF work item from James Woodyatt, Apple (later published as RFC 6092)
  Advises a security policy for IPv6 which is mostly congruent with the IPv4
   one:
    Basic anti-bogon / anti-spoofing filtering
    Outbound permitted
    Inbound permitted only if it matches an existing outbound flow;
     unsolicited inbound is dropped
  Benefits:
      Guidelines for the CPE implementers
      Technically doable & easy
      Congruent with IPv4 (easier for the user)
  Cons:
    Breaks the open host-to-host promise of IPv6
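The policy of the two slides above ("Typical IPv4 Security" and "IPv6 Simple Security") as a small stateful filter run over a constructed packet trace. This is an added example, not code from the slides or from the I-D; the LAN prefixes are taken from the slide diagram, the packet trace is made up, the bogon list is shortened (2001:db8::/32 is left out only because the slides use it as "real" addresses), the ICMPv6 error exception follows RFC 4890, and the user pinhole models the "unless we absolutely have to" case from the later slide:

```python
"""Toy stateful CPE filter: anti-spoofing, anti-bogon, outbound permitted,
inbound only for return traffic (or a user pinhole), for IPv4 and IPv6.
Added example; not the slides' or the I-D's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed CPE configuration: documentation prefixes from the slide diagram.
LAN_PREFIXES = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("2001:db8:cafe::/64")]

# Source prefixes that must never arrive from the WAN (shortened bogon list;
# 2001:db8::/32 is deliberately omitted because the slides reuse it as real space).
WAN_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

# ICMPv6 error messages that must be forwarded even when unsolicited (RFC 4890):
# destination unreachable, packet too big, time exceeded, parameter problem.
ICMPV6_ERRORS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    iface: str                        # "lan" or "wan": interface of arrival
    proto: str                        # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def is_wan_bogon(addr):
    return any(addr in net for net in WAN_BOGONS)


class CpeFilter:
    def __init__(self, lan_prefixes, pinholes=()):
        self.lan = list(lan_prefixes)
        self.flows = set()             # 5-tuples of flows started from the LAN
        self.pinholes = set(pinholes)  # (proto, inside address, port) opened by the user

    def _is_lan(self, addr):
        return any(addr in net for net in self.lan)

    def decide(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if pkt.iface == "lan":
            if not self._is_lan(src):        # anti-spoofing on the inside
                return "drop:spoofed-lan-source"
            if is_wan_bogon(dst):            # never leak bogons towards the SP
                return "drop:bogon-destination"
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "permit:outbound"
        # WAN side. For IPv4 the tuples are the un-translated ones: as with
        # iptables conntrack, NAT is undone before the filter sees the reply.
        if is_wan_bogon(src) or self._is_lan(src):
            return "drop:spoofed-or-bogon-source"
        if not self._is_lan(dst):
            return "drop:not-our-prefix"
        if pkt.proto == "icmpv6" and pkt.icmp_type in ICMPV6_ERRORS:
            return "permit:icmpv6-error"
        if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
            return "permit:return-traffic"
        if (pkt.proto, dst, pkt.dport) in self.pinholes:
            return "permit:pinhole"
        return "drop:unsolicited-inbound"    # the NAT-like default


TRACE = [  # constructed packets, in arrival order
    Packet("lan", "tcp", "2001:db8:cafe::10", "2001:db8:bad::20", 40000, 80),
    Packet("wan", "tcp", "2001:db8:bad::20", "2001:db8:cafe::10", 80, 40000),
    Packet("wan", "tcp", "2001:db8:bad::20", "2001:db8:cafe::10", 12345, 22),
    Packet("wan", "tcp", "fe80::1", "2001:db8:cafe::10", 1, 22),
    Packet("wan", "tcp", "2001:db8:cafe::99", "2001:db8:cafe::10", 1, 22),
    Packet("lan", "tcp", "2001:db8:bad::5", "2001:db8:bad::20", 1, 80),
    Packet("wan", "icmpv6", "2001:db8:1::1", "2001:db8:cafe::10", icmp_type=2),
    Packet("wan", "tcp", "2001:db8:bad::20", "2001:db8:cafe::10", 5555, 443),
    Packet("lan", "udp", "192.168.1.10", "198.51.100.7", 50000, 53),
    Packet("wan", "udp", "198.51.100.7", "192.168.1.10", 53, 50000),
    Packet("wan", "udp", "10.1.2.3", "192.168.1.10", 53, 50000),
]


def run_trace(pinholes=(("tcp", ipaddress.ip_address("2001:db8:cafe::10"), 443),)):
    fw = CpeFilter(LAN_PREFIXES, pinholes)
    return [fw.decide(p) for p in TRACE]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(f"{pkt.iface:3} {pkt.proto:6} {pkt.src} -> {pkt.dst}: {verdict}")
```

The verdict for the eighth packet is the only one that changes when the pinhole set is empty: without the user-opened 443/TCP it is treated like any other unsolicited inbound connection and dropped, which is exactly the "breaks host to host" cost the slide lists.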
What has changed between v4 & v6?

  IPv4 CPE were designed pre-2000
   Hosts were weak and vulnerable
   CPE were CPU- and memory-constrained
   NAT prevented any easy & direct host-to-host communication
   Security technique: mainly a firewall

  IPv6 CPE are designed in 2010
   IPv6 hosts are much stronger and more resistant
   CPE have more CPU and memory
   Host-to-host communication is possible
   New security techniques: Intrusion Prevention System,
    reputation of IP addresses, centralized & automatic updates

   (Callout on the slide: "Humm... wishful thinking for sensors,
    webcams and other small/embedded OS")
Proposal: less simple security

  Why not use modern techniques for IPv6 CPE?
   IPS
   Automated updates (policies & engines)
   Address reputation
   Cloud computing
   …

  Individual I-D: draft-vyncke-advanced-ipv6-security




Overview

  7 policies are identified. These are largely based on
   features which are commonly available in “advanced”
   security gear for enterprises today
  Home edge router is not something that is purchased
   and thrown away when obsolete. Instead, it is actively
   updated like many other consumer devices are today
   (PCs, iPods and iPhones, etc.)
  Business model may include a paid subscription service
   from the manufacturer, a participating service or
   content provider, consortium, etc.


Advanced Security

  Figure (diagram): the CPE security function drawn with four elements:
  Dynamic Update, IPS, User control and Feedback.
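The loop of slides 8 to 10 (dynamic update, address reputation, user control, feedback) as a runnable sketch. This is an added example and not code from the slides or from draft-vyncke-advanced-ipv6-security, which specifies none of these details: the update is a JSON document carrying a version and a list of bad prefixes, it is authenticated with an HMAC under a key assumed to be provisioned at manufacture (a real deployment would verify a vendor signature with an asymmetric key instead), and the feedback records are an assumed schema. The engine keeps end-to-end IPv6 open by default and only drops an unsolicited inbound connection when the source matches a reputation prefix, which is the "don't break end-to-end unless we absolutely have to" position of the next slide:

```python
"""Toy 'advanced security' engine: verified policy updates, prefix reputation,
user override and feedback. Added example; formats and keys are assumptions."""
import hashlib
import hmac
import ipaddress
import json

# Assumption: a per-device symmetric key provisioned by the manufacturer.
UPDATE_KEY = b"demo-key-provisioned-at-manufacture"


def sign_update(policy: dict, key: bytes = UPDATE_KEY) -> dict:
    """Provider side: serialise the policy canonically and MAC it."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class PolicyEngine:
    def __init__(self, key: bytes = UPDATE_KEY):
        self.key = key
        self.version = 0
        self.bad_prefixes = []    # reputation feed: prefixes treated as hostile
        self.user_allow = set()   # user control: sources the user trusts regardless
        self.feedback = []        # events to report back to the provider

    def apply_update(self, update: dict) -> bool:
        """CPE side: accept a policy only if its MAC verifies and it is newer."""
        body = update["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["mac"]):
            self.feedback.append({"event": "bad-signature"})
            return False
        policy = json.loads(body)
        if policy["version"] <= self.version:     # replay / rollback protection
            self.feedback.append({"event": "stale-update", "version": policy["version"]})
            return False
        self.version = policy["version"]
        self.bad_prefixes = [ipaddress.ip_network(p) for p in policy["bad_prefixes"]]
        return True

    def reputation(self, src: str):
        """Longest matching reputation prefix for src, or None if unknown."""
        addr = ipaddress.ip_address(src)
        hits = [n for n in self.bad_prefixes if addr in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def inbound(self, src: str, dport: int) -> str:
        """Verdict for an unsolicited inbound connection (no matching outbound flow)."""
        if ipaddress.ip_address(src) in self.user_allow:
            return "permit:user-allow"
        hit = self.reputation(src)
        if hit is None:
            return "permit"                       # end-to-end stays open by default
        self.feedback.append({"event": "blocked", "src": src, "dport": dport,
                              "prefix": str(hit), "policy": self.version})
        return f"drop:reputation:{hit}"


def demo():
    engine = PolicyEngine()
    # Constructed feed: Ole's whole /48 and one IPv4 /24 have a bad reputation.
    update = sign_update({"version": 1,
                          "bad_prefixes": ["2001:db8:bad::/48", "198.51.100.0/24"]})
    ok_fresh = engine.apply_update(update)
    tampered = dict(update, body=update["body"].replace("198.51.100.0/24", "203.0.113.0/24"))
    ok_tampered = engine.apply_update(tampered)   # MAC no longer matches the body
    ok_replayed = engine.apply_update(update)     # same version again: rejected
    engine.user_allow.add(ipaddress.ip_address("2001:db8:bad::20"))  # the user trusts Ole's server
    verdicts = [engine.inbound("2001:db8:bad::20", 22),
                engine.inbound("2001:db8:bad::99", 22),
                engine.inbound("198.51.100.7", 443),
                engine.inbound("2001:db8:1::1", 443)]
    return ok_fresh, ok_tampered, ok_replayed, verdicts, engine.feedback


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The feedback list is what the "Feedback" arrow on the diagram would carry: rejected updates and blocked sources, each tagged with the policy version that produced the decision, so the provider can tell whether a complaint comes from a stale or a tampered CPE.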
Why is this important to IPv6?

  Security policy can be adjusted to match the threat as
   IPv6 attacks arrive
  We don’t break end-to-end IPv6, unless we absolutely
   have to
  While providing arguably better security,
   troubleshooting, etc. than we would otherwise




Conclusion

  IPv6 is as (in)secure as IPv4
  User education will be key
  IPv6 in 2010 is different from IPv4 in 2000
   More secure hosts
   More powerful CPE
   End-to-end connectivity could/should be restored



