IPv6 Test

Test title:
IPv6 Test

Description:
Preparation

Creation date: 2022/05/07

Category: Other

Number of questions: 174

Rating: (0)
Syllabus:

What are two IPv6 header fields? identification. header checksum. options. IHL. traffic class. payload length.

What are two techniques to prevent IPv6 spoofing? ingress filtering. unicast reverse path forwarding. MAC address filtering. address filtering. egress filtering. IPv6 address filtering.

True or false: ingress filtering and unicast reverse path are BCPs (Best Common Practices) recommended to prevent IP spoofing. false. true.

What is a covert channel? A Covert channel is a type of attack that allows the transfer of information between two network nodes that are not allowed to communicate. A Covert channel is a type of attack that allows address spoofing to steal information allowing changing the addressing. A Covert channel is a type of attack that is used to make firewall circumvention allowing communication between two network nodes. A Covert channel is a type of attack that allows to hide information between two network nodes.

What two IPv6 basic header fields can be used to create a covert channel? traffic class. payload length. flow label. version. next header.

What two devices can be used to detect a covert channel? Firewall. IDS. IPS. Antivirus. Web Filter.

IP spoofing is a threat where the attacker uses a source IP address that belongs to another host or that doesn’t exist. What is the solution to this threat?. Ingress filtering and uRPF. Inspect packets (IDS / IPS). Firewall. MNS.

Covert channel is a type of attack that can use Traffic Class (8 bits) and/or Flow Label (20 bits) to send information against security policies. What is the solution to this threat?. Ingress filtering and RPF. Inspect packets (IDS / IPS). Firewall. DNS.

What is an IPv6 Extension Header used for? An Extension Header (EH) is used to carry extra information in IPv6 and is added to a packet if special processing is required. An Extension Header (EH) is used to carry extra information in IPv6 and is added to a packet if special processing is optional. An Extension Header (EH) is used to carry extra information in IPv6 and is added to a packet if essential processing is required. An Extension Header (EH) is used to carry extra information in IPv6 and is added to a packet if it processing is required.

There is a limited number of defined EHs, and they are only used when they are needed. If used, they will go right after the Basic IPv6 header and before the upper layer header, for example, TCP, UDP, or ICMPv6. What is the order? Hop-by-hop Options. Destination Options*. Routing. Fragmentation. IPsec: AH. IPsec: ESP. Destination Options**.

What is the RFC for Ingress Filtering? RFC2827/BCP38. RFC3704/BCP84. RFC3784/BCP14. RFC2823/BCP54.

What is the RFC for unicast Reverse Path Forwarding? RFC3704/BCP84. RFC3904/BCP64. RFC2827/BCP38. RFC2817/BCP54.

What are BCPs? Best Common Practices. Best Commit Process. Best Common Proves.

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) can be used to inspect packets. What does this do? This allows you to inspect traffic and detect unusual or unexpected values in some fields, like for example the values in the flow label, which is expected to be 0 (zero). This allows you to inspect traffic and detect unusual or unexpected values in some fields, like for example the values in the packet header, which is expected to be 0 (zero). This allows you to inspect traffic and detect unusual or unexpected values in some fields, like for example the values in the next header, which is expected to be 0 (zero). This allows you to inspect traffic and detect unusual or unexpected values in some fields, like for example the values in the type label, which is expected to be 0 (zero).

What is the RFC for "Transmission and Processing of IPv6 Extension Headers"? RFC7045. RFC6564. RFC7145. RFC6764.

What are the IPv6 Extension Header Properties? (Choose 4). Flexible (Use is optional). Only appear once (Except Destination options). Fixed (Types and order). Processed only at endpoints (Except Hop-by-Hop and Routing). Flexible (Use is mandatory). Only appear once (Except Hop-by-hop). Processed only at endpoints (Except Destination Options and Routing). Fixed (Class and Order).

The use of EHs is optional, providing a powerful and flexible mechanism for IPv6. What does this mean? (Select 2). This means that there may be IPv6 packets with no extension header at all, with one, with two, and so on, depending on the needs. Some of these EHs will have options inside (only one option or many). Normally there are no EHs in IPv6 packets. In the Basic IPv6 header, the EHs and the upper layer header (if used), are linked using the Next Header field. This is called the “IPv6 Header Chain”. A common case would be to send the Destination Options EH for the final destination IP of the packet. The EH could also be used together with a routing header. As the routing header contains a list of IPs of where the packet should go, the destination options in the associated EH will be processed by all the nodes with these IPs.

Each type of EH can only appear once. However, there's an exception to this rule, since Destination Options can appear twice (two, no more): A common case would be to send the Destination Options EH for the final destination IP of the packet. The EH could also be used together with a routing header. As the routing header contains a list of IPs of where the packet should go, the destination options in the associated EH will be processed by all the nodes with these IPs. This means that there may be IPv6 packets with no extension header at all, with one, with two, and so on, depending on the needs. Some of these EHs will have options inside (only one option or many). Normally there are no EHs in IPv6 packets. In the Basic IPv6 header, the EHs and the upper layer header (if used), are linked using the Next Header field. This is called the “IPv6 Header Chain”.

IPv6 extension headers are processed only at endpoints (Hop-by-Hop and Routing). IPv6 performance was improved by moving packet processing complexity from the core to the edge of the Internet. We have already seen this related to the Basic IPv6 header, but EHs also contribute to this because they are only to be processed at endpoints of the communication. There are two exceptions to this. Hop-by-hop Options EH is used to carry optional information that may be examined and processed by every node along a packet's path, from its source to its destination. Routing EH is processed by all the IPv6 stacks with the IPv6 addresses included in the routing header as intermediate nodes to be “visited” before reaching the final destination. A common case would be to send the Destination Options EH for the final destination IP of the packet. The EH could also be used together with a routing header. As the routing header contains a list of IPs of where the packet should go, the destination options in the associated EH will be processed by all the nodes with these IPs.

What does the use of these IPv6 Extension Headers imply? (Select 3). Flexibility Means Complexity. Security Devices / Software must process the Full Chain of Headers. Firewalls must be able to filter based on Extension Headers. Routers must be able to forward traffic based on Extension Headers. Flexibility Means Facility. Traffic must be able to pass between nodes without any modification.

Defining new IPv6 extension headers is recommended. true. false.

What is the fragment header format order. Next Header. Reserved. Fragment Offset. Res. M. Identification.

Order the Routing Header format. Next Header. Length. Routing Type. Segments Left. Specific data of that Routing Header type.

What types of Routing Headers were deprecated. RH0(Source Route). RH1(Nimrod). RH2(MIPv6). RH3(RLP). RH4(SRH).

Why is using RH0 dangerous? It can be used to flood a path or link remotely on the internet. It can be used to get a copy of routing information from 1 or more routers on the internet. It can be used to flood a path or link locally on the internet. It can be used to get information about a path or link remotely on the internet.

What type of threat results from an attack using RH0? DDoS. DoS. MITM. Ransomware.

The solution to prevent attacks using RH0 is. Do not use RH0 or do not allow the use of it. When using RH0, the packet must be filtered to prevent invalid routing information. Validate the RH0 extended header to prevent further attacks. Use RH0 carefully.

True or false: The extension headers can also be used as a way of hiding the type of packet that is sent. False. True.

The extension headers can also be used as a way of Bypassing RA Filtering/RA-Guard. true. false.

RA-Guard looks at next header = 60. true. false.

What do I need to do to avoid attacks using fragmented NDP packets? Do not use them and do not allow them. When using them, you must configure the router to verify the information in the packet. Verify that the information in the packet must be consistent.

What is the RFC number for Neighbor discovery. RFC4861. RFC4871. RFC4681. RFC4771.

What is the RFC number for the Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard). RFC7113. RFC7123. RFC7223. RFC7213.

Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery is described in the RFC. RFC6980. RFC6780. RFC6890. RFC6790.

Select the suitable security measure to avoid attacks using RH0. Do not use RH0 and do not allow its use. Use another type of RH instead of RH0. Inspect RH0 properly.

Select the suitable security measure to avoid attacks using an Extension Header (except Fragment Header) to bypass security tools. Do not use fragmented NDP packets and do not allow their use. Header chain should go in the first fragment. Ensure that your security tools are able to inspect the header chain properly.

Select all the suitable security measures to avoid attacks using the Fragment Extension Header to bypass security tools. Two options are correct. Do not use or allow fragmented NDP packets. Header chain should go in the first fragment. Ensure that your security tools are able to inspect the header chain properly.

What do overlapping fragments consist of? IP fragment overlapping is what happens when two fragments in the same datagram have offsets indicating that they overlap each other in the same datagram. IP fragment overlapping is what happens when two fragments in various datagrams have offsets indicating that they overlap each other in the same datagram. IP fragment overlapping is what happens when two fragments in double datagram have offsets indicating that they overlap each other in the same datagram.

Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems (IDS). This is where part of an attack is sent in fragments along with additional random data. Future fragments may overwrite the random data with the remainder of the attack. If the completed datagram is not properly reassembled at the IDS, the attack will go undetected. true. false.

What are three possible uses of the fragment header as an attack vector? Overlapping fragments. Not sending last fragment. "Atomic" fragments. Not sending first fragment. Giant Fragment. Overwriting Fragments.

What is a use of overlapping fragments? An attempt to bypass Intrusion Detection System. An attempt to rewrite information between nodes. An attempt to make information unavailable.

Some operating systems do not properly handle fragments that overlap in this manner. This is the basis for the teardrop attack. true. false.

To avoid overlapping fragment attacks: when reassembling an IPv6 datagram, if one or more of its fragments are overlapping, the entire datagram (and any other fragments, including those not yet received) must be silently discarded [RFC5722]. true. false.

What is the purpose of the "not sending last fragment" attack? Memory exhaustion and stop any other communication in the other device. To avoid detected network access to other device. Incomplete communication must be resent to finish it.

According to RFC8200, what is the timer after which packets are discarded when the "not sending last fragment" attack is in use? 60 sec. 45 sec. 30 sec. 90 sec.

Select the suitable security measure to avoid attacks using overlapping fragments. Establish a timeout mechanism with a default timer of 60 seconds. The fragments should be processed in isolation from any other fragments and packets. The entire datagram must be silently discarded.

Select the suitable security measure to avoid the "not sending last fragment" threat. Establish a timeout mechanism with a default timer of 60 seconds. The fragments should be processed in isolation from any other fragments and packets. The entire datagram must be silently discarded.

Select the suitable security measure to avoid attacks using "Atomic" fragments. After 60 seconds, the packet must be discarded. The fragments should be processed in isolation from any other fragments and packets. The entire datagram must be silently discarded.

Match the options correctly. Use Routing Header type 0. Bypass security tools using any type of Extension Header. Overlapping fragment. Not sending last fragment. Atomic fragments. Bypass security tools using fragment header.

Please match the threat against the solution and reference. Use RH0. Bypass security tools using any type of EH. Bypass security tools using fragment header. Overlapping fragments. Not sending last fragment. "Atomic" Fragments.

Match threat against reference. Use RH0. Bypass security tools using any type of EH. Bypass security tools using fragment header. Overlapping fragments. Not sending last fragment. "Atomic" Fragments.

Please match the correct mode for IPsec. Protect the communication end-to-end. Protect only the upper layers. Protect the communication only between two intermediate nodes. Protect the full original packet. The traffic will go unprotected until it reaches the nearest IPsec enabled node.

IPsec is embedded in the IPv6 protocol, using two specific extension headers, one for each security protocol used by IPsec: Authentication Header (AH). Encapsulating Security Payload (ESP). Virtual Private Network (VPN). Internet Key Exchange (IKE).

What is the RFC for "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)". RFC8221. RFC4301. RFC7331. RFC7231.

IPsec shares the same characteristics for IPv6 and IPv4. What is the main difference? The main difference is that in IPv4 it is an added layer on top of IPv4, while in IPv6 it is part of the basic protocol's definition and uses two extension headers. The main difference is that in IPv6 it is an added layer on top of IPv6, while in IPv4 it is part of the basic protocol's definition and uses two extension headers. The main difference is that in IPv4 it is an added layer on top of IPv4, while in IPv6 it is part of the basic protocol's definition and uses three extension headers. The main difference is that in IPv6 it is an added layer on top of IPv6, while in IPv4 it is part of the basic protocol's definition and uses two extension headers.

Mutable fields are. bits that can change in transit. bits that should not change in transit.

A hash function is an algorithm that converts a variable length string input into a fixed size value output called a hash value. The output is normally smaller than the input. The hash functions have the following properties: The produced hash value should have a low probability of having the same output for two different inputs. If you reuse the same input many times, the hash function output will always be the same. The function is deterministic. It is a one way function. It’s nearly impossible to reverse the process and discover the input based on the hash value. The produced hash value should have a low probability of having the same input for two different outputs. If you reuse the same input many times, the hash function output will always be the same. The function is probabilistic. It is a one way function. It’s nearly impossible to reverse the process and discover the output based on the hash value.

IPsec uses a hash function to calculate an Integrity Check Value (ICV). The hash function uses the unchanging bits of the packet as an input to produce the ICV. This ICV is added to the IPv6 packet and sent to the destination. When the packet arrives at its destination, the same bits are used again as an input to produce a hash value. This value is compared to the ICV. What happens when the values do not match? The destination can then choose whether or not to drop these packets. The source can then choose whether or not to drop these packets. The destination can then to drop these packets. The destination can then do not to drop these packets.

By using the Encapsulating Security Payload [RFC4303], confidentiality and integrity services can be offered by the IP layer. What is the difference between ESP and AH? When using ESP. The confidentiality service is offered by encrypting the content of the packet (starting at the ESP header). When using AH. The confidentiality service is offered by encrypting the content of the packet (starting at the AH header).

In ___________ mode, IPsec is applied to IP packets tunnelled between two intermediate systems. Tunnel. Transport. ESP. AH.

In ___________ mode, IPsec protects the communication from end to end. Transport. Tunnel. ESP. AH.

Authentication Header... provides integrity and this security protocol is mandatory. provides integrity and this security protocol may be implemented. provides integrity and confidentiality, and this security protocol must be implemented. provides confidentiality and this security protocol may be implemented.

Encapsulating Security Payload... provides integrity and this security protocol may be implemented. provides confidentiality, without integrity, so is recommended. provides integrity and confidentiality, and this security protocol may be implemented. provides integrity and confidentiality, and this security protocol must be implemented.

Which of the following options can be used to generate “stable” IIDs for SLAAC? Two options are correct. Modified EUI-64. Temporary pseudo-random. DHCPv6. Stable, semantically opaque. Manually.

To find a host's IPv6 address, you need to know two things: Network Prefix. Interface ID. Router ID. VlanID.

Please select the correct description. Sequential address. Address based on service port number. Traceroute6. Address based on Modified EUI-64. Common patterns in addressing plans. DNS Reverse resolution. Address containing words. Traffic Snooping. DNS Direct Resolution.

What are other IID generation options? (Select two). Cryptographically Generated Addresses (CGAs). Hash-Based Addresses (HBA). Multihoming Shim Protocol for IPv6 (SHIM6). Secure Neighbour Discovery (SEND).

What are three characteristics of semantically opaque IIDs. We should consider the 64 bits of an IID an “opaque” identifier, with no structure, meaning, or value. This simplifies some previous standards definitions, like bits u and g, that now can have any value we want, unless we use Modified EUI-64. A different IID will be generated for each interface connected to the same network prefix. It won’t be related to any fixed interface identifier, but will always be the same when the interface connects to the same network prefix. It is a good compromise between privacy and stability. The method defined in RFC7217 is recommended by the standards as the default method used for stable addresses generated using SLAAC [RFC8064]. It’s becoming the most used, so you may see it in your OS. We should consider the 64 bits of an IID an “opaque” identifier, with no structure, meaning, or value. This simplifies some previous standards definitions, like bits u and g, that now can have any value we want, unless we use EUI-64. The method defined in RFC7327 is recommended by the standards as the default method used for stable addresses generated using SLAAC [RFC8604]. It’s becoming the most used, so you may see it in your OS.

To find a host's IPv6 address, you need to know two things: Network Prefix (or Network ID or Subnet ID). Interface ID (IID). Neighbour Discovery Protocol (NDP). Network IP Scanner.

What are three methods of network prefix determination? common patterns. DNS. Traceroute6. Ping sweep. Mac Addresses. IPv6 address guessing.

There are several ways to guess IIDs. Please select the method and how it is defined. EUI-64. Low-bits / Trivial (::1). IPv4-Based. Service port. Wordy address. Sequential.

There are several ways of locally scanning IPv6 networks. If the attacker has access to a network's link, it is possible to discover used addresses using techniques like: Traffic Snooping. Dual-Stack. Routing Protocols. Local Protocols. Local Scanning.

How can you make it more difficult for an attacker to scan your IPv6 network? Which of the following options do you think are good security practices? Avoid using IIDs that are easy to guess. Use mechanisms that can detect specific scanning patterns. Generate random IIDs. Be careful not to leak routing and therefore addressing information. All of the above.

The requirements for IPv6 network configuration are: Should be plug and play without manual intervention. No requirement to keep track of hosts (which ones or their addresses). No special filtering requirements. The company's global filtering policy for IPv6 will be used for filtering: outgoing connections are allowed by default, incoming connections are only allowed for replies to outgoing connections and specific messages like "ICMPv6 packet too big", for example. What option would you recommend for the scenario described above?. Manual configuration of assigned address, gateway and DNS server for each device. SLAAC with all the information on the RA (gateway, IPv6 prefix, DNS server). Stateless DHCPv6, with RAs providing gateway and IPv6 prefix, and DHCPv6 providing DNS and NTP server. Stateful DHCPv6, with RAs providing gateway and DHCPv6 providing IPv6 address, DNS and NTP server.

The requirements for IPv6 network configuration are: Should be plug and play, because of the large number of hosts. It is required to assign known fixed addresses to each device. Filtering requirements only allow specific protocols (DNS, HTTP/HTTPS, IMAP/POP3, NTP, etc.) and others can be allowed through request (deny all is the default configured in the firewall), in addition to the global filtering policy for IPv6: All outgoing connections allowed by default, incoming connections only allowed as replies to outgoing connections and specific messages like ICMPv6 packet too big, etc. What option would you recommend for the scenario described above?. Manual configuration of assigned address, gateway and DNS server for each device. SLAAC with all the information on the RA (gateway, IPv6 prefix, DNS server). Stateless DHCPv6, with RAs providing gateway and IPv6 prefix, and DHCPv6 providing DNS and NTP server. Stateful DHCPv6, with RAs providing gateway and DHCPv6 providing IPv6 address, DNS and NTP server.

The requirements for IPv6 network configuration are that: This is critical infrastructure where you do not want unexpected changes in the configuration and you need to assign a fixed address to each server. These fixed addresses are the ones made available to clients using DNS. Strict filtering rules exist in the firewall to access the servers, allowing only specific protocols on specific addresses, for example HTTP/HTTPS only for one specific IPv6 address configured in a web server. What option would you recommend for the scenario described?. Manual configuration of assigned address, gateway and DNS server for each device. SLAAC with all the information on the RA (gateway, IPv6 prefix, DNS server). Stateless DHCPv6, with RAs providing gateway and IPv6 prefix, and DHCPv6 providing DNS and NTP server. Stateful DHCPv6, with RAs providing gateway and DHCPv6 providing IPv6 address, DNS and NTP server.

What are ICMPv6 error messages? (Select 4). Destination Unreachable. Packet Too Big. Time Exceeded. Parameter Problem. Echo Request. Echo Reply. Neighbour Discovery Protocol. Multicast Listener Discovery.

What are two formats of ICMPv6. General. Extended. Short. Long. Structured.

What are the fields of ICMPv6 General Format. Type, Code, Checksum, Message Body. Type, Length, Code, Message Body. Code, Checksum, Type, Extended Structure. Type, Length, code, Extended Structure.

Please select the correct order of the Destination Unreachable Errors. No route to destination. Communication with destination administratively prohibited. Beyond scope of source address. Address Unreachable. Port Unreachable. Source address failed ingress/egress policy. Reject route to destination. Error in Source Routing Header.

What are two time exceeded errors? Hop Limit Exceeded in Transit, Packet too big. Hop Limit Exceeded in Transit, Fragment reassembly Time Exceeded. Packet too Big, Fragment reassembly Time Exceeded. Hop Limit Exceeded in Transit, Erroneous Header Field Encountered.

Please select the correct order of Parameter Problem ICMPv6 Error (Parameter=offset to error). Erroneous Header Field Encountered. Unrecognized Next Header Type. Unrecognized IPv6 Option. IPv6 First Fragment has incomplete IPv6 Header Chain.

In IPv6, smurf is a DDoS attack that consists of: Send to a local network messages with origin the IPv6 address of the victim and destination multicast address to all nodes like ff02::1. Send to a local network messages with origin the IPv6 address of the victim and destination broadcast address of that network. Send to a local network messages with origin the IPv6 address of the victim and destination multicast address for that network. Send to a local network messages with origin the IPv6 address of multicast address to all nodes ff02::1 and destination the address of the victim.

Select the measures for IPv6 security issues related to ICMPv6. Two answers are correct. Filter ICMPv6 as you filter ICMPv4. Filter ICMPv6 carefully. ICMPv6 error messages must be sent in response to receiving a packet destined to a multicast address. Send an Echo Reply when receiving an Echo Request sent to a multicast address as a destination. If an ICMPv6 informational message of unknown type is received, it must be silently discarded.

Select the option that only contains ICMPv6 error messages. Destination unreachable, Packet too big, Erroneous IP packets, Parameter problem. Echo request, Echo reply, NDP, MLD. Destination unreachable, Packet too big, Time exceeded, Parameter problem. Multicast traffic, Erroneous IP packets, NDP, MLD.

If you filter all ICMPv6, as you can do with ICMP for IPv4, … you will always have communication. communication will never work. it works because protocols like NDP or MLD don’t use ICMPv6.

No ICMPv6 error messages should be sent in response to... receiving a packet destined to a multicast address. an IPv6 multicast or anycast address. a packet whose source address uniquely identifies a single node.

Match each NDP message type with its purpose. Neighbor Solicitation. Neighbor Advertisement. Router Solicitation. Router Advertisement. Redirect.

NDP specification mentions IPsec as a possible security solution, but in practice it is not used. This is because of its complexity and the need of a PKI (Public Key Infrastructure), which is not widely used. This is because the implementation is very complex and needs specialized personnel. It's not very widely used because it is expensive.

SEND (Secure Neighbor Discovery) is. to provide a solution to NDP security problems. to make an alternative to NDP. to integrate IPsec to NDP.

What are three threats of NDP? Neighbor Solicitation/Advertisement Spoofing. Neighbor Unreachability Detection (NUD) Failure. Duplicate Address Detection (DAD) DoS Attack. Cam Table spoofing. IPv6 address spoofing resolution.

The first attack on NDP is Neighbor Solicitation (NS) or Neighbor Advertisement (NA) Spoofing [RFC3756]. It can be achieved through: Sending NS. Sending NA. Sending RA. Sending RS.

The first attack on NDP is Neighbor Solicitation (NS) or Neighbor Advertisement (NA) Spoofing [RFC3756]. It is used to achieve: Redirection attack. DoS attack. Ransomware attack. DDoS attack.

In this exercise, test your knowledge about different attacks on NDP based on NS/NA messages. Select the correct statements. Two answers are correct. Almost all the attacks related to NDP need local access to the network by the attacker. Neighbor Solicitation/Advertisement Spoofing can be done sending NS with "target link-layer" option changed. Neighbor Unreachability Detection failure can be used to create a MITM attack. Duplicate Address Detection attack can be used as a DoS attack because the victim can’t use any addresses.

First Hop Security (FHS) are security mechanisms for IPv6 implemented on switches. This means layer 2 devices looking at upper layer information. It is called 'first hop' because switches are usually the first device nodes are connected to. RA-GUARD. DHCPv6 Guard / DHCPv6 Shield. IPv6 Snooping (ND inspection + DHCPv6 Snooping). IPv6 Source / Prefix Guard. IPv6 Destination Guard (or ND Resolution rate limiter). MLD Snooping. All of the above. None.

RS/RA Threats: The four NDP threats you will see in this section are: Malicious Last Hop Router. Bogus On-Link Prefix. Bogus Address Configuration Prefix. Parameter Spoofing. Link-Address Detection. MAC Address Spoofing. Bogus Address Layer.

The Malicious Last Hop Router attack [RFC3756] uses rogue RA messages to achieve a redirection or a DoS. What is the malicious last hop router attack? The attacker (with access to the link) pretends to be a router for the hosts in the network, specifically to become the default gateway. Once accepted as a legitimate router, the attacker could send Redirect messages to hosts and then disappear, covering their tracks. The attacker (with access to the link) sends an RA message including a prefix for address autoconfiguration, and all the corresponding flags set to the right values (A=1, M=0). Another attack that uses RA messages. This threat can result in a DoS attack as the destination address(es) are not reachable. The attacker (with access to the link) sends out a valid-seeming RA that duplicates the RAs from the legitimate default router, except the included parameters that are designed to disrupt legitimate traffic.

In this exercise, you can test your knowledge about different attacks based on RS/RA messages. Select the correct statements. Two answers are correct. Parameter Spoofing is a NDP threat based in NA and/or NS messages. Bogus Address Configuration Prefix is a DoS attack. During Malicious Last Hop Router attacks, the attacker pretends to be a router for the hosts in the network, to become the default gateway. Bogus On-Link Prefix is a MITM attack because the destination address is not reachable.

Drag each NDP attack to the corresponding type, whether it is based in NA and/or NS messages or based in RS and/or RA messages. NS Spoofing. Bogus Address Configuration Prefix. Unsolicited NA. Rogue RA. NUD Failure. Malicious Last Hop Router. Parameter Spoofing. DAD DoS Attack. Bogus On-Link Prefix.

Select the correct statements. Three answers are correct. Neighbor Discovery DoS attacks can be made from outside the local network. First Hop Security are security mechanisms for IPv6 implemented on switches. Parameter Spoofing is an attack based in Redirect messages. Rogue Router Advertisements can be generated by mistake or wrong configuration or by an attacker. SEND is a Rogue RA solution widely used.

You receive a report with the following information about what was discovered by the IT support team: The hosts were not able to access some external services, while others were working normally. DNS resolution was working fine. Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. What do you think was the cause of the problem? Select the correct option. The users changed the network configuration. NA message sent on the link by an attacker or by error. RA message sent on the link by an attacker or by error. Redirect message sent on the link by an attacker or by error.

You receive a report with the following information about what was discovered by the IT support team: The hosts were not able to access some external services, while others were working normally. DNS resolution was working fine. Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. What would be your recommendation to avoid this problem in the future? Select the correct option. Use DHCPv6 to configure the hosts on that link to avoid RAs. Use RA-guard on the switch to filter out rogue RAs. Use MLD Snooping on the switch to protect against multicasted traffic. Implement SEND on that link to protect NDP messages.

Please select the correct threat. Neighbor Solicitation/Advertisement Spoofing (Unsolicited NA). Neighbor Unreachability Detection (NUD) failure. Duplicate Address Detection (DAD) DoS Attack. Rogue Router Advertisements. Malicious Last Hop Router. Bogus On-Link Prefix. Bogus Address Configuration Prefix. Parameter Spoofing.

Please select the correct option. RA-Guard. IPv6 Snooping. IPv6 Source/Prefix Guard. IPv6 Destination Guard. Link Monitoring. SEND. Host Packet Filtering. Router Preference Option. ACLs on Switches. RA Snooping on Switches (RA-Guard).

Match each NDP message type with its purpose. Neighbor Solicitation. Neighbor Advertisement. Router Solicitation. Router Advertisement. Redirect.

Select the correct statements. Two answers are correct. Parameter Spoofing is an NDP threat based on NA and/or NS messages. Bogus Address Configuration Prefix is a DoS attack. During Malicious Last Hop Router attacks, the attacker pretends to be a router for the hosts in the network, to become the default gateway. Bogus On-Link Prefix is a MITM attack because the destination address is not reachable.

There are many ways of protecting your network from rogue RAs [RFC6104]. Some of the possible solutions are: Link Monitoring, SEND, Manual Configuration, Host-Based Packet Filters, Router Preference Option, ACLs (Access Control Lists) on Managed Switches, and RA Snooping on Switches. Link Monitoring. Secure Neighbor discovery. Manual Configuration. Host-Based Packet Filters. Router Preference Option. ACLs on Managed Switches. RA Snooping on Switches.

What is Stateless RA-Guard. Decisions are based on examination of received RA message or in the switch static configuration. The switch first learns dynamically where the router is and then allows RAs to be received from authorised sources learned in that period.

What is Stateful RA-Guard. Decisions are based on examination of received RA message or in the switch static configuration. The switch first learns dynamically where the router is and then allows RAs to be received from authorised sources learned in that period.

The main difference when filtering for IPv6 will be: When using ICMPv6. When using extension headers.

Select correctly. The goal of a Spoofed Redirect Message [RFC3756] is to change a host's routing table by introducing a malicious route. It could become a DoS attack, or even a redirect attack, depending on the next hop used. Another NDP threat is the so-called Neighbor Discovery DoS Attack [RFC3756]. This attack is important because it can be made from outside the local network. This makes this threat different from all the other ones we have seen related to NDP. The goal of this attack is to block legitimate traffic on the target network.

Select the correct statements. Three answers are correct. Neighbor Discovery DoS attacks can be made from outside the local network. First Hop Security are security mechanisms for IPv6 implemented on switches. Parameter Spoofing is an attack based on Redirect messages. Rogue Router Advertisements can be generated by mistake or wrong configuration or by an attacker. SEND is a Rogue RA solution widely used.

Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. Select the correct option. The users changed the network configuration. NA message sent on the link by an attacker or by error. RA message sent on the link by an attacker or by error. Redirect message sent on the link by an attacker or by error.

Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. What would be your recommendation to avoid this problem in the future? Select the correct option. Use DHCPv6 to configure the hosts on that link to avoid RAs. Use RA-guard on the switch to filter out rogue RAs. Use MLD Snooping on the switch to protect against multicasted traffic. Implement SEND on that link to protect NDP messages.

Multicast Listener Discovery (MLD) is a protocol used by IPv6 routers to discover two things: The presence of multicast listeners, i.e., nodes wishing to receive multicast packets, on its directly attached links. Which multicast addresses the listeners are interested in. The presence of multicast listeners, i.e., nodes wishing to receive multicast packets, on its remotely attached links. Which multicast addresses the listeners are not interested in.

Because even if we are not using IPv6 multicast routing: In general, multicast is used much more in IPv6 than in IPv4 as a substitute of broadcast. All IPv6 nodes have several multicast addresses configured on each interface. MLD is required by NDP [RFC4861] and “IPv6 node Requirements” [RFC8504]. It is implemented by all IPv6 stacks, enabled by default, and it is not usually possible to disable it. IPv6 nodes (hosts and routers) are required to use it when joining a multicast group. Each time a node joins one multicast group, it sends one or more MLD Report messages to the link, specifically for the Solicited Node Multicast addresses. In general, multicast is used much more in IPv6 than in IPv4 as a substitute of unicast. All IPv6 nodes have several multicast addresses configured on each interface. MLD is required by NDP [RFC4861] and “IPv6 node Requirements” [RFC8504]. It is implemented by all IPv6 stacks, enabled by default, and it is usually possible to disable it. IPv6 nodes (hosts and routers) are required to use it when joining a multicast group. Each time a node joins one multicast group, it sends one or more MLD Report messages to the link, specifically for the all Nodes Multicast addresses.

There are three types of ICMPv6 messages used by MLDv1 [RFC2710]: Query, Report, Done. Query, Solicit, Done. Query, Report, Answer. Request, Solicit, Done.

MLDv2 supports two types of "filter modes". Include filter. Exclude filter.

Lightweight MLDv2 [RFC5790] is a simplified subset of the original MLDv2 specification that. omits exclude filter mode to specify the undesired source(s). omits include filter mode to specify the undesired source(s). omits exclude filter mode to specify the undesired destination(s). omits include filter mode to specify the undesired destination(s).

Multicast Listener Query (ICMPv6 type 130) has three subtypes of message: General Query. Multicast Address Specific Query. Multicast Address and Source Specific Query.

Version 2 Multicast Listener Report (ICMPv6 type 143) is sent: To the IPv6 destination address FF02::16 (link-scope all MLDv2 capable routers multicast). Sent twice or more times to be sure of the delivery. By all MLDv2 IPv6 nodes when joining a multicast address, specifically for the Solicited Node Multicast addresses (State Change Report), or as an answer to a Query message (Current State Report). To the IPv6 destination address FF02::116 (link-scope all MLDv2 capable routers multicast). Sent one time to be sure of the delivery. By all MLDv2 IPv6 nodes when leaving a multicast address, specifically for the Solicited Node Multicast addresses (State Change Report), or as an answer to a Query message (Current State Report).

Select the correct option about MLDv2 in IPv6. MLDv2 is no longer mandatory and it only uses two types of messages. MLDv2 is no longer mandatory and it uses three types of messages. MLDv2 is mandatory and it only uses two types of messages. MLDv2 is mandatory and it uses three types of messages.

Please select the correct option. Router asks if a specific multicast group has listeners on the group. Router periodically queries all multicast groups that have listeners on the link. It is sent to report about a change on its listening state. It is sent in response to periodic General queries sent by routers.

What are three different MLD threats: Flooding of MLD messages. Traffic amplification. Network scanning. Traffic reflection. Port scanning. Sniffing of MLD messages.

Please select the problem and its solution. Based on sending lots of MLD Report messages, the attacker can exhaust the RAM or CPU of a router, causing a DoS attack. An attacker can send generic Query messages with the router's address spoofed as the source address. This makes the hosts send Report messages to the router (usually several) for each multicast address they have configured. Another malicious use of MLD is network scanning to find out what nodes are connected to a link. Network scanning can be made in a passive or active way.

In the flooding of MLD messages, the attacker... sends a query with the router's address spoofed as a source address. sniffs MLD messages on the link and tries to identify, e.g. hosts or routers. can exhaust the RAM or CPU of a router (based on sending report messages). sends query messages and listens to the report messages.

In the traffic amplification threat, the attacker... can send a query message with the address of the router spoofed as a source address. sniffs MLD messages on the link and tries to identify, e.g. hosts or routers. exhausts the RAM or CPU of a router (based on sending report messages). sends query messages and listens to the report messages sent.

In the passive network scanning threat, the attacker... sends a query with the address of the router spoofed as a source address. sniffs MLD messages on the link and tries to identify hosts or routers. exhausts the RAM or CPU of a router (based on sending report messages). sends query messages and listens to the report messages sent.

In the active network scanning threat, the attacker... sends a query with the address of the router spoofed as a source address. sniffs MLD messages on the link and tries to identify, e.g. hosts or routers. exhausts the RAM or CPU of a router (based on sending report messages). sends query messages and listens to the report messages sent.

Match each MLD security option with the corresponding security measure. MLD snooping. Protection on switches. Built-in MLD features. Protection on routers.

To outline the IPv6 security details of MLD and its importance for IPv6. MLD is: A multicast related protocol, used on the local link. A protocol required by NDP and “IPv6 node Requirements”. Used by IPv6 nodes (hosts and routers) when joining a multicast group. An optional protocol by NDP and “IPv6 node Requirements”. Used by IPv6 nodes (hosts and routers) when leaving a multicast group.

Please drag and drop to respective MLD version. It is no longer mandatory in all IPv6 Nodes. It uses three types of messages: Query, Report and Done. It is mandatory in all IPv6 Nodes. Compatible with MLDv1, requiring all hosts to use MLDv1. It only uses two types of messages: Query and Report-v2.

How to identify MLD security issues and choose a suitable and available security measure for: Threat and Solution. Flooding of MLD messages. Traffic amplification.

How to identify MLD security issues and choose a suitable and available security measure for: Threat and Description. Flooding of MLD messages. Traffic amplification.

To outline other MLD security features and measures, such as: Built-in MLD security: link local source address only; Hop Limit = 1; Router alert option in Hop-by-Hop EH. only allows multicast traffic on switch ports with listeners. only allows queries in the port where the router is connected using filtering/ACLs. rate limit reports from each host or disable multicast/MLD functionality if not needed.

To outline other MLD security features and measures, such as: MLD snooping: link local source address only; Hop Limit = 1; Router alert option in Hop-by-Hop EH. only allows multicast traffic on switch ports with listeners. only allows queries in the port where the router is connected using filtering/ACLs. rate limit reports from each host or disable multicast/MLD functionality if not needed.

To outline other MLD security features and measures, such as: MLD protection on switches: link local source address only; Hop Limit = 1; Router alert option in Hop-by-Hop EH. only allows multicast traffic on switch ports with listeners. only allows queries in the port where the router is connected using filtering/ACLs. rate limit reports from each host or disable multicast/MLD functionality if not needed.

To outline other MLD security features and measures, such as: MLD protection on routers: link local source address only; Hop Limit = 1; Router alert option in Hop-by-Hop EH. only allows multicast traffic on switch ports with listeners. only allows queries in the port where the router is connected using filtering/ACLs. rate limit reports from each host or disable multicast/MLD functionality if not needed.

There are two ways for the attacker to become the victim's DNS server, using. NDP threats. Autoconfiguration. Poisoning DNS Cache. Redirecting DNS traffic to a fake DNS server.

In this way, depending on the answers given by the attacker to DNS queries, services can be exposed to a: Service MITM attack (or service hijack). Service DoS Attack.

Other name resolutions protocols. DNS Service Discovery (DNS-SD). Multicast DNS (mDNS). LLMNR (Link Local Multicast Name Resolution).

Select the correct option regarding IPv6 attacks to DNS service. There is no way of attacking the DNS with IPv6. The attacker can become the victim’s DNS server using NDP threats or autoconfiguration mechanisms. Using autoconfiguration, the attacker is the real destination when a victim sends a packet to the legitimate DNS server’s IP. In the MITM attack, the attacker does not answer DNS queries from the victim.

Select the correct options that complete the statement. Two answers are correct. "Once the attacker becomes the victim's DNS server, the attack to DNS can be a ...". DoS attack. Smurf attack. Dual Stack attack. MITM attack.

There are some IPv6 security issues for DNS: 1. An attacker can become the victim's DNS server using NDP attacks (Neighbor Cache Poisoning) and autoconfiguration mechanisms (SLAAC or DHCPv6). 2. The attack to the DNS service can be a MITM or a DoS attack, depending on the attacker answering the victim’s DNS queries or not. 3. The security solutions to these threats are the ones that can be used to secure NDP, SLAAC, and DHCPv6. 1 and 2 are correct. 2 and 3 are correct. all are correct.

For DHCPv6, please match each allocation strategy with its description. Iterative allocation. Identifier-based allocation. Hash allocation. Random allocation.

For DHCPv6, please match each allocation strategy with its privacy implication. Iterative allocation. Identifier-based allocation. Hash allocation. Random allocation.

How to identify security solutions for DHCPv6, namely: IPsec (ESP) to protect communications between relay and servers, and between relays. Secure DHCPv6, which includes Authentication of the DHCPv6 client and server, and Encryption between them. This option is not fully standardised nor available. DHCPv6-Shield and DHCPv6 Guard, mechanisms implemented on switches (layer 2 devices) which protects the hosts connected against rogue DHCPv6 servers. all of above. none.

How to identify DHCPv6 threats, particularly the Rogue DHCPv6 server, where the attacker will answer a client's queries as a legitimate server. About this attack: It can be used to send wrong information to the victim: DNS server address, IPv6 address, or any other DHCPv6 option. In order to be sure it succeeds, the attacker can try to use the DHCPv6 Exhaustion attack. The attacker has two ways of becoming a Rogue DHCPv6 server: simple attack or DHCP Reply Injection. all of above. none.

What is the correct order to obtain an IPv6 address. Solicit. Advertise. Request. Reply.

Select the correct statements about DHCPv4 and DHCPv6. Three answers are correct. DHCPv6 doesn't provide a default gateway. DHCPv4 doesn't use UDP for their messages. The names of DHCPv6 messages are different from the DHCPv4 names. DHCPv6 uses DUID instead of the MAC address to identify servers and clients. Only DHCPv4 is a client-server service.

DHCPv6 uses well-known IPv6 multicast addresses. When clients want to find a server or relay, there is no need to know their exact IPv6 unicast address. They just have to send the message to one of the well-known multicast addresses, such as: Both servers and relays listen on this link-local scope multicast address. This address is used by the client to reach a server or relay listening on the same link. Servers listen on this site-local scope multicast address. It is used by relays to reach servers within the site infrastructure. Usually, the DHCPv6 server's unicast address is configured in the relay that doesn’t use this multicast address to reach the server.

The attacker has two ways of becoming a Rogue DHCPv6 server: Simple Attack. DHCP Reply Injection.

DHCPv6 Security solutions. Secure DHCPv6. DHCPv6-Shield.

Select the correct statements related to DHCPv6 security. Three answers are correct. IPsec should be used between relay agents and servers, specifically ESP in transport mode. The Secure DHCPv6 is a mechanism for using public key cryptography to protect end-to-end communication between DHCP clients and servers. The Secure DHCPv6 provides security on the Authentication of the DHCPv6 client and server, but not on the Encryption between them. DHCPv6-Shield protects servers but it doesn't protect clients. DHCPv6-Shield is a mechanism for protecting hosts connected to a switched network against rogue DHCPv6 servers.

There are some similarities and some differences between DHCPv4 and DHCPv6. Drag each sentence to the respective box, depending on whether it is a common feature of DHCPv4 and DHCPv6, or exclusive to DHCPv6. Uses UDP for messages. Doesn't provide a default gateway. Uses Relay. Uses DUID. Possibility to delegate IPv6 prefixes. Client-server service.

Match the different allocation strategies with their privacy implications. Iterative allocation. Identifier-based allocation. Hash allocation. Random allocation.

In a Rogue DHCPv6 server attack... the attacker answers as a legitimate server to a client's queries. the client receives wrong information, including the default gateway.

The Rogue DHCPv6 server attack can be used to... send a wrong DNS server address and a solicit message to the victim. send a wrong DNS server address and a fake IPv6 address to the victim.

In the simple attack, the attacker becomes a Rogue DHCPv6 server sending... Reply messages with tailor made parameters. Advertise messages to Solicit requests from clients.

Both DHCPv6 Shield and DHCPv6 Guard... provide security to DHCPv6’s clients and servers, authenticating clients and encrypting communications between them. are a mechanism which protects hosts connected to a switched network against rogue DHCPv6 servers.

IPv6 Routing Protocols: four ways to improve their security. Authenticating the neighbours/peers. Securing routing updates. Using route filtering. Router hardening.

There are also general routing security practices, but those are the same for IPv4 and IPv6, such as: Performing IPv6 filtering at the perimeter. Using ingress filtering [RFC2827 (BCP38)] [RFC3704 (BCP84)] throughout the network. Using egress filtering [RFC2827 (BCP38)] [RFC3704 (BCP84)] throughout the network. Performing IPv6 filtering at network interfaces.

For routing protocols please select the most appropriate. RIPng. OSPFv3. IS-IS. MBGP.

Drag each security option to the corresponding IPv6 routing protocol. Authentication trailer. TCP-AO. IPsec. HMAC-SHA.

Routing protocols for IPv6 have different security options available and you should use them as much as possible. Select all the correct statements related to neighbours/peers authentication. Three answers are correct. RIPng is not recommended for high-security environments. The use of MD5 is recommended for IS-IS protocol. TCP-AO protects TCP and it's recommended for MBGP protocol. OSPFv3 can use IPsec for authentication between neighbours.

Communication between two IPv6 nodes, including routers exchanging routing information, can be encrypted. Select the correct option related to securing routing updates between IPv6 routers. IPsec is a general solution for IPv6 communication and it's widely used. OSPFv3 must use ESP to encrypt the OSPFv3 payload to hide the routing information. Other routing protocols, such as RIPng, have several options available to encrypt the packets exchanged between routers. In a protocol such as OSPFv3 where adjacencies are formed on a one-to-many basis, IPsec key management is easy to maintain.

Based on the security features available for the different IPv6 routing protocols, what would be the recommended option? Select the best option. RIPng. OSPFv2. OSPFv3. IS-IS.

Below you will find a summary table with the authentication options for each protocol and some considerations related to it. RIPng. OSPFv3. IS-IS. MBGP.

You can see the IPv6 multicast addresses that your Linux host is using by running the ip command:

root@hostA:~# ip -6 mad
1: lo
    inet6 ff02::1
    inet6 ff01::1
10: eth0
    inet6 ff02::1:ffee:a users 2
    inet6 ff02::1 users 2
    inet6 ff01::1

Do you recognise the types of multicast addresses used for eth0 by our Linux host in the labs? There are three correct answers. All-routers, with link scope. All-nodes, with link scope. All-routers, with interface scope. Solicited-Node multicast address, with link scope. All nodes, with interface scope.

After you have analysed the received Report messages, you should be able to make a list of hosts that are connected to the link and the multicast IPv6 addresses they are listening to. How many nodes are reporting multicast IPv6 addresses?. 2. 3. 4. 5.

How many different multicast IPv6 addresses are reported in total by all nodes?. 4. 5. 6. 7. 8.

Which multicast addresses have been reported by the nodes on the link? Choose the three correct answers. ff02::16. ff02::1:ffee:b. ff02::1. ff02::2. ff02::1:ff00:1.

Which statements are true? Two answers are correct. Packet filtering is applied on firewalls but cannot be applied on routers. Filtering in IPv6 is not as important as it was in IPv4. Because of Global Unicast Addresses, filtering in IPv6 is the way to protect from unwanted traffic. Filtering in IPv6 has many things in common with filtering in IPv4, so common best practices could be used.

ICMPv6 Match each message type to the correct action. Type 2 Packet too big. Type 128 Echo Reply. Type 134 Router Advertisement. Type 137 Redirect.
