
IPv6-Unidad4

Test title:
IPv6-Unidad4

Description:
RIPE preparation

Author:
AVATAR

Creation date:
22/05/2022

Category:
Other

Number of questions: 61
Syllabus:
Some ideas to consider about IPv6 packet filtering: Much more important in IPv6 Common IPv4 practices New IPv6 considerations.
Which statements are true? Two answers are correct. Packet filtering is applied on firewalls but cannot be applied on routers. Filtering in IPv6 is not as important as it was in IPv4. Because of Global Unicast Addresses, filtering in IPv6 is the way to protect from unwanted traffic. Filtering in IPv6 has many things in common with filtering in IPv4, so common best practices could be used.
Filtering rules for ICMPv6 will depend on: Where you apply the filtering rules, for example on a router, a firewall, or a host/server. What are you trying to protect, for example, an end host, a site, or a transit site like an ISP network. If you are filtering traffic that passes through the filter or has as destination the filtering device. If you are filtering traffic that passes through the VPN device or has as destination the VPN device. If the traffic is passing through a server, for example on a web server, a database server, an email server.
Below are descriptions of general filtering recommendations for ICMPv6. Allow Allow for troubleshoot and services Allow if MLD or NDP goes through FW Not Allow.
Match each message type to the correct action. Allow Allow for troubleshoot and services. Rate limit. Allow if NDP goes through FW. Not allow.
Firewalls should be able to... ...recognise and filter by EH. ...follow the chain of headers. ...not allow forbidden combinations of headers.
Filtering IPv6 Fragments. Drag and Drop attack and description Upper layer information not in the first fragment Fragments inside fragments Fragmentation inside a tunnel.
Filtering IPv6 Fragments. Drag and Drop attack and Solution Upper layer information not in the first fragment Fragments inside fragments Fragmentation inside a tunnel.
The following table [retrieved from RFC7123] shows how to filter each type of the most common transition mechanisms, all of them based on tunnelling IPv6 traffic inside IPv4. Drag and Drop Technology and Filtering rules Native IPv6 6in4; 6to4; 6RD; ISATAP 6in4(GRE) 6in4 (6-UDP-4) Teredo Tunnel Broker with TSP AYIYA.
Which statements are true? Two answers are correct. ICMPv6 filtering can be configured the same way as it is for ICMPv4. There’s no need for extra care when filtering. Filtering IPv6 traffic in the data plane is a powerful tool to protect your IPv6 network. Firewalls should be able to allow forbidden combinations of Extension Headers. In dual-stack networks you need to filter two protocols, using an equivalent set of rules that you should keep over time.
Match the following possible solutions to the use of the fragment header as an attack vector. Upper layer information not in first fragment Fragments inside fragments Fragmentation inside a tunnel.
So, the IPv6 traffic going through the new firewall needs to be properly filtered. Which of the following IPv6 requirements would you recommend? Select the six correct answers. Filtering ICMPv6 messages by type and code Rate limiting ICMPv6 echo request/reply Filtering Neighbor Discovery Protocol ICMPv6 messages Filtering by IPv6 destination prefix Filtering Multicast Listener Discovery ICMPv6 messages Filtering of Transition Mechanisms Filtering by Extensions Headers Filtering routing protocols information RA-guard support Filtering fragmented IPv6 packets without header chain in 1st fragment.
So, the IPv6 traffic going through the new firewall needs to be properly filtered. Which of the following IPv6 requirements would you recommend? Select the six correct answers. Inspection of encapsulated traffic Filtering BGP Bogon prefixes Filtering IPv6 traffic based on upper layer protocols Filtering by IPv6 destination prefix Filtering Multicast Listener Discovery ICMPv6 messages Filtering of Transition Mechanisms Filtering by Extensions Headers Filtering routing protocols information RA-guard support Filtering fragmented IPv6 packets without header chain in 1st fragment.
Click on the tabs below to know more about the recommended IPv6 requirements. Filtering ICMPv6 messages by type and code Rate limiting ICMPv6 echo request/reply Filtering by IPv6 destination prefix Filtering of Transition Mechanisms Filtering by Extensions Headers Filtering fragmented IPv6 packets without header chain in 1st fragment Inspection of encapsulated traffic Filtering IPv6 traffic based on upper layer protocols.
Click on the tabs below to know why the following IPv6 requirements are not recommended. Filtering Neighbor Discovery Protocol ICMPv6 messages Filtering Multicast Listener Discovery ICMPv6 messages Filtering routing protocols information RA-guard support Filtering BGP Bogon prefixes.
Let's begin by clarifying two important concepts within the scope of this module: Denial of Service (DoS): Distributed Denial of Service (DDoS): .
Do you think that an IPv6 DDoS attack has already happened? No, it's impossible. I don't think so, but if it happened it was very recently! Yes, absolutely!
DDoS Factors Related to IPv6 From the attackers' point of view, there are some IPv6-specific “features” that can be leveraged for a DDoS attack. Using lots of hosts Using outdated firmware Poor or no security measures.
The following is a non-exhaustive list of IP-independent techniques (Select four): Distribute your service in different locations, using Anycast and/or DNS to distribute the load. Use cloud-based DDoS mitigation service, usually with several locations around the world. They "scrub" or clean the traffic and then send it to the legitimate destination. Remotely Triggered Black Hole (RTBH) technique can be used for both IPv4 [RFC5635] and IPv6 [RFC6666]. Intrusion Prevention Systems (IPSs). Centralize your service in the same location, using Anycast and/or DNS to distribute the load. Locally Triggered Black Hole (RTBH) technique can be used for both IPv4 [RFC5635] and IPv6 [RFC6666].
The following diagram shows five possible measures to improve your IPv6 network security against the mentioned IPv6 DDoS factors. Filter Traffic Update Firmware Use security measures for IPv6 Ingress/Egress filtering and RPF (Reverse Path Forwarding) Hierarchical IPv6 address assignment.
The rise of IoT will make it easier to find insecure firmware/software that could be exploited and controlled and used in DDoS attacks. True False.
We can expect more security in IPv6 networks when compared with IPv4. True False.
Some DDoS attacks have been based on legitimate client requests. True False.
Select the measures that can improve network security and avoid DDoS attacks. There are four correct answers. Filter IPv6 traffic. Allow access to all IPv6 addresses. Keep the firmware and software updated. Use all IPv6 security measures available for the network. Avoid using ingress/egress filtering and RPF protection mechanisms. Allocate and use IPv6 addresses in a much more hierarchical way, in comparison to IPv4.
The following list specifies possible security issues in this scenario of an IPv4-only infrastructure: VPNs or tunnels Undesired local IPv6 traffic Automatic Transition Mechanisms Problems with rogue Router Advertisements.
Match each threat for dual-stack networks to the corresponding solution. Bigger attack surface GUA Use one IP version to attack the other.
In general, the attack to tunnelling transition mechanisms needs to have information about: The versions of IP used The addresses of the tunnel endpoints The protocol used for the encapsulation All of them None.
Translation IPv6 transition mechanisms are based on translating from one protocol to another. This translation, resulting in a change of the packet on its path from source to destination, makes the use of some security protocols not possible. Next you can find two examples of this: IPsec can't be used end-to-end DNSSEC can't be used with DNS64.
There are, at least, three identified attacks to translation mechanisms, known to work for NAT64/DNS64: Reflection Attack IP Pool Depletion Attack Application Level Gateway (ALG) CPU Attack.
There are, at least, three identified attacks to translation mechanisms, known to work for NAT64/DNS64: Reflection Attack IP Pool Depletion Attack Application Level Gateway (ALG) CPU Attack.
For the bigger attack surface, the solution is... not to trust "IPv4-only" and be prepared to protect your network. to protect IPv6 at the same level as IPv4. to filter end-to-end IPv6 properly.
For the attack based on GUA addresses, the solution is... not to trust "IPv4-only" and be prepared to protect your network. to protect IPv6 at the same level as IPv4. to filter end-to-end IPv6 properly.
For the attack based on the use of one IP version to attack the other, the recommendation is... not to trust "IPv4-only" and be prepared to protect your network. to protect IPv6 at the same level as IPv4. to filter end-to-end IPv6 properly.
In an IPv4-only infrastructure, you have to expect dual-stack hosts. What are the security issues in this scenario? Four options are correct. FTP protocols VPNs or tunnels Undesired local IPv6 traffic Manual Transition Mechanisms Automatic Transition Mechanisms Rogue Neighbor Advertisements Rogue Router Advertisements.
Tunneling IPv6 Transition Mechanisms are based on encapsulation of the native packets into new ones using the same version of IP. True False.
The attack to tunnelling transition mechanisms only needs to have information about the addresses of the tunnel endpoints and the protocol used for the encapsulation. True False.
Drag each statement about Translation IPv6 Transition Mechanisms to the corresponding box, depending on whether it is correct or incorrect. DNSSEC must be used with DNS64 IP pool depletion is an attack launched from the IPv6 side Reflection and pool depletion attacks have the same defensive measure Using IPsec end-to-end communications might result in traffic rejection ALG CPU attack is based on resource exhaustion on the translation element The reflection attack is done with amplification The reflection attack can be avoided if the translation supports filtering.
Regarding the dual-stack networks: Bigger attack surface GUA Addresses Use one IP version to attack the other.
About translation based transition mechanisms: Reflection attack IP pool depletion attack ALG CPU attack.
BGP (Border Gateway Protocol) is a control plane protocol on the application layer that is used to exchange routing information at the highest level of the Internet. control plane protocol on the internet layer that is used to exchange routing information at the highest level of the Internet. control plane protocol on the transport layer that is used to exchange routing information at the highest level of the Internet.
BGP Hijacking Attacks Let's see two types of BGP hijacking attacks: Fake origin: based on an illegitimate announcement of a prefix from an AS. Fake AS-path: a more complex one, based on announcing a fake AS-path. Fake destination: based on an illegitimate announcement of a prefix from an AS. Fake AS-path: a less complex one, based on announcing a fake AS-path.
BGP Hijacking Attacks Let's see two types of BGP hijacking attacks: Fake origin: based on an illegitimate announcement of a prefix from an AS. Fake AS-path: a more complex one, based on announcing a fake AS-path.
Much like the threats, solutions for BGP Hijack for IPv6 are also the same for IPv4: Route filtering or BGP prefix filtering RPKI BGPsec.
You already know that the BGP threats for IPv6 are the same for IPv4, but can you identify the solutions? Three options are correct. Route Filtering IPsec RPKI SEND BGPsec.
IPv6 BGP Bogon Prefix Filtering Bogon prefix filtering is the filtering of prefixes that should not be announced in the Internet routing table for different reasons: non-allocated address space or reserved prefixes. Loopback Address IPv4-mapped Address IPv4-Compatible Address (deprecated) Site-local Address (deprecated) Unique-local Address Multicast Address Documentation Address 6Bone Address (deprecated) ORCHID Unspecified Address.
MANRS (Mutually Agreed Norms for Routing Security) is addressing three types of problems: Related to incorrect routing information Related to traffic with spoofed source IP addresses Related to coordination and collaboration between network operators Related to traffic with real source IP addresses Related to correct routing information.
To address these problems, collaborative network operators can take four actions. Which of the following do you think are the MANRS actions? Facilitate global operational communication and coordination. Facilitate validation of routing information on a global scale. Prevent traffic with spoofed source IP addresses. Prevent propagation of incorrect routing information.
Issues in BGP Facilitate global operational communication and coordination Facilitate validation of routing information on a global scale Prevent traffic with spoofed source IP addresses Prevent propagation of incorrect routing information (Filtering and validating).
Select the statements which are about a Fake origin - Prefix hijack attack. An attacker AS can make the traffic destined to an address range get lost or sink. As there is no service disruption, the victim doesn’t realise that an attack is occurring. It can happen by accident, misconfiguration or deliberately. Requires previous knowledge on how the ASs are connected.
Select the solutions for a BGP Hijack. Route Filtering, uRPF, RPKI Route Filtering, RPKI, BGPsec Discard packets, uRPF, BGPsec.
BGP prefix filtering recommendations, techniques, and best practices for IPv6 are significantly different from those implemented for IPv4. True False.
One solution that can be used to counter a BGP Hijack is to announce more specific prefixes. This is a permanent solution. True False.
Route filtering is applied to routers speaking the same routing protocol, at the control plane. True False.
Match the four main actions defined by MANRS for network operators and the way to implement them. Facilitate Global Coordination Facilitate Routing Information Validation Prevent IP Spoofing Prevent Incorrect Routing Information.
You have access to the messages captured by the IDS. What do you have to look for to find out which host sent the NDP Redirect message? The source IPv6 address The destination IPv6 address The source MAC address The target address in the ICMPv6 Redirect message.
What would be the security recommendations for BGP, specifically for IPv6? Select the five correct answers. Keep updated contact information for your IPv6 resources in the RIPE Database. Use IPsec to protect your IPv6 BGP peerings. Configure RPKI ROAs for your IPv6 address space. Forbid the use of RH0 (Routing Header Type 0) in BGP peerings. Apply BGP ROV (Route Origin Validation) using RPKI. Apply BGP Bogon prefix filtering. Rate limit BGP announcements. Configure TCP-AO to protect BGP peerings. Use the Router Preference Option in RAs in the peering link.
Identify the four concrete actions defined by MANRS that network operators should implement: Keep contact information updated RIPE DB, LIR Portal, PeeringDB Route Objects RPKI Document Policy uRPF Ingress Filtering [RFC2827][RFC3704] Define Routing Policy Check BGP announcements (RPKI/ROAs) BGP Bogon Filtering BGPsec?.
Also, to increase security of BGP Configure RPKI ROAs Enable Route Origin Validation using RPKI IPsec rate limit BGP announcements Router Preference Option.
Filtering Fragments Upper layer info not in 1st fragment Fragments inside fragments Fragmentation inside a tunnel.
Filtering Fragments 2 Upper layer info not in 1st Fragment Fragments inside fragments Fragmentation inside a tunnel.
Identify the four concrete actions defined by MANRS that network operators should implement: Facilitate Global Coordination Facilitate Routing information Validation Prevent IP spoofing Prevent Incorrect Routing Information.