IPv6 Introduction and Implications on Network Security
Keith O'Brien, Cisco Distinguished Engineer, kobrien@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

About the presenter
• Keith O'Brien, Distinguished Engineer, Cisco, kobrien@cisco.com
• Specializes in large-scale IP routing, network security and incident response within ISP and enterprise networks
• Working with major US-based ISPs on their transition to an IPv6 network
• Adjunct Professor of Computer Science at NYU's Polytechnic Institute (Graduate Studies)
• Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
• BSEE Lafayette College, MS Stevens Institute of Technology
• CCIE, CISSP, SANS GIAC
• http://keithobrien.org
• Twitter: @keitheobrien

Agenda
• IPv6 – Why Now?
• Technology Intro
  - Comparison to IPv4
  - Addressing
  - ICMPv6 and Neighbor Discovery
  - DHCPv6 and DNS
• IPv4/IPv6 Transition and Coexistence
• IPv6 Security

Key Growth Factors (Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010–2015)
• More devices: nearly 15B connections
• More Internet users: 3 billion Internet users
• Faster broadband speeds: 4-fold speed increase
• More rich media content: 1M video minutes per second

IPv6 – Why Now?
• The IETF IPv6 WG began in the early 90s to solve addressing growth issues, but CIDR, NAT, ... were developed in the meantime
• IPv4 32-bit address = 4 billion hosts
• IANA recently issued its last /8 blocks to the regional registries
• IP is everywhere: data, voice, audio and video integration is a reality
• Main compelling reason: more IP addresses
Probability of when each RIR reaches its "last /8" threshold
• http://www.bgpexpert.com/ianaglobalpool2.php
• http://www.potaroo.net/tools/ipv4/rir.jpg

IPv4 run-out by service segment
Service Segment | When do you run out of IPv4 addresses? | When is most of the content available on the IPv6 network? | What is the device/CPE refresh frequency?
Mobile | Now: devices are already being actively deployed with IPv6 addresses | Growing rapidly | Short refresh cycle
Wireline | Now: NAT is already being used at peering points where run-out has occurred; a combination of NAT and IPv6-enabled CPE is being deployed | Growing rapidly | Longer refresh cycle
Enterprise | Varies | Slower ramp, due to enterprise-specific applications and longer development cycles | Longer refresh cycle

World IPv6 Launch: June 6, 2012
• Network equipment vendors, ISPs and content providers are coming together on June 6 to permanently enable IPv6 on the Internet
• Last year's "World IPv6 Day" (8 June 2011) was a 24-hour "soak" period
• Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Facebook, Free Telecom, Google, Internode, KDDI, Limelight, Bing, Time Warner Cable, Yahoo, Netflix, AOL, NASA, Sprint
• http://www.worldipv6launch.org/

IPv4 versus IPv6 at a glance
Service | IPv4 | IPv6
Addressing Range | 32-bit, Network Address Translation | 128-bit, multiple scopes
IP Provisioning | DHCP | SLAAC, renumbering, DHCP
Security | IPsec | IPsec mandated, works end-to-end (RFC 6434 has since relaxed the mandate to a SHOULD; do not assume a peer supports IPsec)
Mobility | Mobile IP | Mobile IP with direct routing
Quality-of-Service | Differentiated Service, Integrated Service | Differentiated Service, Integrated Service
Multicast | IGMP/PIM/MBGP | MLD/PIM/MBGP, scope identifier
IPv4 header versus IPv6 header
• IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
• IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
• Legend
  - Field's name kept from IPv4 to IPv6: Version, Source Address, Destination Address
  - Name and position changed in IPv6: Type of Service → Traffic Class, Total Length → Payload Length, Protocol → Next Header, Time to Live → Hop Limit
  - Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move into extension headers; with no IP header checksum, the ICMPv6/TCP/UDP checksums cover an IPv6 pseudo-header instead)
  - New field in IPv6: Flow Label

Extension headers are daisy-chained
• IPv6 header (Next Header = 6) → TCP header → payload
• IPv6 header (Next Header = 43) → Routing header (Next Header = 17) → UDP header → payload
• IPv6 header (Next Header = 43) → Routing header (Next Header = 60) → Destination Options (Next Header = 6) → TCP header → payload
• Each header's Next Header value names the header that follows it; the fixed IPv6 header (V = Version, Class = Traffic Class, Len = Payload Length, Flow = Flow Label, Hop = Hop Limit) is always 40 bytes, so a device that wants the transport header must walk the whole chain

Extension header order and Next Header codes
Order | Header type | Next Header code
1 | Basic IPv6 header | -
2 | Hop-by-Hop Options | 0
3 | Destination Options (options to be processed by the intermediate destinations listed in the Routing header) | 60
4 | Routing header | 43
5 | Fragment header | 44
6 | Authentication Header | 51
7 | ESP header | 50
8 | Destination Options | 60
9 | Mobility header | 135
- | No Next Header | 59
Upper layer | TCP | 6
Upper layer | UDP | 17
Upper layer | ICMPv6 | 58

Address space
• IPv4: 32 bits, 2^32 = 4,294,967,296 addresses
• IPv6: 128 bits, 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
• 2^128 / 2^32 = 2^96 = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses (about 7.9 × 10^28; a "trillion trillion" is only 10^24, so this is 79,000 trillion trillion)
IPv6 address format
• IPv6 addresses are 128 bits long
  - Written as 8 groups of four hex characters (called hextets), separated by a colon (:)
  - Default split is 50% network ID, 50% interface ID: a /64 leaves 2^64 (1.8 × 10^19) interface IDs per subnet
  - The network portion is allocated by the Internet registries
• Global unicast address layout: gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  - Global Routing Prefix (g): n ≤ 48 bits
  - Subnet ID (s): 64 – n bits
  - Interface ID / host (x): 64 bits
• Example
  - Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A
  - Abbreviated format: 2001:0:0:A1::1E2A

Address abbreviation rules
• Hex digits are not case sensitive
• Leading zeros within a hextet may be dropped
• One run of one or more contiguous all-zero hextets may be replaced by a double colon (::)
  - 2001:0db8:0000:130F:0000:0000:087C:140B → 2001:db8:0:130F::87C:140B
  - The double colon can appear only once in an address; a second one would make the expansion ambiguous
  - RFC 5952 defines the canonical text form (lowercase, :: for the longest zero run, never for a single hextet). Normalise addresses before comparing them in logs, ACLs and SIEM rules: many different spellings denote the same address
• IPv6 uses CIDR prefix notation
  - An IPv4 prefix looks like 98.10.0.0/16
  - An IPv6 prefix is represented the same way: 2001:db8:12::/48
• Only leading zeros are omitted; trailing zeros cannot be omitted
  - 2001:0db8:0012::/48 = 2001:db8:12::/48
  - 2001:db80:1200::/48 ≠ 2001:db8:12::/48

Special addresses
• Loopback address: 0:0:0:0:0:0:0:1 == ::1
  - Same as 127.0.0.1 in IPv4; identifies self
• Unspecified address: 0:0:0:0:0:0:0:0 == ::
  - Used as a placeholder source when no address is available yet (initial DHCP request, Duplicate Address Detection (DAD))
  - NOT the default route
• Default route: ::/0

Allocation hierarchy
• IANA: global unicast space 2000::/3
• RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC): /12 to /23 allocations from IANA
• ISPs: typically a /32 from their RIR
• Sites: typically a /48 from their ISP
Partition of Allocated IPv6 Address Space (charts; no text recoverable)

Interface identifier assignment
• The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
  - Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
  - Auto-generated pseudo-random number (to address privacy concerns)
  - Assigned via DHCP
  - Manually configured

Modified EUI-64 interface identifier
• This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
  - MAC address: 00 90 27 17 FC 0F
  - After inserting FFFE: 00 90 27 FF FE 17 FC 0F
• To indicate that the identifier comes from a unique (globally administered) Ethernet MAC address, the universal/local ("u") bit, bit 0x02 of the first byte, is inverted: U = 1 means universally unique, U = 0 means locally administered
  - 00 = 0000 00U0 → with U = 1: 02
  - Resulting interface ID: 0290:27FF:FE17:FC0F
• Consequence: the MAC address, and with it the NIC vendor, is recoverable from any EUI-64-derived IPv6 address; this matters both for privacy and for reconnaissance

Addresses and interfaces
• Addresses are assigned to interfaces; change from IPv4 mode: an interface is "expected" to have multiple addresses
• Addresses have scope: Link Local, Unique Local, Global
• Addresses have lifetime: a valid and a preferred lifetime (for Global, Unique Local and Link Local addresses)
Unicast address scopes
• Three types of unicast address scopes
  - Link-Local: not routable, exists on a single layer-2 domain (FE80::/10, in practice FE80::/64): FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
  - Unique-Local: routable within an administrative domain (FC00::/7): FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx (FD00::/8 is the locally assigned half actually in use)
  - Global: routable across the Internet (2000::/3): 2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or 3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
• Multicast addresses (FF00::/8): FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
  - Flags (f) in the 3rd nibble (4 bits)
  - Scope (s) in the 4th nibble

Address types
• Unicast: address of a single interface; one-to-one delivery to a single interface
• Multicast: address of a set of interfaces; one-to-many delivery to all interfaces in the set
• Anycast: address of a set of interfaces; one-to-one-of-many delivery to the single interface in the set that is closest
• No more broadcast addresses

An interface can have many addresses allocated to it
Address type | Requirement | Comment
Link Local | Required | Required on all interfaces
Unique Local | Optional | Valid only within an administrative domain
Global Unicast | Optional | Globally routed prefix
Auto-Config 6to4 | Optional | Used for 2002::/16 6to4 tunnelling
Solicited-Node Multicast | Required | Neighbour Discovery and Duplicate Address Detection (DAD)
All-Nodes Multicast | Required | For ICMPv6 messages

Well-known multicast addresses
Address | Scope | Meaning
FF01::1 | Node-Local (interface-local) | All Nodes
FF01::2 | Node-Local (interface-local) | All Routers
FF02::1 | Link-Local | All Nodes
FF02::2 | Link-Local | All Routers
FF02::5 | Link-Local | OSPFv3 Routers
FF02::6 | Link-Local | OSPFv3 DR Routers
FF02::1:FFXX:XXXX | Link-Local | Solicited-Node
Full registry: http://www.iana.org/assignments/ipv6-multicast-addresses
Router output: link-local address and joined multicast groups
R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    All Nodes FF02::1
    All Routers FF02::2
    Solicited Node Multicast Address FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
• Note how the solicited-node group FF02::1:FF3A:8B18 is derived from the low 24 bits of the link-local address, and how the link-local address itself embeds the interface MAC 0000.0C3A.8B18 (EUI-64)

Neighbor Discovery replaces several IPv4 mechanisms
Function | IPv4 | IPv6
Address Assignment | DHCPv4 | DHCPv6, SLAAC, Reconfiguration
Address Resolution | ARP, RARP | NS, NA
Router Discovery | ICMP Router Discovery | RS, RA
Name Resolution | DNS (A records) | DNS (AAAA records)

ICMPv6
• Internet Control Message Protocol version 6
• RFC 2463 (since obsoleted by RFC 4443)
• Modification of ICMP from IPv4
• Message types are similar (but different types/codes)
  - Destination unreachable (type 1)
  - Packet too big (type 2)
  - Time exceeded (type 3)
  - Parameter problem (type 4)
  - Echo request/reply (types 128 and 129)
• Unlike IPv4 ICMP, ICMPv6 cannot simply be blocked at a firewall: Packet Too Big is required for path MTU discovery (IPv6 routers do not fragment) and types 133–137 are Neighbor Discovery; RFC 4890 gives filtering guidance

Neighbor Discovery (ND)
• Replaces ARP and ICMP redirects/router discovery
• Reachability of neighbors (Neighbor Unreachability Detection)
• Hosts use it to discover routers and to auto-configure addresses
• Duplicate Address Detection (DAD)
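The EUI-64 construction from the earlier slide, the link-local and solicited-node addresses in the R1 output above, and the autoconfigured address in the SLAAC example that follows all come from the same few bit operations. This Python block is an added example, not material from the deck: it derives them from a MAC address and also recovers the MAC from an EUI-64 interface ID, which is exactly what a scanner does on a SLAAC network. The MAC 0000.0c3a.8b18 is inferred from R1's link-local address; nothing else is assumed.

```python
import ipaddress
from typing import Optional


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:90:27:17:FC:0F, 00-90-27-17-fc-0f or Cisco-style 0090.2717.fc0f."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64: OUI || FF:FE || NIC, then invert the universal/local bit (0x02)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_from_eui64(iid: bytes) -> Optional[str]:
    """Inverse mapping. Returns None when the interface ID lacks the FF:FE marker
    (privacy-extension, DHCPv6 or manually chosen addresses)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in m)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Advertised /64 prefix plus the EUI-64 interface ID: what a host forms after RA and DAD."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 plus the group's low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in g.packed[-4:])


if __name__ == "__main__":
    mac = "0000.0c3a.8b18"                      # inferred from R1's link-local address
    ll = link_local_from_mac(mac)
    sn = solicited_node(str(ll))
    print(ll, sn, multicast_mac(str(sn)))       # fe80::200:cff:fe3a:8b18 ff02::1:ff3a:8b18 33:33:ff:3a:8b:18
    print(mac_from_eui64(ll.packed[8:]))        # 00:00:0c:3a:8b:18
```

The 33:33 mapping is why an attacker on the link can sniff every solicited-node group it wants: switches without MLD snooping flood these frames, and the group address itself leaks the low 24 bits of the target's address.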
Neighbor Discovery messages
• Neighbor Discovery uses ICMPv6 messages, originated from a node's link-local address with a hop limit of 255 (receivers discard ND messages with any other hop limit, which guarantees the sender is on-link and not a forwarded packet)
• Consists of IPv6 header, ICMPv6 header, Neighbor Discovery header, and Neighbor Discovery options
• Five Neighbor Discovery messages
  - Router Solicitation (ICMPv6 type 133)
  - Router Advertisement (ICMPv6 type 134)
  - Neighbor Solicitation (ICMPv6 type 135)
  - Neighbor Advertisement (ICMPv6 type 136)
  - Redirect (ICMPv6 type 137)

Neighbour Solicitation / Neighbour Advertisement (A resolves B's link-layer address)
Message | ICMP type | IPv6 source | IPv6 destination | Data
Neighbour Solicitation (NS) | 135 | A unicast | Solicited-node multicast of B | FE80:: address of A (as source link-layer option); query: what is B's link-layer address?
Neighbour Advertisement (NA) | 136 | B unicast | A unicast | FE80:: address of B, MAC address of B

Router Solicitation / Router Advertisement
Message | ICMP type | IPv6 source | IPv6 destination | Data
Router Solicitation (RS) | 133 | A link-local (FE80::1) | All-routers multicast (FF02::2) | Query: please send RA
Router Advertisement (RA) | 134 | Router link-local (FE80::2) | All-nodes multicast (FF02::1) | Options, subnet prefix, lifetime, autoconfig flags
• Router Solicitations (RS) are sent by booting nodes to request RAs for configuring their interfaces
• Routers send periodic Router Advertisements (RA) to the all-nodes multicast address
Stateless address autoconfiguration
• Autoconfiguration is used to automatically assign an address to a host: "plug and play"
  - Generate a link-local address
  - Generate global addresses via stateless address autoconfiguration (SLAAC)
  - Run the Duplicate Address Detection procedure to verify the uniqueness of the addresses on the link
• Example: host A (MAC 00:2c:04:00:fe:56) on the link 2001:db8:face::/64 behind router R1
  1. A sends an RS
  2. R1 answers with a Router Advertisement (RA) carrying Prefix Information 2001:db8:face::/64 and itself as Default Router
  3. A runs DAD on the candidate address
• The host's autoconfigured address comprises the prefix received plus the interface ID derived from its link-layer address, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56

DNS records for IPv6
Lookup | IPv4 | IPv6
Hostname to IP address | A record: www.abc.test. A 192.168.30.1 | AAAA record: www.abc.test. AAAA 2001:db8:C18:1::2
IP address to hostname | PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test. | PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
• The ip6.arpa owner name is the full 128-bit address written as 32 nibbles in reverse order, one label per nibble

Dual-stack name resolution
• Zone for www.example.org: www IN A 192.168.0.3 and www IN AAAA 2001:db8:1::1
• In a dual-stack case an application that is IPv4- and IPv6-enabled
  - Can query the DNS for IPv4 and/or IPv6 records, (A) or (AAAA) records
  - Chooses one address and, for example, connects to the IPv6 address 2001:db8:1::1
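The ip6.arpa name on the slide is tedious to write by hand and is the one most often mistyped in reverse zones. This added Python example (not from the deck) builds the PTR owner name for either address family, recovers the address from such a name, and computes the zone cut for a prefix, which is what you delegate to a customer or look at when enumerating reverse DNS. The addresses are the slide's; the zone cuts are constructed from them.

```python
import ipaddress
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for an address: in-addr.arpa for IPv4,
    32 reversed nibbles under ip6.arpa for IPv6. Returned fully qualified."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = format(int(ip), "032x")          # all 128 bits, no abbreviation allowed here
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse_name(name: str) -> IPAddr:
    """Inverse of reverse_name: recover the address from a complete PTR owner name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        return ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16))
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
    raise ValueError(f"not a complete reverse name: {name!r}")


def reverse_zone(prefix: str) -> str:
    """Name of the ip6.arpa zone holding the PTR records for a prefix.
    Prefix length must be a multiple of 4, since each label is one nibble."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("reverse zones cut on nibble boundaries: prefix length must be a multiple of 4")
    nibbles = format(int(net.network_address), "032x")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for a in ("192.168.30.1", "2001:db8:C18:1::2"):
        print(f"{a:20} PTR owner: {reverse_name(a)}")
    print(reverse_zone("2001:db8:c18:1::/64"))
```

A /64 has 2^64 possible PTR names, so a reverse-DNS sweep is as hopeless as an address sweep; what does work is walking a zone whose records exist (AXFR, NSEC) or querying the handful of low-numbered and EUI-64 names an administrator is likely to have created.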
Resolution sequence 1: domain name with an IPv6 address only (captured trace)
mSecs | Source | Destination | Prot | Info
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query A ipv6.google.com
0.158 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response CNAME ipv6.l.google.com
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query AAAA ipv6.google.com
0.135 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68
• The initial query, sent over IPv4, asks for the IPv4 A record; the response refers only to an alias (canonical name), with no A record
• The host immediately sends a request for the AAAA record of the original FQDN; the IPv6 address of the canonical name is returned

Resolution sequence 2: domain name with both addresses (captured trace)
mSecs | Source | Destination | Prot | Info
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query A www.apnic.net
0.017 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response A 202.12.29.211
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query AAAA www.apnic.net
0.017 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response AAAA 2001:dc0:2001:11::211
0.001 | 2001:420:1:fff::2 | 2001:dc0:2001:11::211 | ICMPv6 | Echo request
0.023 | 2001:dc0:2001:11::211 | 2001:420:1:fff::2 | ICMPv6 | Echo reply
• The host prefers the IPv6 address (configurable: the RFC 3484, now RFC 6724, address selection policy table)
• Initial query over IPv4 for the IPv4 A record: the IPv4 address is returned
• The host immediately sends a request for the AAAA record: the IPv6 address of the FQDN is returned
• The host then sends its ICMPv6 echo request to the IPv6 address and receives the ICMPv6 echo reply over IPv6

Address assignment methods
• Manual assignment: statically configured by a human operator
• Stateless Address Autoconfiguration (SLAAC, RFC 4862): allows auto-assignment of addresses through Router Advertisements
• Stateful DHCPv6 (RFC 3315): allows DHCPv6 to allocate an IPv6 address plus other configuration parameters (DNS, NTP, etc.)
• DHCPv6 Prefix Delegation, DHCPv6-PD (RFC 3633): allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
• Stateless DHCPv6 (RFC 3736): combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP
• (RFC 3315, 3633 and 3736 have since been consolidated into RFC 8415)

DHCPv6
• Updated version of DHCP for IPv4
• Supports the new addressing
• Can be used for renumbering
• The DHCP process is the same as in IPv4, but:
  - The client first detects the presence of routers on the link
  - If found, it examines the Router Advertisements to determine whether DHCP can be used
  - If no router is found, or if the RA says DHCP can be used, a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address
• Multicast addresses used:
  - FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
  - FF05::1:3 = All DHCP Servers (site-local scope)
• DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547
• Because the trigger is an unauthenticated RA, whoever controls the RAs on a link also controls whether hosts use DHCPv6 at all (see the Router Advertisement attack later in this deck)
RA flags select the address allocation method (A, M and O bits)
• RA messages contain flags that indicate the address allocation combination: use SLAAC only, use stateful DHCPv6, or use SLAAC and DHCPv6 for other options
  - A bit (Autonomous address configuration flag, carried in the Prefix Information option): 1 = use SLAAC with this prefix for host address config
  - M bit (Managed address configuration flag): 1 = use DHCPv6 for the host IPv6 address
  - O bit (Other configuration flag): 1 = use DHCPv6 for additional information (DNS, NTP)

Scenario 1: stateful DHCPv6 (A = 0, M = 1, O = 1)
• Host A is on 2001:db8:face::/64; Router 1 acts as DHCPv6 relay to the DHCP server
  1. Router 1 sends an RA with A = 0 (do not use SLAAC for host config), M = 1 (use DHCPv6 for the host IPv6 address), O = 1 (use DHCPv6 for additional info)
  2. A sends a DHCP Solicit to FF02::1:2 (All DHCP Relays/Agents)
  3. The DHCP server, via the relay, returns 2001:db8:face::1/64, DNS1, DNS2, NTP

Scenario 2: SLAAC plus stateless DHCPv6 (A = 1, M = 0, O = 1)
• Host A is on 2001:db8:face::/64; Router 1 acts as DHCPv6 relay to the DHCP server
  1. Router 1 sends an RA with on-link prefix 2001:db8:face::/64, A = 1 (use SLAAC for host address config), M = 0 (do not use DHCPv6 for the IPv6 address), O = 1 (use DHCPv6 for additional info)
  2. A forms 2001:db8:face::22c:4ff:fe00:fe56 by SLAAC
  3. A sends a DHCP Solicit to FF02::1:2 for options only
  4. The DHCP server returns DNS1, DNS2, NTP

IPv4/IPv6 transition and coexistence
• A wide range of techniques have been identified and implemented, basically falling into three categories:
  - Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
  - Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
  - Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
• Expect all of these to be used, in combination
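To see what the A/M/O flags look like on the wire, and why a host has no way to tell a legitimate RA from a rogue one, here is an added Python example (not from the deck) that builds a Router Advertisement with the ICMPv6 pseudo-header checksum, parses it back, and maps the flags to the allocation modes of the scenarios above. The router MAC and link-local address are taken from the R1 output earlier in the deck. It builds the ICMPv6 message only, not the IPv6 header or Ethernet frame, and never puts anything on the wire.

```python
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 checksum: one's complement sum over the IPv6 pseudo-header plus the message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, dst: str, router_mac: str, prefix: str, *, a_flag: bool = True,
             m_flag: bool = False, o_flag: bool = False, router_lifetime: int = 1800) -> bytes:
    """ICMPv6 Router Advertisement with one Prefix Information option and a Source Link-Layer option."""
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix, strict=False)
    pflags = 0x80 | (0x40 if a_flag else 0)            # L (on-link) always set here, A per argument
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    slla = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(router_mac.replace(":", ""))
    msg = hdr + pio + slla
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def checksum_ok(src: str, dst: str, msg: bytes) -> bool:
    return icmpv6_checksum(src, dst, msg) == 0


def parse_ra(src: str, dst: str, msg: bytes) -> dict:
    """Decode the fields a host acts on; rejects bad checksums and zero-length options."""
    if not checksum_ok(src, dst, msg):
        raise ValueError("bad ICMPv6 checksum")
    mtype, code, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", msg[:16])
    if mtype != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "source_mac": None}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:                                    # RFC 4861: such a packet must be discarded
            raise ValueError("zero-length ND option")
        body = msg[off + 2: off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        off += olen * 8
    return ra


def address_mode(ra: dict) -> str:
    """Which assignment method the flag combination on the slides tells a host to use."""
    slaac = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        return "stateful DHCPv6" + (" + SLAAC" if slaac else "")
    if slaac and ra["O"]:
        return "SLAAC + stateless DHCPv6 for options"
    if slaac:
        return "SLAAC only"
    return "no automatic address configuration"


if __name__ == "__main__":
    src, dst = "fe80::200:cff:fe3a:8b18", "ff02::1"
    ra = build_ra(src, dst, "00:00:0c:3a:8b:18", "2001:db8:face::/64", a_flag=False, m_flag=True, o_flag=True)
    decoded = parse_ra(src, dst, ra)
    print(decoded, "->", address_mode(decoded))
```

Nothing in the message ties it to the real router: the source MAC option and the link-local source are both free-form, so the only checks a host can make are the checksum and the hop limit of 255, which any on-link attacker satisfies.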
Dual stack
• Application: IPv6 + IPv4; Core: IPv4 + IPv6; Edge: IPv4 and/or IPv6
• CE (IPv4) and CE (IPv6) customers attach to PE routers; some or all interfaces in the P/PE cloud are dual configured (IPv4-configured interface, IPv6-configured interface, IPv4/IPv6 core)
• All P + PE routers are capable of IPv4+IPv6 support
• Two IGPs supporting IPv4 and IPv6
• Memory considerations for larger routing tables
• Native IPv6 multicast support
• All IPv6 traffic routed in the global routing table
• Good for content distribution and global services (Internet)

Dual-stack configuration (Cisco IOS)
ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64
• Security note: with ipv6 unicast-routing enabled, the router sends RAs on every interface that has an IPv6 address (the show ipv6 interface output earlier shows the 200-second default interval), and IPv4 access lists do not see IPv6 packets, so every interface ACL needs an ipv6 traffic-filter counterpart

Dual-stack node
• Application → TCP / UDP → IPv4 (Ethernet frame protocol ID 0x0800) or IPv6 (0x86dd) → Data Link (Ethernet)
• Preferred method on an application's servers
• Dual-stack node means:
  - Both IPv4 and IPv6 stacks enabled
  - Applications can talk to both
  - Choice of the IP version is based on name lookup and application preference

Tunnelling options
• GRE
• Manual
• 6to4
• DMVPN
• ISATAP
• MPLS Manual
• MPLS 6PE
GRE tunnel between two dual-stack routers
• Router1: IPv4 192.168.99.1, IPv6 2001:db8:800:1::3; Router2: IPv4 192.168.30.1, IPv6 2001:db8:800:1::2; each fronts an IPv6 network, joined across the IPv4 network

router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ipv6

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ipv6

Manual IPv6-in-IPv4 tunnel (IP protocol 41) between the same routers
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip
• Neither tunnel type authenticates its endpoints: filter GRE (protocol 47) and protocol 41 at each endpoint so that only the configured peer address can inject packets into the tunnel

6to4 automatic tunnelling
• Topology: CE – PE (200.15.15.1 on e0/0, 6to4 prefix 2002:c80f:0f01::/48, host 2002:c80f:0f01:100::1) – IPv4 backbone network (P routers) – PE (200.11.11.1 on e0/0, 2002:c80b:0b01::/48, host 2002:c80b:0b01:100::1) – CE
• The IPv6 packet gets an IPv4 header at the first PE, crosses the IPv4 backbone as an IPv6-in-IPv4 packet, and is decapsulated at the far PE
• Automatic tunnel method using the 2002:IPv4::/48 IPv6 range: the IPv4 address is embedded in the IPv6 prefix, e.g. 2002:c80f:0f01:: = 200.15.15.1
• No impact on the existing IPv4 or MPLS core (IPv6-unaware)
• Tunnel endpoints have to be IPv6- and IPv4-aware (dual stack)
• Transition technology: not for long-term use
• No multicast support; static routing
• Intrinsic linkage between the destination IPv6 subnet and the IPv4 gateway interface: IPv4 gateway = tunnel endpoint, so the encapsulating router derives the IPv4 destination from the IPv6 destination and needs no per-peer tunnel configuration
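The 6to4 embedding is purely mechanical. This added Python example (not part of the deck) encodes and decodes it, and shows the routing decision a 6to4 router makes: 6to4 destinations get the IPv4 endpoint embedded in the address, everything else goes to the relay anycast address 192.88.99.1 that the next slide describes. The addresses are the slides' own; nothing else is assumed.

```python
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")    # RFC 3068 6to4 relay anycast address


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 for a router's IPv4 address V (RFC 3056). The IPv4 address
    must be globally routable: a private or CGN address cannot be a 6to4 endpoint."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """The IPv4 tunnel endpoint encoded in a 6to4 address, or None for any other address."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst_ipv6: str, relay: ipaddress.IPv4Address = RELAY_ANYCAST) -> ipaddress.IPv4Address:
    """Where a 6to4 router sends the encapsulating IPv4 packet: to the address embedded in the
    destination for 6to4-to-6to4 traffic, otherwise to a relay towards the native IPv6 Internet."""
    embedded = embedded_ipv4(dst_ipv6)
    return embedded if embedded is not None else relay


if __name__ == "__main__":
    print(six_to_four_prefix("200.15.15.1"))          # 2002:c80f:f01::/48
    print(embedded_ipv4("2002:c80b:0b01:100::1"))     # 200.11.11.1
    print(tunnel_endpoint("2001:db8::1"))             # 192.88.99.1 (relay)
```

The decode direction is the interesting one for an analyst: any 2002::/16 address seen in a log or a NetFlow record names, in its second and third hextets, the public IPv4 address of the site that originated it.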
6to4 relay
• Topology: CE – PE (200.15.15.1 on e0/0, 2002:c80f:0f01::/48, host 2002:c80f:0f01:100::1) – IPv4 backbone network (P routers) – 6to4 relay PE (192.88.99.1 on lo0, 2002:c058:6301::1 on lo0) – IPv6 Internet (2000::/3)
• A 6to4 relay allows access to the IPv6 global network
• Can use the tunnel anycast address 192.88.99.1 (which embeds as 2002:c058:6301::/48)
  - The 6to4 router finds the closest 6to4 relay router
  - The return path could be asymmetric: the reply may come back through a different relay, so you do not control who decapsulates your traffic
• Default route to the IPv6 Internet
  - BGP can also be used to select a particular 6to4 relay based on prefix
  - Allows a more granular routing policy
• (The 6to4 anycast prefix 192.88.99.0/24 has since been deprecated by RFC 7526; treat 6to4 traffic on your network as a legacy tunnel to be found and removed)

IPv6 security: the research landscape
• Additional and increased focus on IPv6 at security conferences such as Black Hat, CanSecWest and others
• Companies are putting additional effort into IPv6 vulnerability research: Stonesoft released 163 new "Advanced Evasion Techniques", 12 of them IPv6-specific
• Private security researchers are also putting additional focus on IPv6: Chinese "researchers", Marc Heuse, Fernando Gont, to name a few
• UK's CPNI, the Centre for the Protection of National Infrastructure: 220-page report "Security Assessment of the Internet Protocol version 6 (IPv6)"
THC-IPv6 attack toolkit
• The Hacker's Choice: http://thc.org/thc-ipv6/
• Over 30 tools, included in BackTrack
• "Private" version available
• A sampling
  - parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)
  - dnsdict6: parallelized DNS IPv6 dictionary brute-forcer
  - fake_router6: announce yourself as a router on the network, with the highest priority
  - flood_router6: flood a target with random router advertisements

Why IPv6 security is harder today
• The industry as a whole has far less experience with IPv6 than with IPv4
• IPv6 implementations have not been proven over time
• Security tools such as firewalls and IDS have varying levels of IPv6 support; even when support is claimed, the level of support varies widely (extension-header chains and fragment reassembly are the usual gaps)
• IPv6 brings added complexity, which is the enemy of security
• Network engineers and security operations staff are not fully trained on IPv6

Reconnaissance: brute-force scanning is impractical
• Default subnets in IPv6 have 2^64 addresses: at 10 Mpps, sweeping a single /64 takes more than 50,000 years
• NMAP did not even support ping sweeps on IPv6 networks at the time of this deck
• 2^128 addresses divided by the world's population of approximately 6.5 billion is about 5.2 × 10^28 IPv6 addresses per person

Reconnaissance: but addresses are not random
• Public servers will still need to be DNS reachable
• Increased deployment of and reliance on Dynamic DNS: more info in DNS
• Admins might adopt easy-to-remember addresses such as ::20, ::F00D, ::CAFE, or the last IPv4 octet
• Transition technologies derive the IPv6 address from the IPv4 address (6to4, ISATAP, Teredo)
• Brute-force IPv6 scanning assumes that addresses are randomly distributed; this has been shown not to be the case*:
  - SLAAC: IP based on the MAC address (EUI-64)
  - IPv4-based: 2001:0db8::192.168.100.1
  - Low number: 2001:0db8:1:1::1
(*) Malone, D. 2008.
Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29–30 April 2008.

Reconnaissance: well-known multicast addresses as targets
• 3 site-local multicast addresses: FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
• Several link-local multicast addresses: FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...
• Some deprecated (RFC 3879) site-local addresses are still used: FEC0:0:0:FFFF::1 DNS server
• Not feasible from remote: site-scope multicast does not cross the site border, but a single packet from an attacker inside the site (source 2001:db8:2::50, destination FF05::1:3, payload: DHCP attack) reaches every DHCP server in the site at once (2001:db8:1::60, 2001:db8:3::70)
• Registry: http://www.iana.org/assignments/ipv6-multicast-addresses/

Reconnaissance: passive sources
• BitTorrent will expose IPv6 peers
• Look in web server log files for IPv6 addresses; convince the target to browse to your web server
• Email headers from the target
• Mailing list archives

Reconnaissance: active, on the local link
• ICMPv6 echo/response
• Send invalid ICMPv6 options and nodes will be forced to reply (Parameter Problem)
• Use traceroute6
• Look for well-known IPv4 addresses which are linked to IPv6 (e.g. Teredo)
• Neighbor discovery cache of already compromised hosts
• Example: THC's alive6 on the local link
root@bt:~# alive6 -s 1 eth1
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
Alive: 2001:470:67b9:1:259:29ff:fe40:e19a
Alive: 2001:470:67b9:1:231:ebff:fef7:f140
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
Alive: 2001:470:67b9:1:993:cbff:fea3:1733
Alive: 2001:470:67b9:1:675:dfff:fede:4875
Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
Found 11 systems alive
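Malone's observation, that interface identifiers fall into a few predictable classes, can be turned into a triage step over scanner output such as the alive6 listing above. This added Python example (not from the deck) labels each address as EUI-64 (and recovers the MAC), low-numbered, IPv4-embedded, or random/manual. SAMPLE_OUTPUT is constructed: the first three addresses are taken from the alive6 output on the slide, the rest are made up to show the other classes, and the "Found" line is adjusted to match.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: three addresses from the slide's alive6 output plus invented
# examples of the other address styles Malone describes.
SAMPLE_OUTPUT = """\
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:db8:1:1::1
Alive: 2001:db8::192.168.100.1
Alive: 2001:db8::cafe
Alive: 2001:db8:1:1:3d9a:8f21:b7c4:55e2
Found 7 systems alive
"""


def classify_iid(addr: str) -> str:
    """Label the 64-bit interface identifier by how it was most likely chosen."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] == b"\xff\xfe":                       # modified EUI-64: the MAC is recoverable
        mac = bytearray(raw[:3] + raw[5:])
        mac[0] ^= 0x02
        return "eui64:" + ":".join(f"{b:02x}" for b in mac)
    if iid < 0x10000:                                 # ::1, ::20, ::cafe, last IPv4 octet
        return "low-number"
    if iid >> 32 == 0:                                # ::192.168.100.1 style
        return "ipv4-embedded:" + str(ipaddress.IPv4Address(iid))
    return "random-or-manual"                         # privacy extension, DHCPv6 or hand-picked


def parse_alive(text: str) -> list:
    return re.findall(r"^Alive:\s+(\S+)", text, flags=re.M)


def classify_hosts(text: str) -> dict:
    return {a: classify_iid(a) for a in parse_alive(text)}


def summarize(text: str) -> Counter:
    return Counter(label.split(":")[0] for label in classify_hosts(text).values())


if __name__ == "__main__":
    for addr, label in classify_hosts(SAMPLE_OUTPUT).items():
        scope = "link-local" if ipaddress.IPv6Address(addr).is_link_local else "global"
        print(f"{addr:42} {scope:10} {label}")
    print(summarize(SAMPLE_OUTPUT))
```

Every address in the real alive6 output is EUI-64, so each one hands the scanner a MAC address and therefore an OUI lookup for the hardware vendor; that is the privacy argument for the temporary addresses on the next slide, and the trace-back argument against them on internal networks.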
root@bt:~# ip -6 neigh show
2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY
• Every address in this cache embeds its MAC (the ff:fe marker in the middle of the interface ID matches the lladdr column), so the NIC vendor of each host is readable straight from the address

Privacy extensions (RFC 4941)
• Address structure: /23 (RIR) – /32 (ISP) – /48 (site) – /64 (subnet) – Interface ID, with 2001 in the first hextet
• Temporary addresses for IPv6 host client applications, e.g. a web browser
  - Inhibit device/user tracking
  - Random 64-bit interface ID, then run Duplicate Address Detection before using it
  - Rate of change based on local policy
  - Can have this address in addition to the EUI-64 address (based on the MAC address) on an interface
• Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace-back)

Reconnaissance: DNS
• Google: many sites use ipv6.example.com or ip6.example.com during the transition phase; search for "site: ipv6*" or "site: ip6*"
• Do an AXFR if DNS is misconfigured
• If DNSSEC is being used, try an NSEC walk; NSEC3 records make this more difficult
• Try a "brute force": perform automated AAAA lookups based on a preconfigured dictionary (i.e. look up firewall.example.com, server1.example.com, mail.example.com)

The IPv6 latent threat
• Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)
• Your network: does not run IPv6
• Your assumption: I'm safe
• Reality: you are not safe
  - An attacker sends Router Advertisements
  - Your host silently configures IPv6
  - You are now under IPv6 attack, and the IPv4-only firewall and IDS see none of it
• => Probably time to think about IPv6 in your network

Is IPv6 already on your "IPv4-only" network? Easy to check!
• Look inside NetFlow records for
  - Protocol 41: IPv6 over IPv4 or 6to4 tunnels
  - IPv4 address 192.88.99.1 (6to4 anycast relay)
  - UDP 3544, the public part of Teredo, yet another tunnel
• Look in the DNS server log for resolution of ISATAP names (an ISATAP host looks up isatap.<its DNS suffix> to find its router)
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW

Rogue Router Advertisement
• Router Advertisements contain:
  - Prefix to be used by hosts
  - Data-link layer address of the router
  - Miscellaneous options: MTU, DHCPv6 use, ...
• An RA without any authentication gives exactly the same level of security as DHCPv4 (none)
• Exchange: 1. RS (Data = query: please send RA) → 2. RA (Data = options, prefix, lifetime, A+M+O flags). Whoever answers first, or with the higher router preference, wins: the attacker's RA turns it into a MITM (hosts use the attacker as default router) or a DoS (hosts get a bogus prefix or router)

Rogue RA impact
• Devastating:
  - Denial of service: all traffic sent to a black hole
  - Man in the middle attack: the attacker can intercept, listen to and modify unprotected data
• Also affects legacy IPv4-only networks with IPv6-enabled hosts
• Most of the time from non-malicious users (e.g. a host sharing its Internet connection and advertising itself as a router)
• Requires layer-2 adjacency (some relief...)
• The major blocking factor for enterprise IPv6 deployment

Rogue RA mitigations
Where | What
Routers | Increase the "legal" router preference
Hosts | Disable Stateless Address Autoconfiguration
Routers & Hosts | SeND "Router Authorization"
Switch (first hop) | Host isolation
Switch (first hop) | Port Access List (PACL)
Switch (first hop) | RA Guard
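The three NetFlow checks and the DNS check above are the kind of thing worth scripting against a daily export. This added Python example (not from the deck) runs them over a constructed NetFlow-like CSV and a constructed resolver log; the column names, the log line format and every address in them are assumptions for illustration, so adapt the two parsers to your collector's actual export format.

```python
import csv
import io

IPPROTO_IPV6 = 41           # IPv6-in-IPv4: manual tunnels, 6to4, ISATAP
SIXTOFOUR_RELAY = "192.88.99.1"
TEREDO_PORT = 3544

# Constructed NetFlow-style export (5 flows) and resolver log (3 queries); not from the deck.
FLOWS = """\
src,dst,proto,sport,dport,packets
10.1.1.23,192.88.99.1,41,0,0,120
10.1.1.45,203.0.113.10,17,3544,3544,80
10.1.1.45,203.0.113.10,6,51234,443,30
10.1.1.77,10.1.2.1,41,0,0,12
10.1.1.90,203.0.113.20,17,51234,3544,40
"""

DNS_LOG = """\
2012-05-01T10:00:01 client 10.1.1.23 query isatap.example.com. A
2012-05-01T10:00:02 client 10.1.1.45 query www.example.com. AAAA
2012-05-01T10:00:03 client 10.1.1.77 query ISATAP.corp.example.com. A
"""


def classify_flow(flow: dict) -> list:
    """Tags from the slide's three NetFlow checks for one flow record."""
    tags = []
    proto = int(flow["proto"])
    if proto == IPPROTO_IPV6:
        if SIXTOFOUR_RELAY in (flow["src"], flow["dst"]):
            tags.append("6to4-relay")
        else:
            tags.append("ipv6-in-ipv4")
    if proto == 17 and TEREDO_PORT in (int(flow["sport"]), int(flow["dport"])):
        tags.append("teredo")
    return tags


def find_tunnels(flow_csv: str) -> list:
    """(inside host, tag) for every flow that carries tunnelled IPv6."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        for tag in classify_flow(row):
            hits.append((row["src"], tag))
    return hits


def find_isatap_lookups(dns_log: str) -> list:
    """Clients resolving isatap.<suffix>: a host trying to find an ISATAP router."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "query" and parts[4].lower().startswith("isatap."):
            hits.append((parts[2], parts[4]))
    return hits


def hosts_with_latent_ipv6(flow_csv: str, dns_log: str) -> list:
    """Sorted list of inside hosts that show any sign of IPv6 leaving the 'IPv4-only' network."""
    hosts = {h for h, _ in find_tunnels(flow_csv)} | {h for h, _ in find_isatap_lookups(dns_log)}
    return sorted(hosts)


if __name__ == "__main__":
    for host, tag in find_tunnels(FLOWS):
        print(f"{host:12} {tag}")
    print(find_isatap_lookups(DNS_LOG))
    print("hosts to look at:", hosts_with_latent_ipv6(FLOWS, DNS_LOG))
```

The protocol 41 flow to an internal address (10.1.1.77 to 10.1.2.1) is the one to chase first: it means two hosts inside the network have set up an IPv6 tunnel between themselves, invisible to every IPv4 ACL in the path.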
• RFC 3972 Cryptographically Generated Addresses (CGA)
  - IPv6 addresses whose interface identifiers are cryptographically generated from the node public key
• SeND adds a signature option to the Neighbor Discovery Protocol
  - Using the node private key
  - Node public key is sent in the clear (and linked to the CGA)
• Very powerful
  - If MAC spoofing is prevented
  - But, not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows

• Each device has an RSA key pair (no need for a cert)
• Ultra light check for validity
• Prevents spoofing a valid CGA address
[Figure: RSA keys (Priv, Pub); CGA Params = Modifier + Public Key + Subnet Prefix, hashed with SHA-1 into the Interface Identifier; Subnet Prefix + Interface Identifier = Crypto. Generated Address; the private key produces the Signature on SeND messages]

• Adding an X.509 certificate to the RA
• Subject Name contains the list of authorized IPv6 prefixes
[Figure: Trust Anchor issues an X.509 cert to the router; Router Advertisement: Source Addr = CGA, CGA param block (incl pub key), Signed, X.509 cert]

• Prevent Node-Node Layer-2 communication by using:
  - 1 VLAN per host (SP access network with Broadband Network Gateway)
  - Private VLANs (PVLAN) where the node can only contact the official router
• Link-local scope multicast (RA, DHCP request, etc) sent only to the local official router: no harm
• Can also be used on Wireless in ‘AP Isolation Mode’
[Figure: PCs (public v6) behind CPEs on a PVLAN; an RA sent by a PC reaches only the BNG, not the other PC]

• Port ACL blocks all ICMPv6 Router Advertisements from hosts
    interface FastEthernet3/13
     ipv6 traffic-filter ACCESS_PORT in
     switchport mode access
     access-group mode prefer port
[Figure: RAs sent by hosts are dropped at the access port]
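The CGA slide says verification is an "ultra light check": a peer recomputes one SHA-1 over the advertised parameters and compares it with the address. The added example below (not from the deck or any SeND implementation) carries the RFC 3972 construction through in the deck's terms: Modifier, Subnet Prefix and Public Key are hashed into the Interface Identifier, and a verifier with only the CGA Parameters can confirm the address belongs to that key. The public key is a constructed placeholder byte string rather than a real DER-encoded RSA key, and the SeND signature over the ND message (the step that needs the private key) is outside this block.

```python
import hashlib
import ipaddress

SEC_SHIFT = 61          # Sec occupies the three leftmost bits of the interface ID
UG_MASK = 0b11 << 56    # the u and g bits (bits 6 and 7 of the first octet)


def _hash1(modifier, prefix8, collisions, pubkey):
    # Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix8 + bytes([collisions]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key);
    # its leftmost 16*Sec bits must be zero (the "hash extension" work factor).
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or (h2 >> (112 - 16 * sec)) == 0


def generate_cga(prefix, pubkey, sec=0, modifier=bytes(16), collisions=0):
    """RFC 3972 section 4 generation. Returns (address, params); params is the CGA
    Parameters tuple the node later ships in SeND messages so peers can verify."""
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    mod = int.from_bytes(modifier, "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):   # search for a modifier
        mod = (mod + 1) % (1 << 128)
    modifier = mod.to_bytes(16, "big")
    iid = int.from_bytes(_hash1(modifier, prefix8, collisions, pubkey), "big")
    iid = (iid & ~(0b111 << SEC_SHIFT)) | (sec << SEC_SHIFT)   # write Sec into the top 3 bits
    iid &= ~UG_MASK                                             # clear u and g
    addr = ipaddress.IPv6Address(prefix8 + iid.to_bytes(8, "big"))
    return addr, (modifier, prefix8, collisions, pubkey)


def verify_cga(addr, params):
    """RFC 3972 section 5 verification, the 'ultra light' check: recompute Hash1
    from the advertised parameters and compare it with the address (Sec, u and g
    bits excluded), then confirm the prefix and the Hash2 condition for Sec."""
    modifier, prefix8, collisions, pubkey = params
    raw = ipaddress.IPv6Address(addr).packed
    if collisions > 2 or raw[:8] != prefix8:
        return False
    iid = int.from_bytes(raw[8:], "big")
    sec = iid >> SEC_SHIFT
    h1 = int.from_bytes(_hash1(modifier, prefix8, collisions, pubkey), "big")
    mask = ((1 << 64) - 1) & ~(0b111 << SEC_SHIFT) & ~UG_MASK
    if (h1 & mask) != (iid & mask):
        return False
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    pub = b"constructed-placeholder-public-key-bytes"   # stands in for a DER SubjectPublicKeyInfo
    addr, params = generate_cga("2001:db8:1::/64", pub)
    print(addr, verify_cga(addr, params))
    # An attacker who wants to claim addr must present parameters hashing to the same
    # interface ID; swapping in their own key breaks the check.
    print(verify_cga(addr, (params[0], params[1], params[2], b"attacker-key")))
```

Why this "prevents spoofing a valid CGA address" but needs the signature too: the hash binds the address to a public key, so nobody can advertise that address with a different key, but only the signature option proves the sender holds the matching private key. Without the MAC-spoofing caveat on the slide, an attacker on the same link could still replay frames; CGA does not address layer 2.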
[Figure: RA Guard: an RA (“I am the default gateway”, option: prefix(s)) arrives from a host port; the switch verifies it (configuration-based, learning-based or challenge-based); verification succeeded? then bridge the RA]
• Switch selectively accepts or rejects RAs based on various criteria
• Can be ACL based, learning based or challenge (SeND) based.
• Hosts see only allowed RAs, and RAs with allowed content

• Pretty much like RA: no authentication
  - Any node can ‘steal’ the IP address of any other node
  - Impersonation leading to denial of service or MITM
• Requires layer-2 adjacency

Where               What
Routers & Hosts     Configure static neighbor cache entries
Routers & Hosts     Use Cryptographically Generated Addresses (SeND CGA)
Switch (First Hop)  Host isolation
Switch (First Hop)  Address watch
                    • Glean addresses in NDP and DHCP
                    • Establish and enforce rules for address ownership

• Remote router CPU/memory DoS attack if aggressive scanning
  - Router will do Neighbor Discovery...
  - And waste CPU and memory
• Local router DoS with NS/RS/…
[Figure: a remote sender sweeps 2001:db8::/64 (2001:db8::1, ::2, ::3, …); the router emits an NS for each unresolved address]
• Mainly an implementation issue
  - Rate limiter, global and per interface
  - Prioritize renewal (PROBE) rather than new resolution
  - Maximum Neighbor cache entries per interface and per MAC address
• Internet edge/presence: a target of choice
  - Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
  - => Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL

• Built-in rate limiter but no option to tune it
  - Since 15.1(3)T: ipv6 nd cache interface-limit
  - Or IOS-XE 2.6: ipv6 nd resolution data limit
  - Destination-guard is coming with First Hop Security phase 3
• Using a /64 on point-to-point links => a lot of addresses to scan!
  - Using /127 could help (RFC 6164)
• Internet edge/presence: a target of choice
  - Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
• Using an infrastructure ACL prevents this scanning
  - iACL: edge ACL denying packets addressed to your routers
  - Easy with IPv6 because a new addressing scheme can be done

• RFC allows for multiple and repeating extension headers.
• RFC 3128 is not applicable to IPv6; extension headers can be fragmented
• Packets get increasingly complex to parse
[Figure: Original Packet: IPv6 hdr | Dest Option | Dest Option | TCP | data. First Fragment: IPv6 hdr | Frag Header | Dest Option. Second Fragment: IPv6 hdr | Frag Header | Dest Option | TCP | data]

• Unlimited size of the header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  - More boundary conditions to exploit
  - Can I overrun buffers with a lot of extension headers?
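The neighbor-cache mitigation slide above lists three behaviours a good implementation needs: a rate limiter on new resolutions, priority for renewal (PROBE) over new resolution, and a cap on cache entries per interface and per MAC. The added example below (a toy model written for this page, not Cisco IOS code and not tied to the `ipv6 nd cache interface-limit` command) implements those three behaviours in a small neighbor cache and then simulates a remote sweep of 2001:db8::/64 to show that known neighbours keep working while the scanner's entries are dropped. Limits, timings and the documentation MACs are constructed.

```python
class NeighborCache:
    """Toy model of the mitigations above: a cap on INCOMPLETE entries per interface,
    a cap on addresses per MAC, a token-bucket limit on new resolutions, and
    priority for PROBE (renewing a known neighbour) over resolving unknown ones."""

    def __init__(self, max_incomplete=16, max_per_mac=8, new_per_sec=10):
        self.entries = {}                 # address -> {"state": ..., "mac": ...}
        self.max_incomplete = max_incomplete
        self.max_per_mac = max_per_mac
        self.rate = float(new_per_sec)
        self.tokens = float(new_per_sec)
        self.last = 0.0
        self.dropped = 0

    def _refill(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def incomplete_count(self):
        return sum(1 for e in self.entries.values() if e["state"] == "INCOMPLETE")

    def resolve(self, addr, now):
        """A packet must be forwarded to addr. Known neighbours are renewed without
        limit; unknown addresses start a resolution only if the budget allows."""
        entry = self.entries.get(addr)
        if entry is not None:
            if entry["state"] == "STALE":
                entry["state"] = "PROBE"      # renewal: never rate-limited
            return entry["state"]
        self._refill(now)
        if self.incomplete_count() >= self.max_incomplete or self.tokens < 1.0:
            self.dropped += 1                 # no NS is sent, the packet is dropped
            return "DROPPED"
        self.tokens -= 1.0
        self.entries[addr] = {"state": "INCOMPLETE", "mac": None}
        return "INCOMPLETE"

    def learn(self, addr, mac):
        """A Neighbor Advertisement bound addr to mac; enforce the per-MAC cap."""
        owned = sum(1 for a, e in self.entries.items() if e["mac"] == mac and a != addr)
        if owned >= self.max_per_mac:
            self.entries.pop(addr, None)
            return False
        self.entries[addr] = {"state": "REACHABLE", "mac": mac}
        return True

    def age(self):
        """Timer tick: unanswered resolutions and probes expire, reachable entries go STALE."""
        for addr in list(self.entries):
            state = self.entries[addr]["state"]
            if state in ("INCOMPLETE", "PROBE"):
                del self.entries[addr]
            elif state == "REACHABLE":
                self.entries[addr]["state"] = "STALE"


def simulate_scan(scanned=1000, known=5):
    """A remote scanner sweeps 2001:db8::/64 for one second while five real
    neighbours are known; returns what the cache looks like afterwards."""
    cache = NeighborCache(max_incomplete=16, max_per_mac=8, new_per_sec=10)
    for i in range(known):
        addr = f"2001:db8::{i + 1:x}"
        cache.resolve(addr, 0.0)
        cache.learn(addr, f"00:00:5e:00:53:{i:02x}")   # constructed documentation MACs
    cache.age()                                          # known neighbours are now STALE
    for i in range(scanned):
        cache.resolve(f"2001:db8::{0x1000 + i:x}", i / scanned)
    renewals = [cache.resolve(f"2001:db8::{i + 1:x}", 1.0) for i in range(known)]
    return {"known_renewed": all(r == "PROBE" for r in renewals),
            "incomplete": cache.incomplete_count(),
            "dropped": cache.dropped,
            "entries": len(cache.entries)}


if __name__ == "__main__":
    print(simulate_scan())
```

The point of the simulation is the asymmetry: the scanner can only ever hold `max_incomplete` slots and a token's worth of new NS traffic per interval, while a STALE entry for a real neighbour is promoted to PROBE without touching either budget, so existing conversations survive the sweep.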
[Figure: sniffer capture annotated “Perfectly Valid IPv6 Packet According to the Sniffer”: a header that should only appear once, a Destination header which should occur at most twice, and a Destination Options header that should be the last]
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

• Use a stateful firewall which reassembles all of the fragments and then applies the filtering rules
• This only has limited usefulness as the attacker can keep adding headers and increasing the number of fragments to a point where the firewall can no longer reassemble
• Filter out packets with specific combinations of Extension Headers or number of Extension Headers
• Filter out packets that combine fragmentation with additional Extension Headers

• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
[Figure: IPv6 Network – Tunnel Termination – Public IPv4 Internet – Tunnel Termination – IPv6 Network, with Server A and Server B at either end of an IPv6-in-IPv4 tunnel. ACLs are ineffective since IPv4 & IPv6 are spoofed; the tunnel termination forwards the inner IPv6 packet]

• Unauthorized tunnels—firewall bypass (protocol 41)
• IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
  - This has implications on network segmentation and network discovery
• No authentication in ISATAP—rogue routers are possible
  - Windows defaults to isatap.example.com
• IPv6 addresses can be guessed based on the IPv4 prefix
[Figure: ISATAP Router; ISATAP tunnels across the IPv4 network (~ Layer 2 for the IPv6 service); any host can talk to the router; direct communication between hosts]
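The two extension-header slides above describe the problem (unbounded, repeatable chains that may be split across fragments) and the stateless remedies (cap the number of headers, reject disallowed combinations, reject fragmentation combined with other extension headers). The added example below (written for this page, not from the deck or the linked white paper) walks the Next Header chain of a raw IPv6 packet and applies those rules. The packet builder constructs test packets with documentation addresses and placeholder option contents; the header-size rules it relies on are the RFC 2460 ones (8-octet units for option headers, fixed 8 bytes for Fragment, 4-octet units plus 2 for AH).

```python
import collections
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP = 6
EXT_HEADERS = {HOP_BY_HOP: "HopByHop", ROUTING: "Routing", FRAGMENT: "Fragment",
               AH: "AH", DEST_OPTS: "DestOpts"}
SRC = bytes.fromhex("20010db8000000010000000000000001")   # 2001:db8:0:1::1 (documentation)
DST = bytes.fromhex("20010db8000000020000000000000002")   # 2001:db8:0:2::2 (documentation)


def build_packet(chain, upper=TCP, frag_offset=0):
    """Constructed test packet: IPv6 header, the given extension-header chain, then a
    20-byte placeholder upper-layer header. Option headers are 8 bytes holding one
    PadN option; Fragment is a fixed 8 bytes; AH is 12 bytes (payload len field 1)."""
    body = b""
    nexts = chain + [upper]
    for i, eh in enumerate(chain):
        nxt = nexts[i + 1]
        if eh == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        elif eh == AH:
            body += struct.pack("!BBH", nxt, 1, 0) + bytes(8)
        else:
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04" + bytes(4)
    body += bytes(20)
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), nexts[0], 64, SRC, DST) + body


def walk_chain(pkt, max_headers=8):
    """Follow the Next Header chain. Returns the extension headers seen, the
    upper-layer protocol (None when it cannot be reached) and an error for chains
    that exceed max_headers or run past the end of the packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            return {"chain": chain, "upper": None, "error": f"more than {max_headers} extension headers"}
        if off + 8 > len(pkt):
            return {"chain": chain, "upper": None, "error": "truncated header chain"}
        chain.append(nh)
        nxt = pkt[off]
        if nh == FRAGMENT:
            size = 8
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return {"chain": chain, "upper": None, "error": None}   # non-first fragment
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4
        else:
            size = (pkt[off + 1] + 1) * 8
        off += size
        nh = nxt
    return {"chain": chain, "upper": nh, "error": None}


def filter_packet(pkt, max_headers=8):
    """Stateless policy from the slide: cap the chain length, reject repetition
    beyond what RFC 2460 section 4.1 allows (Hop-by-Hop once and first, Destination
    Options at most twice, Routing and Fragment once) and reject fragmentation
    combined with any other extension header."""
    r = walk_chain(pkt, max_headers)
    if r["error"]:
        return False, r["error"]
    chain, counts = r["chain"], collections.Counter(r["chain"])
    if HOP_BY_HOP in counts and chain[0] != HOP_BY_HOP:
        return False, "Hop-by-Hop header is not first"
    if counts[HOP_BY_HOP] > 1 or counts[ROUTING] > 1 or counts[FRAGMENT] > 1:
        return False, "repeated Hop-by-Hop, Routing or Fragment header"
    if counts[DEST_OPTS] > 2:
        return False, "Destination Options header appears more than twice"
    if FRAGMENT in counts and len(chain) > 1:
        return False, "fragmentation combined with other extension headers"
    return True, "ok"


if __name__ == "__main__":
    for chain in ([], [HOP_BY_HOP, DEST_OPTS, ROUTING, DEST_OPTS], [DEST_OPTS] * 3,
                  [FRAGMENT, DEST_OPTS], [FRAGMENT], [DEST_OPTS] * 9):
        print([EXT_HEADERS[h] for h in chain], filter_packet(build_packet(chain)))
```

A lone non-first fragment passes this filter with `upper` set to None, which is deliberate: a stateless device cannot see the transport header there and must hand the packet to whatever reassembles (the stateful firewall from the slide) rather than guess.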
[Figure: 6to4 routers tunnel over IPv4 to a 6to4 relay toward the IPv6 Internet; an ACL on the relay tunnel is bypassed because direct tunneled traffic between 6to4 routers ignores the hub ACL]

• Teredo navalis: a shipworm drilling holes in boat hulls
• Teredo Microsoftis: IPv6 in IPv4 punching holes in NAT devices
Source: United States Geological Survey

• All outbound traffic inspected: e.g., P2P is blocked
• All inbound traffic blocked by firewall
[Figure: IPv4 Intranet – IPv4 Firewall – IPv4 Internet – Teredo Relay – IPv6 Internet]

Teredo threats—IPv6 Over UDP (port 3544)
• Internal users want to get P2P over IPv6
• Configure the Teredo tunnel (already enabled by default!)
• FW just sees IPv4 UDP traffic (may be on port 53)
• No more outbound control by FW

Once Teredo Configured
• Inbound connections are allowed
• IPv4 firewall unable to control
• IPv6 hackers can penetrate
• Host security needs IPv6 support now
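The 6to4, ISATAP and Teredo slides all describe addresses that embed IPv4 endpoints, which is what a defender needs when an IPv6 address from a log has to be traced back to the IPv4 host or relay behind the tunnel. The added example below (written for this page, not from the deck) decodes the three formats: 6to4 (RFC 3056, 2002:V4ADDR::/48), Teredo (RFC 4380, server address, flags, bit-inverted port and client address) and ISATAP (RFC 5214, interface ID ::0:5efe:a.b.c.d). Sample addresses use documentation ranges and are constructed.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")        # RFC 4380
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # RFC 5214, u/l bit either way


def decode_transition_address(addr):
    """Recover the IPv4 endpoint(s) embedded in a 6to4, Teredo or ISATAP address.
    Returns a dict whose "mechanism" is None when the address embeds nothing."""
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if a in SIX_TO_FOUR:
        # 2002:V4ADDR::/48: the 6to4 router's IPv4 address follows the 2002 prefix
        return {"mechanism": "6to4", "ipv4": str(ipaddress.IPv4Address(raw[2:6]))}
    if a in TEREDO:
        # 2001:0000:<server v4>:<flags>:<~port>:<~client v4>; port and client are bit-inverted
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return {"mechanism": "Teredo", "server": str(ipaddress.IPv4Address(raw[4:8])),
                "client": str(client), "port": port, "cone": bool(flags & 0x8000)}
    if raw[8:12] in ISATAP_IID_PREFIXES:
        # ISATAP interface ID ::0:5efe:a.b.c.d (or ::200:5efe:...) carries the host's IPv4 address
        return {"mechanism": "ISATAP", "ipv4": str(ipaddress.IPv4Address(raw[12:16]))}
    return {"mechanism": None}


def ipv4_endpoints(addresses):
    """Sorted set of IPv4 addresses to search for in IPv4 flow records when
    investigating these tunneled IPv6 addresses."""
    found = set()
    for addr in addresses:
        d = decode_transition_address(addr)
        found.update(v for k, v in d.items() if k in ("ipv4", "client", "server"))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample addresses (documentation IPv4/IPv6 ranges).
    for addr in ("2002:c000:201::1",                         # 6to4 router 192.0.2.1
                 "2001:0:c633:6401:8000:63bf:34ff:8efa",     # Teredo via server 198.51.100.1
                 "fe80::5efe:c000:202",                      # ISATAP host 192.0.2.2
                 "2001:db8::1"):                             # native, nothing embedded
        print(addr, decode_transition_address(addr))
```

Python's `ipaddress.IPv6Address` also exposes `sixtofour` and `teredo` properties that return the same 6to4 and Teredo (server, client) values; the manual decode is kept here so the byte layout, including the Teredo port obfuscation that a firewall log will not show, is visible.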
[Figure: Residential Broadband Service Case, CPE-based Scenarios 1 thru 5 and Future (red = new or changed function in the network). Scenarios: IPv4-only CPE with CGN (IPv4 address sharing); IPv6 with 6rd CE, CGN and 6rd BR (IPv4 address sharing plus IPv6 Internet access); Dual-Stack CPE (IPv4 and IPv6 Internet access); Dual-Stack with IPv4 address sharing via stateful DS-Lite; IPv6-only with stateless 46 translation between private and public IPv4. IP NGN Backbone: 1. Running 6PE/6vPE, 2. Running Dual-Stack; toward the IPv4 Internet and the IPv6 Internet]

• Use of Carrier Grade NAT will require more information to be gathered in order to accurately identify a subscriber.
• Currently a simple IPv4 address and a time frame is normally sufficient
• With the advent of IPv6 and IPv4 address exhaustion you will need more.
• The following should be gathered:
  - IPv4 address (source and destination)
  - IPv6 address if in use
  - TCP/UDP ports (source and destination)
  - Time

[Figure: Subscriber Network (IPv4 host, IPv6 host, IPv4+IPv6 host) – Customer Router – Dual-Stack SP Network using RFC1918 addresses – SP NAT sharing IPv4 address(es) toward the IPv4 Internet, native IPv6 toward the IPv6 Internet]
• More likely scenario: IPv6 being available all the way to the consumer; the SP core and the customer have to use IPv4 NAT due to v4 depletion

• Every IPv4 address has a reputation
  - Either blacklist or more sophisticated (senderbase.org)
  - Used to detect spam, botnet members, …
• It is fine as long as: One IPv4 == One legal entity (subscriber)
• What if One IPv4 == 10,000 entities/subscribers through SP NAT?
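The slides above say that behind a carrier-grade NAT an IPv4 address plus a time window no longer identifies a subscriber, and that ports must be gathered as well; the deck's translation-log tuple is <time, subscriber internal IP, subscriber internal port, subscriber external port, Internet IP, Internet port>. The added example below (not from the deck) parses a constructed log in that tuple order and answers both questions: the old one (who was behind the shared address at 10:23:02?) returns several candidates, the CGN one (who held shared port 23944 toward 91.121.200.122:80 at 10:23:02?) returns one subscriber. The 120-second binding lifetime, the second and third log rows, and the server log line with the client port appended are assumptions made for the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed CGN translation log in the deck's tuple order:
# <time, subscriber internal IP, internal port, external (shared) port, Internet IP, Internet port>
CGN_LOG = """10:23:02 UTC,10.1.2.3,6543,23944,91.121.200.122,80
10:23:02 UTC,10.1.7.9,40001,23945,91.121.200.122,80
10:23:40 UTC,10.1.9.1,51234,23944,203.0.113.9,443
"""

# Constructed web-server access-log line with the client port logged after the IP
# (e.g. an Apache LogFormat using "%a:%{remote}p"); 198.51.100.200 is the CGN's shared address.
SERVER_LOG_LINE = '198.51.100.200:23944 - - [01/May/2012:10:23:02 +0000] "GET / HTTP/1.1" 200 512'

BINDING_LIFETIME = timedelta(seconds=120)   # assumed mapping timeout for this example


def ts(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def parse_cgn_log(text):
    rows = []
    for t, iip, iport, eport, rip, rport in csv.reader(io.StringIO(text)):
        rows.append({"t": ts(t.replace(" UTC", "")), "int_ip": iip, "int_port": int(iport),
                     "ext_port": int(eport), "rem_ip": rip, "rem_port": int(rport)})
    return rows


def active(rows, at):
    """Bindings that were live at time `at` under the assumed lifetime."""
    return [r for r in rows if r["t"] <= at < r["t"] + BINDING_LIFETIME]


def subscribers_behind_ip(rows, at):
    """The pre-CGN question (shared IP + time only): every subscriber with a live
    binding at that moment is a candidate, so the answer is a list, not a name."""
    return sorted({r["int_ip"] for r in active(rows, at)})


def subscriber_for(rows, ext_port, rem_ip, rem_port, at):
    """The CGN question: which subscriber held this shared port toward this Internet
    endpoint at this time? Returns (internal IP, internal port) or None if not unique."""
    hits = [r for r in active(rows, at)
            if r["ext_port"] == ext_port and r["rem_ip"] == rem_ip and r["rem_port"] == rem_port]
    if len(hits) != 1:
        return None
    return hits[0]["int_ip"], hits[0]["int_port"]


SERVER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) \S+ \S+ \[[^:]+:(\d\d:\d\d:\d\d)")


def resolve_server_log_line(rows, line, server_ip, server_port):
    """Take one access-log line from the server (which must include the client port)
    and answer with the subscriber behind it."""
    m = SERVER_RE.match(line)
    if not m:
        return None
    _shared_ip, port, when = m.group(1), int(m.group(2)), ts(m.group(3))
    return subscriber_for(rows, port, server_ip, server_port, when)


if __name__ == "__main__":
    rows = parse_cgn_log(CGN_LOG)
    print(subscribers_behind_ip(rows, ts("10:23:02")))                     # two candidates
    print(subscriber_for(rows, 23944, "91.121.200.122", 80, ts("10:23:02")))   # one subscriber
    print(resolve_server_log_line(rows, SERVER_LOG_LINE, "91.121.200.122", 80))
```

Note that the first and third rows reuse external port 23944 toward different Internet endpoints, which a NAT with endpoint-dependent mapping may do; that is why the query keys on the full tuple and the time, not on the shared port alone. When the CGN has a pool of public addresses the log also needs the shared external IP, which the deck's tuple omits.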
• The usual way to block a Denial of Service (DoS) against a server is to block the source IPv4 address(es)
  - Before SP NAT: ok because it blocks only the attacker
  - With SP NAT: will block the attacker but also 9,999 potential users/customers

• Servers currently keep only the remote IPv4 address in their log
• Law Enforcement Agencies (LEA) can request any ISP to get the subscriber ID of this IPv4 address at a specific time
• With SP NAT, there will be 10,000 subscribers using this IPv4 address

• SP will have to keep all the translation log (data retention)
  <time, subscriber internal IP, subscriber internal TCP/UDP port, subscriber external TCP/UDP port, Internet IP, Internet TCP/UDP port>
  <10:23:02 UTC, 10.1.2.3, 6543, 23944, 91.121.200.122, 80>
• AND, the server will have to extend the log to include the TCP/UDP port
• “At 10:23:02 who was using the shared port 23944?”

Operator has an expanding customer base, but does not have enough IPv4 addresses to service new customers. The business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 Internet content.
Possible Scenarios
1.1 IPv6 address to subscriber with Carrier Grade NAT
1.2 Carrier Grade NAT with private v4 address
1.3 Dual stack private v4 and public v6 at customer
1.4 Dual stack public v4 and public v6 at customer

Thank you.