Presentation published 10 years ago by user Тамара Ситникова
Slide 1: Security Issues in IPv6 - Configuring IPv6 ACLs
© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v
Slide 2: Standard ACL
IPv6 standard ACL examines only source and destination addresses.
[Figure: IPv6 packet layout. Base header: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address (128 bits), Destination Address (128 bits). Hop-by-Hop Options extension header: Next Header, Extension Header Length (8 bits), options. TCP header and data: Source Port (16 bits), Destination Port (16 bits), other parameters. Only the two address fields are examined by the standard ACL.]
Slides 3-6: Standard ACL (Cont.) - Example

    (config)
    ipv6 access-list my-stnd-list
     permit host 2001:db8:3:: :db8:4::/64
     permit host 2001:db8:3::200 host 2001:db8:4::500
    (config)
    int f0/1
     ipv6 traffic-filter my-stnd-list out

[Topology used on slides 3-24: one router with interfaces f0/0, f0/1 and f0/2; links linkA 2001:db8:3::/64 (behind f0/0, the source of the filtered traffic), linkC 2001:db8:4::/64 (behind f0/1) and linkB 2001:db8:5::/64; hosts PC1 (::100), PC2 (::200), WWW1 (::300), WWW2 (::400) and Access1 (::500, offering SSH, Telnet and other services). Slides 4-6 animate traffic from PC1 and PC2 through f0/1 against this list.]
Slides 7-9: Extended ACL - Example

    (config)
    ipv6 access-list my-extnd-list
     permit tcp 2001:db8:3::/64 host 2001:db8:4::400 eq 80
    (config)
    int f0/0
     ipv6 traffic-filter my-extnd-list in

[Same topology as slides 3-6; the list is applied inbound on f0/0 (linkA side) and only HTTP from linkA to WWW2 (2001:db8:4::400) is permitted, everything else hitting the implicit deny.]
Slide 10: Reflexive and Time-Based ACL
Reflexive ACL provides the means to control traffic flow based on the session initiator:
- The router tracks state.
- A permitted outbound session automatically creates a temporary converse rule for the return packet flow.
Time-based ACL permits or denies traffic based on a configurable time range.
Slides 11-13: Reflexive and Time-Based ACL (Cont.) - Example (Reflexive ACL)

    (config)
    ip reflexive-list timeout 120
    (config)
    ipv6 access-list my-refl-OUT-list
     permit tcp 2001:db8:3::/64 any eq 80 reflect ref-tcp
     permit udp 2001:db8:3::/64 any reflect ref-udp
    (config)
    ipv6 access-list my-refl-IN-list
     evaluate ref-tcp
     evaluate ref-udp
    (config)
    int f0/1
     ipv6 traffic-filter my-refl-OUT-list out
     ipv6 traffic-filter my-refl-IN-list in

The three slides animate one session on the topology of slides 3-6:
- Slide 11: an outbound packet with source port tcp 32154 and destination port tcp 80 matches the first permit entry and is reflected.
- Slide 12: the return packet with source port tcp 80 and destination port tcp 32154 matches the reflected entry that my-refl-IN-list evaluates.
- Slide 13: an inbound packet with source port tcp 12400 and destination port tcp 32154 is checked against the same reflected entry, which was created for source port 80, so it does not match.
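To make the reflect/evaluate behaviour on these slides concrete, here is an added Python model of my-refl-OUT-list and my-refl-IN-list (example code, not Cisco's and not from the slides). The Pkt type, the ReflexiveAcl class and the host addresses 2001:db8:3::100 and 2001:db8:4::400 are assumptions for the example, and the idle-timer refresh is a simplification of IOS behaviour.

```python
# Added example (not from the Cisco slides): a model of the reflexive ACL on
# slides 11-13. An outbound packet that matches a "reflect" entry creates a
# temporary converse entry; inbound packets are checked only against those.
import ipaddress
from dataclasses import dataclass

REFLEX_TIMEOUT = 120                               # ip reflexive-list timeout 120
INSIDE = ipaddress.ip_network("2001:db8:3::/64")   # linkA, the permitted source

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    def __init__(self):
        self.entries = {}   # (proto, src, sport, dst, dport) -> expiry time (s)

    def outbound(self, p: Pkt, now: float) -> bool:
        """my-refl-OUT-list: permit tcp <inside> any eq 80 reflect ref-tcp;
        permit udp <inside> any reflect ref-udp; anything else is denied."""
        inside = ipaddress.ip_address(p.src) in INSIDE
        matched = inside and ((p.proto == "tcp" and p.dport == 80) or p.proto == "udp")
        if matched:   # converse rule: same protocol, addresses and ports swapped
            self.entries[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + REFLEX_TIMEOUT
        return matched

    def inbound(self, p: Pkt, now: float) -> bool:
        """my-refl-IN-list: evaluate ref-tcp; evaluate ref-udp; implicit deny."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}  # drop idle
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.entries:
            return False
        self.entries[key] = now + REFLEX_TIMEOUT   # matching traffic restarts the timer
        return True

def demo():
    """Replays the slides' frames: request out, reply in, stray port in, late in."""
    acl = ReflexiveAcl()
    pc1, www2 = "2001:db8:3::100", "2001:db8:4::400"   # assumed hosts for the example
    request_out = acl.outbound(Pkt("tcp", pc1, 32154, www2, 80), now=0)
    reply_in = acl.inbound(Pkt("tcp", www2, 80, pc1, 32154), now=1)
    stray_in = acl.inbound(Pkt("tcp", www2, 12400, pc1, 32154), now=2)
    late_in = acl.inbound(Pkt("tcp", www2, 80, pc1, 32154), now=200)   # idle > 120 s
    return request_out, reply_in, stray_in, late_in
```

The fourth frame is not on the slides: it shows the same reply arriving after the 120-second idle timeout, when the reflected entry has already been removed.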
Slides 14-15: Reflexive and Time-Based ACL (Cont.) - Example (Time-Based ACL)

    (config)
    time-range NON-CORE
     periodic weekdays 12:00 to 13:00
     periodic saturday 0:00 to sunday 23:59
    (config)
    ipv6 access-list my-timed-list
     permit tcp 2001:db8:3::/64 any eq 80 time-range NON-CORE
     deny tcp 2001:db8:3::/64 any eq 80
     permit ipv6 any any
    (config)
    int f0/1
     ipv6 traffic-filter my-timed-list out

Two frames on the topology of slides 3-6:
- Slide 14: Wednesday 12:30pm, inside the NON-CORE range, so the first entry permits HTTP from linkA.
- Slide 15: Wednesday 1:15am, outside the range, so the deny entry applies: Port 80 (HTTP) blocked.
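An added Python evaluator for the NON-CORE time-range above (example code, not Cisco's); the parse_periodic, in_time_range and http_from_linka_allowed functions are assumptions for the example, it models only the two "periodic" forms the slides use, and it treats end times as inclusive.

```python
# Added example (not from the slides): evaluating the NON-CORE time-range of
# slides 14-15 for a packet arriving on a given weekday at a given time.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def minute_of_week(day: str, hhmm: str) -> int:
    h, m = map(int, hhmm.split(":"))
    return DAYS.index(day.lower()) * 1440 + h * 60 + m

def parse_periodic(line: str):
    """One 'periodic ...' statement -> list of (start, end) minute-of-week intervals."""
    toks = line.split()
    to = toks.index("to")
    if toks[1] == "weekdays":                       # expands to Monday..Friday
        return [(minute_of_week(d, toks[2]), minute_of_week(d, toks[to + 1])) for d in DAYS[:5]]
    if len(toks) - to == 3:                         # "... to <day> HH:MM": spans days
        end = minute_of_week(toks[to + 1], toks[to + 2])
    else:                                           # "... to HH:MM": same day
        end = minute_of_week(toks[1], toks[to + 1])
    return [(minute_of_week(toks[1], toks[2]), end)]

def in_time_range(periodics, day: str, hhmm: str) -> bool:
    now = minute_of_week(day, hhmm)   # end minute treated as inclusive
    return any(s <= now <= e for line in periodics for s, e in parse_periodic(line))

NON_CORE = ["periodic weekdays 12:00 to 13:00",
            "periodic saturday 0:00 to sunday 23:59"]

def http_from_linka_allowed(day: str, hhmm: str) -> bool:
    """my-timed-list in order: permit tcp ... eq 80 time-range NON-CORE is active only
    inside the range; the next entry denies tcp eq 80, so HTTP passes only in-range."""
    return in_time_range(NON_CORE, day, hhmm)
```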
Slide 16: Cisco IOS IPv6 Header Filtering
Extended ACL also provides the means to inspect packet headers for:
- DSCP: value
- Flow Label: value
- Fragmentation header: presence
- Routing header: presence
- Unknown Next Header: presence
Slides 17-18: Cisco IOS IPv6 Header Filtering (Cont.) - Example (Extended ACL Filtering on IPv6 Header Values)

    (config)
    ipv6 access-list my-hdrcheck-list
     deny 2001:db8:3::/64 any fragments dscp af12 routing
     permit ipv6 any any
    (config)
    int f0/0
     ipv6 traffic-filter my-hdrcheck-list in

[Topology: linkA 2001:db8:3::/64 (PC1 ::100, PC2 ::200) on f0/0; linkC 2001:db8:4::/64 (WWW2 ::400, Access1 ::500 with SSH, Telnet and other services) on f0/1; f0/2 also present.]
- Slide 17: a packet marked DSCP af12 whose header chain is: base header (Version, Traffic Class, Flow Label, Payload Length, Next Header = routing, Hop Limit, Source Address, Destination Address), Routing extension header (Next Header = fragmentation), Fragment extension header (Next Header = TCP), then TCP header and data. From linkA, this matches every condition of the deny entry.
- Slide 18: a standard packet with no extension headers, which the deny entry cannot match and permit ipv6 any any passes.
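As an added illustration (not Cisco code and not from the slides), this Python snippet walks the IPv6 extension header chain of constructed packets and applies the my-hdrcheck-list logic; the build_packet, inspect and hdrcheck_permits functions and the constructed packet bytes are assumptions for the example.

```python
# Added example (not Cisco code): walking the IPv6 Next Header chain so a filter
# can see what my-hdrcheck-list (slides 17-18) matches on: DSCP, Routing header
# and Fragment header. All packet bytes are constructed here for the example.
import ipaddress
import struct

HOPBYHOP, ROUTING, FRAGMENT, DESTOPTS, TCP = 0, 43, 44, 60, 6
DSCP_AF12 = 12                                     # IOS keyword af12 = DSCP 12
INSIDE = ipaddress.ip_network("2001:db8:3::/64")   # linkA

def build_packet(src, dst, dscp, ext_chain):
    """Constructed IPv6 packet: base header, the listed extension headers in
    that order (e.g. [ROUTING, FRAGMENT]), then a minimal TCP header."""
    chain = ext_chain + [TCP]
    body = b""
    for i, hdr in enumerate(ext_chain):
        if hdr == FRAGMENT:   # fixed 8 bytes: next, reserved, offset/M, identification
            body += struct.pack("!BBHI", chain[i + 1], 0, 0, 0x1234)
        else:                 # generic: next, hdr ext len (8-byte units minus 1), padding
            body += struct.pack("!BB", chain[i + 1], 0) + b"\x00" * 6
    body += struct.pack("!HH", 40000, 80) + b"\x00" * 16   # TCP: sport, dport, rest zero
    ver_tc_fl = (6 << 28) | (dscp << 22)                   # DSCP = top 6 bits of TC
    base = struct.pack("!IHBB", ver_tc_fl, len(body), chain[0], 64)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return base + addrs + body

def inspect(pkt):
    """Return (source address, DSCP, set of extension header numbers before L4)."""
    ver_tc_fl, _, nxt, _ = struct.unpack("!IHBB", pkt[:8])
    src, dscp = ipaddress.IPv6Address(pkt[8:24]), (ver_tc_fl >> 22) & 0x3F
    seen, off = set(), 40
    while nxt in (HOPBYHOP, ROUTING, FRAGMENT, DESTOPTS):
        seen.add(nxt)
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size   # follow the chain to the next header
    return src, dscp, seen

def hdrcheck_permits(pkt):
    """my-hdrcheck-list: deny 2001:db8:3::/64 any fragments dscp af12 routing;
    permit ipv6 any any. The deny needs all four conditions at once."""
    src, dscp, seen = inspect(pkt)
    denied = src in INSIDE and FRAGMENT in seen and dscp == DSCP_AF12 and ROUTING in seen
    return not denied
```

A production parser must also bound the walk and classify header numbers it does not recognise, which is what the Unknown Next Header match on slide 16 covers.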
Slide 19: Cisco IOS New ICMPv6 Types
New ICMP types for IPv6 (ICMPv6) include:
- Error messages
- Information messages
- Multicast messages
- RA, neighbor solicitation and neighbor advertisement messages
- Mobility (Mobile IPv6) messages
Slide 20: Cisco IOS New ICMPv6 Types (Cont.) - Example (Extended ACL Filtering on ICMPv6 Types)

    (config)
    ipv6 access-list my-ICMPv6-list
     deny icmp any any echo-request
     deny icmp any any router-solicitation
     permit ipv6 any any
    (config)
    int f0/1
     ipv6 traffic-filter my-ICMPv6-list in

[Topology as on slides 3-6; the animation shows a host sending echo-request packets into f0/1, where the list is applied inbound.]
Slide 21: How to Configure ACLs in an IPv6 Environment
ACL configuration procedure:
1. Design the traffic flows.
2. Examine the interfaces.
3. Create the ACL.
4. Build and apply ACLs.
5. Test the ACL.
Slides 22-23: How to Configure ACLs in an IPv6 Environment (Cont.) - Example

[Topology: the router, links and hosts of slides 3-6 (linkA 2001:db8:3::/64, linkB 2001:db8:5::/64, linkC 2001:db8:4::/64; PC1 ::100, PC2 ::200, WWW1 ::300, WWW2 ::400, Access1 ::500 with SSH, Telnet and other services), now labelled with the zones Enterprise DMZ, Enterprise Core and Internet.]

    time-range LUNCH
     periodic weekdays 12:00 to 13:00
    !
    ip reflexive-list timeout 120
    !
    ipv6 access-list my-OUTf0/1-list
     permit host 2001:db8:3::100 host 2001:db8:4::500 reflect REFLany
     permit tcp host 2001:db8:3::200 host 2001:db8:4::500 eq 22 reflect REFLssh
     permit tcp host 2001:db8:3::100 host 2001:db8:4::400 eq 80 reflect REFLweb
     permit any any time-range LUNCH
    !
    ipv6 access-list my-INf0/1-list
     deny ipv6 any any fragments
     deny icmp any 2001:db8:3::/64 echo-request
     evaluate REFLany
     evaluate REFLssh
     evaluate REFLweb
    !
    int f0/1
     ipv6 traffic-filter my-OUTf0/1-list out
     ipv6 traffic-filter my-INf0/1-list in
Slide 24: Summary
- Standard ACL examines only source and destination addresses; extended ACL allows packet matching on more IPv6 header fields.
- Reflexive ACL allows traffic flow control based on the session initiator; time-based ACL allows it based on time ranges.
- Extended ACL can examine new IPv6 header fields.
- Configuring ACLs involves designing traffic flows; examining the interfaces; creating, building, and applying the ACL; and testing the ACL.