Eric Vyncke - IPv6 Security Vendor Point of View
IPv6 Conference
1. IPv6 Security Vendor Point of View
Eric Vyncke, evyncke@cisco.com
Distinguished Engineer
Cisco, CTO/Consulting Engineering
Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public
2. ARP Spoofing is now NDP Spoofing: Threats
- ARP is replaced by Neighbor Discovery Protocol
  - Nothing authenticated
  - Static entries overwritten by dynamic ones
- Stateless Address Autoconfiguration
  - Rogue RA (malicious or not)
  - All nodes badly configured
  - DoS
  - Traffic interception (Man In the Middle Attack)
- Attack tools exist (from THC – The Hacker's Choice)
  - Parasit6
  - Fakerouter6
  - ...
3. ARP Spoofing is now NDP Spoofing: Mitigation
- BAD NEWS: nothing like dynamic ARP inspection for IPv6
  - Will require new hardware on some platforms
  - Not available now
- GOOD NEWS: Secure Neighbor Discovery
  - SEND = NDP + crypto
  - IOS 12.4(24)T
  - But not in Windows Vista, 2008 and 7
  - Crypto means slower...
- Other GOOD NEWS:
  - Private VLAN works with IPv6
  - Port security works with IPv6
  - 802.1X works with IPv6
  - For FTTH & other broadband, DHCP-PD means no need to NDP-proxy
4. Securing Link Operations: Cisco Future First Hop Trusted Device
- Advantages
  - Central administration, central operation
  - Complexity limited to first hop
  - Transitioning lot easier
  - Efficient for threats coming from the link
  - Efficient for threats coming from outside
- Disadvantages
  - Applicable only to certain topologies
  - Requires first-hop to learn about end-nodes
  - First-hop is a bottleneck and single-point of failure
(Figure labels: Certificate server, Time server)
5. IPv6 Header Manipulation
- Unlimited size of header chain (spec-wise) can make filtering difficult
- Potential DoS with poor IPv6 stack implementations
  - More boundary conditions to exploit
  - Can I overrun buffers with a lot of extension headers?
(Figure: sniffer capture, "Perfectly Valid IPv6 Packet According to the Sniffer". Annotations: Header Should Only Appear Once; Destination Header Which Should Occur at Most Twice; Destination Options Header Should Be the Last)
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
6. Parsing the Extension Header Chain
- Finding the layer 4 information is not trivial in IPv6
  - Skip all known extension headers
  - Until either known layer 4 header found => SUCCESS
  - Or unknown extension header/layer 4 header found... => FAILURE

IPv6 hdr | HopByHop | Routing | AH | TCP | data
IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???
IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data
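The chain walk from slides 5 and 6, as an added example that is not part of the original slides: it skips known extension headers until a known layer 4 header is found, fails on anything unknown, and enforces the occurrence limits annotated on slide 5. The function name `find_l4`, the `MAX_EXT_HEADERS` cap and the sample packets are assumptions made for this illustration.

```python
import struct

# IANA protocol numbers used in the Next Header field
HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
KNOWN_EXT = {HBH, ROUTING, FRAGMENT, AH, DSTOPTS}
KNOWN_L4 = {TCP, UDP, ICMPV6}
MAX_OCCURS = {DSTOPTS: 2}   # every other extension header: at most once
MAX_EXT_HEADERS = 8         # local policy cap on chain length (assumption)


def find_l4(packet: bytes):
    """Return ("SUCCESS", protocol, offset) or ("FAILURE", reason, offset)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("FAILURE", "not an IPv6 packet", 0)
    nxt, off, seen = packet[6], 40, {}
    while True:
        if nxt in KNOWN_L4:
            return ("SUCCESS", nxt, off)
        if nxt not in KNOWN_EXT:
            # Unknown value: extension header or layer 4? Its length is unknown too.
            return ("FAILURE", f"unknown header {nxt}", off)
        seen[nxt] = seen.get(nxt, 0) + 1
        if seen[nxt] > MAX_OCCURS.get(nxt, 1):
            return ("FAILURE", f"header {nxt} repeated", off)
        if nxt == HBH and off != 40:
            return ("FAILURE", "Hop-by-Hop not first", off)
        if sum(seen.values()) > MAX_EXT_HEADERS:
            return ("FAILURE", "chain too long", off)
        if off + 8 > len(packet):
            return ("FAILURE", "truncated header", off)
        if nxt == FRAGMENT:
            size = 8
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                return ("FAILURE", "non-first fragment", off)  # no L4 header here
        elif nxt == AH:
            size = (packet[off + 1] + 2) * 4      # AH length is in 32-bit words
        else:
            size = (packet[off + 1] + 1) * 8      # others: 8-octet units
        if off + size > len(packet):
            return ("FAILURE", "truncated header", off)
        nxt, off = packet[off], off + size


# Constructed sample packets (zeroed addresses and option bytes)
def ipv6(first_next, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), first_next, 64) + bytes(32) + payload

def ext(next_hdr):                      # minimal 8-byte generic extension header
    return bytes([next_hdr, 0]) + bytes(6)

def ah(next_hdr):                       # 24-byte AH: length field = 24/4 - 2
    return bytes([next_hdr, 4]) + bytes(22)

TCP_HDR = bytes(20)
UNKNOWN = 253                           # experimental protocol number
SLIDE_CASE_1 = ipv6(HBH, ext(ROUTING) + ext(AH) + ah(TCP) + TCP_HDR)
SLIDE_CASE_2 = ipv6(HBH, ext(ROUTING) + ext(AH) + ah(UNKNOWN) + TCP_HDR)
SLIDE_CASE_3 = ipv6(HBH, ext(UNKNOWN) + ext(AH) + ah(TCP) + TCP_HDR)
REPEATED_HBH = ipv6(HBH, ext(HBH) + ext(TCP) + TCP_HDR)

if __name__ == "__main__":
    for name in ("SLIDE_CASE_1", "SLIDE_CASE_2", "SLIDE_CASE_3", "REPEATED_HBH"):
        print(name, find_l4(globals()[name]))
```

A filter built on this result should treat FAILURE as "layer 4 unknown" and apply an explicit policy to it, since no port-based rule can be evaluated for such a packet.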
7. The IPsec Myth: IPsec End-to-End will Save the World
- IPv6 mandates the implementation of IPsec
- IPv6 does not require the use of IPsec
- Some organizations believe that IPsec should be used to secure all flows...
  - Interesting scalability issue (n² issue with IPsec)
  - Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
  - IOS 12.4(20)T can parse the AH
  - Network telemetry is blinded: NetFlow of little use
  - Network services hindered: what about QoS?
- Recommendation: do not use IPsec end to end within an administrative domain.
- Suggestion: Reserve IPsec for residential or hostile environment or high profile targets.
8. PCI DSS Compliance and IPv6
- Payment Card Industry Data Security Standard requires the use of NAT for security
  - Yes, weird isn’t it?
  - There is no NAT IPv6 <-> IPv6 in most of the firewalls
  - IETF has just started to work on NAT66
- PCI DSS compliance cannot be achieved for IPv6?
- How important is NAT for ‘security’?
  - Not clear feedback from customers.
9. The security ‘value’ of NAT-PT
- Does it really bring something?
- Block connection from the outside
  - Same as a stateful firewall
- Topology hiding? Dubious utility
  - Techniques exist to by-pass
  - Counting host by ID field (Steve Bellovin 2002)
  - Counting host by TCP timestamps (Ellie Lupin 2010)
  - Analysis of the TTL field
  - Analysis of e-mail RFC 822 headers
- Multiple users hidden behind a single address
  - Forensic is more complex
10. What Default Security Policy for CPE?
- Do we need to do same IPv4 NAT?
  - Allow only all inside initiated connections?
- IPv6 hosts are usually more secure than legacy OS
- IPv6 has the benefit of end-to-end connectivity
- Even IETF is unclear
11. Dual-Stack IPS Engines
(Figure label: Service HTTP)
12. Anti-Spam Challenges
- Little SMTPv6 emails…
  - Not a lot of data to test heuristics
- How to build an address reputation database?
  - Based on /128? /64? /56?
- Need more customers, more SMTPv6
13. Summary of Cisco IPv6 Security Products
- ASA Firewall
  - Since version 7.0 (released 2005)
  - Flexibility: Dual stack, IPv6 only, IPv4 only
  - SSL VPN for IPv6 (ASA 8.0)
  - Stateful-Failover (ASA 8.2.2)
- IOS Firewall
  - IOS 12.3(7)T (released 2005)
- IPS
  - Since 6.2 (released 2008)
- Email Security Appliance (ESA) under beta testing early 2010
- Web Security Appliance (WSA) end 2011
14. Key Take Away
- So, nothing really new in IPv6
- Lack of operation experience may hinder security for a while: training is required
- Security enforcement is possible, most vendors have IPv6-enabled security features/appliances
- Control your IPv6 traffic as you do for IPv4
- Leverage IPsec to secure IPv6 when suitable
16. Reference Slides
For Reference Only
17. Secure Neighbor Discovery (SEND) RFC 3971
- Certification paths
  - Anchored on trusted parties, expected to certify the authority of the routers on some prefixes
- Cryptographically Generated Addresses (CGA)
  - IPv6 addresses whose interface identifiers are cryptographically generated
- RSA signature option
  - Protect all messages relating to neighbor and router discovery
- Timestamp and nonce options
  - Prevent replay attacks
- Requires IOS 12.4(24)T
18. Cryptographically Generated Addresses CGA RFC 3972 (Simplified)
- Each device has an RSA key pair (no need for cert)
- Ultra light check for validity
- Prevent spoofing a valid CGA address
(Figure labels: RSA Keys (Priv, Pub); Modifier, Public Key, Subnet Prefix, CGA Params; SHA-1; Signature; Crypto. Generated Address = Subnet Prefix + Interface Identifier; SEND Messages)
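The hash binding behind the "ultra light check" on this slide, as an added example that is not part of the original slides: it follows the RFC 3972 Hash1/Hash2 construction without extension fields and without the RSA signature that SEND adds on top. The function names, the fixed starting modifier and the byte strings standing in for DER-encoded public keys are assumptions made for this illustration.

```python
import hashlib
import ipaddress

ID_MASK = 0x1CFFFFFFFFFFFFFF   # ignore Sec bits (0-2) and u/g bits (6-7)


def _sha1_int(data: bytes, bits: int) -> int:
    """Leftmost `bits` bits of SHA-1(data) as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 is the leftmost 112 bits; its first 16*Sec bits must be zero."""
    h2 = _sha1_int(modifier + bytes(9) + pubkey, 112)
    return h2 >> (112 - 16 * sec) == 0


def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 1):
    """Return (address, modifier) for an 8-byte subnet prefix."""
    m = 0  # RFC 3972 starts from a random modifier; 0 keeps this example repeatable
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m += 1
    modifier = m.to_bytes(16, "big")
    h1 = _sha1_int(modifier + prefix + b"\x00" + pubkey, 64)  # collision count 0
    iid = (h1 & ID_MASK) | (sec << 61)                        # write Sec, clear u/g
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier


def verify_cga(addr, modifier: bytes, prefix: bytes, coll: int, pubkey: bytes) -> bool:
    """Check that the CGA parameters (modifier, prefix, coll, pubkey) produce addr."""
    raw = ipaddress.IPv6Address(addr).packed
    if coll not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    h1 = _sha1_int(modifier + prefix + bytes([coll]) + pubkey, 64)
    if (h1 & ID_MASK) != (iid & ID_MASK):
        return False                      # address was not derived from this key
    return hash2_ok(modifier, pubkey, iid >> 61)


# Constructed sample values
PREFIX = bytes.fromhex("20010db800000001")   # 2001:db8:0:1::/64, documentation prefix
PUBKEY = b"constructed stand-in for a DER-encoded RSA public key"
OTHER_KEY = b"constructed stand-in for a different public key"

if __name__ == "__main__":
    address, mod = generate_cga(PREFIX, PUBKEY, sec=1)
    print(address, verify_cga(address, mod, PREFIX, 0, PUBKEY))
    print("other key accepted:", verify_cga(address, mod, PREFIX, 0, OTHER_KEY))
```

The check proves only that the address was derived from the presented key; proving that the sender holds the matching private key is the job of the RSA signature option in SEND.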
19. Securing Neighbor and Router Advertisements with SEND
- Adding an X.509 certificate to RA
- Subject Name contains the list of authorized IPv6 prefixes
(Figure labels: Neighbor Advertisement: Source Addr = CGA, CGA param block (incl pub key), Signed. Router Advertisement: Source Addr = CGA, CGA param block (incl pub key), X.509 cert, Signed. Trust Anchor: X.509 cert.)