Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2799
Views
5
Helpful
5
Replies

Incoming and Outgoing traffic security in IPv6

Sandeepka
Level 1
Level 1

‎08-29-2013 11:12 PM - edited ‎03-01-2019 05:41 PM

                   Hi,

We have a customer and we need to existing IPv4 Network to IPv6. As Natting has been removed from IPv6 and IPSEC is a mandatory feature in IPv6.

I want to know, when my inside network will go outside world then It will carry the Exact inside / Local or Private Network Address. So Outsider user can easily hack or view my inside Network ip address and can access the Core Network.

So, what we can implement in IPv6, so my inside traffic natted with some other global or Public network, so outside user can not use my local ip addresses.

Kindly confirm.

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎08-29-2013 11:42 PM

First some clarification:

1) IPSec is not mandatory any more. That has been removed in the actual RFCs
2) depending on the devices you can use NAT also for IPv6

One nice thing of IPv6 is end-to-end reachability which makes the operation of the network much easier. (I can't count how many times customer configured their FTP-server wrong to make NAT work). So if you actually don't need NAT, that could be a reason to be happy about it (ok, unless you need to be PCI-compliant; or hat that requirement also changed?)

And yes, by default every one can see your internal IP-addresses. For security you should deploy a firewall solution, but that is not different then it is today. Ok, we all know that many people rely only on NAT, but that's not the best way to connect a network to the internet.

If you wan't that externals can't see the real IP of your inside systems, then you can use privacy-extentions which change the host-portion of the address. But of course your assigned prefix will be the same, but also that is no different then today where your NATed packets always have the public IPs that are assigned to your company.


Sent from Cisco Technical Support iPad App

Service Spring
Level 1
Level 1
In response to Karsten Iwen

‎08-30-2013 06:47 AM

I'm with him; end to end connectivity is so much better.  However, there are also private, non-routeable addresses in IPv6 that you could use for machines that don't need access to the Internet.

0 Helpful

Sandeepka
Level 1
Level 1
In response to Service Spring

‎08-30-2013 09:28 PM

Thanks for Info.

But Actually Customer having a Banking Network Setup which is required Highly secured Traffic over the Internet and ISP.

Currently he is using IPv4 with natting on Firewalls but Natting is not available in IPv6 then How we can Translate our inside Network Addresses in Outside / Global or Public Network, so Outsid user can not access my Network with Inside Networks Addreses. As I understand when the IPv6 packet flows over the network and Internet it will carry the same Inside local addresses which is not secure.

So how we can hide my local inside P / servers IP, Firewall IP and Core IP from Outsid user or how we can nat or Translate these Addresess on Firewall or internet Router.

I have tried to explain my query and I hope u can understand and share some more solution or Documents.

0 Helpful

Sandeepka
Level 1
Level 1
In response to Karsten Iwen

‎08-30-2013 09:29 PM

Thanks for Info.

But Actually Customer having a Banking Network Setup which is required Highly secured Traffic over the Internet and ISP.

Currently he is using IPv4 with natting on Firewalls but Natting is not available in IPv6 then How we can Translate our inside Network Addresses in Outside / Global or Public Network, so Outsid user can not access my Network with Inside Networks Addreses. As I understand when the IPv6 packet flows over the network and Internet it will carry the same Inside local addresses which is not secure.

So how we can hide my local inside P / servers IP, Firewall IP and Core IP from Outsid user or how we can nat or Translate these Addresess on Firewall or internet Router.

I have tried to explain my query and I hope u can understand and share some more solution or Documents.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Sandeepka

‎08-30-2013 11:32 PM 

when the IPv6 packet flows over the network and Internet it will carry the same Inside local addresses which is not secure

In fact it is not more secure, it only seems so. The security comes from strict filtering rules and possibly various deep packet inspection mechanisms that are also IPv6 aware.

But you can use NAT if you want. There are devices that can do NAT on IPv6. The Cisco ASA is one of them and probably there are some more on the market.

Some more reading for IPv6 and NAT/Security:

IPv6 NAT on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html#wp1220768

Ripe: IPv6 Security - An Overview:

https://labs.ripe.net/Members/johannes_weber/ipv6-security-an-overview

Network Computing: 4 IPv6 Security Fallacies:

http://www.networkcomputing.com/ipv6/4-ipv6-security-fallacies/240159771

RFC 6296 - IPv6-to-IPv6 Network Prefix Translation:

http://tools.ietf.org/html/rfc6296

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents