IPv6 Address in Internal Enterprise

maulik.parekh · ‎06-15-2012

Hello All,

I was looking at a Pilot deploment of IPv6 in our Labs.

I was little confused with rgards to what should I use as IPv6 address on Internal Network Infrastructure and hosts.

This is when I jumped across BRKRST-2301 where Shanon McFarland gives some idea on use of IPv6 in the internal.

So what it said is:

1. ULA Only -- Not recommended as NAT 66 solution does not exist <-- Can I use NPT Solution. But it would require same no. of GUA as well.

2. ULA + Global -- More problems with DNS, DHCP and SAS <-- Is this really that difficult ?

3. Global Only -- Recommended but security folks are not ready. <-- I could even not convince some R&S folks for this!!! Even though I am convinced.

Apart from this, if i use a GUA which is not allocated to anyone internally & then NPT it while going outside.

I would like to know your thoughts and what would you recommend to do.

--

Maulik

sean_evershed · ‎06-16-2012

Hi,

I won't have time to comment on all your questions but I'll provide my thoughts.

As the document states, simplify your network design by using global addresses everywhere.

IPv6 requires a paradigm shift in thinking from what you know about IPv4. This includes Security guys understanding the merits of global addresses.

Bear in mind that ULA addresses are not recommended for organisations that will be connected to the Internet.

There are trillions of IPv6 addresses and so there is no need for address translation like there is in the IPv4 world.

There are several RFCs that state that NATing is not designed as a security measure, rather it's main purpose is to preserve scarce Internet routeable IPv4 addresses.

I have read comments stating that NATing hides your internal topology from hackers. However NAT does not stop attacks from worms, trojan horses, viruses, dumpster diving for network diagrams, social engineering for passwords etc etc.

ULA addresses won't necessarily protect your network from attacks. They are by definition a unique address and in theory could leak out to the Internet thus giving a hacker back door to your network. I have seen several recommendations that you should block outbound ULA addresses on your firewall to prevent this.

Have a look at this document on IPv6

http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-586154.html

It recommends using Global addresses on your internal network.

Don't forget to rate all posts that are helpful.

Cheers

Sean

maulik.parekh · ‎06-17-2012

Hi Sean,

Thanks for your reply.

1. Bear in mind that ULA addresses are not recommended for organisations that will be connected to the Internet.

<-- Since ULA are like RFC 1918 address I can use NAT 66 ( NPT 66 actually ) to conect them to Internet. However I feel that it is actually not required and I could assign Global address directly. Can you tell me reasons why ULA is not recommended.

2. Traditional Idea of NAT providing security requies a shift and all functions must given to firewall. I agree.

3. ULA leaking to Internet can never happen as SP's will filter out these address and never advertise them onto Internet. Like RFC 1918 adresses are not available on Internet.

Can you please provide comments on following addess scheme:

1. ULA addresses are assigned to Infrastructure Point to Point Links and Ethernet Segmets connectin Routers.

2. All End hosts and Users are assigned both ULA ad GUA IPv6 addresses. Therfore they will have four addresses IPv4, IPv6 ULA, IPv6 GUA, IPv6 LL.

All GUA addresses will be advertised to Internet. For Internal communication ULA must be used.

No Infrastructure Links or Deviceswill e available/pinged or reachable from Internet.

However, for this to work perfectly, Source Address Selection (SAS) by applications must e doe perfectly. Not sure on this.

--

Maulik

sean_evershed · ‎06-18-2012

Hi,

1. NAT 66 is not currently supported. See this reference below:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book.html

I see no reference to NAT 66 here:

http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html#~in_depth

Furthermore NAT 66 appears to still only to be in draft status:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

RFC 4193 states that ULA addresses are routable inside of a more limited area such as a site. They may also be routed between a limited set of sites. Hence my comment about them not being designed for connection to the Internet.

3. I have had bad experiences with SP's in the past. Therefore I would not trust my IPv6 Security policy to them.

Furthermore the Cisco Press book on IPv6 Security recommends the blocking of outbound ULA addresses.

Regarding the last section of your post I repeat what I said previously. Keep it simple. Stick with Global only.

I'm a bit confused since you say that all hosts will have 4 addresses but ULA must be used internally.

How will you dictate to every server and PC that they will only use their ULA addresses and ignore their global addresses for all internal communications? How will you monitor that this is actaully happening?

You also state that all GUA addresses will be advertised to the Internet but these devices are not be reachable from the Internet. However you have just advertised these addresses to the Internet. I'm puzzled as to how you can achieve both conflicting requirements.

maulik.parekh · ‎06-19-2012

Hi,

Reading many such things I think having GUA to end Hosts is best bet and that is what many people recommend to do.

I'm a bit confused since you say that all hosts will have 4 addresses but ULA must be used internally.

How will you dictate to every server and PC that they will only use their ULA addresses and ignore their global addresses for all internal communications? How will you monitor that this is actaully happening?

<-- SAS should be used for this. Please refer this RFC and the problem statement it gives for SAS. But I am not sure every OS out there has implemented it correctly.

http://tools.ietf.org/html/rfc5220#page-12

You also state that all GUA addresses will be advertised to the Internet but these devices are not be reachable from the Internet. However you have just advertised these addresses to the Internet. I'm puzzled as to how you can achieve both conflicting requirements.

<-- By this I actually meant that on all Infrastructure links and loopbacks of Routers we will use ULA, only end hosts will be given GUA and this GUA will be advertised into the routing protocol (exterior) for reachability. Both GUA and ULA in IGP. Advantage of this is that infrastructure network devices will not be reachable from Internet whatsoever.

I have had bad experiences with SP's in the past. Therefore I would not trust my IPv6 Security policy to them.

<-- I agree, applying policies should be done at enterprise end must never trust SP.

For NAT 66, yes i am aware that it is still not available in major implementations, but some LB do that. So just was giving a thought.

http://tools.ietf.org/html/rfc6296

So I was just giving a thought:

1. To allocate ULA to Infrastructure Links and network devices.

2. Provide only GUA to end hosts. I too feel that should be the best approach.

Let me know on the 1st point. Thanks.