Advanced IPv6 Security in the LAN
This advanced session discusses IPv6 link operations from a functional, security and scalability standpoint, through several use cases and deployment scenarios: campus, datacentre, broadband access, etc.

In modern networks, the layer-2 domain has grown in size and functionality to provide a faster, simpler and more manageable user experience. With IPv4, security within the layer-2 domain was given special focus, and many new mechanisms such as IP Source Guard, DHCP snooping and Dynamic ARP Inspection were developed and deployed. Many, if not all, of these mechanisms rely on link operations, link models and associated protocols that are very different in IPv6. With IPv6, DHCP plays a smaller role, end-nodes are given more autonomy through the IPv6 Neighbor Discovery protocol, and securing link operations at layer 2 becomes a brand new challenge. New, unique vulnerabilities have been identified, for which new mitigation mechanisms have been specified, such as "Secure Neighbor Discovery", "RA Guard" and "Source Address Validation".

The session will explore the major challenges and vulnerabilities around IPv6 link operations from both a theoretical and a practical angle, followed by a thorough review of the toolbox available to mitigate the most critical issues. Four essential use cases will be used (and demoed) as vehicles to illustrate the theory, the issues, the mitigation mechanisms and the remaining vulnerabilities: router discovery, address ownership, source address validation and destination address validation.

The target audience is network administrators moving towards IPv6. Attendees are recommended to be familiar with the concept of layer-2 security in IPv4. The audience will benefit from the following session: BRKSEC-2003 "IPv6 Security Threats and Mitigations".