Archive for the ‘Cisco Live’ Category

IPv6 Security: It Matters

The long-promised IPv6 security post. This was a tough one to write, because when I started five months ago I realized that I don’t really know that much about end system security. I don’t know how Borepatch does it every day.

I’ve written before about IPv6 and about how US service providers are starting to dip their toes into the pool. European and Japanese providers have been dealing with this stuff for a while. A lot of the information in this post comes from a breakout session I attended at Cisco Live in June led by Eric Vyncke, a Cisco Distinguished Engineer and all-around security guru who helped roll out IPv6 in France and other places. He also literally wrote the book on IPv6 security. Some of it is also from NANOG47.

You might be thinking, “Wait a minute, IPv6 isn’t widely deployed, and I’m not even using it. Why should I care?” That may not be a correct assumption. If you run Windows Vista or later, MacOS 10.2 or later, or a recent distribution of Linux, then your computer knows how to speak IPv6 and it’s just waiting for network traffic to start talking.

One example Vyncke used at Cisco Live was that the wireless network at the conference was running over IPv6. Most of us had no idea, but a quick check revealed that all of our laptops had global (as in public) IPv6 addresses and, moreover, could reach IPv6-enabled websites natively. There were over 800 laptops connected to the wireless network at the conference with IPv6 during peak hours. How many people noticed? No one that I asked after I left that session had noticed. The transition from v4 to v6 was completely seamless, as it should be.

Still, this seamless transition is a bit alarming because, as Vyncke pointed out, lots of folks harden their gear against IPv4 threats, but few have considered IPv6 as an attack vector. However, even if you don’t run IPv6 in your network, if your computer speaks IPv6 then there are a few attacks that you should be aware of.

The first one occurs when an attacker sends false Router Advertisement packets to your computer. They have to be on the same broadcast domain as your computer for it to work. In other words, they have to be on your home wired network or a wireless network that you are connected to. The way it works is the attacker tells your computer, “You can get to the internet through me,” by sending a Router Advertisement message. Since Router Advertisements are not authenticated in most implementations of IPv6, your computer will automatically trust the attacker and send all of its IPv6 traffic through their gateway, setting up a man-in-the-middle attack.
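As an added illustration (not from Vyncke's session or this post), here is the defender-side check that a switch's RA Guard feature or a host-based monitor performs: decode a captured Router Advertisement and flag one that comes from a router outside an allowlist. The allowlist address, the sample packet and the verdict labels are constructed for the example.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_ROUTER_ADVERTISEMENT = 134
PREFIX_INFO_OPTION = 3

# Constructed allowlist: link-local addresses of the routers that are supposed
# to advertise on this segment. Anything else sending an RA is a rogue.
KNOWN_ROUTERS = {IPv6Address("fe80::1")}


def parse_ra(payload: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861 s4.2) plus its Prefix
    Information options. The checksum is not verified here because it needs
    the IPv6 pseudo-header, which a bare ICMPv6 payload does not carry."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes, offset = [], 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:            # RFC 4861 forbids zero-length options
            raise ValueError("malformed option")
        opt = payload[offset:offset + opt_len * 8]
        if opt_type == PREFIX_INFO_OPTION and len(opt) == 32:
            prefixes.append(f"{IPv6Address(opt[16:32])}/{opt[2]}")
        offset += opt_len * 8
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "router_lifetime": lifetime, "prefixes": prefixes}


def classify_ra(src: str, payload: bytes) -> str:
    """RA Guard-style check: an RA from an address outside the allowlist that
    offers itself as default router (lifetime > 0) or pushes prefixes is rogue."""
    ra = parse_ra(payload)
    if IPv6Address(src) in KNOWN_ROUTERS:
        return "ok"
    if ra["router_lifetime"] > 0 or ra["prefixes"]:
        return "rogue"
    return "unexpected"   # lifetime 0 and no prefixes: odd, but not a takeover


# Constructed sample: RA offering itself as default router for 30 minutes and
# advertising 2001:db8::/64 with the L and A flags set (checksum left at zero).
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
             + IPv6Address("2001:db8::").packed)
```

On a real network the same logic runs over the ICMPv6 payload captured from each RA on the link, with the source taken from the IPv6 header.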

Most of the other end-system vulnerabilities come from tunnels. In this case, a tunnel is a way for a host connected to an IPv4-only system to speak IPv6 with another host across the internet. This makes your system vulnerable to IPv6 attacks from whoever is on the other side of that tunnel. One of the most popular types of tunnel is a Teredo tunnel, which carries a couple of risks. Specifically, in Windows Vista Teredo tunnels bypass the Windows firewall. As far as I can tell, this issue is fixed in Windows 7. Also, some applications (most notably uTorrent) will set up Teredo tunnels automatically if you let them. This behavior will open potentially unmonitored connections, so if you see this option in your apps don’t turn it on unless you have IPv6-aware security software on your PC.

That’s the bad news, but Don’t Panic. The good news is that most major security vendors, including Kaspersky, McAfee, and Symantec, have had IPv6 support in their software firewalls for years. Commercial hardware firewall vendors also generally have good support for IPv6, but most home routers (such as Linksys, D-Link, and Netgear) have no support for v6. If you’ve purchased or upgraded your security software since 2007, you’re probably protected.

Even so, to prevent any possible attacks, I would recommend disabling IPv6 on your PC if you do not currently use it in your home network. Truthfully, there’s no compelling reason to use IPv6 at home right now, and you can turn it back on when you do make the move. Here are instructions for disabling it:

In Windows Vista/7 – Only do the first four steps unless you are familiar with the Windows Registry. In fact, I wouldn’t do the last steps even so, because they make it a pain to turn the protocol back on when you do need it (and in a couple of years, you will).

In Mac OS X – Predictably, it’s super easy to do on a Mac.

And in Linux.

One to go.

I passed the CCIE Routing and Switching written exam today with flying colors. What a difference a good night’s sleep can make. The only thing now between me and a unique CCIE number is the lab exam, which is a little like saying the only thing between me and millions of dollars is a bank vault door. I’ve got another post on IPv6 in the works based on some of the stuff I learned at Cisco Networkers from folks who’ve actually deployed it on a large scale (mostly from Europe and Asia). Hopefully I’ll get that up by the end of the week.

Cisco in ‘Cisco

Sorry about not updating. There’s been lots to write about but no time to do so.

I’ve gotta say, flying from Phoenix to San Francisco is like travelling from Arrakis to Caladan. It might seem odd, but the first thing I noticed about San Francisco is the water. It’s everywhere! Imagine that.

I registered for the convention late so I ended up in a different hotel than my co-workers. They’re in a hotel about a mile closer to the Moscone Convention Center, but I got a room larger than a broom closet and in a place that serves a great steak. I figure I got the better deal. Both hotels charge for internet, though. $13 a day when I’m only awake in my hotel room for 2 hours a night is pretty crappy, even if it does go on the company card.

I’ve been doing a lot of reading on the Kindle instead. Can’t say that I mind all that much. I think I actually read faster on the Kindle, but I’m not sure. I do know that I’m almost done with Hitchhiker’s Guide to the Galaxy and I’ve only been reading it for about three hours.

So far the convention has been pretty awesome. On Monday I took a mentored CCIE routing and switching practice lab, which was a great experience. I learned a bit about some areas where I’m weak, specifically IPv6 and multicast configuration. I’ve got a good grasp of IPv6 concepts, but there’s so seldom an opportunity to actually configure and troubleshoot IPv6 that it’s going to be a significant hurdle when I take the CCIE Lab exam in a few months. I also got a good look at the format of the exam and the sorts of ‘gotcha’ scenarios Cisco puts on the lab exams. Normally I’d have had to pay $1500 to fail the test to get that kind of experience.

This morning I attended a session on deploying scalable OSPF in a service provider network. The Open Shortest Path First routing protocol is the most common routing protocol in the world, because it’s easy to configure, every vendor supports it, and every engineer learns it forward and backward. It’s a lot like IPv4 (or VHS) in that it’s not the best tool for the job, but everyone knows how to use it and everyone supports it. It was a good lecture, but I spend all day hip deep in OSPF at work, and I didn’t really learn anything new. I’m not sure what I expected. . . I think I was hoping that there was some secret OSPF juju that I don’t know about.

Of course, as I mentioned before, I took the CCIE written exam a couple of hours ago. I failed the exam by 14 points out of 1000. In other words, I failed by one difficult question or two easy questions out of 100. It’s the worst way to fail, in my opinion. The earliest I can retake the exam is Monday, so I’ll study over the weekend and hopefully pass then.

This afternoon I have a class on IPv6 security and tomorrow I’ve got a couple of sessions on multicast deployment and MPLS. These are my weakest subjects, so hopefully they’ll also do some good both on the certification front and in my job, where we’re currently designing a multicast video deployment.

I’ve got to run to the IPv6 session now.

On a Jet Plane

In 12 hours I’ll be on a flight to San Francisco in order to attend the annual Cisco Live conference (formerly Cisco Networkers) until Thursday. Should be interesting: I’ll be attending seminars on IPv6 security, MPLS traffic engineering[1], multicast routing, and a CCIE Routing and Switching lab tutorial. On Tuesday afternoon I’ll be taking the CCIE R&S written exam.

I’m taking my Eee in addition to my work laptop, so I’ll try to blog frequently; there should be plenty of network coverage. . .

  1. I couldn’t find any good articles to explain MPLS traffic engineering simply. Basically, it’s a way to implement end-to-end QoS and policy-based path selection using label switching. In other words, it’s faster and less CPU intensive than true packet-switched QoS. However, it’s only useful in high-bandwidth, large-scale networks. The benefits are negligible in smaller networks.