OPSEC                                                   E. Vyncke, Ed.
Internet-Draft                                                   Cisco
Intended status: Informational                         K. Chittimaneni
Expires: May 3, 2018                                      Dropbox Inc.
                                                               M. Kaeo
                                                  Double Shot Security
                                                      October 30, 2017

         Operational Security Considerations for IPv6 Networks
                         draft-ietf-opsec-v6-12

Abstract

   Knowledge and experience on how to operate IPv4 securely is available: whether it is the Internet or an enterprise internal network. However, IPv6 presents some new security challenges. RFC 4942 describes the security issues in the protocol, but network managers also need a more practical, operations-minded document to enumerate the advantages and/or disadvantages of certain choices.

   This document analyzes the operational security issues in all places of a network (enterprises, service providers and residential users) and proposes technical and procedural mitigation techniques.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 3, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Generic Security Considerations
     2.1.  Addressing Architecture
       2.1.1.  Statically Configured Addresses
       2.1.2.  Use of ULAs
       2.1.3.  Point-to-Point Links
       2.1.4.  Temporary Addresses - Privacy Extensions for SLAAC
       2.1.5.  Privacy consideration of Addresses
       2.1.6.  DHCP/DNS Considerations
       2.1.7.  Using a /64 per host
     2.2.  Extension Headers
       2.2.1.  Order and Repetition of Extension Headers
       2.2.2.  Hop-by-Hop Extension Header
       2.2.3.  Fragmentation Extension Header
       2.2.4.  IP Security Extension Header
     2.3.  Link-Layer Security
       2.3.1.  Securing DHCP
       2.3.2.  ND/RA Rate Limiting
       2.3.3.  ND/RA Filtering
       2.3.4.  3GPP Link-Layer Security
       2.3.5.  SeND and CGA
     2.4.  Control Plane Security
       2.4.1.  Control Protocols
       2.4.2.  Management Protocols
       2.4.3.  Packet Exceptions
     2.5.  Routing Security
       2.5.1.  Authenticating Neighbors/Peers
       2.5.2.  Securing Routing Updates Between Peers
       2.5.3.  Route Filtering
     2.6.  Logging/Monitoring
       2.6.1.  Data Sources
       2.6.2.  Use of Collected Data
       2.6.3.  Summary
     2.7.  Transition/Coexistence Technologies
       2.7.1.  Dual Stack
       2.7.2.  Transition Mechanisms
       2.7.3.  Translation Mechanisms
     2.8.  General Device Hardening
   3.  Enterprises Specific Security Considerations
     3.1.  External Security Considerations
     3.2.  Internal Security Considerations
   4.  Service Providers Security Considerations
     4.1.  BGP
       4.1.1.  Remote Triggered Black Hole Filtering
     4.2.  Transition Mechanism
     4.3.  Lawful Intercept
   5.  Residential Users Security Considerations
   6.  Further Reading
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10.  References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   Running an IPv6 network is new for most operators, not only because they are not yet used to large scale IPv6 networks but also because there are subtle differences between IPv4 and IPv6, especially with respect to security. For example, all layer-2 interactions are now done using the Neighbor Discovery Protocol [RFC4861] rather than the Address Resolution Protocol [RFC0826]. Also, there are subtle differences between NAT44 [RFC2993] and NPTv6 [RFC6296] which are explicitly pointed out in the latter's security considerations section.

   IPv6 networks are deployed using a variety of techniques, each of which has its own specific security concerns.

   This document complements [RFC4942] by listing all security issues when operating a network utilizing varying transition technologies and updating with ones that have been standardized since 2007. It also provides more recent operational deployment experiences where warranted.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] when they appear in ALL CAPS. These words may also appear in this document in lower case as plain English words, absent their normative meanings.

2.  Generic Security Considerations

2.1.  Addressing Architecture

   IPv6 address allocations and overall architecture are an important part of securing IPv6. Initial designs, even if intended to be temporary, tend to last much longer than expected. Although initially IPv6 was thought to make renumbering easy, in practice it may be extremely difficult to renumber without a good IP Address Management (IPAM) system.

   Once an address allocation has been assigned, there should be some thought given to an overall address allocation plan. With the abundance of address space available, an address allocation may be structured around services along with geographic locations, which then can be a basis for more structured security policies to permit or deny services between geographic regions.
   A common question is whether companies should use PI vs PA space [RFC7381], but from a security perspective there is little difference. However, one aspect to keep in mind is who has administrative ownership of the address space and who is technically responsible if/when there is a need to enforce restrictions on routability of the space due to malicious criminal activity. Using PA space exposes the organization to a renumbering of the complete network, including security policies (based on ACLs), audit systems, etc.; in short, a complex task which could lead to some security risk if done for a large network and without automation. Hence, for large networks, PI space should be preferred.

2.1.1.  Statically Configured Addresses

   When considering how to assign statically configured addresses, it is necessary to take into consideration the effectiveness of perimeter security in a given environment. There is a trade-off between ease of operation (where some portions of the IPv6 address could be easily recognizable for operational debugging and troubleshooting) versus the risk of trivial scanning used for reconnaissance. [SCANNING] shows that there are scientifically based mechanisms that make scanning for IPv6 reachable nodes more realizable than expected; see also [RFC7707]. The use of common multicast groups which are defined for important networked devices and the use of commonly repeated addresses could make it easy to figure out which devices are name servers, routers or other critical devices; even a simple traceroute will expose most of the routers on a path. There are many scanning techniques, and more will appear; hence, operators should never rely on the 'impossible to find because my address is random' paradigm.
   While in some environments the security is so poor that obfuscating addresses could be considered a benefit, it is a better practice to ensure that perimeter rules are actively checked and enforced and that statically configured addresses follow some logical allocation scheme for ease of operation (as simplicity always helps security).

2.1.2.  Use of ULAs

   It is important to carefully weigh the benefits of using ULAs versus utilizing a section of the global allocation and creating a more effective filtering strategy. It is also important to note that the IETF does not recommend the use of ULA and NPTv6.

   ULAs are intended for scenarios where IP addresses will not have global scope, so they should not appear in the global BGP routing table. The implicit expectation from the RFC is that all ULAs will be randomly created as /48s. Any use of ULAs that are not created as a /48 violates RFC4193 [RFC4193].

   ULAs could be useful for infrastructure hiding as described in RFC4864 [RFC4864]. Alternatively, Link-Local addresses RFC7404 [RFC7404] could also be used. Although ULAs are supposed to be used in conjunction with global addresses for hosts that desire external connectivity, a few operators chose to use ULAs in conjunction with some sort of address translation at the border in order to maintain a perception of parity between their IPv4 and IPv6 setup. Some operators believe that stateful IPv6 Network Address and Port Translation (NAPT) provides some security not provided by NPTv6 (the authors of this document do not share this point of view). The use of stateful IPv6 NAPT would be problematic in trying to track specific machines that may source malware, although this is less of an issue if appropriate logging is done which includes utilizing accurate timestamps and logging a node's source ports RFC6302 [RFC6302]. Another typical argument in favor of ULA is that there are too many mistakes made with ACL filters at the edge and the use of ULAs could make it easier to set filters.

   The use of ULA does not isolate 'by magic' the part of the network using ULA from other parts of the network (including the Internet). Although section 4.1 of RFC4193 [RFC4193] explicitly states "If BGP is being used at the site border with an ISP, the default BGP configuration must filter out any Local IPv6 address prefixes, both incoming and outgoing.", the operational reality is that this guideline is not always followed. As written, RFC4193 makes no changes to the default routing behavior of exterior protocols. Therefore, routers will happily forward packets whose source or destination address is ULA as long as they have a route to the destination and there is no ACL blocking those packets. This means that using ULA does not remove the need for route and packet filters to be implemented and monitored. This also means that all Internet transit networks should consider packets with ULA as source or destination as bogons and drop them.

2.1.3.  Point-to-Point Links

   RFC6164 [RFC6164] recommends the use of /127 for inter-router point-to-point links. A /127 prevents the ping-pong attack between routers. However, it should be noted that at the time of this writing, there are still many networks out there that follow the advice provided by RFC3627 [RFC3627] (obsoleted and marked Historic by RFC6547 [RFC6547]) and therefore continue to use /64's and/or /112's. We recommend that the guidance provided by RFC6164 be followed.

   Some environments are also using link-local addressing for point-to-point links. While this practice could further reduce the attack surface against infrastructure devices, the operational disadvantages also need to be carefully considered RFC7404 [RFC7404].

2.1.4.  Temporary Addresses - Privacy Extensions for SLAAC

   Normal stateless address autoconfiguration (SLAAC) relies on the automatically generated EUI-64 address, which together with the /64 prefix makes up the globally unique IPv6 address. The EUI-64 address is generated from the MAC address. Randomly generating an interface ID, as described in [RFC4941], is part of SLAAC with so-called privacy extension addresses and is used to address some privacy concerns. Privacy extension addresses, a.k.a. temporary addresses, may help to mitigate the correlation of activities of a node within the same network, and may also reduce the attack exposure window.

   As privacy extension addresses could also be used to obfuscate some malevolent activities (whether on purpose or not), it is advised in scenarios where user attribution is important to rely on a layer-2 authentication mechanism such as IEEE 802.1X [IEEE-802.1X] with the appropriate RADIUS accounting (Section 2.6.1.6) or to disable SLAAC and rely only on DHCPv6. However, in scenarios where anonymity is a strong desire (protecting user privacy is more important than user attribution), privacy extension addresses should be used. When [RFC8064] is available, stable temporary addresses are probably a good balance between privacy (among multiple networks) and security/user attribution (within a network).

   Using privacy extension addresses prevents the operator from building a priori host-specific access control lists (ACLs). It must be noted that recent versions of Windows do not use the MAC address anymore to build the stable address but use a mechanism similar to the one described in [RFC7217]; this also means that such an ACL cannot be configured based solely on the MAC address of the nodes, diminishing the value of such an ACL. On the other hand, different VLANs are often used to segregate users; in this case the ACL can rely on a /64 prefix per VLAN rather than a per-host ACL entry.

   The decision to utilize privacy extension addresses can come down to whether the network is managed versus unmanaged. In some environments full visibility into the network is required at all times, which requires that all traffic be attributable to where it is sourced or where it is destined to within a specific network. This situation is dependent on what level of logging is performed. If logging considerations include utilizing accurate timestamps and logging a node's source ports [RFC6302], then there should always exist the appropriate user attribution needed to get to the source of any malware originator or source of criminal activity.

   Disabling SLAAC and privacy extension addresses can be done for normal users by sending Router Advertisements with a hint to get addresses via DHCPv6 by setting the M-bit, but also disabling SLAAC by resetting all A-bits in all prefix information options sent in the Router Advertisement message. Hackers will find a way to bypass this mechanism if it is not enforced at the switch/router level by snooping the DHCPv6 exchanges and enforcing the mapping between the switch/router port, the MAC address and the leased IPv6 address.

2.1.5.  Privacy consideration of Addresses

   However, there are several privacy issues still present with [RFC4941] such as host tracking, and address scanning attacks are still possible. More details are provided in Appendix A of [RFC7217] and in [RFC7721].

2.1.6.  DHCP/DNS Considerations

   Many environments use DHCPv6 to allocate addresses to ensure auditability and traceability (but see Section 2.6.1.5). A main security concern is the ability to detect and counteract rogue DHCP servers (Section 2.3.1).
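   The ULA and point-to-point guidance of Sections 2.1.2 and 2.1.3 above can be turned into mechanical checks on an address plan. The Python script below is an added example and is not part of this draft: the prefixes in it are constructed (documentation and ULA space), the function names are the example's own, and the border filter simply implements the recommendation that transit networks treat packets with a ULA source or destination as bogons. It uses only the standard library.

```python
"""Added example (not from the draft): address-plan checks for ULA (RFC 4193)
and point-to-point links (RFC 6164), plus a border filter that treats ULA and
link-local as bogons, as Sections 2.1.2 and 2.1.3 recommend."""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")                   # RFC 4193 Unique Local Addresses
ULA_LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")  # L bit set; the only half RFC 4193 defines
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def address_scope(address):
    """Return the scope class of a single IPv6 address."""
    a = ipaddress.IPv6Address(address)
    if a in ULA:
        return "ula"
    if a in LINK_LOCAL:
        return "link-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def check_ula_prefix(prefix):
    """Check a ULA allocation against RFC 4193: a /48 taken from fd00::/8 (the
    randomly generated, locally assigned half of fc00::/7).
    Returns a list of problems; an empty list means the prefix is compliant."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    problems = []
    if not net.subnet_of(ULA):
        return ["not a ULA prefix (outside fc00::/7)"]
    if not net.subnet_of(ULA_LOCALLY_ASSIGNED):
        problems.append("L bit not set: fc00::/8 is undefined by RFC 4193")
    if net.prefixlen != 48:
        problems.append("ULA must be allocated as a /48 (got /%d)" % net.prefixlen)
    return problems


def check_p2p_link(prefix):
    """RFC 6164 recommends /127 on inter-router point-to-point links; /64 and
    /112 are the obsoleted RFC 3627 lengths and are flagged."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen == 127:
        return "ok"
    if net.prefixlen in (64, 112):
        return "legacy RFC 3627 length /%d; RFC 6164 recommends /127" % net.prefixlen
    return "unexpected length /%d for a point-to-point link" % net.prefixlen


def border_filter(src, dst):
    """Decision for a packet crossing a site border or an Internet transit
    network: ULA or link-local as source or destination is a bogon and is
    dropped; everything else is left to the regular policy."""
    for a in (src, dst):
        if address_scope(a) in ("ula", "link-local"):
            return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed sample plan (documentation prefix 2001:db8::/32 and made-up ULAs).
    print(check_ula_prefix("fd12:3456:789a::/48"))       # compliant: []
    print(check_ula_prefix("fc12:3456:789a:1::/64"))     # L bit clear and not a /48
    print(check_p2p_link("2001:db8:0:1::/127"))          # ok
    print(check_p2p_link("2001:db8:0:2::/64"))           # legacy length
    print(border_filter("fd12:3456:789a::10", "2001:db8::1"))  # drop
```

   The checks are deliberately strict: a ULA that is not a /48 or that sits in fc00::/8 is reported rather than silently accepted, which is the kind of mistake an IPAM export review should catch before the prefix reaches a router.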
   DNS is often used for malware activities and, while there are no fundamental differences between IPv4 and IPv6 security concerns, there are specific considerations in DNS64 RFC6147 [RFC6147] environments that need to be understood. Specifically, the interactions and potential interference with DNSSEC implementations need to be understood; these are pointed out in detail in Section 2.7.3.2.

2.1.7.  Using a /64 per host

   An interesting approach is using a /64 per host as proposed in [I-D.ietf-v6ops-unique-ipv6-prefix-per-host]. This allows easier user attribution (typically based on the host MAC address) as its /64 prefix is stable even if applications or containers within the host change IPv6 address within this /64.

2.2.  Extension Headers

   The extension headers are one of the most critical differentiators between IPv4 and IPv6. They have also become a very controversial topic since forwarding nodes that discard packets containing extension headers are known to cause connectivity failures and deployment problems. Understanding the role of varying extension headers is important and this section enumerates the ones that need careful consideration. The IANA has closed the existing empty "Next Header Types" registry to new entries and is redirecting its users to a new "IPv6 Extension Header Types" registry.

   A clarification on how intermediate nodes should handle existing packets with extension headers and any extension headers that are defined in the future is found in RFC7045 [RFC7045]. The uniform TLV format to be used for defining future extension headers is described in RFC6564 [RFC6564]. Some observations listed in RFC7872 [RFC7872] seem to indicate that packets with certain extension headers may not traverse the Internet to their intended destination based on operator policies.
   It must also be noted that there is no indication in the packet whether the Next Header field points to an extension header or to a transport header. This may confuse some filtering rules.

2.2.1.  Order and Repetition of Extension Headers

   While RFC2460 [RFC2460] defines the order and the maximum repetition of extension headers, there are still IPv6 implementations at the time of writing this document which support a wrong order of headers (such as ESP before routing) or an illegal repetition of headers (such as multiple routing headers). The same applies for options contained in the extension headers (see [I-D.kampanakis-6man-ipv6-eh-parsing]). In some cases, it has led to nodes crashing when receiving or forwarding wrongly formatted packets.

2.2.2.  Hop-by-Hop Extension Header

   The hop-by-hop extension header, when present in an IPv6 packet, forces all nodes in the path to inspect this header. This is of course a large avenue for a denial of service as most if not all routers cannot process this kind of packet in hardware but have to 'punt' this packet for software processing. See also [I-D.ietf-6man-hbh-header-handling].

2.2.3.  Fragmentation Extension Header

   The fragmentation extension header is used by the source when it has to fragment packets. RFC7112 [RFC7112] explains why it is important that:

   o  firewalls and security devices drop a first fragment not containing enough of the layer-4 header;

   o  the destination node ignores a first fragment not containing the entire IPv6 header chain.

   Otherwise, stateless filtering could be bypassed by a hostile party. RFC6980 [RFC6980] applies the same rule to NDP and the RA-guard function.

2.2.4.  IP Security Extension Header

   The IPsec [RFC4301] extension headers (AH [RFC4302] and ESP [RFC4303]) are required if IPsec is to be utilized for network level security functionality.
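   As an added illustration that is not part of the draft, the Python script below walks an IPv6 header chain and applies the checks discussed in Section 2.2: it rejects chains that break the RFC 2460 order and repetition rules, first fragments that do not carry the whole header chain or enough of the layer-4 header (RFC 7112) and Neighbor Discovery messages carried with a Fragment header (RFC 6980), and it flags packets with a Hop-by-Hop header for rate limiting rather than dropping them. The packets it inspects are constructed inline with unspecified addresses; the verdict names, the minimal layer-4 lengths and the choice to treat ESP as the end of the visible chain are assumptions of this example, not rules from the draft.

```python
"""Added example, not part of the draft: walk an IPv6 header chain and apply
the Section 2.2 checks (RFC 2460 order/repetition, RFC 7112 first fragments,
hop-by-hop punting, RFC 6980 ND with a Fragment header). Stdlib only."""
import struct

HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 6, 43, 44, 50, 51, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
# Recommended order, RFC 2460 section 4.1; Destination Options may appear twice.
RFC2460_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]
ND_TYPES = {133, 134, 135, 136, 137}       # RS, RA, NS, NA, Redirect
L4_MIN_LEN = {TCP: 20, 17: 8, ICMPV6: 8}   # bytes a stateless filter needs (assumed values)


def walk_chain(packet):
    """Follow the Next Header chain. Returns (chain, upper, offset, fragment):
    chain is the list of extension headers seen, upper the first non-extension
    protocol reached (ESP is treated as terminal: its payload is opaque) or None
    if the chain does not complete inside this packet, offset where upper starts."""
    nh, off, chain, fragment = packet[6], 40, [], None
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            return chain, None, off, fragment          # chain runs off the packet
        chain.append(nh)
        if nh == ESP:
            return chain, ESP, off, fragment
        if nh == FRAGMENT:
            nh, _, frag, _ = struct.unpack("!BBHI", packet[off:off + 8])
            fragment = {"offset": frag >> 3, "more": bool(frag & 1)}
            off += 8
            if fragment["offset"]:                     # non-first fragment: no upper layer here
                return chain, None, off, fragment
        elif nh == AH:                                 # AH length is in 4-octet units minus 2
            nh, off = packet[off], off + (packet[off + 1] + 2) * 4
        else:                                          # Hop-by-Hop, Routing, Destination Options
            nh, off = packet[off], off + (packet[off + 1] + 1) * 8
    if off > len(packet):
        return chain, None, off, fragment              # bogus extension length
    return chain, nh, off, fragment


def check_order(chain):
    """RFC 2460 section 4.1: each header at most once (Destination Options at most
    twice), in the recommended order, Hop-by-Hop only right after the IPv6 header.
    Any chain that is not a subsequence of RFC2460_ORDER fails."""
    pos, problems = 0, []
    for h in chain:
        while pos < len(RFC2460_ORDER) and RFC2460_ORDER[pos] != h:
            pos += 1
        if pos == len(RFC2460_ORDER):
            problems.append("header %d out of order or repeated (RFC 2460)" % h)
            break
        pos += 1
    return problems


def inspect(packet):
    """Stateless filter verdict for one packet: ('drop'|'rate-limit'|'accept', reasons)."""
    chain, upper, off, fragment = walk_chain(packet)
    reasons = check_order(chain)
    first_fragment = fragment is not None and fragment["offset"] == 0
    if upper is None:
        if first_fragment:
            reasons.append("first fragment lacks the entire header chain (RFC 7112)")
        elif fragment is None:
            reasons.append("header chain runs past the end of the packet")
    elif first_fragment and upper in L4_MIN_LEN and off + L4_MIN_LEN[upper] > len(packet):
        reasons.append("first fragment lacks enough of the layer-4 header (RFC 7112)")
    if fragment is not None and upper == ICMPV6 and off < len(packet) and packet[off] in ND_TYPES:
        reasons.append("Neighbor Discovery message carrying a Fragment header (RFC 6980)")
    if reasons:
        return "drop", reasons
    if HOP_BY_HOP in chain:
        return "rate-limit", ["hop-by-hop header is punted to software on every node (Section 2.2.2)"]
    return "accept", []


def build(ext_headers, upper, upper_bytes=b""):
    """Assemble a minimal IPv6 packet for the constructed samples: ext_headers is
    a list of (type, fragment_field) pairs; bodies are padding except the Fragment
    header's offset/M field. Source and destination are left as :: on purpose."""
    types = [t for t, _ in ext_headers] + [upper]
    parts = []
    for i, (t, field) in enumerate(ext_headers):
        nxt = types[i + 1]
        if t == FRAGMENT:
            parts.append(struct.pack("!BBHI", nxt, 0, field, 0x1234))
        elif t == AH:
            parts.append(bytes([nxt, 1]) + b"\0" * 10)      # payload len 1 -> 12 bytes
        else:
            parts.append(bytes([nxt, 0]) + b"\0" * 6)       # hdr ext len 0 -> 8 bytes
    payload = b"".join(parts) + upper_bytes
    return struct.pack("!IHBB", 0x60000000, len(payload), types[0], 64) + b"\0" * 32 + payload


ND_RA, ECHO_REQUEST = bytes([134, 0, 0, 0, 0, 0, 0, 0]), bytes([128, 0, 0, 0, 0, 0, 0, 0])
SAMPLES = {  # constructed packets, keyed by what they demonstrate
    "clean": build([(DEST_OPTS, 0), (FRAGMENT, 1)], TCP, b"\0" * 20),
    "hbh_not_first": build([(ROUTING, 0), (HOP_BY_HOP, 0)], TCP, b"\0" * 20),
    "routing_twice": build([(ROUTING, 0), (ROUTING, 0)], TCP, b"\0" * 20),
    "chain_cut": build([(FRAGMENT, 1), (DEST_OPTS, 0)], TCP, b"\0" * 20)[:52],
    "l4_cut": build([(FRAGMENT, 1)], TCP, b"\0" * 8),
    "nd_fragmented": build([(FRAGMENT, 1)], ICMPV6, ND_RA),
    "hop_by_hop": build([(HOP_BY_HOP, 0)], ICMPV6, ECHO_REQUEST),
    "later_fragment": build([(FRAGMENT, (100 << 3) | 1)], TCP, b"\0" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, *inspect(pkt))
```

   Running the file prints one verdict per sample. The 'later_fragment' case is accepted because a non-first fragment carries no header chain to check, which is exactly why RFC 7112 asks the destination host, not only the firewall, to discard first fragments with an incomplete chain.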
415 2.3. Link-Layer Security 417 IPv6 relies heavily on the Neighbor Discovery protocol (NDP) RFC4861 418 [RFC4861] to perform a variety of link operations such as discovering 419 other nodes on the link, resolving their link-layer addresses, and 420 finding routers on the link. If not secured, NDP is vulnerable to 421 various attacks such as router/neighbor message spoofing, redirect 422 attacks, Duplicate Address Detection (DAD) DoS attacks, etc. many of 423 these security threats to NDP have been documented in IPv6 ND Trust 424 Models and Threats RFC3756 [RFC3756] and in RFC6583 [RFC6583]. 426 2.3.1. Securing DHCP 428 Dynamic Host Configuration Protocol for IPv6 (DHCPv6), as detailed in 429 RFC3315 [RFC3315], enables DHCP servers to pass configuration 430 parameters such as IPv6 network addresses and other configuration 431 information to IPv6 nodes. DHCP plays an important role in any large 432 network by providing robust stateful configuration and 433 autoregistration of DNS Host Names. 435 The two most common threats to DHCP clients come from malicious 436 (a.k.a. rogue) or unintentionally misconfigured DHCP servers. A 437 malicious DHCP server is established with the intent of providing 438 incorrect configuration information to the client to cause a denial 439 of service attack or mount a man in the middle attack. While 440 unintentionall, a misconfigured DHCP server can have the same impact. 441 Additional threats against DHCP are discussed in the security 442 considerations section of RFC3315 [RFC3315]DHCP-shield. 444 RFC7610 [RFC7610] specifies a mechanism for protecting connected 445 DHCPv6 clients against rogue DHCPv6 servers. This mechanism is based 446 on DHCPv6 packet-filtering at the layer-2 device; the administrator 447 specifies the interfaces connected to DHCPv6 servers. 449 It is recommended to use DHCP-shield and to analyze the log generated 450 by this security feature. 452 2.3.2. 
ND/RA Rate Limiting 454 Neighbor Discovery (ND) can be vulnerable to denial of service (DoS) 455 attacks in which a router is forced to perform address resolution for 456 a large number of unassigned addresses. Possible side effects of 457 this attack preclude new devices from joining the network or even 458 worse rendering the last hop router ineffective due to high CPU 459 usage. Easy mitigative steps include rate limiting Neighbor 460 Solicitations, restricting the amount of state reserved for 461 unresolved solicitations, and clever cache/timer management. 463 RFC6583 [RFC6583] discusses the potential for DoS in detail and 464 suggests implementation improvements and operational mitigation 465 techniques that may be used to mitigate or alleviate the impact of 466 such attacks. Here are some feasible mitigation options that can be 467 employed by network operators today: 469 o Ingress filtering of unused addresses by ACL, route filtering, 470 longer than /64 prefix; These require static configuration of the 471 addresses. 473 o Tuning of NDP process (where supported). 475 Additionally, IPv6 ND uses multicast extensively for signaling 476 messages on the local link to avoid broadcast messages for on-the- 477 wire efficiency. However, this has some side effects on wifi 478 networks, especially a negative impact on battery life of smartphones 479 and other battery operated devices that are connected to such 480 networks. The following drafts are actively discussing methods to 481 rate limit RAs and other ND messages on wifi networks in order to 482 address this issue: 484 o [I-D.thubert-savi-ra-throttler] 486 o [I-D.chakrabarti-nordmark-6man-efficient-nd] 488 2.3.3. ND/RA Filtering 490 Router Advertisement spoofing is a well-known attack vector and has 491 been extensively documented. The presence of rogue RAs, either 492 intentional or malicious, can cause partial or complete failure of 493 operation of hosts on an IPv6 link. 
For example, a host can select 494 an incorrect router address which can be used as a man-in-the-middle 495 (MITM) attack or can assume wrong prefixes to be used for stateless 496 address configuration (SLAAC). RFC6104 [RFC6104] summarizes the 497 scenarios in which rogue RAs may be observed and presents a list of 498 possible solutions to the problem. RFC6105 [RFC6105] (RA-Guard) 499 describes a solution framework for the rogue RA problem where network 500 segments are designed around switching devices that are capable of 501 identifying invalid RAs and blocking them before the attack packets 502 actually reach the target nodes. 504 However, several evasion techniques that circumvent the protection 505 provided by RA-Guard have surfaced. A key challenge to this 506 mitigation technique is introduced by IPv6 fragmentation. An 507 attacker can conceal the attack by fragmenting his packets into 508 multiple fragments such that the switching device that is responsible 509 for blocking invalid RAs cannot find all the necessary information to 510 perform packet filtering in the same packet. RFC7113 [RFC7113] 511 describes such evasion techniques, and provides advice to RA-Guard 512 implementers such that the aforementioned evasion vectors can be 513 eliminated. 515 Given that the IPv6 Fragmentation Header can be leveraged to 516 circumvent current implementations of RA-Guard, RFC6980 [RFC6980] 517 updates RFC4861 [RFC4861] such that use of the IPv6 Fragmentation 518 Header is forbidden in all Neighbor Discovery messages except 519 "Certification Path Advertisement", thus allowing for simple and 520 effective measures to counter Neighbor Discovery attacks. 522 The Source Address Validation Improvements (SAVI) working group has 523 worked on other ways to mitigate the effects of such attacks. 
524 RFC7513 [RFC7513] would help in creating bindings between a DHCPv4 525 RFC2131 [RFC2131] /DHCPv6 RFC3315 [RFC3315] assigned source IP 526 address and a binding anchor RFC7039 [RFC7039] on a SAVI device. 527 Also, RFC6620 [RFC6620] describes how to glean similar bindings when 528 DHCP is not used. The bindings can be used to filter packets 529 generated on the local link with forged source IP address. 531 It is still recommended that RA-Guard be be employed as a first line 532 of defense against common attack vectors including misconfigured 533 hosts. The generated log should also be analyzed to act on 534 violations. 536 2.3.4. 3GPP Link-Layer Security 538 The 3GPP link is a point-to-point like link that has no link-layer 539 address. This implies there can only be an end host (the mobile 540 hand-set) and the first-hop router (i.e., a GPRS Gateway Support Node 541 (GGSN) or a Packet Gateway (PGW)) on that link. The GGSN/PGW never 542 configures a non link-local address on the link using the advertised 543 /64 prefix on it. The advertised prefix must not be used for on-link 544 determination. There is no need for an address resolution on the 545 3GPP link, since there are no link-layer addresses. Furthermore, the 546 GGSN/PGW assigns a prefix that is unique within each 3GPP link that 547 uses IPv6 stateless address autoconfiguration. This avoids the 548 necessity to perform DAD at the network level for every address built 549 by the mobile host. The GGSN/PGW always provides an IID to the 550 cellular host for the purpose of configuring the link-local address 551 and ensures the uniqueness of the IID on the link (i.e., no 552 collisions between its own link-local address and the mobile host's 553 one). 555 The 3GPP link model itself mitigates most of the known NDP-related 556 Denial-of-Service attacks. In practice, the GGSN/PGW only needs to 557 route all traffic to the mobile host that falls under the prefix 558 assigned to it. 
As there is also a single host on the 3GPP link, there is no need to defend that IPv6 address.

See Section 5 of RFC6459 [RFC6459] for a more detailed discussion on the 3GPP link model, NDP on it and the address configuration details.

2.3.5. SeND and CGA

SEcure Neighbor Discovery (SeND), as described in RFC3971 [RFC3971], is a mechanism that was designed to secure ND messages. This approach involves the use of new NDP options to carry public key based signatures. Cryptographically Generated Addresses (CGA), as described in RFC3972 [RFC3972], are used to ensure that the sender of a Neighbor Discovery message is the actual "owner" of the claimed IPv6 address. A new NDP option, the CGA option, was introduced and is used to carry the public key and associated parameters. Another NDP option, the RSA Signature option, is used to protect all messages relating to Neighbor and Router Discovery.

SeND protects against:

o  Neighbor Solicitation/Advertisement Spoofing

o  Neighbor Unreachability Detection Failure

o  Duplicate Address Detection DoS Attack

o  Router Solicitation and Advertisement Attacks

o  Replay Attacks

o  Neighbor Discovery DoS Attacks

SeND does NOT:

o  Protect statically configured addresses

o  Protect addresses configured using fixed identifiers (i.e. EUI-64)

o  Provide confidentiality for NDP communications

o  Compensate for an unsecured link - SeND does not require that the addresses on the link and Neighbor Advertisements correspond

However, at this time and many years after their specification, CGA and SeND do not have wide support from generic operating systems; hence, their usefulness is limited.

2.4. Control Plane Security

RFC6192 [RFC6192] defines the router control plane. This definition is repeated here for the reader's convenience.
Modern router architecture design maintains a strict separation of forwarding and router control plane hardware and software. The router control plane supports routing and management functions. It is generally described as the router architecture hardware and software components for handling packets destined to the device itself as well as building and sending packets originated locally on the device. The forwarding plane is typically described as the router architecture hardware and software components responsible for receiving a packet on an incoming interface, performing a lookup to identify the packet's IP next hop and determine the best outgoing interface towards the destination, and forwarding the packet out through the appropriate outgoing interface.

While the forwarding plane is usually implemented in high-speed hardware, the control plane is implemented by a generic processor (named the Route Processor, RP) and cannot process packets at a high rate. Hence, this processor can be attacked by flooding its input queue with more packets than it can process. The control plane processor is then unable to process valid control packets and the router can lose OSPF or BGP adjacencies, which can cause a severe network disruption.

The mitigation technique is:

o  To drop non-legitimate control packets before they are queued to the RP (this can be done by a forwarding plane ACL) and

o  To rate limit the remaining packets to a rate that the RP can sustain. Protocol specific protection should also be done (for example, a spoofed OSPFv3 packet could trigger the execution of the Dijkstra algorithm, therefore the number of Dijkstra executions should also be rate limited).
This section will consider several classes of control packets:

o  Control protocols: routing protocols such as OSPFv3, BGP and by extension Neighbor Discovery and ICMP

o  Management protocols: SSH, SNMP, IPfix, etc.

o  Packet exceptions: normal data packets which require specific processing such as generating a packet-too-big ICMP message or having the hop-by-hop extension header.

2.4.1. Control Protocols

This class includes OSPFv3, BGP, NDP, ICMP.

An ingress ACL to be applied on all the router interfaces SHOULD be configured such as:

o  drop OSPFv3 (identified by Next-Header being 89) and RIPng (identified by UDP port 521) packets from a non link-local address

o  allow BGP (identified by TCP port 179) packets from all BGP neighbors and drop the others

o  allow all ICMP packets (transit and to the router interfaces)

Note: dropping OSPFv3 packets which are authenticated by IPsec could be impossible on some routers whose ACLs are unable to parse the IPsec ESP or AH extension headers.

Rate limiting of the valid packets SHOULD be done. The exact configuration obviously depends on the power of the Route Processor.

2.4.2. Management Protocols

This class includes: SSH, SNMP, syslog, NTP, etc.

An ingress ACL to be applied on all the router interfaces SHOULD be configured such as:

o  Drop packets destined to the routers except those belonging to protocols which are used (for example, permit TCP 22 and drop all others when only SSH is used);

o  Drop packets where the source does not match the security policy, for example if SSH connections should only be originated from the NOC, then the ACL should permit TCP port 22 packets only from the NOC prefix.

Rate limiting of the valid packets SHOULD be done. The exact configuration obviously depends on the power of the Route Processor.
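As an added example (not part of the draft), the ingress ACL of Sections 2.4.1 and 2.4.2 expressed as a policy function, followed by a token-bucket limiter for the packets it permits; the router address, BGP neighbor, NOC prefix and sample packets are constructed values, and permitting unmatched transit traffic is an assumption of this example, not a rule from the draft.

```python
"""Policy check for the control-plane ingress ACL of Sections 2.4.1/2.4.2.
Added example, not the draft's or any vendor's code; all addresses are
constructed sample values."""
import ipaddress
from dataclasses import dataclass

# Next-Header / protocol numbers and ports named in the draft
NH_OSPFV3, NH_ICMPV6, NH_TCP, NH_UDP = 89, 58, 6, 17
PORT_BGP, PORT_RIPNG, PORT_SSH = 179, 521, 22

# Constructed deployment parameters (assumptions, not from the draft)
ROUTER_ADDRESSES = {ipaddress.IPv6Address("2001:db8:0:1::1")}
BGP_NEIGHBORS = {ipaddress.IPv6Address("2001:db8:0:1::2")}
NOC_PREFIX = ipaddress.IPv6Network("2001:db8:ff00::/48")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    next_header: int
    dport: int = 0


def ingress_acl(pkt: Packet) -> str:
    """Return 'permit' or 'drop' in the draft's order: control protocols
    (2.4.1) first, then management protocols (2.4.2) for packets addressed
    to the router itself. Unmatched transit traffic is permitted here
    (assumption: it is left to the data-plane policy)."""
    src = ipaddress.IPv6Address(pkt.src)
    dst = ipaddress.IPv6Address(pkt.dst)
    to_router = dst in ROUTER_ADDRESSES or dst.is_link_local or dst.is_multicast

    # 2.4.1: OSPFv3 (NH 89) and RIPng (UDP 521) only from link-local sources
    if pkt.next_header == NH_OSPFV3 or (
        pkt.next_header == NH_UDP and pkt.dport == PORT_RIPNG
    ):
        return "permit" if src.is_link_local else "drop"
    # 2.4.1: BGP (TCP 179) only from the configured neighbors
    if pkt.next_header == NH_TCP and pkt.dport == PORT_BGP:
        return "permit" if src in BGP_NEIGHBORS else "drop"
    # 2.4.1: all ICMPv6, transit and to the router interfaces
    if pkt.next_header == NH_ICMPV6:
        return "permit"
    # 2.4.2: packets to the router itself: only SSH, and only from the NOC prefix
    if to_router:
        if pkt.next_header == NH_TCP and pkt.dport == PORT_SSH and src in NOC_PREFIX:
            return "permit"
        return "drop"
    return "permit"  # transit data-plane packet


class TokenBucket:
    """Rate limiter for the permitted packets ("rate limiting of the valid
    packets SHOULD be done"); the clock is passed in so runs are deterministic."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False
```

Running the policy function over a few packets before writing the vendor ACL makes the link-local test for OSPFv3 and the neighbor/NOC restrictions easy to verify.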
2.4.3. Packet Exceptions

This class covers multiple cases where a data plane packet is punted to the route processor because it requires specific processing:

o  generation of an ICMP packet-too-big message when a data plane packet cannot be forwarded because it is too large;

o  generation of an ICMP hop-limit-expired message when a data plane packet cannot be forwarded because its hop-limit field has reached 0;

o  generation of an ICMP destination-unreachable message when a data plane packet cannot be forwarded for any reason;

o  processing of the hop-by-hop extension header (see also [I-D.ietf-6man-hbh-header-handling]);

o  or more specific to some router implementations: an oversized extension header chain which cannot be processed by the hardware and forces the packet to be punted to the generic router CPU.

On some routers, not everything can be done by the specialized data plane hardware, which requires some packets to be 'punted' to the generic RP. This could include for example the processing of a long extension header chain in order to apply an ACL based on layer 4 information. RFC6980 [RFC6980] and more generally RFC7112 [RFC7112] highlight the security implications of oversized extension header chains on routers and update RFC2460 [RFC2460] such that the first fragment of a packet is required to contain the entire IPv6 header chain.

An ingress ACL cannot help to mitigate a control plane attack using those packet exceptions. The only protection for the RP is to limit the rate of those packet exceptions forwarded to the RP; this means that some data plane packets will be dropped without any ICMP messages back to the source, which will cause Path MTU holes. But there is no other solution.
In addition to limiting the rate of data plane packets queued to the RP, it is also important to limit the generation rate of ICMP messages, both to save the RP and to prevent an amplification attack using the router as a reflector.

2.5. Routing Security

Routing security in general can be broadly divided into three sections:

1. Authenticating neighbors/peers

2. Securing routing updates between peers

3. Route filtering

[RFC7454] covers these sections specifically for BGP in detail.

2.5.1. Authenticating Neighbors/Peers

A basic element of routing is the process of forming adjacencies, neighbor, or peering relationships with other routers. From a security perspective, it is very important to establish such relationships only with routers and/or administrative domains that one trusts. A traditional approach has been to use MD5 HMAC, which allows routers to authenticate each other prior to establishing a routing relationship.

OSPFv3 can rely on IPsec to fulfill the authentication function. However, it should be noted that IPsec support is not standard on all routing platforms. In some cases, this requires specialized hardware that offloads crypto over to dedicated ASICs or enhanced software images (both of which often come with added financial cost) to provide such functionality. An added detail is to determine whether OSPFv3 IPsec implementations use AH or ESP-Null for integrity protection. In early implementations all OSPFv3 IPsec configurations relied on AH since the details weren't specified in RFC5340 [RFC5340] or RFC2740 [RFC2740], which was obsoleted by the former. However, the document which specifically describes how IPsec should be implemented for OSPFv3, RFC4552 [RFC4552], specifically states that ESP-Null MUST and AH MAY be implemented since it follows the overall IPsec standards wording.
OSPFv3 can also use normal ESP to encrypt the OSPFv3 payload to hide the routing information.

RFC7166 [RFC7166] (which obsoletes RFC6506 [RFC6506]) changes OSPFv3's reliance on IPsec by appending an authentication trailer to the end of the OSPFv3 packets. This document does not specifically provide for a mechanism that will authenticate the specific originator of a packet. Rather, it will allow a router to confirm that the packet has indeed been issued by a router that had access to the shared authentication key.

With all authentication mechanisms, operators should confirm that implementations can support re-keying mechanisms that do not cause outages. There have been instances where any re-keying caused outages, and therefore the tradeoff of utilizing this functionality needs to be weighed against the protection it provides.

2.5.2. Securing Routing Updates Between Peers

IPv6 initially mandated the provisioning of IPsec capability in all nodes. However, in the updated IPv6 Node Requirements standard RFC6434 [RFC6434] it is now a SHOULD and not a MUST implement. Theoretically it is possible, and recommended, that communication between two IPv6 nodes, including routers exchanging routing information, be encrypted using IPsec. In practice however, deploying IPsec is not always feasible given hardware and software limitations of various platforms deployed, as described in the earlier section. Additionally, in a protocol such as OSPFv3 where adjacencies are formed on a one-to-many basis, IPsec key management becomes difficult to maintain and is not often utilized.

2.5.3. Route Filtering

Route filtering policies will be different depending on whether they pertain to edge route filtering vs internal route filtering.
At a minimum, IPv6 routing policy as it pertains to routing between different administrative domains should aim to maintain parity with IPv4 from a policy perspective, e.g.:

o  Filter internal-use, non-globally routable IPv6 addresses at the perimeter

o  Discard packets from and to bogon and reserved space

o  Configure ingress route filters that validate route origin, prefix ownership, etc. through the use of various routing databases, e.g., RADB. There is additional work being done in this area to formally validate the origin ASs of BGP announcements in RFC6810 [RFC6810]

Some good recommendations for filtering can be found from Team CYMRU at [CYMRU].

2.6. Logging/Monitoring

In order to perform forensic research in case of any security incident or to detect abnormal behaviors, network operators should log multiple pieces of information.

This includes:

o  logs of all applications when available (for example web servers);

o  use of IP Flow Information Export [RFC7011] also known as IPfix;

o  use of SNMP MIB [RFC4293];

o  use of the Neighbor cache;

o  use of the stateful DHCPv6 [RFC3315] lease cache, especially when a relay agent [RFC6221] in layer-2 switches is used;

o  use of RADIUS [RFC2866] for accounting records.

Please note that there are privacy issues related to how those logs are collected, kept and safely discarded. Operators are urged to check their country legislation.

All those pieces of information will be used for:

o  forensic (Section 2.6.2.1) investigations such as who did what and when?

o  correlation (Section 2.6.2.3): which IP addresses were used by a specific node (assuming the use of privacy extension addresses [RFC4941])

o  inventory (Section 2.6.2.2): which IPv6 nodes are on my network?
o  abnormal behavior detection (Section 2.6.2.4): unusual traffic patterns are often the symptoms of an abnormal behavior which is in turn a potential attack (denial of service, network scan, a node being part of a botnet, ...)

2.6.1. Data Sources

This section lists the most important sources of data that are useful for operational security.

2.6.1.1. Logs of Applications

Those logs are usually text files where the remote IPv6 address is stored in all characters (not binary). This can complicate the processing since one IPv6 address, 2001:db8::1, can be written in multiple ways such as:

o  2001:DB8::1 (in uppercase)

o  2001:0db8::0001 (with leading 0)

o  and many other ways including the reverse DNS mapping into a FQDN (which should not be trusted).

RFC 5952 [RFC5952] explains this problem in detail and recommends the use of a single canonical format (in short, use lower case and suppress leading 0). This memo recommends the use of the canonical format [RFC5952] for IPv6 addresses in all possible cases. If the existing application cannot log under the canonical format, then this memo recommends the use of an external program in order to canonicalize all IPv6 addresses.

For example, this perl script can be used:

#!/usr/bin/perl -w
use strict ;
use warnings ;
## inet_pton/inet_ntop and AF_INET6 are in the core Socket module since
## Perl 5.14, so the separate Socket6 module is not needed
use Socket qw(AF_INET6 inet_pton inet_ntop) ;

my ($word, $binary_address) ;

## go through the input (standard input) one line at a time
while (my $line = <STDIN>) {
    chomp $line;
    ## split the line on runs of whitespace
    foreach $word (split /\s+/, $line) {
        ## inet_pton returns the packed address when $word is a valid
        ## IPv6 address written in any textual form, undef otherwise
        $binary_address = inet_pton AF_INET6, $word ;
        if ($binary_address) {
            ## inet_ntop prints the canonical form: lowercase, leading
            ## zeros removed, longest zero run compressed with ::
            print inet_ntop AF_INET6, $binary_address ;
        } else {
            print $word ;
        }
        print " " ;
    }
    print "\n" ;
}
2.6.1.2. IP Flow Information Export by IPv6 Routers

IPfix [RFC7012] defines some data elements that are useful for security:

o  in section 5.4 (IP Header fields): nextHeaderIPv6 and sourceIPv6Address;

o  in section 5.6 (Sub-IP fields): sourceMacAddress.

Moreover, IPfix is very efficient in terms of data handling and transport. It can also aggregate flows by a key such as sourceMacAddress in order to have aggregated data associated with a specific sourceMacAddress. This memo recommends the use of IPfix and aggregation on nextHeaderIPv6, sourceIPv6Address and sourceMacAddress.

2.6.1.3. SNMP MIB by IPv6 Routers

RFC 4293 [RFC4293] defines a Management Information Base (MIB) for the two address families of IP. This memo recommends the use of:

o  the ipIfStatsTable table, which collects traffic counters per interface;

o  the ipNetToPhysicalTable table, which is the content of the Neighbor cache, i.e. the mapping between IPv6 and data-link layer addresses.

2.6.1.4. Neighbor Cache of IPv6 Routers

The neighbor cache of routers contains all mappings between IPv6 addresses and data-link layer addresses. It is usually available by two means:

o  the SNMP MIB (Section 2.6.1.3) as explained above;

o  also by connecting over a secure management channel (such as SSH or HTTPS) and explicitly requesting a neighbor cache dump.

The neighbor cache is highly dynamic as mappings are added when a new IPv6 address appears on the network (which could be quite often with privacy extension addresses [RFC4941]) or removed when the state goes from UNREACH to removed (the default time for a removal per the Neighbor Unreachability Detection [RFC4861] algorithm is 38 seconds for a typical host such as Windows 7). This means that the content of the neighbor cache must periodically be fetched every 30 seconds (to be on the safe side) and stored for later use.
This is an important source of information because it is trivial (on a switch not using the SAVI [RFC7039] algorithm) to defeat the mapping between data-link layer address and IPv6 address. Let us rephrase the previous statement: having access to the current and past content of the neighbor cache has a paramount value for forensic and audit trail.

Using the approach of one /64 per host (Section 2.1.7) replaces the neighbor cache dumps by a mere caching of the allocated /64 prefix when combined with strict enforcement rules on the router and switches to prevent IPv6 spoofing.

2.6.1.5. Stateful DHCPv6 Lease

In some networks, IPv6 addresses are managed by a stateful DHCPv6 server [RFC3315] that leases IPv6 addresses to clients. It is indeed quite similar to DHCP for IPv4, so it can be tempting to use this DHCP lease file to discover the mapping between IPv6 addresses and data-link layer addresses as it was usually done in the IPv4 era.

It is not so easy in the IPv6 era because not all nodes will use DHCPv6 (there are nodes which can only do stateless autoconfiguration) but also because DHCPv6 clients are identified not by their hardware-client address as in IPv4 but by a DHCP Unique ID (DUID) which can have several formats: some being the data-link layer address, some being the data-link layer address prepended with time information or even an opaque number which is useless for operational security. Moreover, when the DUID is based on the data-link address, this address can be of any interface of the client (such as the wireless interface while the client actually uses its wired interface to connect to the network).
If a lightweight DHCP relay agent [RFC6221] is used in the layer-2 switches, then the DHCP server also receives the Interface-ID information, which could be saved in order to identify the interface of the switches which received a specific leased IPv6 address. Also, if a relay agent adds the data-link layer address in the option for Relay Agent Remote-ID [RFC4649], then the DHCPv6 server can keep track of the data-link and leased IPv6 addresses.

In short, the DHCPv6 lease file is less interesting than in the IPv4 era. DHCPv6 servers that keep the relayed data-link layer address in addition to the DUID in the lease file do not suffer from this limitation. On a managed network where all hosts support DHCPv6, special care must be taken to prevent stateless autoconfiguration anyway (and if applicable) by sending RAs with all announced prefixes without the A-bit set.

The mapping between data-link layer address and the IPv6 address can be secured by using switches implementing the SAVI [RFC7513] algorithms. Of course, this also requires that the data-link layer address is protected by using a layer-2 mechanism such as [IEEE-802.1X].

2.6.1.6. RADIUS Accounting Log

For interfaces where the user is authenticated via a RADIUS [RFC2866] server, and if RADIUS accounting is enabled, then the RADIUS server receives accounting Acct-Status-Type records at the start and at the end of the connection which include all IPv6 (and IPv4) addresses used by the user. This technique can be used notably for Wi-Fi networks with Wi-Fi Protected Access (WPA) or any other IEEE 802.1X [IEEE-802.1X] wired interface on an Ethernet switch.
2.6.1.7. Other Data Sources

There are other data sources that must be kept exactly as in the IPv4 network:

o  historical mapping of IPv6 addresses to users of remote access VPN;

o  historical mapping of MAC address to switch interface in a wired network.

2.6.2. Use of Collected Data

This section leverages the data collected as described before (Section 2.6.1) in order to achieve several security benefits.

2.6.2.1. Forensic

The forensic use case is when the network operator must locate an IPv6 address that was present in the network at a certain time or is still currently in the network.

The sources of information are, in decreasing order: the neighbor cache, then the DHCP lease file. Then, the procedure is:

1. based on the IPv6 prefix of the IPv6 address, find the router(s) which are used to reach this prefix;

2. based on this limited set of routers, on the incident time and on the IPv6 address, retrieve the data-link address from the live neighbor cache, from the historical data of the neighbor cache, or from the DHCP lease file;

3. based on the data-link layer address, look up on which switch interface this data-link layer address was. In the case of wireless LAN, the RADIUS log should have the mapping between user identification and the MAC address.

At the end of the process, the interface of the host originating malicious activity or the username which was abused for malicious activity has been determined.

2.6.2.2. Inventory

RFC 7707 [RFC7707] (which obsoletes RFC 5157 [RFC5157]) is about the difficulties to scan an IPv6 network due to the vast number of IPv6 addresses per link. This has the side effect of making the inventory task difficult in an IPv6 network while it was trivial to do in an IPv4 network (a simple enumeration of all IPv4 addresses, followed by a ping and a TCP/UDP port scan).
Getting an inventory of all connected devices is of prime importance for a secure operation of a network.

There are many ways to do an inventory of an IPv6 network.

The first technique is to use the IPfix information and extract the list of all IPv6 source addresses to find all IPv6 nodes that sent packets through a router. This is very efficient but alas will not discover silent nodes that never transmitted such packets. Also, it must be noted that link-local addresses will never be discovered by this means.

The second way is again to use the collected neighbor cache content to find all IPv6 addresses in the cache. This process will also discover all link-local addresses. See Section 2.6.1.4.

Another way works only for the local network: it consists in sending an ICMP ECHO_REQUEST to the link-local multicast address ff02::1, which is all IPv6 nodes on the network. All nodes should reply to this ECHO_REQUEST per [RFC4443].

Other techniques involve enumerating the DNS zones, especially looking at reverse DNS records and CNAMEs, or scanning for DNS misconfigurations to find DNS servers that send NXDOMAIN instead of NOERROR for non-existing nodes with children, which violates RFC8020 [RFC8020].

Other techniques involve obtaining data from DNS, parsing log files, leveraging service discovery such as mDNS RFC6762 [RFC6762] and RFC6763 [RFC6763].

Enumerating DNS zones, especially looking at reverse DNS records and CNAMEs, can be done by exploiting RFC8020 [RFC8020]. As already mentioned in RFC7707 [RFC7707], this allows an attacker to prune the IPv6 reverse DNS tree, and hence enumerate it in a feasible time. Furthermore, authoritative servers that allow zone transfers (AXFR) may be a further information source.
2.6.2.3. Correlation

In an IPv4 network, it is easy to correlate multiple logs, for example to find events related to a specific IPv4 address. A simple Unix grep command was enough to scan through multiple text-based files and extract all lines relevant to a specific IPv4 address.

In an IPv6 network, this is slightly more difficult because different character strings can express the same IPv6 address. Therefore, the simple Unix grep command cannot be used. Moreover, an IPv6 node can have multiple IPv6 addresses.

In order to do correlation in IPv6-related logs, it is advised to have all logs with canonical IPv6 addresses. Then, the current (or historical) neighbor cache data set must be searched to find the data-link layer address of the IPv6 address. Then, the current and historical neighbor cache data sets must be searched for all IPv6 addresses associated to this data-link layer address: this is the search set. The last step is to search in all log files (containing only IPv6 addresses in canonical format) for any IPv6 address in the search set.

2.6.2.4. Abnormal Behavior Detection

Abnormal behaviors (such as network scanning, spamming, denial of service) can be detected in the same way as in an IPv4 network:

o  sudden increase of traffic detected by interface counters (SNMP) or by aggregated traffic from IPfix records [RFC7012];

o  change of traffic pattern (number of connections per second, number of connections per host...) with the use of IPfix [RFC7012]

2.6.3. Summary

While some data sources (IPfix, MIB, switch CAM tables, logs, ...) used in IPv4 are also used in the secure operation of an IPv6 network, the DHCPv6 lease file is less reliable and the neighbor cache is of prime importance.
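As an added example (not code from the draft), the log canonicalization of Section 2.6.1.1, the forensic lookup of Section 2.6.2.1 and the correlation procedure of Section 2.6.2.3 carried out over constructed data: periodic neighbor cache snapshots taken 30 seconds apart, a switch MAC table and application log lines written in several non-canonical forms. Canonicalization uses Python's ipaddress module in place of the Perl script; router names, MAC addresses, switch ports and timestamps are all constructed values.

```python
"""Forensic and correlation procedures (2.6.2.1, 2.6.2.3) over neighbor
cache history. Added example; every data value below is constructed."""
import ipaddress
import re
from collections import namedtuple

# One neighbor cache snapshot entry: dump time (epoch seconds), router
# dumped, IPv6 address and data-link address (constructed data)
NdEntry = namedtuple("NdEntry", "ts router ipv6 mac")
NEIGHBOR_CACHE = [
    NdEntry(1000, "r1", "2001:db8:1::a1b2", "00:11:22:33:44:55"),
    NdEntry(1000, "r1", "fe80::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    NdEntry(1030, "r1", "2001:db8:1::a1b2", "00:11:22:33:44:55"),
    NdEntry(1030, "r1", "2001:db8:1::c0ff:ee", "00:11:22:33:44:55"),  # privacy addr
    NdEntry(1030, "r1", "2001:db8:1::9", "66:77:88:99:aa:bb"),
    NdEntry(1060, "r1", "2001:db8:1::c0ff:ee", "00:11:22:33:44:55"),
]
# Switch interface learned for each MAC (constructed)
MAC_TABLE = {"00:11:22:33:44:55": "sw1 Gi1/0/7", "66:77:88:99:aa:bb": "sw1 Gi1/0/9"}
# Constructed application log lines, deliberately not in RFC 5952 form
LOG_LINES = [
    "1005 web GET /login from 2001:DB8:1::A1B2",
    "1040 web POST /admin from 2001:0db8:0001:0000:0000:0000:c0ff:00ee",
    "1041 web GET / from 2001:db8:1::9",
    "1062 ssh failed password from 2001:db8:1:0:0:0:c0ff:ee",
]

# Liberal token match; ipaddress decides whether a token really is an address
_ADDR_TOKEN = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*")


def canonical(text: str) -> str:
    """Rewrite every IPv6 address in a line into its RFC 5952 canonical
    form (lowercase, leading zeros dropped, longest zero run compressed)."""
    def fix(m):
        try:
            return str(ipaddress.IPv6Address(m.group(0)))
        except ValueError:
            return m.group(0)  # e.g. a clock such as 12:30 is left alone
    return _ADDR_TOKEN.sub(fix, text)


def mac_at(address: str, when: int, window: int = 30):
    """Forensic step 2: the data-link address holding `address` in the
    snapshot taken at or just before `when`; `window` is the dump period."""
    addr = str(ipaddress.IPv6Address(address))
    candidates = [e for e in NEIGHBOR_CACHE
                  if e.ipv6 == addr and e.ts <= when and when - e.ts <= window]
    return max(candidates, key=lambda e: e.ts).mac if candidates else None


def switch_port(address: str, when: int):
    """Forensic step 3: the switch interface behind the address at that time."""
    mac = mac_at(address, when)
    return MAC_TABLE.get(mac) if mac else None


def search_set(mac: str) -> set:
    """Correlation: every IPv6 address (global and link-local) the neighbor
    cache history ever associated with this data-link address."""
    return {e.ipv6 for e in NEIGHBOR_CACHE if e.mac == mac}


def correlate(address: str, when: int, lines=LOG_LINES) -> list:
    """Full procedure of 2.6.2.3: canonicalize the logs, map the address to
    its MAC, expand to the search set, then return every matching line."""
    mac = mac_at(address, when)
    if mac is None:
        return []
    targets = search_set(mac)
    hits = []
    for line in lines:
        line = canonical(line)
        if any(t in line.split() for t in targets):
            hits.append(line)
    return hits
```

Note that the ssh line at 1062 is found for the node first seen as 2001:db8:1::a1b2 only because the search set was expanded through the MAC; a grep for the original address would miss it.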
The fact that there are multiple ways to express the same IPv6 address in a character string renders the use of filters mandatory when correlation must be done.

2.7. Transition/Coexistence Technologies

As it is expected that networks will not run in a pure IPv6-only way, the different transition mechanisms must be deployed and operated in a secure way. This section proposes operational guidelines for the most known and deployed transition techniques.

2.7.1. Dual Stack

Dual stack is often the first deployment choice for most existing network operators without an MPLS core, where 6PE RFC4798 [RFC4798] is quite common. Dual stacking the network offers some advantages over other transition mechanisms. Firstly, it is easy to turn on without impacting normal IPv4 operations. Secondly, perhaps more importantly, it is easier to troubleshoot when things break. Dual stack allows you to gradually turn IPv4 operations down when your IPv6 network is ready for prime time. On the other hand, the operators have to manage two networks with the added complexities.

From an operational security perspective, this now means that you have twice the exposure. One needs to think about protecting both protocols now. At a minimum, the IPv6 portion of a dual stacked network should maintain parity with IPv4 from a security policy point of view. Typically, the following methods are employed to protect IPv4 networks at the edge:

o  ACLs to permit or deny traffic

o  Firewalls with stateful packet inspection

It is recommended that these ACLs and/or firewalls be additionally configured to protect IPv6 communications. Also, given the end-to-end connectivity that IPv6 provides, it is also recommended that hosts be fortified against threats.
General device hardening guidelines are provided in Section 2.8.

For many years, all host operating systems have had IPv6 enabled by default, so it is possible even in an 'IPv4-only' network to attack layer-2 adjacent victims over IPv6 link-local addresses, or over a global IPv6 address if rogue RAs or rogue DHCPv6 addresses are provided by an attacker.

2.7.2. Transition Mechanisms

There are many tunnels used for specific use cases. Except when protected by IPsec [RFC4301], all those tunnels have a couple of security issues (most of them being described in RFC 6169 [RFC6169]):

o  tunnel injection: a malevolent person knowing a few pieces of information (for example the tunnel endpoints and the used protocol) can forge a packet which looks like a legitimate and valid encapsulated packet that will gladly be accepted by the destination tunnel endpoint; this is a specific case of spoofing;

o  traffic interception: no confidentiality is provided by the tunnel protocols (without the use of IPsec), therefore anybody on the tunnel path can intercept the traffic and have access to the clear-text IPv6 packet;

o  service theft: as there is no authorization, even a non-authorized user can use a tunnel relay for free (this is a specific case of tunnel injection);

o  reflection attack: another specific use case of tunnel injection where the attacker injects packets with an IPv4 destination address not matching the IPv6 address, causing the first tunnel endpoint to re-encapsulate the packet to the destination... Hence, the final IPv4 destination will not see the original IPv4 address but only one IPv4 address of the relay router.

o  bypassing security policy: if a firewall or an IPS is on the path of the tunnel, then it will probably neither inspect nor detect malevolent IPv6 traffic contained in the tunnel.
To mitigate the bypassing of security policies, it is recommended to block all default configuration tunnels by denying all IPv4 traffic matching:

o  IP protocol 41: this will block ISATAP (Section 2.7.2.2), 6to4 (Section 2.7.2.4), 6rd (Section 2.7.2.5) as well as 6in4 (Section 2.7.2.1) tunnels;

o  IP protocol 47: this will block GRE (Section 2.7.2.1) tunnels;

o  UDP port 3544: this will block the default encapsulation of Teredo (Section 2.7.2.3) tunnels.

Ingress filtering [RFC2827] should also be applied on all tunnel endpoints if applicable to prevent IPv6 address spoofing.

As several of the tunnel techniques share the same encapsulation (i.e. IPv4 protocol 41) and embed the IPv4 address in the IPv6 address, there is a set of well-known looping attacks described in RFC 6324 [RFC6324]; this RFC also proposes mitigation techniques.

2.7.2.1. Site-to-Site Static Tunnels

Site-to-site static tunnels are described in RFC 2529 [RFC2529] and in GRE [RFC2784]. As the IPv4 endpoints are statically configured and are not dynamic, they are slightly more secure (bi-directional service theft is mostly impossible) but traffic interception and tunnel injection are still possible. Therefore, the use of IPsec [RFC4301] in transport mode protecting the encapsulated IPv6 packets is recommended for those tunnels. Alternatively, IPsec in tunnel mode can be used to transport IPv6 traffic over a non-trusted IPv4 network.

2.7.2.2. ISATAP

ISATAP tunnels [RFC5214] are mainly used within a single administrative domain and to connect a single IPv6 host to the IPv6 network. This means that endpoints and the tunnel endpoint are usually managed by a single entity; therefore, audit trail and strict anti-spoofing are usually possible and this raises the overall security.
Special care must be taken to avoid looping attacks by implementing the measures of RFC 6324 [RFC6324] and of RFC6964 [RFC6964].

IPsec [RFC4301] in transport or tunnel mode can be used to secure the IPv4 ISATAP traffic to provide IPv6 traffic confidentiality and prevent service theft.

2.7.2.3. Teredo

Teredo tunnels [RFC4380] are mainly used in a residential environment because they can easily traverse an IPv4 NAT-PT device thanks to their UDP encapsulation, and they connect a single host to the IPv6 Internet. Teredo shares the same issues as other tunnels: no authentication, no confidentiality, possible spoofing and reflection attacks.

IPsec [RFC4301] for the transported IPv6 traffic is recommended.

The biggest threat to Teredo is probably for IPv4-only networks, as Teredo has been designed to easily traverse IPv4 NAT-PT devices which are quite often co-located with a stateful firewall. Therefore, if the stateful IPv4 firewall allows unrestricted UDP outbound and accepts the return UDP traffic, then Teredo actually punches a hole in this firewall for all IPv6 traffic to the Internet and from the Internet. While host policies can be deployed to block Teredo in an IPv4-only network in order to avoid this firewall bypass, it would be more efficient to block all UDP outbound traffic at the IPv4 firewall if deemed possible (of course, at least port 53 should be left open for DNS traffic).

Teredo is now mostly never used and it is no longer automated in most environments, so it is less of a threat.

2.7.2.4. 6to4

6to4 tunnels [RFC3056] require a publicly routable IPv4 address in order to work correctly. They can be used to provide either one IPv6 host connectivity to the IPv6 Internet or multiple IPv6 networks connectivity to the IPv6 Internet.
The 6to4 relay is usually the anycast address defined in RFC 3068 [RFC3068], which has been deprecated by RFC 7526 [RFC7526] and is no longer used by recent operating systems. Some security considerations are explained in RFC 3964 [RFC3964].

RFC 6343 [RFC6343] points out that if an operator provides well-managed servers and relays for 6to4, non-encapsulated IPv6 packets will pass through well-defined points (the native IPv6 interfaces of those servers and relays) at which security mechanisms may be applied. Client usage of 6to4 by default is now discouraged, and significant precautions are needed to avoid operational problems.

2.7.2.5.  6rd

While 6rd tunnels share the same encapsulation as 6to4 tunnels (Section 2.7.2.4), they are designed to be used within a single SP domain; in other words, they are deployed in a more constrained environment than 6to4 tunnels and have few security issues except the lack of confidentiality. The security considerations (Section 12) of RFC 5969 [RFC5969] describe how to secure the 6rd tunnels.

IPsec [RFC4301] for the transported IPv6 traffic can be used if confidentiality is important.

2.7.2.6.  6PE and 6VPE

Organizations using MPLS in their core can also use 6PE [RFC4798] and 6VPE RFC 4659 [RFC4659] to enable IPv6 access over MPLS. As 6PE and 6VPE are really similar to the BGP/MPLS IP VPN described in RFC 4364 [RFC4364], the security of these networks is also similar to the one described in RFC 4381 [RFC4381].
It relies on:

o  Address space, routing and traffic separation with the help of VRF (only applicable to 6VPE);

o  Hiding the IPv4 core, hence removing all attacks against P-routers;

o  Securing the routing protocol between CE and PE; in the case of 6PE and 6VPE, link-local addresses (see [RFC7404]) can be used and, as these addresses cannot be reached from outside of the link, the security of 6PE and 6VPE is even higher than that of the IPv4 BGP/MPLS IP VPN.

2.7.2.7.  DS-Lite

DS-Lite is more a translation mechanism and is therefore analyzed further (Section 2.7.3.3) in this document.

2.7.2.8.  Mapping of Address and Port

With the tunnel and encapsulation versions of Mapping of Address and Port (MAP-E [RFC7597] and MAP-T [RFC7599]), the access network is purely an IPv6 network and MAP protocols are used to give IPv4 hosts on the subscriber network access to IPv4 hosts on the Internet. The subscriber router does stateful operations in order to map all internal IPv4 addresses and layer-4 ports to the IPv4 address and the set of layer-4 ports received through the MAP configuration process. The SP equipment always does stateless operations (either decapsulation or stateless translation). Therefore, as opposed to Section 2.7.3.3, there is no state-exhaustion DoS attack against the SP equipment because there is no state and there is no operation caused by a new layer-4 connection (no logging operation).

The SP MAP equipment MUST implement all the security considerations of [RFC7597]; notably, ensuring that the mapping of the IPv4 address and port is consistent with the configuration. As MAP has a predictable IPv4 address and port mapping, the audit logs are easier to manage.

2.7.3.  Translation Mechanisms

Translation mechanisms between IPv4 and IPv6 networks are alternative coexistence strategies while networks transition to IPv6. While a framework is described in [RFC6144], the specific security considerations are documented in each individual mechanism. For the most part they specifically mention interference with IPsec or DNSSEC deployments, how to mitigate spoofed traffic and what some effective filtering strategies may be.

2.7.3.1.  Carrier-Grade NAT (CGN)

Carrier-Grade NAT (CGN), also called NAT444 CGN or Large Scale NAT (LSN) or SP NAT, is described in [RFC6264] and is utilized as an interim measure to prolong the use of IPv4 in a large service provider network until the provider can deploy an effective IPv6 solution. [RFC6598] requested a specific IANA-allocated /10 IPv4 address block to be used as address space shared by all access networks using CGN. This has been allocated as 100.64.0.0/10.

Section 13 of [RFC6269] lists some specific security-related issues caused by large scale address sharing. The Security Considerations section of [RFC6598] also lists some specific mitigation techniques for potential misuse of shared address space.

RFC 7422 [RFC7422] suggests the use of deterministic address mapping in order to reduce logging requirements for CGN. The idea is to have an algorithm mapping back and forth between the internal subscriber and the public ports.

2.7.3.2.  NAT64/DNS64

Stateful NAT64 translation [RFC6146] allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. It can be used in conjunction with DNS64 [RFC6147], a mechanism which synthesizes AAAA records from existing A records. There is also a stateless NAT64 [RFC6145] which is similar for the security aspects, with the added benefit of being stateless and so less prone to a state exhaustion attack.
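The consistency check that Section 2.7.2.8 requires of the SP MAP equipment, and the "back and forth" subscriber-to-port mapping that Section 2.7.3.1 attributes to RFC 7422, both rest on the same idea: the public IPv4 address and port set are a pure function of configuration, so a Border Relay can verify a packet against them and an auditor can invert a logged (address, port) pair without any per-connection log. The following is an added example written for these two sections, not code from the draft or from any MAP implementation: it derives the shared IPv4 address and Port Set ID (PSID) from a CE's IPv6 prefix as in RFC 7597 Section 5, enumerates and inverts the port set, and uses that inversion as the Border Relay's ingress check. The Basic Mapping Rule values are those of the worked example in RFC 7597 (Appendix A); the class and function names and the "packet" tuples are this example's own assumptions.

```python
"""MAP address and port mapping (RFC 7597, Section 5) with the
consistency check a Border Relay (BR) performs on traffic from a CE.

Added example, not the draft's or any vendor's code.  The Basic Mapping
Rule values follow RFC 7597 Appendix A; the CE prefix and the packet
tuples below are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BasicMappingRule:
    rule_ipv6_prefix: str   # e.g. "2001:db8::/40"
    rule_ipv4_prefix: str   # e.g. "192.0.2.0/24"
    ea_len: int             # number of Embedded Address (EA) bits
    offset: int = 6         # 'a' bits; a=6 keeps ports 0-1023 out of use


def derive_ipv4_and_psid(rule: BasicMappingRule,
                         end_user_prefix: str) -> Tuple[ipaddress.IPv4Address, int, int]:
    """Split the EA bits of an end-user IPv6 prefix into the CE's shared
    IPv4 address and its PSID; returns (ipv4, psid, k) with k = PSID bits."""
    eu = ipaddress.IPv6Network(end_user_prefix)
    r6 = ipaddress.IPv6Network(rule.rule_ipv6_prefix)
    r4 = ipaddress.IPv4Network(rule.rule_ipv4_prefix)
    if not eu.subnet_of(r6):
        raise ValueError("end-user prefix is not covered by the rule prefix")
    # The EA bits immediately follow the Rule IPv6 prefix.
    shift = 128 - r6.prefixlen - rule.ea_len
    ea = (int(eu.network_address) >> shift) & ((1 << rule.ea_len) - 1)
    p = 32 - r4.prefixlen          # IPv4 suffix bits carried in the EA bits
    k = rule.ea_len - p            # the remaining EA bits form the PSID
    ipv4 = ipaddress.IPv4Address(int(r4.network_address) | (ea >> k))
    psid = ea & ((1 << k) - 1)
    return ipv4, psid, k


def port_set(psid: int, k: int, a: int = 6) -> List[int]:
    """All ports of a PSID: port = A<<(16-a) | PSID<<m | M (RFC 7597 5.1),
    with A > 0 when a > 0 so the system ports are never handed out."""
    m = 16 - a - k
    first_a = 1 if a > 0 else 0
    return [(A << (16 - a)) | (psid << m) | M
            for A in range(first_a, 1 << a) for M in range(1 << m)]


def port_to_psid(port: int, k: int, a: int = 6) -> Optional[int]:
    """Invert the mapping: which PSID owns this port?  None for the
    excluded range (A == 0), which no subscriber may legitimately use."""
    m = 16 - a - k
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)


def br_accepts(rule: BasicMappingRule, ce_prefix: str,
               inner_src_ipv4: str, inner_src_port: int) -> bool:
    """BR ingress check: the IPv4 source address and port carried inside a
    packet from a CE must be the ones that CE's IPv6 prefix entitles it to;
    anything else is a spoofed or misconfigured source and is dropped."""
    ipv4, psid, k = derive_ipv4_and_psid(rule, ce_prefix)
    return (ipaddress.IPv4Address(inner_src_ipv4) == ipv4
            and port_to_psid(inner_src_port, k, rule.offset) == psid)


RULE = BasicMappingRule("2001:db8::/40", "192.0.2.0/24", ea_len=16)
CE_PREFIX = "2001:db8:12:3400::/56"   # end-user prefix from RFC 7597 App. A

if __name__ == "__main__":
    ipv4, psid, k = derive_ipv4_and_psid(RULE, CE_PREFIX)
    ports = port_set(psid, k, RULE.offset)
    print(f"CE {CE_PREFIX} -> {ipv4}, PSID 0x{psid:x}, {len(ports)} ports, "
          f"first {ports[0]}-{ports[3]}, last {ports[-4]}-{ports[-1]}")
    # Constructed packets decapsulated at the BR: (inner IPv4 src, src port).
    for src, sport in [("192.0.2.18", 1233), ("192.0.2.18", 1236),
                       ("192.0.2.19", 1233)]:
        verdict = "accept" if br_accepts(RULE, CE_PREFIX, src, sport) else "DROP"
        print(f"{src}:{sport} {verdict}")
```

The same `port_to_psid` inversion is what makes the audit trail cheap: a public (address, port) seen in a server log maps back to one PSID, and from the rule to one end-user prefix, with no CGN session log at all, which is the logging reduction RFC 7422 describes for deterministic CGN. The ingress check also shows why statelessness is not a free pass: the BR still has to validate every packet against the rule, since without that check a CE could source from another subscriber's address or port block.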
The Security Considerations sections of [RFC6146] and [RFC6147] list the comprehensive issues. A specific issue with the use of NAT64 is that it will interfere with most IPsec deployments unless UDP encapsulation is used. DNS64 has an impact on DNSSEC; see Section 3.1 of [RFC7050].

2.7.3.3.  DS-Lite

Dual-Stack Lite (DS-Lite) [RFC6333] is a transition technique that enables a service provider to share IPv4 addresses among customers by combining two well-known technologies: IP in IP (IPv4-in-IPv6) and Network Address and Port Translation (NAPT).

Security considerations with respect to DS-Lite mainly revolve around logging data, preventing DoS attacks from rogue devices (as the AFTR function is stateful) and restricting the service offered by the AFTR only to registered customers.

Section 11 of [RFC6333] describes important security issues associated with this technology.

2.8.  General Device Hardening

There are many environments which rely too much on the network infrastructure to prevent malicious traffic from getting access to critical hosts. In new IPv6 deployments it has been common to see IPv6 traffic enabled but none of the typical access control mechanisms enabled for IPv6 device access. With the possibility of network device configuration mistakes and the growth of IPv6 in the overall Internet, it is important to ensure that all individual devices are hardened against miscreant behavior.

The following guidelines should be used to ensure appropriate hardening of the host, be it an individual computer or a router, firewall, load-balancer, server, etc. device.
o  Restrict access to the device to authorized individuals

o  Monitor and audit access to the device

o  Turn off any unused services on the end node

o  Understand which IPv6 addresses are being used to source traffic and change defaults if necessary

o  Use cryptographically protected protocols for device management if possible (SCP, SNMPv3, SSH, TLS, etc.)

o  Use host firewall capabilities to control traffic that gets processed by upper layer protocols

o  Use virus scanners to detect malicious programs

3.  Enterprise-Specific Security Considerations

Enterprises generally have robust network security policies in place to protect existing IPv4 networks. These policies have been distilled from years of experiential knowledge of securing IPv4 networks. At the very least, it is recommended that enterprise networks have parity between their security policies for both protocol versions.

Security considerations in the enterprise can be broadly categorized into two sections: external and internal.

3.1.  External Security Considerations

The external aspect deals with providing security at the edge or perimeter of the enterprise network where it meets the service provider's network. This is commonly achieved by enforcing a security policy either by implementing dedicated firewalls with stateful packet inspection or a router with ACLs. A common default IPv4 policy on firewalls that could easily be ported to IPv6 is to allow all traffic outbound while only allowing specific traffic, such as established sessions, inbound (see also [RFC6092]).
Here are a few more things that could enhance the default policy:

o  Filter internal-use IPv6 addresses at the perimeter

o  Discard packets from and to bogon and reserved space, see also [CYMRU]

o  Accept certain ICMPv6 messages to allow proper operation of ND and PMTUD, see also [RFC4890]

o  Filter specific extension headers by accepting only the required ones (white list approach) such as ESP, AH (not forgetting the required transport layers: ICMP, TCP, UDP, ...), where possible at the edge and possibly inside the perimeter; see also [I-D.gont-opsec-ipv6-eh-filtering]

o  Filter packets having an illegal IPv6 header chain at the perimeter (and possibly inside as well), see Section 2.2

o  Filter unneeded services at the perimeter

o  Implement anti-spoofing

o  Implement appropriate rate-limiters and control-plane policers

3.2.  Internal Security Considerations

The internal aspect deals with providing security inside the perimeter of the network, including the end host. The most significant concerns here are related to Neighbor Discovery. At the network level, it is recommended that all security considerations discussed in Section 2.3 be reviewed carefully and the recommendations be considered in-depth as well.

As mentioned in Section 2.6.2, care must be taken when running automated IPv6-in-IPv4 tunnels.

Hosts need to be hardened directly through security policy to protect against security threats. The host firewall default capabilities have to be clearly understood, especially for 3rd party ones, which can have different settings for IPv4 or IPv6 default permit/deny behavior. In some cases, 3rd party firewalls have no IPv6 support whereas the native firewall installed by default has it.
General device hardening guidelines are provided in Section 2.8.

It should also be noted that many hosts still use IPv4 for transport for things like RADIUS, TACACS+, SYSLOG, etc. This will require some extra level of due diligence on the part of the operator.

4.  Service Providers Security Considerations

4.1.  BGP

The threats and mitigation techniques are identical between IPv4 and IPv6. Broadly speaking they are:

o  Authenticating the TCP session;

o  TTL security (which becomes hop-limit security in IPv6);

o  Prefix filtering.

These are explained in more detail in Section 2.5.

4.1.1.  Remote Triggered Black Hole Filtering

RTBH [RFC5635] works identically in IPv4 and IPv6. IANA has allocated 100::/64 as a discard prefix, RFC 6666 [RFC6666].

4.2.  Transition Mechanisms

SPs will typically use transition mechanisms such as 6rd, 6PE, MAP and DS-Lite, which have been analyzed in the transition mechanisms Section 2.7.2.

4.3.  Lawful Intercept

The Lawful Intercept requirements are similar for IPv6 and IPv4 architectures and will be subject to the laws enforced in varying geographic regions. The local issues with each jurisdiction can make this challenging, and both corporate legal and privacy personnel should be involved in discussions pertaining to what information gets logged and what the logging retention policies will be.

The target of interception will usually be a residential subscriber (e.g., his/her PPP session or physical line or CPE MAC address). With the absence of NAT on the CPE, IPv6 has the provision to allow for intercepting the traffic from a single host (a /128 target) rather than the whole set of hosts of a subscriber (which could be a /48, a /60 or a /64).
In contrast, in mobile environments, since the 3GPP specifications allocate a /64 per device, it may be sufficient to intercept traffic from the /64 rather than specific /128's (since each time the device powers up it gets a new IID).

A sample architecture which was written for informational purposes is found in [RFC3924].

5.  Residential Users Security Considerations

The IETF Homenet working group is working on how IPv6 residential networks should be done; this obviously includes operational security considerations, but this is still work in progress.

Residential users usually have less experience and knowledge about security or networking. As most of the recent hosts, smartphones and tablets have IPv6 enabled by default, IPv6 security is important for those users. Even with an IPv4-only ISP, those users can get IPv6 Internet access with the help of Teredo tunnels. Several peer-to-peer programs (notably BitTorrent) support IPv6 and those programs can initiate a Teredo tunnel through the IPv4 residential gateway, with the consequence of making the internal host reachable from any IPv6 host on the Internet. It is therefore recommended that all host security products (personal firewall, ...) are configured with a dual-stack security policy.

If the Residential Gateway has IPv6 connectivity, [RFC7084] (which obsoletes [RFC6204]) defines the requirements of an IPv6 CPE and does not take position on the debate of the default IPv6 security policy as defined in [RFC6092]:

o  outbound only: allowing all internally initiated connections and blocking all externally initiated ones, which is a common default security policy enforced by IPv4 Residential Gateways doing NAT-PT but it also breaks the end-to-end reachability promise of IPv6. [RFC6092] lists several recommendations to design such a CPE;

o  open/transparent: allowing all internally and externally initiated connections, therefore restoring the end-to-end nature of the Internet for the IPv6 traffic but having a different security policy for IPv6 than for IPv4.

[RFC6092] REC-49 states that a choice must be given to the user to select one of those two policies.

There is also an alternate solution which has been deployed notably by Swisscom ([I-D.ietf-v6ops-balanced-ipv6-security]): open to all outbound and inbound connections with the exception of a handful of TCP and UDP ports known as vulnerable.

6.  Further Reading

There are several documents that describe in more detail the security of an IPv6 network; these documents are not written by the IETF but are listed here for your convenience:

1.  Guidelines for the Secure Deployment of IPv6 [NIST]

2.  North American IPv6 Task Force Technology Report - IPv6 Security Technology Paper [NAv6TF_Security]

3.  IPv6 Security [IPv6_Security_Book]

7.  Acknowledgements

The authors would like to thank the following people for their useful comments: Mikael Abrahamsson, Fred Baker, Brian Carpenter, Tim Chown, Markus deBruen, Tobias Fiebig, Fernando Gont, Jeffry Handal, Panos Kampanakis, Erik Kline, Jouni Korhonen, Mark Lentczner, Bob Sleigh, Tarko Tikan (in alphabetical order).

8.  IANA Considerations

This memo includes no request to IANA.

9.  Security Considerations

This memo attempts to give an overview of the security considerations of operating an IPv6 network, both in an IPv6-only network and when utilizing the most widely deployed IPv4/IPv6 coexistence strategies.

10.  References

10.1.  Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998.

[RFC6104]  Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement Problem Statement", RFC 6104, DOI 10.17487/RFC6104, February 2011.

[RFC6105]  Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, DOI 10.17487/RFC6105, February 2011.

10.2.  Informative References

[CYMRU]  "Packet Filter and Route Filter Recommendation for IPv6 at xSP routers".

[I-D.chakrabarti-nordmark-6man-efficient-nd]  Chakrabarti, S., Nordmark, E., Thubert, P., and M. Wasserman, "IPv6 Neighbor Discovery Optimizations for Wired and Wireless Networks", draft-chakrabarti-nordmark-6man-efficient-nd-07 (work in progress), February 2015.

[I-D.gont-opsec-ipv6-eh-filtering]  Gont, F., Will, W., and R. Bonica, "Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers", draft-gont-opsec-ipv6-eh-filtering-02 (work in progress), August 2014.

[I-D.ietf-6man-hbh-header-handling]  Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options Extension Header", draft-ietf-6man-hbh-header-handling-03 (work in progress), March 2016.

[I-D.ietf-v6ops-balanced-ipv6-security]  Gysi, M., Leclanche, G., Vyncke, E., and R. Anfinsen, "Balanced Security for IPv6 Residential CPE", draft-ietf-v6ops-balanced-ipv6-security-01 (work in progress), December 2013.

[I-D.ietf-v6ops-unique-ipv6-prefix-per-host]  Brzozowski, J. and G. Velde, "Unique IPv6 Prefix Per Host", draft-ietf-v6ops-unique-ipv6-prefix-per-host-13 (work in progress), October 2017.

[I-D.kampanakis-6man-ipv6-eh-parsing]  Kampanakis, P., "Implementation Guidelines for parsing IPv6 Extension Headers", draft-kampanakis-6man-ipv6-eh-parsing-01 (work in progress), August 2014.

[I-D.thubert-savi-ra-throttler]  Thubert, P., "Throttling RAs on constrained interfaces", draft-thubert-savi-ra-throttler-01 (work in progress), June 2012.

[IEEE-802.1X]  IEEE, "IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control", IEEE Std 802.1X-2010, February 2010.

[IPv6_Security_Book]  Hogg and Vyncke, "IPv6 Security", ISBN 1-58705-594-5, Publisher CiscoPress, December 2008.

[NAv6TF_Security]  Kaeo, Green, Bound, and Pouffary, "North American IPv6 Task Force Technology Report - IPv6 Security Technology Paper", 2006.

[NIST]  Frankel, Graveman, Pearce, and Rooks, "Guidelines for the Secure Deployment of IPv6", 2010.

[RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware", STD 37, RFC 826, DOI 10.17487/RFC0826, November 1982.

[RFC2131]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March 1997.

[RFC2529]  Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 Domains without Explicit Tunnels", RFC 2529, DOI 10.17487/RFC2529, March 1999.

[RFC2740]  Coltun, R., Ferguson, D., and J. Moy, "OSPF for IPv6", RFC 2740, DOI 10.17487/RFC2740, December 1999.

[RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, DOI 10.17487/RFC2784, March 2000.

[RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000.

[RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, DOI 10.17487/RFC2866, June 2000.

[RFC2993]  Hain, T., "Architectural Implications of NAT", RFC 2993, DOI 10.17487/RFC2993, November 2000.

[RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, DOI 10.17487/RFC3056, February 2001.

[RFC3068]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC 3068, DOI 10.17487/RFC3068, June 2001.

[RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 2003.

[RFC3627]  Savola, P., "Use of /127 Prefix Length Between Routers Considered Harmful", RFC 3627, DOI 10.17487/RFC3627, September 2003.

[RFC3756]  Nikander, P., Ed., Kempf, J., and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, DOI 10.17487/RFC3756, May 2004.

[RFC3924]  Baker, F., Foster, B., and C. Sharp, "Cisco Architecture for Lawful Intercept in IP Networks", RFC 3924, DOI 10.17487/RFC3924, October 2004.

[RFC3964]  Savola, P. and C. Patel, "Security Considerations for 6to4", RFC 3964, DOI 10.17487/RFC3964, December 2004.

[RFC3971]  Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, DOI 10.17487/RFC3971, March 2005.

[RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, DOI 10.17487/RFC3972, March 2005.

[RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

[RFC4293]  Routhier, S., Ed., "Management Information Base for the Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293, April 2006.

[RFC4301]  Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005.

[RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, December 2005.

[RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005.

[RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February 2006.

[RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", RFC 4380, DOI 10.17487/RFC4380, February 2006.

[RFC4381]  Behringer, M., "Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4381, DOI 10.17487/RFC4381, February 2006.

[RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006.

[RFC4552]  Gupta, M. and N. Melam, "Authentication/Confidentiality for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006.

[RFC4649]  Volz, B., "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option", RFC 4649, DOI 10.17487/RFC4649, August 2006.

[RFC4659]  De Clercq, J., Ooms, D., Carugi, M., and F. Le Faucheur, "BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN", RFC 4659, DOI 10.17487/RFC4659, September 2006.

[RFC4798]  De Clercq, J., Ooms, D., Prevost, S., and F. Le Faucheur, "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider Edge Routers (6PE)", RFC 4798, DOI 10.17487/RFC4798, February 2007.

[RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September 2007.

[RFC4864]  Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and E. Klein, "Local Network Protection for IPv6", RFC 4864, DOI 10.17487/RFC4864, May 2007.

[RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/RFC4890, May 2007.

[RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

[RFC4942]  Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/Co-existence Security Considerations", RFC 4942, DOI 10.17487/RFC4942, September 2007.

[RFC5157]  Chown, T., "IPv6 Implications for Network Scanning", RFC 5157, DOI 10.17487/RFC5157, March 2008.

[RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, DOI 10.17487/RFC5214, March 2008.

[RFC5340]  Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008.

[RFC5635]  Kumari, W. and D. McPherson, "Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)", RFC 5635, DOI 10.17487/RFC5635, August 2009.

[RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010.

[RFC5969]  Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification", RFC 5969, DOI 10.17487/RFC5969, August 2010.

[RFC6092]  Woodyatt, J., Ed., "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service", RFC 6092, DOI 10.17487/RFC6092, January 2011.

[RFC6144]  Baker, F., Li, X., Bao, C., and K. Yin, "Framework for IPv4/IPv6 Translation", RFC 6144, DOI 10.17487/RFC6144, April 2011.

[RFC6145]  Li, X., Bao, C., and F. Baker, "IP/ICMP Translation Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011.

[RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011.

[RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, DOI 10.17487/RFC6147, April 2011.

[RFC6164]  Kohno, M., Nitzan, B., Bush, R., Matsuzaki, Y., Colitti, L., and T. Narten, "Using 127-Bit IPv6 Prefixes on Inter-Router Links", RFC 6164, DOI 10.17487/RFC6164, April 2011.

[RFC6169]  Krishnan, S., Thaler, D., and J. Hoagland, "Security Concerns with IP Tunneling", RFC 6169, DOI 10.17487/RFC6169, April 2011.

[RFC6192]  Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, March 2011.

[RFC6204]  Singh, H., Beebee, W., Donley, C., Stark, B., and O. Troan, Ed., "Basic Requirements for IPv6 Customer Edge Routers", RFC 6204, DOI 10.17487/RFC6204, April 2011.

[RFC6221]  Miles, D., Ed., Ooghe, S., Dec, W., Krishnan, S., and A. Kavanagh, "Lightweight DHCPv6 Relay Agent", RFC 6221, DOI 10.17487/RFC6221, May 2011.

[RFC6264]  Jiang, S., Guo, D., and B. Carpenter, "An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition", RFC 6264, DOI 10.17487/RFC6264, June 2011.

[RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, DOI 10.17487/RFC6269, June 2011.

[RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

[RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, "Logging Recommendations for Internet-Facing Servers", BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

[RFC6324]  Nakibly, G. and F. Templin, "Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations", RFC 6324, DOI 10.17487/RFC6324, August 2011.

[RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

[RFC6343]  Carpenter, B., "Advisory Guidelines for 6to4 Deployment", RFC 6343, DOI 10.17487/RFC6343, August 2011.

[RFC6434]  Jankiewicz, E., Loughney, J., and T. Narten, "IPv6 Node Requirements", RFC 6434, DOI 10.17487/RFC6434, December 2011.

[RFC6459]  Korhonen, J., Ed., Soininen, J., Patil, B., Savolainen, T., Bajko, G., and K. Iisakkila, "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)", RFC 6459, DOI 10.17487/RFC6459, January 2012.

[RFC6506]  Bhatia, M., Manral, V., and A. Lindem, "Supporting Authentication Trailer for OSPFv3", RFC 6506, DOI 10.17487/RFC6506, February 2012.

[RFC6547]  George, W., "RFC 3627 to Historic Status", RFC 6547, DOI 10.17487/RFC6547, February 2012.

[RFC6564]  Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and M. Bhatia, "A Uniform Format for IPv6 Extension Headers", RFC 6564, DOI 10.17487/RFC6564, April 2012.

[RFC6583]  Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational Neighbor Discovery Problems", RFC 6583, DOI 10.17487/RFC6583, March 2012.

[RFC6598]  Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address Space", BCP 153, RFC 6598, DOI 10.17487/RFC6598, April 2012.

[RFC6620]  Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS SAVI: First-Come, First-Served Source Address Validation Improvement for Locally Assigned IPv6 Addresses", RFC 6620, DOI 10.17487/RFC6620, May 2012.

[RFC6666]  Hilliard, N. and D. Freedman, "A Discard Prefix for IPv6", RFC 6666, DOI 10.17487/RFC6666, August 2012.

[RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013.

[RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.

[RFC6810]  Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, DOI 10.17487/RFC6810, January 2013.

[RFC6964]  Templin, F., "Operational Guidance for IPv6 Deployment in IPv4 Sites Using the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 6964, DOI 10.17487/RFC6964, May 2013.

[RFC6980]  Gont, F., "Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery", RFC 6980, DOI 10.17487/RFC6980, August 2013.

[RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013.

[RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model for IP Flow Information Export (IPFIX)", RFC 7012, DOI 10.17487/RFC7012, September 2013.

[RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed., "Source Address Validation Improvement (SAVI) Framework", RFC 7039, DOI 10.17487/RFC7039, October 2013.

[RFC7045]  Carpenter, B. and S. Jiang, "Transmission and Processing of IPv6 Extension Headers", RFC 7045, DOI 10.17487/RFC7045, December 2013.

[RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis", RFC 7050, DOI 10.17487/RFC7050, November 2013.

[RFC7084]  Singh, H., Beebee, W., Donley, C., and B. Stark, "Basic Requirements for IPv6 Customer Edge Routers", RFC 7084, DOI 10.17487/RFC7084, November 2013.

[RFC7112]  Gont, F., Manral, V., and R. Bonica, "Implications of Oversized IPv6 Header Chains", RFC 7112, DOI 10.17487/RFC7112, January 2014.

[RFC7113]  Gont, F., "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)", RFC 7113, DOI 10.17487/RFC7113, February 2014.

[RFC7166]  Bhatia, M., Manral, V., and A. Lindem, "Supporting Authentication Trailer for OSPFv3", RFC 7166, DOI 10.17487/RFC7166, March 2014.

[RFC7217]  Gont, F., "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)", RFC 7217, DOI 10.17487/RFC7217, April 2014.

[RFC7381]  Chittimaneni, K., Chown, T., Howard, L., Kuarsingh, V., Pouffary, Y., and E. Vyncke, "Enterprise IPv6 Deployment Guidelines", RFC 7381, DOI 10.17487/RFC7381, October 2014.

[RFC7404]  Behringer, M. and E. Vyncke, "Using Only Link-Local Addressing inside an IPv6 Network", RFC 7404, DOI 10.17487/RFC7404, November 2014.

[RFC7422]  Donley, C., Grundemann, C., Sarawat, V., Sundaresan, K., and O. Vautrin, "Deterministic Address Mapping to Reduce Logging in Carrier-Grade NAT Deployments", RFC 7422, DOI 10.17487/RFC7422, December 2014.

[RFC7454]  Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454, February 2015.

[RFC7513]  Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address Validation Improvement (SAVI) Solution for DHCP", RFC 7513, DOI 10.17487/RFC7513, May 2015.

[RFC7526]  Troan, O. and B. Carpenter, Ed., "Deprecating the Anycast Prefix for 6to4 Relay Routers", BCP 196, RFC 7526, DOI 10.17487/RFC7526, May 2015.

[RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., Murakami, T., and T. Taylor, Ed., "Mapping of Address and Port with Encapsulation (MAP-E)", RFC 7597, DOI 10.17487/RFC7597, July 2015.

[RFC7599]  Li, X., Bao, C., Dec, W., Ed., Troan, O., Matsushima, S., and T. Murakami, "Mapping of Address and Port using Translation (MAP-T)", RFC 7599, DOI 10.17487/RFC7599, July 2015.

[RFC7610]  Gont, F., Liu, W., and G. Van de Velde, "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers", BCP 199, RFC 7610, DOI 10.17487/RFC7610, August 2015.

[RFC7707]  Gont, F. and T. Chown, "Network Reconnaissance in IPv6 Networks", RFC 7707, DOI 10.17487/RFC7707, March 2016.

[RFC7721]  Cooper, A., Gont, F., and D. Thaler, "Security and Privacy Considerations for IPv6 Address Generation Mechanisms", RFC 7721, DOI 10.17487/RFC7721, March 2016.

[RFC7872]  Gont, F., Linkova, J., Chown, T., and W. Liu, "Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World", RFC 7872, DOI 10.17487/RFC7872, June 2016.

[RFC8020]  Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, November 2016.

[RFC8064]  Gont, F., Cooper, A., Thaler, D., and W. Liu, "Recommendation on Stable IPv6 Interface Identifiers", RFC 8064, DOI 10.17487/RFC8064, February 2017.

[SCANNING]  "Mapping the Great Void - Smarter scanning for IPv6".

Authors' Addresses

Eric Vyncke (editor)
Cisco
De Kleetlaan 6a
Diegem 1831
Belgium

Phone: +32 2 778 4677
Email: evyncke@cisco.com

Kiran K. Chittimaneni
Dropbox Inc.
185 Berry Street, Suite 400
San Francisco, CA 94107
USA

Email: kk@dropbox.com

Merike Kaeo
Double Shot Security
3518 Fremont Ave N 363
Seattle 98103
USA

Phone: +12066696394
Email: merike@doubleshotsecurity.com
