A series of posts on IPv6 connectivity and security


Wed, 03/21/2012 - 07:56
Feb 16th, 2012

IANA's announcement, in February 2011, that the last IPv4 blocks had been allocated to the Regional Internet Registries (RIRs) contributed to a significant increase in the interest in IPv6 (and to the "panic" about such a challenging migration...).

Within networking and security circles, any mention of "v6" usually triggers two diametrically opposed lines of thought:

- on one hand, the new possibilities for services available to users;

- on the other hand, the amount of work (and time) the migration to this new platform will take.

It is important to keep in mind that IPv6 differs from v4 in many areas that go beyond the (almost unlimited) addressing capabilities and the new header format. There are new processes that need to be understood before you can successfully design and deploy a v6 network. For instance, the habit of performing Port Address Translation (address hiding) whenever your organization's machines connect to the Internet needs to be reconsidered...

In an attempt to make a small contribution to your journey to v6, I decided to start a series of articles on my blog (http://alexandremspmoraes.wordpress.com/), covering both connectivity and security aspects. Check it out and stay tuned for more...!

- IPv6: Deriving the EUI-64 Interface Identifier

- Understanding some tricky IPv6 Addresses

- Introduction to IOS IPv6 ACLs

- Gaining visibility of your IPv6 traffic with Flexible Netflow

- Some IPv6 link-local processes and the associated ICMPv6 messages

- How IOS IPv6 ACLs handle ICMPv6 Neighbor Discovery messages

- Sample Configuration of the Cisco IOS Zone-based Policy Firewall with IPv6

- Cisco IOS Zone-based Policy Firewall: L7 inspection for FTP over IPv6

** Related posts:

IPv6 series: http://alexandremspmoraes.wordpress.com/tag/ipv6/

Cisco Zone-based Policy Firewall series: http://alexandremspmoraes.wordpress.com/tag/zone-firewall/

Access Control Lists (ACLs) series: http://alexandremspmoraes.wordpress.com/tag/acl/

hobbe Sun, 02/19/2012 - 12:00

I think it is a great idea to talk about IPv6 from a security standpoint.

IPv6 is a different protocol than IPv4, and since it is installed in many systems already (and in some cases even preferred, even though people do not know it), there is a high risk of systems that can talk to each other even though IPv4 is filtered, just because one forgets to either uninstall/disable IPv6 or filter it.

What is the roadmap for Cisco devices?

E.g. the 2960lite does not support IPv6, and as far as I can see it does not seem to be in the roadmap. Why is that?

The ipbase and securityK9 do not support ipv6ip tunnel mode (v6 over v4) (at least not in my router). Why is that?

One would think that Cisco would want us to use IPv6 as soon as possible, but it seems there are many limitations and that IPv6 is not considered "bread and butter" but instead is treated as a "speciality".

Sure, in America and Europe we do not have a problem today, but in the APNIC region there are huge problems growing.

Will there be an IPv6-to-IPv6 NAT?

It is an important and interesting topic.

I am looking forward to the discussion.
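The risk hobbe raises (a host that filters IPv4 but was never filtered on IPv6) can be audited mechanically. The script below is an added example, not code from this thread or from Cisco: it assumes a Linux host whose listening sockets come from `ss -tln` and whose filters come from `iptables-save` / `ip6tables-save`, all sample outputs are constructed, and it reports the ports that anyone can reach over IPv6 while the same host keeps them closed over IPv4, first against an unfiltered IPv6 stack and then against a mirrored IPv6 policy.

```python
"""Audit: which IPv6 listeners are open to the world although the host
filters IPv4? Inputs are `ss -tln` and *tables-save style text (Linux assumed)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed `ss -tln` sample: sshd is dual-stack, PostgreSQL IPv6-only,
# MySQL loopback-only, the web server IPv4-only.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       80      [::1]:3306           [::]:*
LISTEN  0       128     [::]:5432            [::]:*
"""
# Constructed iptables-save sample: IPv4 INPUT is locked down.
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""
# Constructed ip6tables-save sample: IPv6 was simply never filtered.
IP6TABLES_UNFILTERED = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""
# Constructed corrected IPv6 policy mirroring IPv4. ICMPv6 stays open
# because Neighbor Discovery (and path MTU discovery) break without it.
IP6TABLES_FIXED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s 2001:db8::/32 -j ACCEPT
COMMIT
"""
LOOPBACK = {"127.0.0.1", "::1"}
Rule = Tuple[Optional[int], bool, str]  # (dport, source-restricted?, target)


def parse_listeners(ss_text: str) -> Dict[int, Set[int]]:
    """Map address family (4 or 6) to TCP ports listening on a non-loopback address."""
    listeners: Dict[int, Set[int]] = {4: set(), 6: set()}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m6 = re.fullmatch(r"\[([0-9a-fA-F:]+)\]:(\d+)", fields[3])
        m4 = re.fullmatch(r"([0-9.]+):(\d+)", fields[3])
        family, m = (6, m6) if m6 else (4, m4)
        if m is None or m.group(1) in LOOPBACK:
            continue
        listeners[family].add(int(m.group(2)))
    return listeners


def parse_input_chain(save_text: str) -> Tuple[str, List[Rule]]:
    """Extract the INPUT chain policy and its rules from a *tables-save dump."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            dport = re.search(r"--dport (\d+)", line)
            target = re.search(r"-j (\S+)", line)
            rules.append((int(dport.group(1)) if dport else None,
                          " -s " in line,
                          target.group(1) if target else policy))
    return policy, rules


def world_reachable(port: int, policy: str, rules: List[Rule]) -> bool:
    """First-match evaluation of a new TCP connection to `port` from an arbitrary
    source. Source-restricted rules and port-less ACCEPTs (conntrack, ICMP)
    do not open the port to the world, so they are skipped."""
    for dport, restricted, target in rules:
        if dport is not None and dport != port:
            continue
        if restricted or (dport is None and target == "ACCEPT"):
            continue
        return target == "ACCEPT"
    return policy == "ACCEPT"


def ipv6_only_exposure(ss_text: str, v4_save: str, v6_save: str) -> Set[int]:
    """Ports anyone can reach over IPv6 that are not equally open over IPv4."""
    listeners = parse_listeners(ss_text)
    exposed = {}
    for family, text in ((4, v4_save), (6, v6_save)):
        policy, rules = parse_input_chain(text)
        exposed[family] = {p for p in listeners[family]
                           if world_reachable(p, policy, rules)}
    return exposed[6] - exposed[4]
```

Run against the constructed inputs, `ipv6_only_exposure(SS_OUTPUT, IPTABLES_V4, IP6TABLES_UNFILTERED)` flags ports 22 and 5432 (closed to the world on v4, wide open on v6), and the same call with `IP6TABLES_FIXED` returns an empty set. The ICMPv6 accept in the fixed policy is deliberate: unlike IPv4, an IPv6 host that drops all ICMPv6 loses Neighbor Discovery.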

amoraes Thu, 02/23/2012 - 04:12

Hi Hobbe,

First of all, thanks for the comment.

If you want to learn more about IPv6 Security, please check these two Cisco Press titles:

IPv6 Security (IPv6 processes, threats to IPv6, feasible attacks, etc.) - Great reference!

Cisco Firewalls - Complements the first title specifically with regard to firewall functionalities already available on IOS and ASA. It also covers firewall placement in v4-v6 transition environments that employ tunneling.

For more information about IPv6 in general (including "Why Cisco?"), please visit the following portal:

When you talk about IPv6 support on networking devices, it is advisable to differentiate between "host" and "routing" functions:

a) Host: the ability to be inserted in an IPv6 network and managed using the classic protocols (over IPv6). For instance, ICMP, Telnet, Syslog, DNS. L2 devices such as the Catalyst 2960 (LAN Base) already include this type of functionality.

b) Routing: the ability to route IPv6 packets. Support starts on the Catalyst 3560 series for our L3 Switches (IP Services feature set).

Finally, the v6-v6 NAT is a long (philosophical) discussion... (I would start by saying that this was not part of the original IPv6 plans). You can find more information about this in the two Cisco Press books I mentioned (and I will probably include a post on the subject in my blog soon).

I hope this helps.



