Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

IPv6 Security - FAQ from live webcast





During the live event, Cisco subject matter experts Eric Vyncke and Andrew Yourtchenko will explain the security myths and security issues in the IPv6 protocol. Though IPv6 is only available to 3 percent of Internet users, this number is doubling every 6 to 9 months, and, more important, all host OSes have IPv6 enabled by default. The session will focus mainly on the protocol security itself, though some product features will also be explained. It is expected that the attendees have some knowledge of IPv6 and also of IPv4 network security.

General Questions

Q: Why does Cisco recommend the use of scanners? Does this not support criminal recon activity?

A: Scanning can be used as an attack vector, but it has less impact with IPv6 because the address space size helps.

Q: Why did Cisco discontinue support for SeND CGA?

A:  Cisco still supports SeND CGA, but there is only minor acceptance in the field. The main issue with SeND CGA is that it only functions well when you also have support in the Operating Systems (OSs) for the end-hosts, where it is still lacking. Cisco routers and switches support SeND CGA, but there is still only minor adoption in end-systems in the field. SeND and CGA work great on Linux, OS/X, and BSD, but not on Microsoft products without add-on products. 

Q: When will Cisco, by default, block extension header options that are not valid?

A:  There are over 24 transition types today.

Q: Regarding SLAAC, all addresses are valid for that particular session?  Not much info on the individual %n suffixes.  Waiting on the Q&A at the end.
A:  There is usually a "stable" and "temporary" address, the API calls allows an application choose which one to use.

Q: Should I use /127 or /64 on links?
A:  Use /64 for any links where a host exists, and use /127 for Point-2-point links.

Q: Should I block UDP 3653 in order to block freenet tunnels ?
A:  Yes. Block UDP 3653 even if Freenet is not automatically installed by default. This helps avoid the possible danger.

Q: If Microsoft turns off their Teredo servers, will it help prevent auto-configure tunnels as well?

A:  Yes, and no. This will help, but there are other Teredo servers/relays on the Internet. However, this is indeed a good step forward. While they are "sunsetting" their public Teredo servers, it does not stop a system administrator from activating those services on your internal network.


Q: In Windows, I see several v6 addresses.  Which one is the "main" one, or can all be used in order to connect to the PC?  Also, is this an OS function (when DHCPv6 is used?)

A:  If you have DHCPv6 configured correctly, you should have two addresses: the link-local (that begins with fe80::) and the DHCPv6 address, which is used for all of the communications beyond the local segment. If you see more addresses, then they are SLAAC addresses.
Q: Are there any Android-based platforms in Cisco that run IPv6 since they do not yet support DHCPv6?

A:  Android technology must use legacy IP, since everything is dual-stack. Completely turning legacy IP (IPv4) in a network could be a very interesting topic for a separate discussion.

Q: Why is my IPv6 address communication blocked by Antivirus on my Windows 7 desktop?

A:  This depends on the Host Security Suite. Many of them incorporate a personal firewall, and some of them can deal with IPv6. However, it should be a tunable feature. If you observe this behavior, it is good to discover the Antivirus that blocks the IPv6 and whether it can be disabled. Hopefully, this behavior will not persist for long.

Q: What is the recommended maximum number of devices/IPv6 addresses per subnet?

A:  This depends on the applications that you run on the segment. The IPv6 addresses do not change the fundamental rules of network design. You should be able to scale beyond the typical 256 host limit of IPv4; however, you must apply similar design principals when you scale your Layer 2 (L2) domain. On Cisco Connection Online (CCO), there are a number of CVDs for IPv6.

Q: Does IPv6 change the security models that are used in IPv4?

A:  Yes. The IPv6 does bring changes. 

Q: Are there plans to implement Border Gateway Protocol (BGP) flowspec with IPv6 support on routers?

A:  BGP flowspec is planned for delivery in IOS XR 5.2.2. However, development of new features is strongly influenced by customer demands and the available resources in development. The Cisco Adaptive Security Appliance (ASA) already has the broadest feature range for firewalls on the market.

Q: Does Cisco now offer blacklist for the email devices for IPv6?

A:  The email security products from Cisco do support IPv6 transport, this includes SenderBase that provides the reputation services.  SenderBase lookup allows you to supply both IPv4 and IPv6 addresses.

Q: Will the OSPF for IPv6 be fixed to support interoperability between other vender products?

A:  Cisco supports the standards-compliant OSPF for IPv6 (OSPFv3) as defined in RFC5340, and participates in further development of the protocols in the IETF so as to ensure the continued interoperability.

Q: Is there a management feature?

A:  The IPv6 FHS is supported on most Cisco switch platforms today. The Catalyst platforms have fairly extensive support. The IPv6 FHS will complete on the Catalyst 6000 Series in the MK2 release, due later CY14/early CY15. FHS will first ship in NXOS in early CY15.

Q: With IPv6, only the ASA firewall from Cisco contains all of the features that are available in the IPv4 space.  Is this possible with the recent firmware? Is feature parity in IPv6 the same as in the routing space with VRF-aware features?

A:  It is always a race between demand and the available resources in development. If there are specific features that you would like to see, please send us an email about what you see outside, and we will follow up.

Webcast Related Links