Annual Computer Security Applications Conference (ACSAC) 2013

Full Program »

Design and Configuration of High Security IPv6 Networks

Many organizations are implementing IPv6 for Internet facing systems as a first step of the transition phase. For these systems, often configuration steps are performed which somehow contradict “traditional IPv6 paradigms” (static addresses instead of autoconfig, deactivation of local RA processing, deviation from /64 etc.). This talk presents possible design approaches and configuration steps for networks with high security requirements, like DMZ segments. Here several decisions have to be taken (/64 or not? – think of neighbor cache exhaustion…, suppressing the A-flag in RAs vs. deactivation of local RA processing et.al.) which might have a huge impact on the security and operational feasibility of the systems in question. We discuss the pros and cons of different design approaches. Typical configurations steps will be shown for the most common operating systems (Windows, Linux, BSD) and network devices (e.g. Cisco). Furthermore, current defense strategies regarding neighbor cache exhaustion will be discussed.

Author(s):

Enno Rey    

 

Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC