IPv6 Security Training: What to Expect
January 29, 2016
Before signing up for an IPv6 security training course, know what you’re getting yourself into. Understand the course prerequisites and review the course outline to determine whether you and the course fit one another.
IPv6 Security Training Expectations
This blog post outlines the critical material you should expect when researching IPv6 security training.
Are you experienced with IPv4 and IPv6?
This is a good starting point before going into the security considerations for IPv6. Perform a self-evaluation to determine if your IPv4 and IPv6 skills match up to the course subject matter.
Prior to learning about the security aspects of managing or working in an IPv6 environment, whether it’s mixed or completely IPv6 configured and enabled, you must evaluate your understanding and proficiency with both Internet protocols.
You shouldn’t possess expert-level knowledge, but this material is not for the inexperienced. Use these questions as a baseline for measuring your understanding.
- How much networking experience do you have? More specifically, do you have working experience with IPv4 and IPv6 addressing?
- Do you know the main differences between the two protocols and are you capable of explaining them to both technical and nontechnical professional?
- Do you understand how to install, setup, configure, and manage different types of firewalls?
- Do you have the experience and understanding of what it takes to develop, contribute to, and maintain an organizational security architecture?
- Do you have CompTIA Network+, CompTIA Security+, or Cisco CCNA certifications?
You don’t need to answer all the questions in the affirmative nor demonstrate an advanced-level comprehension of all material related to those questions. You don’t need to be a subject matter expert to qualify for IPv6 security training.
But if you do not hold fundamental networking and security skills, then don’t burden yourself with trying to learn concepts and technical details that will go over your head.
Once you come to a conclusion after a self-evaluation, review the course outline.
An IPv6 security training that’s worth it’s weight in gold will examine the importance of being proficient in IPv4 addressing. Even though IPv4 contains several limitations compared to IPv6, a strong understanding of IPv4 is necessary for network management and security.
Why do you need to know IPv6 on an exclusive IPv4 environment? Cyber security experts state that attackers, often with advanced-level comprehension of IPv6, can take advantage of the outdated networking infrastructures by sending attacks through IPv6 packets and traffic that is not accounted for by network admins. This traffic, if not monitored, can penetrate the network perimeter defense and spread across all network segments.
Practical network admins account for IPv4 and IPv6 traffic regardless of the network infrastructure within the environment. They configure routers, firewalls, servers, and all networking software and hardware devices to read and process both protocols.
The training should review the overall structure of IPv4 and its addressing limitations in comparison to IPv6.
Fundamental and Advanced IPv6 Topics
Does the course go into the benefits of the new header formatting and options in IPv6? You should expect a detailed lecture and outline about the header differences between IPv4 and IPv6.
IPv6 Extension Headers
Headers are a critical topic in IPv6 addressing, specially in understanding how IPv6 headers enhance router and network performance with fixed lengths and the application of extension headers. The trainer should go into the functions, strengths, and weaknesses of these extension headers:
- Hop-by-Hop Options Header
- Routing Header
- Fragment Header
- Destination Options Header
- Routing Header
- Authentication Header (AH)
- Encapsulating Security Payload (ESP) Header
ICMPv6, DHCPv6, MIPv6, MLD, and ND
The trainer should cover relevant topics, such as Flow Labels, Traffic Classes, formatting guidelines, configuration methods, DHCPv6, ICMPv6, MIPv6, MLD, and ND.
You should anticipate a side by side comparison of how DHCPv6, ICMPv6, and ND replace specific protocols from IPv4. This proves essential for mixed IPv6/IPv4 networks. This explanation should examine how Neighbor Discovery replaces Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and the ICMPv4 Redirect message. You should learn about the ND processes, including:
- Address Autoconfiguration
- Address Resolution
- Duplicate Address Detection
- Dynamic Updates to DNS
- IPv6 Neighbor Discovery
- Neighbor Unreachability Detection
- Next-Hop Determination
- Parameter Discovery
- Prefix Discovery
- Redirect Function
- Router Discovery
Also, as you will later encounter in security sections, do not overlook the differences between stateful and stateless autoconfiguration. The application of autoconfiguration in IPv6 differs from IPv4. This enables efficient configuration of connected devices, but leaves doors open for attackers to take advantage of vulnerabilities.
Good courses will revisit and further explore addressing types. This includes link-local, special, compatibility, unspecified, unicast, anycast, loopback, and multicast addresses. The conversation should progress into the usage of these address types on network devices and the communication between routers and hosts. The trainer should explain why IPv6 addresses are assigned to interfaces and not nodes.
Review of Security Practices and Tools
Then the training should go into general security best practices, tools, and approaches. These lessons should cover access control, confidentiality, data origin authentication, encryption, integrity, traffic analysis, traffic flow confidentiality, firewall types and functionality.
The course should focus on the noted IPv6 security concerns, such as:
- Stateless Address Autoconfiguration Concerns
- Anycast Address Security
- IPv6 Flow Label Concerns
- IPsec Concerns
- ICMPv6 Concerns
- Neighbor Discovery Attacks
The Neighbor Discovery attacks should include neighbor solicitation, malicious last-hop router, eliminate legitimate routers, spoofed redirect, bogs on-link prefix, bogus parameters, replay attacks, Neighbor Discovery DoS attacks.
In addition to the array of IPv6 security concerns, lessons should closely examine the mandatory implementation of IPsec with IPv6. This includes transport and tunnel mode, Authentication Header, and the Encapsulating Security Payload (ESP) header.
Any good IPv6 security training entails a detailed lesson(s) on firewalls in IPv6. This would cover the role of firewalls for perimeter security, firewall issues, and how the types of firewalls fit within an IPv6 or mixed environment.
The conclusion, as well as the material leading up to this point, should elucidate security implications involved with a migration to an IPv6 only or mixed environment.