Many organizations are implementing IPv6 for Internet facing systems as a first step of the transition phase. For these systems, often configuration steps are performed which somehow contradict “traditional IPv6 paradigms” (static addresses instead of autoconfig, deactivation of local RA processing, deviation from /64 etc.). This talk presents possible design approaches and configuration steps for networks with high security requirements, like DMZ segments. Here several decisions have to be taken (/64 or not? – think of neighbor cache exhaustion…, suppressing the A-flag in RAs vs. deactivation of local RA processing et.al.) which might have a huge impact on the security and operational feasibility of the systems in question. We discuss the pros and cons of different design approaches. Typical configurations steps will be shown for the most common operating systems (Windows, Linux, BSD) and network devices (e.g. Cisco). Furthermore, current defense strategies regarding neighbor cache exhaustion will be discussed.
Enno Rey @Enno_Insinuator is an old school network security guy who has been involved with IPv6 since 1999. In the last years he has contributed to many IPv6 projects in very large environments, both on a planning and on a technical implementation level.