HBT401 - IPv6 Deep Dive for Engineers
IPv6 deep dive designed for those who will deploy IPv6.
Description
Overview:
As with any new technology, IPv6 involves a learning curve for IT administration and operations personnel. Training IT engineers on IPv6 is important and needs to happen first so that the transition can begin. IT engineers need in-depth training to prepare them for the fast-approaching deployment of IPv6 throughout the enterprise network environment. Your organization will bring together network administrators, NOC staff, system administrators, security administrators, and application teams for a multi-day hands-on IPv6 class taught virtually. This document covers the contents of this technical hands-on IPv6 training class.
People Who Should Attend This Class:
Anyone in any IT department role who will be involved with the technical implementation of IPv6
System administrators, network administrators, helpdesk support, DevOps teams, application developers, DNS administrators, security administrators
Anyone who wants to learn the basics of IPv6 and advanced topics of IPv6 and who wants to gain a foundation to prepare for implementation of IPv6
Class Logistics:
We will conduct these IPv6 training classes virtually over the Internet. The subsequent sections of this document detail the IPv6 training class agenda. These classes will be a combination of lecture, student hands-on activities, and live demonstrations of IPv6 technology. The goal of the class is to provide introductory to advanced-level information on IPv6 to increase the support and maintenance skills of your IT staff in preparation for an impending IPv6 roll-out.
The demonstrations will use a combination of our physical lab and virtual environments. Students will use their own laptops and/or mobile devices for the class and connect over the Internet, through the virtual classroom network, to the demonstration lab. The student devices will connect through an Internet jump-host to be able to SSH/RDP/VNC to all devices and run commands that will enhance their learning experience.
Course Outline:
Following is the agenda for the multi-day IPv6 class.
Day 1
IPv6 Introduction – 2 Hours – 8:00AM to 10:00AM
Rationale for IPv6
Requirement for abundant global addresses, IPv4 address exhaustion
Brief review of IPv4 address shortage, CGN/LSN, address transfers
Comparison of IPv4 to IPv6
IPv6 Features and Benefits
IPv6 Header structure, extension headers
IPv6 Addressing and address planning principles, concepts and techniques
ICMPv6 Protocol review and operations (NDP, PMTUD, MLD, ...)
Router Discovery and Neighbor Discovery with ICMPv6
ICMPv6 RA message format
Stateless and Stateful address autoconfiguration
IPv6 Transition Techniques
Dual Protocol/Dual Stack behavior
Tunneling (manual, dynamic), IPv6/IPv4 tunneling
Translation/ALG methods, IPv4 as a Service (v4aaS)
15 Minute Break – 10:00AM to 10:15AM
IPv6 Introduction (Cont.) – 1.75 Hours – 10:15AM to 12:00PM
IPv6-only environments
Performance improvements with IPv6
IPv6 adoption methods, IPv6 Transition planning
Preparing an IPv6 Inventory, Impact Analysis, Transition Plan
Creation of an IPv6 transition team
IPv6 adoption in industry peer-group (higher education, government, commercial enterprises, service providers, etc.)
Current Level of IPv6 Support
Operating System and Application Support
Service Provider Support
Review of current Internet adoption of IPv6
Statistics of IPv6 Internet adoption
IPv6 Summary
IPv6 Advantages and Challenges
IPv6 resources, References & Suggested Reading
Questions and Answers
Basic demo of IPv6, IPv6 enablement on operating system, viewing IPv6 addresses on interfaces, review ICMPv6 RA messages sent by routers
Connecting to the IPv6 lab environment through the jumphosts and bastion servers
Lunch Break - 1 Hour – 12:00PM to 1:00PM
IPv6 Networking Deep Dive – 2 Hours – 1:00PM to 3:00PM
IPv6 deployment strategies to maintain contiguous connectivity
IPv6 Routing Protocols and configuration commands for Cisco, Junos, Arista, FRR, VyOS, and others
IPv6 prefix lengths
Static routing, link-local address for next-hop address
RIPng, EIGRP configuration examples
OSPFv3 (with multiple address families)
IS-IS (single-topology versus multi-topology)
MP-BGP configuration for IPv6, configuration examples of dual-protocol peering
Hands-on configuration exploration and configuration commands for IPv6 routing protocols
Dual Stack router configurations
Exploration of pre-configured dual-protocol routers in the lab environment
Hands-on lab exercises configuring OSPFv3, EIGRP, and BGP on Cisco, Arista, or Juniper
IPv6 capabilities of ISPs, Internet IPv6 routing
Additional IPv6 routing concepts
IPv6 with Multiprotocol Label Switching (MPLS)
IPv6 support by Software Defined Networking (SDN) systems
15 Minute Break – 3:00PM to 3:15PM
IPv6 Networking Deep Dive (Cont.) – 1.75 Hours – 3:15PM to 5:00PM
IPv6 with SD-WAN systems
IPv6 multicast routing
Hands-on exploration of IPv6 multicast sources and receivers in the lab environment
Policy Based Routing (PBR)
DHCPv6 Prefix Delegation
IPv6 First Hop Redundancy Protocols
NUD, HSRPv6, GLBPv6, VRRPv3
IPv6 Quality of Service (QoS) considerations
QoS marking and Flow Label usage
Current level of IPv6 support in networking products
WAN Optimization
Wireless LANs and IPv6
Other networking software and products, FRR, Quagga, CPE devices
Questions and Answers
Day 2
IPv6 Services and Applications – 2 Hours – 8:00AM to 10:00AM
IPv6 DNS operations and configuration
DNS configuration and testing (ISC BIND, Windows, Infoblox, etc.)
Discussion of DNS64/NAT64 and design and deployment considerations
Demonstration of DNS64 and NAT64 from an IPv6-only access network
DHCPv6 configuration and operation (Windows, Infoblox, ISC, etc.)
Discussion of using SLAAC with RDNSS versus DHCPv6
Comparison of techniques based on use-case, data center versus end-user access-networks
IPv6 brokenness, Happy Eyeballs, Host OS implementations and application behavior
IPv6 features in operating systems and applications
IPv6 prefix policy, source/destination address selection rules
Current Level of IPv6 Support in host operating systems
Microsoft Windows, Linux, Apple Mac OS X, and other operating systems
Configuration commands for each IPv6-enabled operating system
Hands-on labs with student VMs and student devices in dual-protocol lab environment
15 Minute Break – 10:00AM to 10:15AM
IPv6 Services and Applications (Cont.) – 1.75 Hours – 10:15AM to 12:00PM
IPv6 in virtualized and cloud environments (VMware, AWS, OpenStack, Containers, among others)
IPv6 in public cloud services
IPv6-enabled web services and applications
Apache, IIS web servers using IPv6
IPv6 application load balancing, reverse proxy configuration
IPv6 and Docker containers
IPv6-capable CDNs, geolocation, public Certificate Authorities (CAs)
Hands-on testing of various IPv6 applications
IPv6 Applications and Software
IPv6 coding standards and practices
Review of dual-protocol development for C, Python, Java, JavaScript, and Golang
Hands-on testing of dual-protocol Python scripts provided to students
Questions and Answers
Lunch Break - 1 Hour – 12:00PM to 1:00PM
Troubleshooting IPv6 Networks and Systems – 2 Hours – 1:00PM to 3:00PM
Troubleshooting methodologies for dual-protocol environments
Troubleshooting with the OSI model
IPv6 documentation techniques
Layer 1 and Layer 2 troubleshooting
Capturing IPv6 packets using Wireshark, tcpdump, and other methods of packet capture
Troubleshooting IPv6 Neighbor Discovery Protocol (NDP)
Hands-on exercises to capture IPv6 packets
IPv6 packet capture and protocol decoding with Wireshark
Layer 3 troubleshooting
Troubleshooting LAN-based and end-to-end dual-protocol connections
Verifying IPv6 addressing and routing on various operating systems
Troubleshooting ICMPv6 messages, RAs, and Neighbor Discovery Protocol (NDP)
Discuss common ICMPv6 issues and examples of troubleshooting methods
Using ping, traceroute, and numerous other end-to-end tests of IPv6 connectivity
Methods of generating synthetic IPv6 testing packets, end-to-end troubleshooting
Troubleshooting DNS
15 Minute Break – 3:00PM to 3:15PM
Troubleshooting IPv6 Networks and Systems (Cont.) – 1.75 Hours – 3:15PM to 5:00PM
Hands-on use of troubleshooting tools in the lab environment
Hands-on testing of end-to-end IPv6 connectivity testing methods and tools
Layer 4 troubleshooting
Troubleshooting TCP and UDP end-to-end connectivity
IPv6 testing and troubleshooting applications and utilities
IPv6 performance measurement methods
Web-based IPv6 troubleshooting utilities
Web Browsers and IPv6
Troubleshooting IPv6-enabled applications
Understanding Path MTU Discovery and OS behavior with fragmentation
Hands-on PMTUD troubleshooting lab exercise
IPv6 Multicast Troubleshooting
IPv6 Network Management methods
Coverage of IPv6-capable management utilities
SNMPv3, NetFlow, syslog, NTP, and other management-plane protocols
Summary, Questions and Answers
Day 3
IPv6 Security – 2 Hours – 8:00AM to 10:00AM
Introductions, review of agenda, class logistics
Overview of IPv6 Security
Security concerns about IPv6 and dual-stack operating systems
Review of the "Latent IPv6 Threat"
State of standards development for IPv6 security-specific, well-known issues
Consequences of running two IP versions simultaneously
Security as it relates to the OSI model and the introduction of IPv6 to environments
IPv6-compatible security tools (i.e. router ACLs, firewalls, proxies, IDS/IPS)
Level of hacker IPv6 experience
Examples of IPv6 security hacker tools available
Examples of documented IPv6 vulnerabilities & vendor response (patches)
IPv6 Threats
Reconnaissance differences in IPv6 compared to IPv4
Describe what techniques attackers will use to perform reconnaissance on IPv6 networks
Comparison of local reconnaissance and remote reconnaissance for IPv6 networks
Attacker reconnaissance methods using IPv6 on a LAN
Hands-on use of utilities to perform IPv6 network reconnaissance
Review how IPv6 addressing changes security paradigms
LAN Threats using Neighbor Discovery Protocol (NDP)
ICMPv6 Threats on a LAN
Rogue ICMPv6 RA messages, using tools to generate rogue RAs
Review methods to detect and/or prevent rogue RAs
Extensive review of IPv6 First-Hop Security (FHS) protection measures
DHCPv6 security
Discuss protection methods of IPv6 on a LAN
Hands-on experience performing link-local IPv6 attacks
15 Minute Break – 10:00AM to 10:15AM
Live IPv6 Security Demonstration – 1.75 Hours – 10:15AM to 12:00PM
Students connect their computers to IPv6 lab and perform IPv6 packet crafting attacks
Demonstrate attacks against Neighbor Discovery Protocol (NDP)
Demonstration of crafted ICMPv6 RA/RS and NA/NS messages
Show methods to prevent these types of attacks
Hands-on lab for students to try these same techniques
Demonstration of IPv6 First Hop Security (FHS) techniques
Review of common IPv6 security attack tools, use these in the lab environment
Lunch Break - 1 Hour – 12:00PM to 1:00PM
IPv6 Security (Cont.) – 2 Hours – 1:00PM to 3:00PM
IPv6 Threats (Continued)
IPv6 Privacy Addressing
Extension Headers attacks
Creating crafted packets across an IPv6 network
Review of passive Internet scanning for remote reconnaissance
Routing Header (RH0) attacks
Fragmentation attacks
Transition Mechanism Threats
Attacks on tunneling, translation
15 Minute Break – 3:00PM to 3:15PM
Live IPv6 Security Demonstration – 1.75 Hours – 3:15PM to 5:00PM
Hands-on IPv6 hop-by-hop and other crafted packet exploits and how to protect against them
Demonstrate protocol “fuzzing” attacks for IPv6
Demonstrate issues with extension headers
Perform an RH0 attack and show how to disable this attack
Demonstrate attacks using extension headers, fragmentation, DoH, HbH, etc.
Perform fragmentation attacks and other crafted packet attacks in the lab
Execute a Layer 3/4 spoofing attack and show mitigation techniques
Demonstrate filtering protection measures for these types of attacks
Hands-on labs for students to generate crafted packets, detect or block these packets
Day 4
IPv6 Security (Cont.) – 2 Hours – 8:00AM to 10:00AM
Review Popular IPv6 Protection Measures
Unicast Reverse-Path Forwarding (RPF) for IPv6
Source/Destination Remotely-Triggered Black Hole (RTBH), ACLs, BGP FlowSpec
Filtering IPv6 BOGONS
IPv6 transition mechanism threats
Application-layer Threats
Man-In-The-Middle Threats
Flooding – DoS, Viruses and Worms
IPv6 vulnerability scanning
Hardening host OSs for IPv6
15 Minute Break – 10:00AM to 10:15AM
IPv6 Security (Cont.) – 1.75 Hours – 10:15AM to 12:00PM
IPv6-Capable Firewalls (appliances, host-based firewalls)
IPv6 Access Control Lists (ACLs)
Host-based IPv6 firewalls
Hands-on lab exercise with ip6tables with UFW on Ubuntu
Review of IPv6-capable firewalls and how they are configured
Firewall policy creation and naming conventions for policies
Review IPv6 configurations of popular enterprise firewalls
IPv6-Capable Intrusion Prevention Systems (IPS)
Demonstration of IPv6-capable IPS configuration
IPv6-capable Security Information and Event Management (SIEM) systems
IPv6 Anomaly Detection systems, malware protection systems
Web Application Firewalls (WAFs) for IPv6
Review of other security protection measures and level of IPv6 support
Lunch Break - 1 Hour – 12:00PM to 1:00PM
IPv6 Security (Cont.) – 2 Hours – 1:00PM to 3:00PM
Show configurations of Cisco router ACLs, and IOS firewall
Review Palo Alto Networks firewall configurations
Review Fortinet FortiGate firewall configurations
Demonstrations of other vendors’ stateful firewalls for IPv6
15 Minute Break – 3:00PM to 3:15PM
IPv6 Security (Cont.) – 1.75 Hours – 3:15PM to 5:00PM
Review of IPv6 Router Threats
How to defend routers and switches from IPv6 attacks
Host hardening for IPv6 threats
Host-based firewall lab exercise
IPv6 and VPNs
IPsec configuration for IPv6
SSL VPN configuration for IPv6
Show IPsec configurations between various devices
IPsec configuration between diverse operating systems
Questions and Answers