Setup for IPv6 tunnel test

[UltraZero]

Good day.  I have a question in reference to setting up the Tunnel

I have a small network consisting of several Cisco Switches and routers.

Of course some if these units don't support IPv6 which means I have to work around this problem.

The question is this.  I have a Dlink unit which is attached to my small 6 Meg DSL connection.  It is not IPv6  aware.  Knowing this, will I need to put something else in it's place to allow IPv6 to be tunneled in or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router.  Otherwise, need I run a dual stack router right up to my DSL modem?

Seeing I have never setup something like this before, I'd like a little insight as to how this should work.

I understand the dual stack concept as far as all devices running basically IPv4 and IPv6, but, the tunneling  is something I am wondering how this happens. 

Also, I gather edge routers are what is basically doing the tunneling but, in my situation I have a DLINK unit which I think is going the be the problem for my network.

Can someone confirm this please and maybe provide a solution.

Thanks much.

UltraZero

[cholzhauer]

Knowing this, will I need to put something else in it's place to allow IPv6 to be tunneled in or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router.  Otherwise, need I run a dual stack router right up to my DSL modem?

Either/or.  If you can pass protocol 41 to your cisco router, you can leave your Dlink in place.  If you can't, you'll need to either replace it or put your Cisco router ahead of it in the chain.

Your tunnel would be 6in4...the device you host the tunnel on would just encapsulate ipv6 packets in ipv4 packets and send them to HE, would tears off the v4 stuff and sends the v6 traffic onwards.

Hope that makes sense...let me know if you need something clarified.

[UltraZero]

So, are we talking ISATAP??

 

[cholzhauer]

Um?

I'm not sure how we swiched from HE and 6in4 to ISATAP?

[UltraZero]

Sorry, just that's what i get for having 40 browser windows open.  I was reading about the different type of ways to move IPv6 over or within IPv4.  

I wasn't sure which one you were talking about.  I didn't mean to throw the topic into a tail spin.

BTW - Isn't protocol 41 ISATAP?? so I wasn't too far off??

 

[UltraZero]

FYI - I have been a sleep for mmmm 10 years and I have a lot of catching  up to do.

Lately, I have been eatting, sleeping,drinking swtiches and routers..

What a meal.  Can you say brain pain??

[UltraZero]

Well. I simply decided to rip out the whole thing and start from scratch.

I needed the practice anyway and thought I would rebuild the routers from scratch.

Instead of trying to get the modem side of my dsl connection to work on the DSL module in my Cisco router, I simply took the dlink out of the loop, put in a 3640 in it's place.  Now, I am working on getting security in place from those pesky hackers out there on the net.   I am new to this, funny to say, but, I really like working with hardware. believe it or not, I only started really getting into this about mmm 1 month ago. 

[antillie]

Well if your new to securing internet facing IOS routers the guys over at Cymru have a rather nice template. It only covers IPv4 but securing both protocols is obviously important.

http://www.cymru.com/Documents/secure-ios-template.html

Not everything in the template will apply to every deployment scenario of course but the template is a useful place to start. When adding IPv6 to my router I basically just adapted the the template to IPv6 where appropriate.

! Source routing could let bad people use our router for nasty things so turn it off.
no ipv6 source-route

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 ! We don't want bad people to try and SSH into our router over IPv6. (Please tell me your not using telnet.)
 ipv6 traffic-filter Block-IPv6-SSH in
 ! Don't send redirects.
 no ipv6 redirects
 ! Enable RPF verification, this prevents ping pong attacks against the LAN.
 ipv6 verify unicast reverse-path

! We should drop traffic bound for IPv6 addresses that should never be on the public internet.

! First is the documentation prefix defined in RFC 3849.
ipv6 route 2001:DB8::/32 Null0

! Next is the unique local address range defined in RFC 4193.
ipv6 route FC00::/7 Null0

! Our SSH blocking ACL.
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any

Of course this only covers securing the router itself. Controlling and securing access to the LAN behind the router is an entirely different matter. Personally I would recommend an ASA series firewall for this purpose if you like Cisco gear. That way you can let your router do the tunneling and routing and let the ASA do the firewall and VPN work.

IPv6 security is something of a new field and I'm sure there are plenty of things that haven't been thought of or discovered yet. So we'll just have to try and secure things as best we can at the moment and see how things play out and make changes as needed.

Edit: Added RPF verification to the tunnel interface to prevent ping pong attacks against the LAN. (Especially useful if you are using a /64 on a point to point link to connect the router to a firewall.)

[UltraZero]

Newbie??  Can  you say.   Wake up, turn on the router and start working.  time I go to bed??  2:30ish am.

Telnet usage.   Naaa.   Figure out some time ago that one can get into trouble if you leave that road open. 

SSH currently is all I am using, although I must say, trying to remember all of the cisco routing commands I have shoved my face into doesn't help remembering ssh.  I am trying to deal with security /ACLs on cisco hardware and am getting my butt kicked. When implementing some of my ACLs, the router drops the connection.  Sucks.  I have consulted many people as to why and no one gives me a straight answer.  I don't think they know.  I keep myself in the trenches and I figure it out little by little.  Keeps me practicing which is the way I look at it.

Re the Cisco ASA firewall. I actually was looking at an older PIX firewall just because of cost.  I know it's a little out dated, but, a little firewall is better than none I would think.  I have to move my router to another location behind my wall (garage) cause it's too loud.  This move is not so bad in the since it will put this piece of equipment closer to my equipment rack. 

I have spent some time on the net (articles and you tube) re hacking and I don't see much about hacking throught firewalls like Cisco ASA or PIX, so, maybe that is a good thing, or maybe the less I hear, the more people are doing it,but, just not in the open.

Kinda getting scary out there.  People are doing stupid things for information.  Man..  What a world.

[UltraZero]

Re Pix, I as thinking about a 515e.  I was looking for a 520 but, too old.

A 525 or 535 would be nice seeing is they process alot more packets and have more support for interfaces.

[antillie]

That's kinda odd. Since Cisco's own data sheet on PIX 7.0 seems to suggest otherwise.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/product_data_sheet0900aecd80225ae1.html