Lots of IPv6-related things hit the news cycle in the last few weeks.Here are some of those news items: 2020 IPv6 OMB Mandate: stating all federal agencies must transition at least 20% of their networks to IPv6-only by end of FY 2023 the NIST IPv6 Profile updated to their Revision 1 of the US Government […]
IPv6 in the DoD finally? Read More »
The National Cybersecurity Center Center of Excellence (NCCoE) hosted a great IPv6 workshop today. Spectacular and substantive discussion packed into a morning workshop on the stae of IPv6 deployment in the enterprise network. The workshop was MCed by Doug Montgomery from the National Institute of Standards and Technology (NIST). You can take a look at
IPv6 Enabled Enterprises Workshop Read More »
The DoD has done an excellent job in annotating the best security practices for operating systems for years with its Security Technical Implementation Guides, or STIGs. In fact, STIGs for networking systems like routers, IDS/IPS, switches, devices, etc have been updated to reflect the new reality: IPv6. However, with STIGs on the operating system there
IPv6 Security – Server Operating Systems Read More »
Tomorrow, our very own Jeremy Duncan will be speaking on “IPv6 Best Practices in Network Functions Virtualization (NFV) with Vmware NSX,” tomorrow around 11:10 am MDT. We are also here in the Denver Tech Center, so come on by and let’s talk! We have a booth right in front of the main conference room. If
Tachyon Dynamics Speaking on IPv6 NFV at the North American IPv6 Summit Read More »
A few weeks ago, the IETF updated the newest in a long line of what I like to call “IPv6 capitulations.” Going on a rant here – the IETF fought long and hard to have a robust, secure, and interoperable protocol with IPv6. This is one of the many examples where it is being systematically
OSPFv3 Authentication Trailers – IPv6 Capitulations Read More »
Speaking with quite a few network engineers in the last few months, I was shocked by the lack of real understanding of the Domain Naming System (DNS). It shocked me because it is the singular application functionality that is entirely network-based. Meaning that DNS is the foundation of the Internet, and from their perspective, should
DNS: Back to Basics for Network Engineers Read More »
Bottom line up front: Cisco has a broken implementation of OSPFv3 authentication. This story begins like many do with network engineers trying to do their best in implementing IPv6 after a thorough and exhaustive engineering exercise. Cisco’s Aggregation Services Router (ASR) routing platform running IOS-XE, starting with version 3.1.0 until the most recent 3.09.02 S,
Authentication for OSPFv3 Address Family support in IOS-XE? Think again Read More »
In the DoD there is a strong requirement for 2-factor authentication in the network. For systems and workstations they use a successful implementation with Public Key Infrastructure (PKI) and a DoD common access card (CAC) which has a client certificate. The user has a PIN; therefore, 2-factor. Nothing like this exists for network devices (routers,
Secure and Affordable 2-factor authentication: Yubikey Read More »
***Updated on 14 May 2014 – regarding NET-IPv6-022, See below*** Thousands of network engineers in the DoD out there looking at implementing IPv6 now have to address a few Security and Technical Implementation Guidance (STIG) items that they used to just annotate as “Not Applicable – NA.” Now, IPv6 security is important. If you are
Cisco IPv6 IOS Hardening – DoD Style Read More »
Last month I presented the case as to why 802.1x authentication is not enough for local network (wired or wireless) security (go back here to read). In this post I will present an alternative: IPv6 Secure Neighbor Discovery (SeND). If you have an IPv6 enterprise, small IPv6 deployment, or a little IPv6 lab then pay
Why 802.1x is Not Enough: How to Implement SeND – Part 2 Read More »