APNIC Network Analyst / Technical Trainer Awal Haolader gives the technical keynote presentation on IPv6 deployment and security considerations at the IDNIC OPM 2023, held from 5 to 7 December 2023 in Bandung, Indonesia.

1. 1 v1.2

2. 2 v1.2
IPv6 Deployment Planning
and Security Considerations
Md Abdul Awal | APNIC
awal@apnic.net

3. 3 v1.2
IPv6 in South East Asian Countries
https://stats.labs.apnic.net/ipv6
MM ~40%
TH ~45%
VN ~58%
MY ~70%
PH ~16%
SG ~23%
ID ~14%

4. 4 v1.2
IPv6 Deployment Planning

5. 5 v1.2
IPv6 Deployment – Where to Start?
Get IPv6 Address
from RIR / NIR /
ISP
Assess network
for IPv6
readiness
Prepare IPv6
address plan that
makes sense
Arrange dual-
stack peering
with upstream
Configure IPv6 in
your backbone
network
Test IPv6
connectivity
internally
Start providing
IPv6 to
customers
Monitor and
evaluate

6. 6 v1.2
Subnet at the Nibble Bit Boundary
/36 slices (1 x 4 bits)
2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
….
….
2001:db8:f000::/36
/40 slices (2 x 4 bits)
2001:db8:0000::/40
2001:db8:0100::/40
2001:db8:0200::/40
2001:db8:0300::/40
….
….
2001:db8:ff00::/40
/44 slices (3 x 4 bits)
2001:db8:0000::/44
2001:db8:0010::/44
2001:db8:0020::/44
2001:db8:0030::/44
….
….
2001:db8:fff0::/44
/48 slices (4 x 4 bits)
2001:db8:0000::/48
2001:db8:0001::/48
2001:db8:0002::/48
2001:db8:0003::/48
….
….
2001:db8:ffff::/48
Subnetting at the Nibble Bit is
simple and easy to manage
Nibble bit subnets of 2001:db8::/32

7. 7 v1.2
IPv6 Addressing for Point-to-point Links
2001:db8:0:1::/ 127
2001:db8:0:1::1/127
R1 R2
IPv6 Address Plan
R1 – R2 Link 2001:db8:0:1::/ 64
R3 – R4 Link 2001:db8:0:2::/ 64
R3 R4
/126 for MikroTik P2P Links
2001:db8:0:2::/126
2001:db8:0:2::1/ 126
2001:db8:0:2::2/ 126
2001:db8:0:2::3/126
/127 for P2P Links

8. 8 v1.2
Address Assignment Plan
/34 /34 /34 /34
Contiguous assignment
may not work in the
long run
Customer 1 Customer 3 Customer 2 Customer 4
/32
Customer 1
Customer 3
Customer 2
Customer 4
Split assignment
works better for BGP
traffic engineering

9. 9 v1.2
Customer Address Distribution
ISP
Enterprise Customer
::/127
ISP plans a /64 for each
PE-CE peering, but
configures with /127
::1/127
PE
CE
ISP
Broadband Customer
::1/64
ISP assigns /64 for
customer WAN via
SLAAC/DHCPv6
BNG/
BRAS
CPE
ISP assigns at least
one /48 for enterprise
customer LAN
ISP assigns at least /60
(or bigger) for user LAN
via DHCPv6-PD

10. 10 v1.2
Aggregated BGP Announcements
Aggregated BGP announcements
- Easy to configure and maintain
- Keep global routing table smaller
Long list of /48s may
not be helpful at all

11. 11 v1.2
IPv6 Address Management
• phpipam.net
• github.com/netbox-community/netbox
• spritelink.github.io/NIPAP
Free and open
source IP Address
Management tool

12. 12 v1.2
Dual-stack Vs IPv6-only Deployment
• Advantages
– Comparatively easier
– IPv4 experience can be reused
– Troubleshooting might be easier
• Challenges
– Still need IPv4 (and NAT)
– Everything runs twice
• Advantages
– Only one AF configuration
– Very minimum need of IPv4 space
• Challenges
– Multiple translation might be needed
– Additional challenges to run NAT64,
DNS64 and 464XLAT
Dual-stack IPv6-only
It is easier for ISPs to start deploying dual-stack network

13. 13 v1.2
IPv6 Security Considerations

14. 14 v1.2
Create Minimum ROA - Match Your BGP Announcements
Small number of
prefix announced
Prone to validated
BGP hijack
The Max Length covers
all possible BGP
prefixes (/32 - /48) !!!

15. 15 v1.2
BGP Filters for IPv6 Longer Prefixes (>/48)
These /64s should NOT
exist in the global
routing table

16. 16 v1.2
Inspect Extension Headers
• Attackers use the EH as a covert channel to exchange
information (payload) undetected
• Mitigation:
– Drop unknown EH
– Drop invalid EH (0, 43)
IPv6 Header
Next Header = 4
EH
Next header = 0
TCP header + data
EH
Hidden Data

17. 17 v1.2
Is RA always necessary?
R1 SW
Hosts with static IPv6 Addresses
RA should be disabled RA must be enabled
R1 SW
Hosts with SLAAC / DHCPv6
R1 R2
P2P Links

18. 18 v1.2
RA Guard – Block Rouge RAs (RFC6105/7113)

19. 19 v1.2
Careful with ICMPv6 Filters
• Filtering ICMPv6 is not straight forward
– You block ICMPv6 => you break IPv6!
• RFC4890: “ICMPv6 Filtering Recommendations”
– Permit Error messages
• Destination Unreachable (Type 1) - All codes
• Packet Too Big (Type 2)
• Time Exceeded (Type 3) - Code 0 only
• Parameter Problem (Type 4) - Codes 1 and 2 only
– Permit Connectivity check messages
• Echo Request (Type 128)
• Echo Response (Type 129)
Or, rate limit
ICMPv6 packets

20. 20 v1.2
And, Current Security Best Practices…
• uRPF / BCP38
• Bogon Filters
• RPKI Based Filters
• BGP Policies
• PTR Records / IPv6 Reverse DNS Delegation
• Filters applied for IPv4 should also make sense for IPv6

21. 21 v1.2
Thank You!