
Hello NETMAN - 

http://www.worldipv6launch.org/ 


We have enabled IPv6 on some of our user networks.  No problems, except for a stray site or two on the Internet that will resolve to IPv6, but not have their servers ready to serve on said resolved address.  Naughty naughty!  It seems to be a problem that Happy Eyeballs doesn't help with, either.

What is your organization doing for IPv6 day on Wednesday, if anything?


-
Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Hi NETMAN,

 

We’ve had IPv6 enabled on campus for close to 2 years now, except for a couple locations that are behind ASA’s.  Our primary focus as of late has been implementing first hop security, educating the public about IPv6, and bringing up websites and other services on IPv6.  We have a few websites participating as website operators and are participating as a network operator for World IPv6 Launch Day.  Last year, we participated in World IPv6 Day and didn’t have any issues, so hopefully we will see the same results this year!

 

Hi Michael, Hi Netmans,
We currently have V6 enabled on our ResNet.  I am wondering what access-layer switches folks are using which are capable of providing first-hop security.  In particular, it seems that even the most recent Cisco 3560 do *not* do RA-Guard.  Are folks using higher-end switches?  Do access-layer Juniper and HP support RA Guard?  Also, in terms of first-hop security, this draft of a new proposal may be of interest:

<http://tools.ietf.org/id/draft-gont-opsec-ipv6-nd-shield-00.txt>

Best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327


Dennis,

 

That’s correct.  Several of the access-layer switch models do not currently support RA-Guard and we’ve been told that it’s a feature that’s coming.  I’m not sure about Juniper and HP, as of right now, but I remember being told by our Juniper SE that RA guard was also coming soon. 

 

There are a few other Rogue-RA mitigation techniques that we’ve run across for Cisco:

- Setting the router-preference to High on the VLAN, since the default RA priority is medium
- Disabling SLAAC and using DHCPv6 (although that’s not an option for a lot of networks)
- SeND (not really ready just yet)
- A host facing ACL that accomplishes the same thing as RA guard (if you’d like the code for it, I can send it to you)

 

Also, we have included statements that block rogue DHCPv6 servers in the ACL that performs RA guard-like blocks.

 

Thanks

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Bohn
Sent: Tuesday, June 05, 2012 9:25 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] World IPv6 Day tomorrow!

 

Hi Michael, Hi Netmans,
We currently have V6 enabled on our ResNet.  I am wondering what access-layer switches folks are using which are capable of providing first-hop security.  In particular, it seems that even the most recent Cisco 3560 do *not* do RA-Guard.  Are folks using higher-end switches?  Do access-layer Juniper and HP support RA Guard?  Also, in terms of first-hop security, this draft of a new proposal may be of interest:

<http://tools.ietf.org/id/draft-gont-opsec-ipv6-nd-shield-00.txt>

Best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327

Your ACL sounds really interesting.  Is that something you can share with the list?


-
Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101


NETMAN,

 

Sure, both parts were actually found in the following Cisco white paper, we just combined them into one ACL.  The white paper goes into detail about other first-hop security techniques later down the page.

 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html

 

The first section of the ACL takes care of the DHCPv6 server messages and the second takes care of the RA’s.

 

ipv6 access-list ipv6-secure
 remark Block ipv6 DHCP server
 deny udp any eq 547 any eq 546
 remark Block router advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any

 

Btw, thank you Dennis for the RFC on ND Shield, I hadn’t seen that one yet.  Also, is anyone doing anything to block tunneling protocols?  We have a dual-stack environment on campus and have been looking for some time at blocking tunneling protocols, whether it be at the host through a group-policy, black holing IP for 6to4 relays,  or blocking tunneling by IP protocols.  I was wondering if anyone else has tried any of these and how they worked out.  All that we’ve done thus far is turn off the tunneling protocols on the hosts themselves via group-policy, but that only takes care of the Windows hosts that are attached to our domain.

 

Thanks

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Pete Hoffswell
Sent: Tuesday, June 05, 2012 9:59 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] World IPv6 Day tomorrow!

 

Your ACL sounds really interesting.  Is that something you can share with the list?

 


-
Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101
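
The rogue-RA mitigations discussed in this thread (the router-preference setting and the RA-blocking ACL) can be checked from a monitoring port. The following is an added example, not code from any poster or from the Cisco white paper: it parses ICMPv6 Router Advertisements, reports sources outside an approved-router list, and shows which router a host would pick by RFC 4191 preference. The addresses, the `FRAMES` sample and the function names are constructed for illustration, and default-router selection is simplified to "highest preference with a non-zero lifetime".

```python
import ipaddress
import struct

# RFC 4191 Prf bits in the RA flags byte; the reserved value 10 is treated as medium.
PRF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
RANK = {"low": 0, "medium": 1, "high": 2}

def build_ra(prf_bits, lifetime, prefix, plen=64):
    """Construct a sample RA (checksum left at zero) with one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, prf_bits << 3, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(icmp6):
    """Return preference, lifetime and prefixes of an RA, or None if not a well-formed RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        return None
    ra = {"preference": PRF[(icmp6[5] >> 3) & 0b11],
          "lifetime": struct.unpack("!H", icmp6[6:8])[0], "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8
        if olen == 0 or off + olen > len(icmp6):
            return None  # zero-length or truncated option: discard the whole RA
        if otype == 3 and olen == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append(f"{addr}/{icmp6[off + 2]}")
        off += olen
    return ra

def audit(frames, allowed):
    """frames: (source link-local, ICMPv6 bytes). Returns (unapproved RA sources, preferred router)."""
    unapproved, best = [], None
    for src, payload in frames:
        ra = parse_ra(payload)
        if ra is None:
            continue
        if src not in allowed:
            unapproved.append((src, ra["preference"], ra["prefixes"]))
        if ra["lifetime"] > 0 and (best is None or RANK[ra["preference"]] > RANK[best[1]]):
            best = (src, ra["preference"])
    return unapproved, best

# Constructed sample traffic; all addresses are placeholders.
FRAMES = [
    ("fe80::1", build_ra(0b01, 1800, "2001:db8:10::")),     # campus router, preference High
    ("fe80::bad", build_ra(0b00, 1800, "2001:db8:666::")),  # unapproved source, default Medium
    ("fe80::2", bytes([135]) + bytes(23)),                  # Neighbor Solicitation, ignored
]
ALLOWED = {"fe80::1"}
```

On the sample, the High-preference router wins default-router selection, but the unapproved source's RA and its prefix are still seen on the segment, which is the case the host-facing ACL is there to stop.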

Dennis,

 

Gotcha, that’s good to know.  I didn’t know of anyone that actually had it implemented.  Thanks

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Bohn
Sent: Tuesday, June 05, 2012 11:13 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] World IPv6 Day tomorrow!

 

Nice discussion. Just to let folks know--those who are still on the fence or are having some trouble convincing higher-ups--I have written a blog post called "Risks of _not_ deploying IPv6 in the R&E community."

https://esnetupdates.wordpress.com/2012/05/21/the-risks-of-not-deploying...

Have a look if you get a chance.

michael

NETMAN, We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc). If anyone is interested, I'll send it out once we are finished.

I'm definitely interested. Thanks!

-dan

Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbrisson@uvm.edu

On 6/6/12 9:36 AM, Michael R Fazely wrote:
> NETMAN,
>
> We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc). If anyone is interested, I'll send it out once we are finished.

I am interested!

Thanks,
Sylvia


At 08:36 AM 6/6/2012, Michael R Fazely wrote:
NETMAN,

We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc).  If anyone is interested, I'll send it out once we are finished. 



Add me to the interested list! Thanks

Interested as well, and thank you.

 

Brian

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sylvia Gorman
Sent: Wednesday, June 06, 2012 9:45 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] World IPv6 Day tomorrow!

 

I am interested!

Thanks,
Sylvia


At 08:36 AM 6/6/2012, Michael R Fazely wrote:

NETMAN,

We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc).  If anyone is interested, I'll send it out once we are finished. 



I am interested as well Thanks, Jim
Message from rrichman@nd.edu

Me too!, thanks

Yes Please.......

Joey Rego
Network Security Administrator
Lynn University
Information Technology
3601 North Military Trail
Boca Raton, Fla. 33431-5598
Phone: 561-237-7982 Fax: 561-237-7115
E-mail: jrego@lynn.edu    Web: http://www.lynn.edu  Help: http://itsupport.lynn.edu

I am interested as well, thank you!


I am interested.

On 6/6/2012 9:36 AM, Michael R Fazely wrote:
> NETMAN,
>
> We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc). If anyone is interested, I'll send it out once we are finished.

Message from kwhittaker@keene.edu

    I'm interested as well ...
ken ---
Network Manager 
Keene State College
229 Main St
Keene NH 03435

Message from jeff.obrizok@marist.edu

I am interested – Thanks.

 

 

From: The EDUCAUSE Network Management Constituent Group Listserv <NETMAN@LISTSERV.EDUCAUSE.EDU> [mailto:The EDUCAUSE Network Management Constituent Group Listserv <NETMAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Michael R Fazely <mfazel1@LSU.EDU>
Sent: Wednesday, June 06, 2012 9:36 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] World IPv6 Day tomorrow!

 

NETMAN,

We are in the process of finalizing a white paper that chronicles our experience over the past couple years with IPv6 at LSU (deployment, troubleshooting, etc). If anyone is interested, I'll send it out once we are finished.



Would appreciate seeing it, certainly. -kay-
Message from jeremy@evilrouters.net

Okay, people, he gets the hint. He'll send it to the list, I'm sure.

Add me to the list also!

Pino

**********************
Peppino Muraca
Sr.Network Administrator
Stonehill College
508-565-1193
pmuraca@stonehill.edu
**********************

please

Mary C. Drury
USI Network Administrator
812/464-1976
812/465-1080 (Help Desk)

Confidentiality Statement: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.

Add me in. Thanks

Jackie Barrett
Deputy CIO
Tel. 508-588-9100 EXT 1146
Cell No. 508-802-0531

Please add me to the list. Thank you!

Harry Zahlis
Network Coordinator
1101 E. University Ave, Fresno CA 93741
Voice: 559.442.8206  Fax: 559.265.5708
Fresno City College - Help Desk
Help Desk: 559.265-5770 (fcchelpdesk@fresnocitycollege.edu)
Security Tip: No matter how authentic the request appears, if you are asked in an email or via the phone to provide your password - it is a SCAM.

Message from kennerhf@uwgb.edu

Please add me to the list.

Thanks,

FRED KENNERHED

***************************
Senior Network Administrator
University of Wisconsin - Green Bay
2420 Nicolet Drive
Green Bay, WI 54311-7001
Office: (920) 465-2900
Fax: (920) 465-2864
Email: kennerhf@uwgb.edu
***************************

I too am interested, please add me to the list. However, since there is enough interest, why not just share it with the entire list

Thanks!

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America

On 6/25/12 12:43 PM, "Kennerhed, Fred" wrote:
>Please add me to the list.
>
>Thanks,
>
>FRED KENNERHED
>
>***************************
>Senior Network Administrator
>University of Wisconsin - Green Bay
>2420 Nicolet Drive
>Green Bay, WI 54311-7001
>Office: (920) 465-2900
>Fax: (920) 465-2864
>Email: kennerhf@uwgb.edu
>***************************