IPv6 Transition/Coexistence Security Considerations

Ensure that system and network administrators are trained and capable. Security testing must be performed by capable and trained staff. Often, individuals recruited for this task are already involved in system administration. While system administration is an increasingly complex task, the number of trained system administrators generally has not kept pace with the increase in computing systems. Competent system administration may be the most important security measure an organization can employ, and organizations should ensure they have enough administrators with the required skill level to perform system administration and security testing correctly.

Network Working Group
Request for Comments: 4942
Category: Informational
E. Davies, Consultant
S. Krishnan, Ericsson
P. Savola, CSC/Funet
September 2007

IPv6 Transition/Coexistence Security Considerations

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

The transition from a pure IPv4 network to a network where IPv4 and IPv6 coexist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network and the associated transition mechanisms. This document attempts to give an overview of the various issues grouped into three categories:

o issues due to the IPv6 protocol itself,
o issues due to transition mechanisms, and
o issues due to IPv6 deployment.

Davies et al. Informational Page 1
RFC 4942 IPv6 Security Overview September 2007

Table of Contents

1. Introduction
2. Issues Due to IPv6 Protocol
IPv6 Protocol-Specific Issues
Routing Headers and Hosts
Routing Headers for Mobile IPv6 and Other Purposes
Site-Scope Multicast Addresses
ICMPv6 and Multicast
Bogus Errored Packets in ICMPv6 Error Messages
Anycast Traffic Identification and Security
Address Privacy Extensions Interact with DDoS Defenses
Dynamic DNS Stateless Address Autoconfiguration Privacy Extensions and SEND
Extension Headers
Fragmentation Reassembly and Deep Packet Inspection
Fragmentation Related DoS Attacks
Link-Local Addresses and Securing Neighbor Discovery
Securing Router Advertisements
Host-to-Router Load Sharing
Mobile IPv6
IPv4-Mapped IPv6 Addresses
Increased End-to-End Transparency
IPv6 Networks without NATs
Enterprise Network Security Model for IPv6
IPv6 in IPv6