How do I disable all IPv6 channels of an enterprise?

Source: Internet
Author: User

The transition from IPv4 to IPv6 relies mainly on tunneling: IPv6 packets are encapsulated inside IPv4 packets so that they can be carried across IPv4-only networks. Such tunnels can also appear inside enterprise networks (for example, to cross legacy network devices that do not support IPv6).

Network operators and security teams, of course, do not welcome such tunnels. The main reason is that tunneling hides the layer-4 and higher information of the real IPv6 packet from network flow analyzers, as well as from security ACLs and QoS settings. It is also rumored that IPv6-in-IPv4 tunnels are used as a control channel for botnets. In short, unless such a tunnel is deliberately used in the enterprise network, it should be shut down. (Note: this applies to enterprise networks only; individual users may well be happy to connect their operating systems to IPv6 networks this way.)

Therefore, the fundamental question for network management is whether all such tunnels can be blocked.

For 6to4 and ISATAP tunnels the answer is easy: an access control list (ACL) that blocks IP protocol 41 (IPv6 encapsulated in IPv4) is enough. For example (ACL number 100 is an example; the final permit keeps other traffic flowing, since an ACL ends with an implicit deny):

    access-list 100 deny 41 any any
    access-list 100 permit ip any any

Another tunnel is Teredo, which relies on UDP encapsulation. The default UDP port used by Teredo is 3544, so you might be tempted to use the following access control list:

    access-list 100 deny udp any any eq 3544
    access-list 100 deny udp any eq 3544 any
    access-list 100 permit ip any any

However, the above access control list also blocks ordinary traffic that happens to use port 3544, and an unauthorized user can simply change the UDP port. In this case the flexibility of Cisco Flexible Packet Matching (FPM) is useful: FPM can inspect any packet at a specified offset. On most platforms this inspection is done in software, so FPM should only be applied at suitable points in the network. The trick for finding Teredo packets is to examine all UDP packets for an encapsulated IPv6 header whose address begins with the Teredo prefix 2001:0000::/32 (note that we use /32, not /16, so the match is on 2001:0000 and not merely 2001). A further check of the IP payload, namely that it really starts with an IPv6 header, is also required.

The complete FPM configuration is as follows:

    ! Load the protocol header definition files that FPM needs for the
    ! "IP" and "UDP" fields below (paths as shipped with IOS; adjust for your image)
    load protocol system:fpm/phdf/ip.phdf
    load protocol system:fpm/phdf/udp.phdf
    !
    ! Stack class: IPv4 packets whose protocol field is 17 (UDP)
    class-map type stack match-all cm-ip-udp
     match field IP protocol eq 17 next UDP
    !
    ! Teredo, case 1: the UDP payload starts with an IPv6 header (version nibble 6)
    ! and the IPv6 source address (offset 8) begins with 2001:0000
    class-map type access-control match-all cm-teredo1
     match start udp payload-start offset 0 size 1 eq 0x60 mask 15
     match start udp payload-start offset 8 size 4 eq 0x20010000
    !
    ! Teredo, case 2: the same check on the IPv6 destination address (offset 24)
    class-map type access-control match-all cm-teredo2
     match start udp payload-start offset 0 size 1 eq 0x60 mask 15
     match start udp payload-start offset 24 size 4 eq 0x20010000
    !
    policy-map type access-control pm-teredo
     class cm-teredo1
      drop
     class cm-teredo2
      drop
    !
    ! Outer policy: only UDP packets are handed to the Teredo checks
    policy-map type access-control pm-udp-teredo
     class cm-ip-udp
      service-policy pm-teredo

The last step is to apply this service policy to the interface:

    interface GigabitEthernet1/36
     service-policy type access-control in pm-udp-teredo
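To make the difference between the port-based ACL and the content-based FPM policy concrete, here is an added Python example (not part of the original article and not Cisco code) that applies the same two decision rules to constructed IPv4 packets: `port_acl_verdict` mimics the two `deny udp ... 3544` lines, and `fpm_verdict` mimics the protocol-41 ACL plus the FPM class maps (IPv6 version nibble at offset 0, Teredo prefix 2001:0000 at offset 8 or 24 of the UDP payload). All packets, addresses and ports are made up for the demonstration; nothing is captured from a network.

```python
"""Compare port-based and content-based Teredo / protocol-41 blocking.

Added example, not from the original article. All packets below are
constructed in code with documentation addresses; no sockets are used.
"""
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41          # 6to4 / ISATAP carry IPv6 directly in IPv4
TEREDO_PORT = 3544               # default Teredo UDP port
TEREDO_PREFIX = b"\x20\x01\x00\x00"   # first 32 bits of 2001:0000::/32


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum 0) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv6(src_hex, dst_hex, payload=b""):
    """Minimal 40-byte IPv6 header; addresses given as 32 hex digits each."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    return hdr + bytes.fromhex(src_hex) + bytes.fromhex(dst_hex) + payload


def is_teredo_payload(payload):
    """Same checks as the cm-teredo1 / cm-teredo2 class maps:
    version nibble 6 at offset 0, and 2001:0000 at the start of the
    source (offset 8) or destination (offset 24) address."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False
    return payload[8:12] == TEREDO_PREFIX or payload[24:28] == TEREDO_PREFIX


def port_acl_verdict(pkt):
    """What 'deny udp any any eq 3544' / 'deny udp any eq 3544 any' decide."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_UDP:
        return "permit"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return "deny" if TEREDO_PORT in (sport, dport) else "permit"


def fpm_verdict(pkt):
    """What the protocol-41 ACL plus the FPM policy decide."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "deny-proto41"
    if proto == PROTO_UDP and is_teredo_payload(pkt[ihl + 8:]):
        return "deny-teredo"
    return "permit"


def sample_packets():
    """Constructed test traffic (documentation prefixes, not real captures)."""
    teredo_v6 = build_ipv6("20010000" + "0" * 24, "20010db8" + "0" * 24)
    plain_v6 = build_ipv6("20010db8" + "0" * 24, "20010db8" + "0" * 24)
    return {
        "6to4": build_ipv4(PROTO_IPV6_IN_IPV4, "192.0.2.1", "192.88.99.1", plain_v6),
        "teredo_default_port": build_ipv4(PROTO_UDP, "192.0.2.2", "198.51.100.1",
                                          build_udp(3544, 3544, teredo_v6)),
        "teredo_other_port": build_ipv4(PROTO_UDP, "192.0.2.3", "198.51.100.1",
                                        build_udp(40000, 40001, teredo_v6)),
        "benign_3544": build_ipv4(PROTO_UDP, "192.0.2.4", "198.51.100.2",
                                  build_udp(3544, 53, b"not ipv6")),
        "dns": build_ipv4(PROTO_UDP, "192.0.2.5", "198.51.100.53",
                          build_udp(50000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:20s} port-ACL={port_acl_verdict(pkt):7s} FPM={fpm_verdict(pkt)}")
```

Running it shows the two failure modes the text describes: the port-based ACL permits Teredo moved to port 40000 and denies the benign packet that merely uses source port 3544, while the content-based rule catches Teredo on any port, leaves the benign packet alone, and the protocol-41 rule handles 6to4/ISATAP separately.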

Finally, note that another way to block all these tunnels is to disable them by configuration on every network host. This again applies only to enterprise networks, where hosts are centrally managed. For example, on a computer running Windows Vista you can run the following commands:

    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
