The transition from IPv4 to IPv6 relies mainly on tunneling, a technique that encapsulates IPv6 packets inside IPv4 packets so that they can be carried across IPv4-only networks. Such tunnels can also be used inside enterprise networks (for example, across legacy network devices that do not support IPv6).
Of course, network operators and security teams do not like this idea. The main reason is that tunneling hides the layer-4 and above information of the real IPv6 packets from network flow analyzers, as well as from security ACLs and QoS settings. It is also rumored that botnets use IPv6-in-IPv4 tunnels as a control channel. In short, unless such tunnels are deliberately used in an enterprise network, they should be blocked. (Note: this applies only to enterprise networks; individual users may well be happy to connect their operating systems to the IPv6 Internet this way.)
The most basic question for network management is therefore whether all such tunnels can be blocked.
For 6to4 and ISATAP tunnels the answer is easy: an access control list (ACL) that blocks IP protocol 41 is enough, for example:
- access-list 100 deny 41 any any
- access-list 100 permit ip any any
(ACL number 100 is a placeholder; the final permit keeps all other traffic flowing, since an ACL ends with an implicit deny.)
Another tunnel type is Teredo, which relies on UDP encapsulation. The default UDP port used by Teredo is 3544, so a first attempt might be the following ACL:
- access-list 100 deny udp any any eq 3544
- access-list 100 deny udp any eq 3544 any
- access-list 100 permit ip any any
However, this ACL also blocks legitimate traffic that happens to use UDP port 3544, and a malicious user can simply move Teredo to a different UDP port. This is where the flexibility of Cisco Flexible Packet Matching (FPM) is useful: FPM can inspect any packet at a specified offset, but on most platforms this inspection is done in software, so it should only be deployed where that is acceptable. The trick for finding Teredo packets is to look inside every UDP packet for an IPv6 header whose source or destination address starts with the Teredo prefix 2001:0::/32. Note that the match is on /32, not /16: the prefix is 2001:0::/32, and the IPv6 version field of the encapsulated packet must be checked as well.
The complete FPM configuration is as follows (the protocol header definition files must be loaded first; their location, shown here as flash:, depends on the platform):
- load protocol flash:ip.phdf
- load protocol flash:udp.phdf
- class-map type stack match-all cm-ip-udp
  - match field IP protocol eq 17 next UDP
- class-map type access-control match-all cm-teredo1
  - match start udp payload-start offset 0 size 1 eq 0x60 mask 15
  - match start udp payload-start offset 8 size 4 eq 0x20010000
- class-map type access-control match-all cm-teredo2
  - match start udp payload-start offset 0 size 1 eq 0x60 mask 15
  - match start udp payload-start offset 24 size 4 eq 0x20010000
- policy-map type access-control pm-teredo
  - class cm-teredo1
    - drop
  - class cm-teredo2
    - drop
- policy-map type access-control pm-udp-teredo
  - class cm-ip-udp
    - service-policy pm-teredo
(cm-teredo1 matches the Teredo prefix in the IPv6 source address at offset 8 of the UDP payload, cm-teredo2 in the destination address at offset 24; the first match in each checks that the payload starts with an IPv6 version nibble of 6.)
The last step is to apply the service policy to the interface:
- interface GigabitEthernet1/36
  - service-policy type access-control in pm-udp-teredo
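To show what the protocol-41 ACL and the two FPM class-maps actually test, here is an added Python classifier that applies the same checks to raw IPv4 packets; it is not code from the original article or from Cisco. Every packet below is constructed inline from documentation addresses, checksums are left at zero because the classifier never validates them, and the names `classify`, `is_teredo_payload` and `report` are this example's own.

```python
"""Classify raw IPv4 packets by the IPv6-in-IPv4 tunnel they carry.

Mirrors the two checks from the article: IP protocol 41 (6to4 / ISATAP)
and the Teredo test of the FPM class-maps (UDP payload that starts with an
IPv6 header whose source or destination address lies in 2001:0::/32),
independent of which UDP port the tunnel uses.
"""
import ipaddress
import struct

# Teredo service prefix; the FPM class-maps compare its first 32 bits (0x20010000)
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def is_teredo_payload(payload: bytes) -> bool:
    """Same tests as cm-teredo1 / cm-teredo2 applied to one UDP payload."""
    if len(payload) < 40:           # shorter than a single IPv6 header
        return False
    if payload[0] >> 4 != 6:        # 'eq 0x60 mask 15': only the version nibble counts
        return False
    src = ipaddress.IPv6Address(payload[8:24])    # offset 8, 16 bytes
    dst = ipaddress.IPv6Address(payload[24:40])   # offset 24, 16 bytes
    return src in TEREDO_PREFIX or dst in TEREDO_PREFIX


def classify(packet: bytes) -> str:
    """Return '6in4', 'teredo', 'udp-other' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == 41:                 # what 'deny 41 any any' catches
        return "6in4"
    if proto != 17:
        return "other"
    udp_payload = packet[ihl + 8:]  # skip the IPv4 header and the 8-byte UDP header
    return "teredo" if is_teredo_payload(udp_payload) else "udp-other"


# --- constructed sample packets (not captured traffic) ---------------------

def build_ipv6(src: str, dst: str, payload: bytes = b"") -> bytes:
    # version 6, traffic class / flow label 0, next header 59 (none), hop limit 64
    return (struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.20").packed) + payload


SAMPLES = {
    # Teredo client -> relay on the default port: cm-teredo1 (source address)
    "teredo-default-port": build_ipv4(17, build_udp(3544, 3544,
        build_ipv6("2001:0:4136:e378::1", "2001:db8::1"))),
    # the same tunnel moved to another port, reply direction: cm-teredo2 (destination)
    "teredo-moved-port": build_ipv4(17, build_udp(40001, 40002,
        build_ipv6("2001:db8::1", "2001:0:4136:e378::1"))),
    # 6to4: IPv6 carried directly as IP protocol 41
    "6to4-proto41": build_ipv4(41, build_ipv6("2002:c000:20a::1", "2001:db8::2")),
    # unrelated UDP that happens to use port 3544: the port ACL would drop it, FPM does not
    "dns-on-3544": build_ipv4(17, build_udp(3544, 53, b"\x12\x34\x01\x00\x00\x01")),
    # an IPv6 header over UDP whose addresses are outside 2001:0::/32
    "native-v6-over-udp": build_ipv4(17, build_udp(5000, 5000,
        build_ipv6("2001:db8::1", "2001:db8::2"))),
}


def report(samples=SAMPLES) -> dict:
    """Classify every sample; 'teredo' and '6in4' are what the policy drops."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:22} -> {verdict}")
```

The `dns-on-3544` sample illustrates the article's objection to the port-based ACL: it is dropped by that ACL but passes the FPM checks, while `teredo-moved-port` is missed by the ACL but caught by FPM. One caveat the FPM match shares with this code: Teredo packets that carry an authentication or origin-indication header in front of the IPv6 header (RFC 4380) do not start with the version nibble at offset 0 and would not match, so the policy catches ordinary data packets rather than every Teredo exchange.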
Finally, note that another way to block all tunnels is to configure every host on the network to disable them; this, of course, is only practical in an enterprise network. For example, on a Windows Vista machine you can run the following commands from an elevated command prompt:
- netsh interface 6to4 set state state=disabled undoonstop=disabled
- netsh interface isatap set state state=disabled
- netsh interface teredo set state type=disabled