IPv6 / LINE YouTube TCP/IP TCP (Transmission Control Protocol) IP (Internet Protocol) (node) (address) IPv4 168.95.1.1 IPv4 1981 RFC 791 --IP IPv4 32 2 32 42 IP (Internet Service Provider ISP) IP IP IPv4 IP (Network Address Translation NAT) IP IP IPv4 IPv6 128 www.fisc.com.tw 31
IPv6 2 128 IPv6 70 4.86 10 28 IPv6 IP IPv4 IPv6 IPv6 IPv6 IPv6 IPv6 IPv6 IPv6 1 Header 40 IPv6 IPv4 Header Length Service Type Identification Flags Fragment Offset Header Checksum 1 IPv4 IPv6 IPv6 IPv6 128 64 (Prefix) 64 16 8 4 2001:0db8:9095:02e5:0216:cbff:feb2:7474 0 :0: :: IPv6 Unicast ( ) Anycast ( ) Multicast ( ) IPv4 Broadcast ( ) Unicast 32 / No.80 / 2014.10
IPv6 Global IPv4 (Public Address) Link-Local Layer2 fe80::/10 fe80 64 MAC (Media Access Control) EUI-64 MAC Link-Local Unique-Local fc00::/7 Link-Local Unique-Local IPv4 (Private Address) Link-Local Multicast FF00::/8 Anycast IPv6 IPv6 DoS (Denial-of-service) ND (Neighbor Discovery) ICMP (Internet Control Message Protocol) MTU (Maximum Transmission Unit) IPSec (Internet Protocol Security) ( ) DoS IPv4 /24 255 IPv6 /64 IP 2 64 IP ( 2 ) CPU 2 DoS
IPv6 1. 2. /127 3. Access Control List ( ) ND IPv6 ND IPv4 ARP (Address Resolution Protocol) ND IP IP Layer 2 ( 3 4 ) ND ICMPv6 6 ICMP type
Router solicitation (ICMPv6 type 133)
Router advertisement (ICMPv6 type 134)
Neighbor solicitation (ICMPv6 type 135)
Neighbor advertisement (ICMPv6 type 136)
Redirect (ICMPv6 type 137)
Router Renumbering (ICMPv6 type 138)
3 Cisco 4 Cisco
IPv6 ND IPv4 ARP (Redirect) (Denial-of-Service) (Flooding Denial-of-Service) (Spoofing) IP ND IP ND RFC 3971 RFC 6494 Secure Neighbor Discovery (SeND) (option) (Cryptographically Generated Addresses CGA) RSA (RSA signature) nonce (Timestamp and Nonce) SeND CGA IPv6 ND RSA Nonce ( Windows Android iOS ) SeND ( ) ICMP ICMP TCP/IP IPv6 ICMPv6 IPv4 ICMP ICMP PING (ICMP Echo Request Echo Reply) IPv6 ND ICMPv6 ICMPv6 ICMPv6 RFC 4980 IP Any 5 6 Echo Request Echo Reply 5 IPv6 Cisco
IPv6 6 IPv6 Cisco ( ) MTU MTU IPv4 MTU 576 1500 IPv6 MTU 1200 1500 IPv4 IPv6 MTU IPv4 ( ) IPv6 ICMPv6 PMD (Path MTU Discovery) MTU 7 7 PMD Cisco PMD MTU IPv6 1200 PMD ( ) ICMPv6 Type 2 Code 0 (Packet Too Big)
( ) IPSec IPSec IP IPSec IKE (Internet Key Exchange) (Security Associations) IPSec Key IPSec AH (Authentication Header) ESP (Encapsulating Security Payload) AH ESP IPv4 IPSec IPv6 IPSec 2011 RFC 6434 IPsec SHOULD be supported by all IPv6 nodes IPSec 1. IPSec n n 2 CPU ( ) 2. IPSec key IKE key key (PKI) IPSec IPSec IPv6 IPSec IPv6 IP IPv4 IPv6 IPv6 IPv6 IPv6 IPv6 IPv6 IPv4 IPv6 IPv4 IPv4 2025 ( ) IPv6 IPv6 IPv6
IPv6 ( ) PCI ( ) IPv6 IPv6 ( Windows 2012) IPv6 IPv6 Link-Local IPv6 ( ) IPv6 IPv6 2015 PCI DSS (Payment Card Industry Data Security Standard ) 3.0 Requirement 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT)... The controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks. PCI DSS IP DMZ (Demilitarized Zone) IPv6 ISP Global PCI Cisco ACL BGP PCI DSS ( ) IP ( ) IPv6 IP IP /118 ( /22 IPv4 ) IPv6
IPv4 IPv6 IPv4 IPv6 IPv6