and Mitigations
BRKSEC-2003
BRSEC-2003
14343_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
For Reference Slides
Shared Issues
Reconnaissance in IPv6
Subnet Size Difference
Default subnets in IPv6 have 2^64 addresses
10 Mpps = More than 50 000 years
Reconnaissance in IPv6?
Easy with Multicast!
For example, all routers (FF05::2) and all DHCP servers (FF05::1:3)
No need for reconnaissance anymore
2001:0410::60
2001:0410::70
2001 Interface ID
Microsoft Windows
Deploy a Group Policy Object (GPO)
or
Alternatively
Use DHCP (see later) to a specific pool
Ingress filtering allowing only this pool
Inter-Networking Device
with uRPF Enabled
IPv6
Intranet X IPv6
Intranet/Internet
IPv6 Unallocated
Source Address
No Route to SrcAddr => Drop
L3 Spoofing in IPv6
uRPF Remains the Primary Tool for Protecting
Against L3 Spoofing
Significant changes
More relied upon
Generic ICMPv4

Action  Src  Dst  ICMPv4 Type  ICMPv4 Code  Name
Permit  Any  A    3            0            Dst. Unreachable—Net Unreachable
Permit  Any  A    3            4            Dst. Unreachable—Frag. Needed
Permit  Any  A    11           0            Time Exceeded—TTL Exceeded
Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  A    3            0            Time Exceeded—TTL Exceeded

*RFC 4890
Potential Additional ICMPv6 Border Firewall Policy*
Diagram labels: Internal Server A, Firewall B, Internet

Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  B    133/134      0            Neighbor Solicitation and Advertisement

*RFC 4890
IPv6 Basic Header (Next Header = 44), followed by the Fragment Header and the Fragment Data
Fragment Header fields: Next Header, Reserved, Fragment Offset, Identification
IPv6 Fragmentation
Issues for Non-Stateful Filtering Devices
Procedure
1. Parse the next headers until the fragment header
   Extract the flags and offset
2. Parse further NHs until the upper-layer protocol
3. Check if enough of the upper-layer protocol header is within the first fragment
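The three steps above, written out as an added example (not code from the original slides). The function name, the verdict strings, the minimum header sizes in MIN_L4 and the sample packets are assumptions made for this illustration; AH and ESP are not handled.

```python
import struct

# Extension headers a filter has to walk past (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
# Assumed policy: bytes of upper-layer header needed to match ports/flags
# or ICMPv6 type/code.
MIN_L4 = {TCP: 20, UDP: 8, ICMPV6: 4}

def check_fragment(pkt: bytes) -> str:
    """Apply the three-step procedure to one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "malformed"
    nh, pos = pkt[6], 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if len(pkt) < pos + 8:
            return "malformed"
        if nh == FRAGMENT:
            # Step 1: fixed 8-byte header; 13-bit offset, 2 reserved bits, M flag.
            nh, _, off_flags, _ = struct.unpack_from("!BBHI", pkt, pos)
            if off_flags >> 3:
                return "non-first-fragment"  # carries no upper-layer header
            pos += 8
        else:
            # Step 2: generic extension header, length in 8-byte units minus one.
            nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
    if nh not in MIN_L4:
        return "unsupported-protocol"
    # Step 3: is enough of the upper-layer header inside this packet?
    return "ok" if len(pkt) - pos >= MIN_L4[nh] else "l4-header-incomplete"

# --- constructed sample packets (documentation addresses, not captures) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload

def frag_hdr(next_header: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PAD_DEST_OPTS = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])  # next=TCP, len=0, PadN

FIRST_OK = ipv6(FRAGMENT, frag_hdr(TCP, 0, 1) + TCP_SYN)
# First fragment whose TCP header is cut short after the ports and sequence number.
FIRST_SHORT = ipv6(FRAGMENT,
                   frag_hdr(DEST_OPTS, 0, 1) + PAD_DEST_OPTS + TCP_SYN[:8])
LATER = ipv6(FRAGMENT, frag_hdr(TCP, 3, 0) + bytes(24))

if __name__ == "__main__":
    for name in ("FIRST_OK", "FIRST_SHORT", "LATER"):
        print(name, check_fragment(globals()[name]))
```

A stateless device can only apply a layer-4 rule to packets that come back "ok"; what it does with the other verdicts is a policy decision.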
IPv6 Basic Header (Next Header = 43), followed by the Routing Header
Routing Header fields: Next Header, Ext Hdr Length, RH Type, Segments Left
[Figure: Host1, Firewall, Host2 and an IPv6 Network. Packet fields shown: src=host1; dst=web and dst=host2; rtheader=host2 and rtheader=web; segments left=1 and segments left=0; payload proto=tcp, dport=80]
IPv6 Basic Header (Next Header = 43), followed by the Routing Header
Routing Header fields: Next Header, Ext Hdr Length, RH Type = 2, Segments Left = 1
At the edge
With an ACL blocking routing header
1.2.3.0/24
.1
1. RS:
   Src = ::
   Dst = All-Routers multicast Address
   ICMP Type = 133
   Data = Query: please send RA
2. RA:
   Src = Router Link-local Address
   Dst = All-nodes multicast address
   ICMP Type = 134
   Data = options, prefix, lifetime, autoconfig flag
NS:
   Src = A
   Dst = Solicited-node multicast of B
   ICMP type = 135
   Data = link-layer address of A
   Query: what is your link address?
NA:
   Src = B
   Dst = A
   ICMP type = 136
   Data = link-layer address of B
A and B Can Now Exchange Packets on This Link
Attack Tool: Parasite6
   Answer to All NS, Claiming to Be All Systems in the LAN...
Attack Tool:
dos-new-ipv6
Packet from A:
   Src: A
   Dst IP: 2001:DB8:C18:2::1
   Dst Ethernet: R2 (Default Router)
Redirect:
   Src IP: R2 (Default Router)
   Dst IP: A
   Data: Good Router = R1
Diagram labels: R1, 2001:DB8:C18:2::/64
Redirect attacks
A malicious node redirects packets away from a legitimate
receiver to another node on the link
Denial-of-service attacks
A malicious node prevents communication between the node
under attack and other nodes
Certification paths
Anchored on trusted parties, expected to certify the authority
of the routers on some prefixes
Subnet Prefix | Interface Identifier
SEND Messages
Crypto. Generated Address
DHCPv6 Threats
Quick Reminder
IPv4 Broadcast Amplification: Smurf
160.154.5.0
ICMP REQ D=160.154.5.255 S=172.18.1.2
Belgian Schtroumpf
OSPF or EIGRP Authentication
interface Ethernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
interface Ethernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 MYCHAIN
Dual stack
Consider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)
Tunnels
Bypass firewalls (protocol 41 or UDP)
Your network:
Does not run IPv6
Your assumption:
I’m safe
Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
[Figure: Server A and Server B, each on an IPv6 Network, joined by an IPv6 in IPv4 Tunnel across the Public IPv4 Internet, with a Tunnel Termination at each end]
ISATAP Router
Direct
Communication
Teredo Navalis
A shipworm drilling holes in boat hulls
Teredo Microsoftis
IPv6 in IPv4 punching holes
in NAT devices
Teredo Tunnels (1 of 3)
Without Teredo: Controls Are in Place
Without Teredo Tunnels
All outbound traffic inspected: e.g., P2P is blocked
All inbound traffic blocked by firewall
IPv6 Internet
IPv4 Internet
Teredo Relay
IPv4 Firewall
IPv4 Intranet
Teredo Tunnels (3 of 3)
No More Outbound Control
Once Teredo is configured
Inbound connections are allowed
IPv4 firewall unable to control
IPv6 hackers can penetrate
Host security needs IPv6 support now
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx
0111111010101010000111000100111110010001000100100010001001
interface GigabitEthernet1/36
service-policy type access-control in pm-udp-teredo
[Figure: Dual-Stack IPv4-IPv6 PE Routers (PE1, PE2, PE3, PE4) around an IPv4 only MPLS core; VRFs labelled "v4 and v6 VPN" and "v6 VPN"; site prefixes shown: 10.1.1.0/24, 10.1.2.0/24, 2001:db8:1:1:/64, 2001:db8:1:2:/64]
6VPE Security
Identical to IPv4 MPLS-VPN, see RFC 4381
MPLS VPNs can be secured as well as ATM/FR VPNs
Security depends on correct operation and implementation
QoS prevents flooding attacks from one VPN to another one
PE routers must be secured: AAA, iACL, CoPP …
MPLS backbones can be more secure than “normal” IP backbones
Core not accessible from outside
Separate control and data plane
Key: PE security
Advantage: Only PE-CE interfaces accessible from outside
Makes security easier than in “normal” networks
Candidate Best Practices
Enforcing a Security Policy
2001:db8:2c80:1000::1
Others
interface Serial 0
 ipv6 traffic-filter MY_ACL in
Prefix: 2001:db8:2c80:1000::/64
line vty 0 4
ipv6 access-class VTY in
Control Plane Policing for IPv6
policy-map CoPP
 class ipv6
  police rate 100 pps
   conform-action transmit
   exceed-action drop
control-plane
 service-policy input CoPP
2001:db8:c000:1052::/64
Inside
..::8 ..::7
Outside
2001:db8:c000:1051::37/64
ASA 7.x: ACL
interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
To Any IPv6
Addresses
No traffic sniffing
No traffic injection
IPv6 Network
IPsec
IPv6 in IPv4 Tunnel
IPv4
Hub
interface Tunnel0
 ! Optional IPv4 DMVPN configuration
 ipv6 address 2001:db8:100::1/64
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF
!
interface Ethernet0/0
 ipv6 address 2001:db8:0::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke
interface Tunnel0
 ! Optional IPv4 DMVPN configuration
 ipv6 address 2001:db8:100::11/64
 ipv6 eigrp 1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:db8:100::1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown
interface Tunnel0
no ip address
ipv6 address 2001:DB8::2811/64
ipv6 enable
tunnel source Serial0/0/1
tunnel destination 2001:DB8:7::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6
[Figure: IPv6 PC connected over IPv4 (labels: IPsec, ISATAP) to an ISATAP Tunnel Server on a Dual Stack Router in front of the IPv6 Network]
IPv4 and IPv6 Transport in SSL
[Figure: IPv6 PC with AnyConnect connected over IPv4 to an ASA 8.0 SSL VPN Concentrator, Dual Stack]
Related Sessions
BRKSEC-4003: Advanced IPv6 Security: Secure Neighbor Discovery
BRKRST-2301: Enterprise IPv6 deployment
BRKSEC-2105: Securing IP Network Traffic Planes
BRKSEC-2002: Understanding and Preventing Layer 2 Attacks
BRKSEC-4010: Advanced Concepts of Dynamic Multipoint VPN
Reference Slides
2001:db8:c18::1
Correspondent Node
Home Agent
Mobile Node
Optimized Routing
Not Possible in IPv4
Mobile Node
2001:2:a010::5
Mobility Means:
Mobile devices are fully supported while moving
Built-in on IPv6
Any node can use it
Optimized routing means performance for end-users
Filtering challenges
IPv6 for Remote Devices
Diagram labels: Dual-Stack Router (F0/0, F0/1), Corporate Network

Dual-stack router configuration
ipv6 unicast-routing
!
interface FastEthernet0/0
 description TO VPN 3000
 ip address 20.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description TO Campus Network
 ipv6 address 2001:db8:C003:111C::2/64
!
interface Tunnel0
 no ip address
 ipv6 address 2001:db8:C003:1101::/64 eui-64
 no ipv6 nd suppress-ra
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip isatap

ISATAP Address Format:
 64-bit Unicast Prefix | 0000:5EFE: (32-bit) | IPv4 Addr. (32-bit)
 The last two fields form the Interface ID
 2001:db8:c003:1101:0:5efe:20.1.1.1
10.1.99.102—VPN Address
2001:db8:c003:1101:0:5efe:10.1.99.102—IPv6 Address
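The ISATAP address format above lets a defender map an IPv6 source seen in a log back to the IPv4 address of the tunnel endpoint. The following is an added example, not part of the original slides; the function names and the log lines are constructed for illustration, and the 0200:5EFE variant it also accepts comes from RFC 5214, not from the slide.

```python
import ipaddress

ISATAP_MARK = 0x00005EFE  # 0000:5EFE, the 32 bits in front of the IPv4 address
U_BIT = 0x02000000        # RFC 5214: 0200:5EFE when the IPv4 address is globally unique

def make_isatap(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build 64-bit prefix + 0000:5EFE + IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP uses a 64-bit unicast prefix")
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_ipv4(addr: str):
    """Return the IPv4 address inside an ISATAP address, or None."""
    try:
        value = int(ipaddress.IPv6Address(addr))
    except ValueError:
        return None
    marker = (value >> 32) & 0xFFFFFFFF
    if marker & ~U_BIT != ISATAP_MARK:
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)

def isatap_hosts(log_lines):
    """Map every ISATAP address found in the log to its IPv4 tunnel endpoint."""
    found = {}
    for line in log_lines:
        for token in line.split():
            candidate = token.split("=")[-1]  # accepts both "src=ADDR" and "ADDR"
            v4 = embedded_ipv4(candidate)
            if v4 is not None:
                found[candidate] = str(v4)
    return found

# Constructed log lines (hypothetical format), using documentation prefixes.
LOG = [
    "permit tcp src=2001:db8:c003:1101:0:5efe:a01:6366 dst=2001:db8:c003:111c::2 dport=443",
    "permit tcp src=2001:db8:c003:111c::50 dst=2001:db8:c003:111c::2 dport=22",
    "deny udp src=2001:db8:c003:1101:200:5efe:c633:6407 dst=2001:db8:c003:111c::2 dport=53",
]

if __name__ == "__main__":
    print(make_isatap("2001:db8:c003:1101::/64", "20.1.1.1"))
    for v6, v4 in isatap_hosts(LOG).items():
        print(v6, "->", v4)
```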
Secure Site-to-Site IPv6 Connectivity
IPv6 Tunnel Is Between the Two Static IPv4 Loopbacks
[Figure: Spoke and Hub; addresses shown: 2001:DB8:C000:1053::4/128, 2001:DB8:C000:1051::/64]
Spoke Configuration (1 of 2)
Callouts: IPv6 Tunnels; Static IPv4 Addresses
interface Loopback0
 ip address 192.168.52.4 255.255.255.255
interface Tunnel4
 no ip address
 ipv6 unnumbered FastEthernet0/0
 ipv6 enable
 tunnel source Loopback0
 tunnel destination 192.168.52.7
 tunnel mode ipv6ip
!
ip route 192.168.52.0 255.255.255.0 Serial0/0
IPv6 IPsec
Hub Configuration (1 of 2)
Callouts: IPv4 Tunnels; Static IPv4 Addresses
interface Loopback0
 ip address 192.168.52.7 255.255.255.255
!
interface Tunnel4
 no ip address
 ipv6 unnumbered FastEthernet0/1
 ipv6 enable
 tunnel source Loopback0
 tunnel destination 192.168.52.4
 tunnel mode ipv6ip
IPv4 IPsec