1
00:00:00,420 --> 00:00:07,770
One protocol that you want to be especially careful with is ICMPv6. Remember in IP version 4 we use

2
00:00:07,770 --> 00:00:11,110
ARP to determine the MAC address of a neighbor.

3
00:00:11,130 --> 00:00:14,680
ARP is no longer used in IP version 6.

4
00:00:15,000 --> 00:00:16,700
Neighbor Discovery Protocol.

5
00:00:16,850 --> 00:00:20,390
NDP is part of ICMP version 6.

6
00:00:20,460 --> 00:00:29,850
So if you have a blanket deny of IP version 6 inadvertently it could affect the communication of devices

7
00:00:29,850 --> 00:00:36,110
in your IP version 6 network. ICMP is also used for path MTU discovery.

8
00:00:36,150 --> 00:00:39,270
So don't just block ICMP version 6.

9
00:00:39,510 --> 00:00:43,470
Be careful blocking that protocol in IP version 4.

10
00:00:43,710 --> 00:00:50,730
In some cases you don't want to block ICMP, but you can be a little bit more lax blocking ICMP in IP

11
00:00:50,730 --> 00:00:54,560
version 4 versus IP version 6.

12
00:00:54,600 --> 00:01:04,800
Be careful again, as some protocols required for discovery and basic IP version 6 functionality require

13
00:01:04,980 --> 00:01:11,830
ICMP version 6. IP version 6 access lists are once again very similar to IP version 4.

14
00:01:12,150 --> 00:01:18,450
You need to be careful again with protocols that you use in IP version 4, such as broadcasts and

15
00:01:18,480 --> 00:01:21,840
ARP. IP version 6 doesn't use broadcasts.

16
00:01:21,840 --> 00:01:23,600
It uses multicasts.

17
00:01:23,700 --> 00:01:30,900
So to discover neighbors we use Neighbor Discovery Protocol and multicast rather than using ARP and

18
00:01:30,900 --> 00:01:39,330
broadcasts. IP version 6 also includes new fields such as a flow label and extension headers, which are different

19
00:01:39,330 --> 00:01:42,900
to IP version 4. IP version 6 access lists.

20
00:01:42,950 --> 00:01:51,090
They allow you to match on traffic class, flow labels, the IPv6 next header field, source and destination

21
00:01:51,090 --> 00:02:00,180
128-bit IPv6 addresses, upper-layer headers, Layer 4 protocol such as TCP and UDP and the relevant port

22
00:02:00,180 --> 00:02:03,430
numbers, as well as flags such as SYN and ACK.

23
00:02:03,600 --> 00:02:11,040
We also have ICMP version 6 types and codes that you could match on, as well as IP version 6 extension

24
00:02:11,040 --> 00:02:13,200
header values and types.

25
00:02:13,200 --> 00:02:14,340
So be careful.

26
00:02:14,460 --> 00:02:22,650
There are differences between IP version 6 access lists and IP version 4 access lists. There are also limitations

27
00:02:23,040 --> 00:02:29,420
with IP version 6 access lists. IP version 6 tends to have more tunnels than IP version 4.

28
00:02:29,640 --> 00:02:37,110
So as an example you may have IP version 6 packets transported over an IP version 4 network using GRE

29
00:02:37,360 --> 00:02:38,400
tunnels.

30
00:02:38,610 --> 00:02:45,600
So be careful: if you try to block IP version 6 packets using an IP version 6 access list and that's

31
00:02:45,600 --> 00:02:53,880
tunneled within an IP version 4 GRE tunnel, your access list won't work. In IP version 4 access lists

32
00:02:54,350 --> 00:02:57,990
wildcard masks don't have to be contiguous.

33
00:02:57,990 --> 00:03:00,660
In other words it doesn't have to look like this.

34
00:03:00,660 --> 00:03:09,330
You could match all odd IP addresses or even IP addresses by manipulating the inverse mask of an IP

35
00:03:09,330 --> 00:03:10,970
version 4 access list.

36
00:03:11,430 --> 00:03:19,500
However in IP version 6 you create IP version 6 access lists using a prefix length, a number that indicates

37
00:03:19,500 --> 00:03:22,780
the number of contiguous prefix mask bits.

38
00:03:22,790 --> 00:03:30,060
But that's very different to IP version 4. In IP version 6 access lists the prefix length number

39
00:03:30,060 --> 00:03:38,530
represents the number of contiguous bits that will be matched for that IP version 6 address prefix.

40
00:03:38,610 --> 00:03:45,350
So we use a slash notation where the number after the slash indicates the number of bits of the prefix

41
00:03:45,360 --> 00:03:46,440
length.

42
00:03:46,620 --> 00:03:54,390
That means therefore that you can only match on an IP version 6 address prefix and cannot use discontiguous

43
00:03:54,390 --> 00:03:57,720
masks with IP version 6 access lists.

44
00:03:57,720 --> 00:04:04,140
In addition it's very common to have prefix lengths that are evenly divisible by four.

45
00:04:04,470 --> 00:04:11,850
So you'd use things such as /48, /52, /56, /64 as an example.

46
00:04:12,330 --> 00:04:20,160
And it's not a standard practice to have a prefix length that doesn't fall on a hex digit boundary.

47
00:04:20,220 --> 00:04:27,060
That's very different again to IP version 4. With IP version 4 addresses you may have a /20 to a

48
00:04:27,060 --> 00:04:29,330
/23 or /24.

49
00:04:29,340 --> 00:04:32,790
But then a /25 or /26.

50
00:04:32,820 --> 00:04:40,520
So unlike IP version 4, where you don't just use /8, /16 or /24 or /32.

51
00:04:40,620 --> 00:04:44,110
That tends to be the practice in IP version 6.

52
00:04:44,190 --> 00:04:50,370
So as an example, if you match /64 you are matching on a hex digit boundary.

53
00:04:50,370 --> 00:04:58,620
Remember hex digits are four binary bits in length, so we use /48, /52, /56, /60,

54
00:04:58,630 --> 00:05:02,760
/64 rather than something like /62.

55
00:05:03,080 --> 00:05:09,000
It's important to remember that excessive logging can negatively impact router performance.

56
00:05:09,020 --> 00:05:15,200
The router CPU is involved when a log entry is created, so therefore be careful using the logging

57
00:05:15,200 --> 00:05:24,260
keyword. Just like with IP version 4, IP version 6 access lists don't deny packets originating from a

58
00:05:24,260 --> 00:05:25,080
router.

59
00:05:25,460 --> 00:05:31,700
So an outbound access list on a router interface will not block router-generated packets sent by that router.
