Sunday, November 20, 2011

Difference Between RIPv1 and RIPv2


| RIP v1 | RIP v2 |
|---|---|
| Distance-Vector | Distance-Vector |
| Maximum hop count = 15 | Maximum hop count = 15 |
| Classful | Classless |
| Broadcast based | Uses multicast 224.0.0.9 |
| No support for VLSM | Supports VLSM |
| No authentication | Allows MD5 authentication |
| No support for discontiguous networks | Supports discontiguous networks |

Saturday, November 19, 2011

RIP v2


RIPv2 is a classless, distance vector routing protocol as defined in RFC 1723. Because RIPv2 is a classless routing protocol, it includes the subnet mask with the network addresses in the routing updates. As with other classless routing protocols, RIPv2 supports CIDR supernets, VLSM and discontiguous networks.

Due to the deficiencies of RIPv1, RIP version 2 (RIPv2) was developed sometime in 1993. It’s equipped with the ability to support subnet information and supports Classless Inter-Domain Routing (CIDR). A router that receives routing updates from multiple routers advertising the same classful summary route cannot determine which subnets belong to which summary route. This inability leads to unexpected results including misrouted packets.

However, with RIPv2 automatic summarization can be disabled with the no auto-summary command. Automatic summarization must be disabled to support discontiguous networks.

RIPv2 still maintains the hop count limit of 15 and incorporates a password authentication mechanism. However, the passwords are transmitted in clear-text format, which was found insufficient for secure communications on the Internet.
The default version of RIP is version 1. The version 2 command is used to change RIPv1 to RIPv2.
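The message layout behind these points, as an added example that is not part of the original post: a Python decoder for a RIP update that reports the subnet mask and next hop carried with each route and whether the update is unauthenticated or carries a clear-text password. The sample message and the password `lab-key` are constructed; authentication type 2 is the simple password and type 3 is keyed MD5 (RFC 2082).

```python
import ipaddress
import struct

ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
AUTH_AFI = 0xFFFF                    # address family value that marks an auth entry
AUTH_TYPES = {2: "simple password (clear text)", 3: "keyed MD5"}
UNREACHABLE = 16                     # hop count 16 means unreachable


def parse_ripv2(payload: bytes) -> dict:
    """Decode a RIP message (the UDP payload) into header, auth and routes."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY.size:
        raise ValueError("truncated or malformed RIP message")
    command, version = struct.unpack_from("!BB", payload)
    msg = {"command": command, "version": version, "auth": "none",
           "password": None, "routes": []}
    for off in range(4, len(payload), ENTRY.size):
        afi, tag, addr, mask, nhop, metric = ENTRY.unpack_from(payload, off)
        if afi == AUTH_AFI:
            if off == 4:  # only the first entry describes the scheme
                msg["auth"] = AUTH_TYPES.get(tag, f"unknown type {tag}")
                if tag == 2:  # 16-byte, zero-padded password field
                    raw = payload[off + 4:off + 20]
                    msg["password"] = raw.rstrip(b"\x00").decode("ascii", "replace")
            continue
        net = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}",
            strict=False)
        msg["routes"].append({"prefix": str(net),
                              "next_hop": str(ipaddress.IPv4Address(nhop)),
                              "metric": metric,
                              "reachable": metric < UNREACHABLE})
    return msg


def findings(msg: dict) -> list:
    """Security observations about one decoded update."""
    if msg["version"] != 2:
        return ["not RIPv2: no mask, next hop or authentication in the update"]
    if msg["auth"] == "none":
        return ["update is unauthenticated"]
    if msg["password"] is not None:
        return ["password sent in clear text"]
    return []


def route(prefix, mask, metric, next_hop="0.0.0.0"):
    """Build one 20-byte route entry (address family 2 = IP)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    return ENTRY.pack(2, 0, pack(prefix), pack(mask), pack(next_hop), metric)


# Constructed sample: a version 2 response with a clear-text password entry
SAMPLE = (struct.pack("!BBH", 2, 2, 0)
          + struct.pack("!HH16s", AUTH_AFI, 2, b"lab-key")
          + route("172.16.1.0", "255.255.255.0", 1)
          + route("10.0.0.0", "255.0.0.0", 16))

if __name__ == "__main__":
    parsed = parse_ripv2(SAMPLE)
    print(parsed["routes"], findings(parsed))
```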

Use the show ip protocols command to verify that RIP is now sending and receiving version 2 updates and whether or not automatic summarization is in effect.

RIPv2 is actually an enhancement of RIPv1's features and extensions rather than an entirely new protocol. Some of these enhanced features include:

• Next-hop addresses included in the routing updates
• Use of multicast addresses in sending updates
• Authentication option available

Like RIPv1, RIPv2 is a distance vector routing protocol. Both versions of RIP share the following features and limitations:

• Use of holddown and other timers to help prevent routing loops.
• Use of split horizon or split horizon with poison reverse to also help prevent routing loops.
• Use of triggered updates when there is a change in the topology for faster convergence.
• Maximum hop count limit of 15 hops, with the hop count of 16 signifying an unreachable network.

Saturday, August 27, 2011

SSL Vendor List

What is a Smurf attack & how to prevent it?

A Smurf attack generates an uncontrolled amount of traffic in the victim's network.

The process of a Smurf attack is as follows:

1. A huge number of ICMP requests is sent to the broadcast address of the victim network (the directed broadcast address).

2. The source IP of the attacker must be spoofed.

3. The ICMP requests reach the gateway of the victim network.

4. Each host on the victim network responds to the ICMP request (amplifying the ping requests).

5. This creates an uncontrollable amount of traffic from the victim's network.

6. It consumes the useful bandwidth, and the server will be down in a few minutes.



How to prevent a Smurf attack?


1. Configure individual hosts and routers not to respond to ping requests or broadcasts.

2. Configure routers not to forward packets directed to broadcast addresses.
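A detection-side view of the pattern above, as an added example that is not part of the original post: a Python check over ICMP records that flags echo requests addressed to a local directed broadcast address and many local hosts sending echo replies to one address. The one-line log format, the threshold and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LINE = re.compile(r"ICMP type=(\d+) src=(\S+) dst=(\S+)")
ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample records in a made-up one-line format
SAMPLE_LOG = """\
ICMP type=8 src=198.51.100.7 dst=192.0.2.255
ICMP type=8 src=198.51.100.7 dst=192.0.2.255
ICMP type=0 src=192.0.2.10 dst=198.51.100.7
ICMP type=0 src=192.0.2.11 dst=198.51.100.7
ICMP type=0 src=192.0.2.12 dst=198.51.100.7
ICMP type=8 src=192.0.2.10 dst=192.0.2.1
ICMP type=0 src=192.0.2.1 dst=192.0.2.10
"""


def detect_smurf(log_text, local_subnets, min_repliers=3):
    """Return alerts for broadcast pings and for reply floods from local hosts."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    broadcasts = {n.broadcast_address: n for n in nets}
    broadcast_pings = Counter()   # (claimed source, subnet) -> request count
    repliers = defaultdict(set)   # reply destination -> local hosts replying
    for m in LINE.finditer(log_text):
        icmp_type = int(m.group(1))
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(3))
        if icmp_type == ECHO_REQUEST and dst in broadcasts:
            broadcast_pings[(str(src), str(broadcasts[dst]))] += 1
        elif icmp_type == ECHO_REPLY and any(src in n for n in nets):
            repliers[str(dst)].add(str(src))
    alerts = [{"kind": "echo-request-to-directed-broadcast",
               "claimed_source": s, "subnet": n, "count": c}
              for (s, n), c in sorted(broadcast_pings.items())]
    alerts += [{"kind": "many-local-hosts-replying-to-one-address",
                "target": t, "repliers": len(r)}
               for t, r in sorted(repliers.items()) if len(r) >= min_repliers]
    return alerts


if __name__ == "__main__":
    for alert in detect_smurf(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(alert)
```

The claimed source in the first alert is the spoofed address, so it identifies the address receiving the replies rather than the sender.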




Denial of Service (DoS) attacks


Denial of Service (DoS) attacks are intended to shut down servers for a period of time. A DoS attack is the main part of an attack meant to make a site nonfunctional for a time. DoS attacks are usually carried out by the following methods:

1. Sending an unlimited amount of packets to the server.

2. Executing malware

3. Teardrop attack

4. Application level flood

Sending unlimited packets with the ping command is also known as an ICMP flood. This method can be done in the following way.


A simple DoS attack code would be:

ping {ip} -t -l 20000

This command can be typed in a command prompt window. It sends 20000 bytes of data to the IP in a single packet. The -t option pings the specified host until stopped, and -l specifies the buffer size.

A Teardrop attack involves sending mangled Internet Protocol fragments with overlapping, over-sized payloads to the target machine.

In a peer-to-peer attack, thousands of computers try to access a single computer at the same time. This breaks all the connections from the server, and eventually the target machine fails.

An application level flood results from the mis-programming of an application installed on the server, so that it consumes a major portion of the server's computing power and memory.

A DoS attack with a ping flood will work only if the following criteria are satisfied:

1. The attacker has higher bandwidth than the victim.

2. The victim responds to the ping requests.



Thursday, April 7, 2011

IPV4 vs IPV6



Address Space
IPv4: 4 Billion Addresses
IPv6: 2^128
79 Octillion times the IPv4 address space

Configuration
IPv4: Manual or use DHCP
IPv6: Universal Plug and Play (UPnP) with or without DHCP
Lower Operation Expenses and reduce error

Broadcast / Multicast
IPv4: Uses both
IPv6: No broadcast and has different forms of multicast
Better bandwidth efficiency

Anycast support
IPv4: Not part of the original protocol
IPv6: Explicit support of anycast
Allows new applications in mobility, data center

Network Configuration
IPv4: Mostly manual and labor intensive
IPv6: Facilitate the re-numbering of hosts and routers
Lower operation expenses and facilitate migration

QoS support
IPv4: ToS using DIFFServ
IPv6: Flow classes and flow labels
More Granular control of QoS

Security
IPv4: Uses IPsec for Data packet protection
IPv6: IPsec becomes the key technology to protect data and control packets
Unified framework for security and more secure computing environment

Mobility
IPv4: Uses Mobile IPv4
IPv6: Mobile IPv6 provides fast handover, better router optimization and hierarchical mobility
Better efficiency and scalability; Work with latest 3G mobile technologies and beyond.

Google Over IPV6

   At Google, we believe that IPv6 is essential to the continued health and openness of the Internet – and that by allowing all devices on a network to talk to each other directly, IPv6 will enable innovation and allow the Internet's continued growth. Typical Google users do not need to do anything to prepare for IPv6, but we are working with network operators to support the transition.
In March 2008, we began offering Google search over IPv6 on IPv6-only websites like ipv6.google.com (IPv6 connection required), but other Google products were not generally available over IPv6. 

That's why we created Google over IPv6. If you operate a network that supports IPv6, we may be able to enable Google over IPv6, letting you give users seamless access to most Google services over IPv6 simply by going to the same websites they usually use, such as www.google.com.

How it works

Google over IPv6 uses the IPv4 address of your DNS resolver to determine whether a network is IPv6-capable. If you enable Google over IPv6 for your resolver, IPv6 users of that resolver will receive AAAA records for IPv6-enabled Google services. 

Normally, if a DNS resolver requests an IPv6 address for a Google web site,
it will not receive one…


…but a DNS resolver with Google over IPv6 will receive an IPv6 address,
and its users will be able to connect to Google web sites using IPv6.



How to get started using Google over IPv6

To qualify for Google over IPv6, your network must meet a number of requirements. These include:
  • Low latency, redundant paths to Google using direct peering or reliable transit
  • Production-quality IPv6 support and reliability
  • Separate DNS servers for your IPv6 users (not shared with IPv4-only users)
  • Users who have opted in to IPv6 services and know how to opt out if they experience problems with Google services

Know about IPV6 ?


    IPv6 or IP version 6 is the next generation Internet protocol which will eventually replace the current protocol IPv4. IPv6 has a number of improvements and simplifications when compared to IPv4. The primary difference is that IPv6 uses 128 bit addresses as compared to the 32 bit addresses used with IPv4. This means that there are more available IP addresses using IPv6 than are available with IPv4 alone. For a very clear comparison, in IPv4 there is a total of 4,294,967,296 IP addresses. With IPv6, there is a total of 18,446,744,073,709,551,616 IP addresses in a single /64 allocation. 

    To also help illustrate the sheer magnitude of available IP addresses using IPv6, you can get 65536 /64 allocations out of a single /48, and then 65536 /48 allocations out of a single /32. Many Service Providers are getting /32 allocations from their Regional Internet Registry (RIR) like ARIN, APNIC, RIPE, etc. 

   A significant difference between IPv6 and IPv4 is the address notation. IPv4 uses a period (.) between each octet, compared to IPv6 which uses a colon (:). With IPv6, if you have a series of zeroes in a row, the address need not be written out completely. You can use a double colon (::) to represent that series of zeroes, however you can only use that once. For example, if you have an address like "2001:0DB8:0000:0003:0000:01FF:0000:002E", it can be written like "2001:DB8::3:0:1FF:0:2E" or "2001:DB8:0:3:0:1FF::2E", but would never be written like "2001:DB8::3::1ff::2E". You also cannot have three colons in a row (:::). 

    IPv6 availability depends on your Service Provider, either at home or for work. In a dual-stack environment, IPv4 and IPv6 co-exist along the same connection and don't require any special kind of connection. If dual-stack is not available, you might find yourself using an IP tunneling product or service to bring IPv6 connectivity to you. IPv4 exhaustion, as of this writing, is estimated to happen sometime in early or mid 2011. When this happens, IPv4 won't simply disappear off the face of the Internet, but continued explosive growth requiring more unique IP address assignments will mean using more and more of the abundant IPv6 address space.

    Many Operating System platforms have native IPv6 support these days. The UNIX based platforms like Linux, BSD (Free, Open, Net) & MacOSX have had IPv6 support enabled for years now. Microsoft Windows started having native IPv6 support enabled by default with its Vista and Windows 2008 products. Earlier Windows versions like 2000/2003/XP had to have it installed optionally, and did not have features as robust as those available in the newer versions of Windows. Even common web browsing and email software will use IPv6 if it is enabled and available, without having to check off an option or special configuration. The transition from IPv4 to IPv6 is being worked on to be as seamless as possible, and many might not even notice the subtle changes in the coming years.


Prepare for IPV6


Wednesday, March 30, 2011

Difference between RIP V1 & RIP V2

Difference between RIP V1 & RIP V2.

RIP V1: Distance Vector, maximum hop count of 15, classful, no support for VLSM, no support for discontiguous networks.

RIP V2: Distance Vector, maximum hop count of 15, classless, supports VLSM networks, supports discontiguous networks.


Multicasting:

Any Communication between a single sender and multiple receivers.

In Networking Multicast messages are sent to a defined subset of the network addresses.

What is classful and classless routing ?


Classful routing: Routing protocols that do not send subnet mask information when a route update is sent out. All devices in the network must use the same subnet mask.


E.g.: RIP V1

Classless routing: Routing that sends subnet mask information in the routing updates. Classless routing allows VLSM (Variable Length Subnet Masking).


E.g.: RIP V2, EIGRP & OSPF.


What is the difference between BRI & PRI?


Both BRI (Basic Rate Interface) and PRI (Primary Rate Interface) provide multiple digital bearer channels over which temporary connections can be made and data can be sent.

Features:

ISDN BRI service provides 2 B channels (64 kbps) and one D channel (16 kbps). The total bandwidth is 144 kbps.

In North America, the ISDN PRI service is PRI T1, with a total bandwidth of 1.544 Mbps (23 B channels at 64 kbps + 1 D channel at 64 kbps).

In Europe, the ISDN PRI service is PRI E1, with a total bandwidth of 2.048 Mbps (30 B channels at 64 kbps + 1 D channel at 64 kbps).

Tuesday, March 29, 2011

IPv6 Transition Technology


IPv4 Vs IPv6


PUBLIC DNS SERVER

=> Service provider: Google
Google public dns server IP address:
  • 8.8.8.8
  • 8.8.4.4
=> Service provider: Dnsadvantage
Dnsadvantage free dns server list:
  • 156.154.70.1
  • 156.154.71.1
=> Service provider: OpenDNS
OpenDNS free dns server list / IP address:
  • 208.67.222.222
  • 208.67.220.220
=> Service provider: Norton
Norton free dns server list / IP address:
  • 198.153.192.1
  • 198.153.194.1
=> Service provider: GTEI DNS (now Verizon)
Public Name server IP address:
  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6
=> Service provider: ScrubIt
Public dns server address:
  • 67.138.54.100
  • 207.225.209.66

IPv6 Header


   IPv6 Header:





IPv6 header contains the following things:

  • Version - This 4-bit field contains the version of IP used in the packet.
  • Traffic class - This 8-bit field determines the packet priority. Priority values are subdivided into ranges: traffic where the source provides congestion control, and non-congestion-control traffic.
  • Flow label - This 20-bit field is used for QoS management. It was originally created to give real-time applications special service, but is currently unused.
  • Payload length - This 16-bit field gives the payload length in bytes. When it is cleared to zero, a "Jumbo payload" hop-by-hop option is in use.
  • Next header - This 8-bit field specifies the next encapsulated protocol. The values are compatible with those specified for the IPv4 protocol field.
  • Hop limit - This 8-bit field is newly introduced in IPv6. It replaces the time to live field of IPv4.
  • Source Address - This 128-bit field gives the logical address of the host that is sending the packet.
  • Destination Address - This 128-bit field gives the logical address of the host that is receiving the packet.
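The field list above maps directly onto a 40-byte structure. As an added example (not part of the original post), this Python parser decodes the fixed header and adds two checks a packet inspector would want: whether the payload length agrees with the bytes actually captured, and whether a zero length with a hop-by-hop next header signals a jumbo payload. The sample packet and its addresses are constructed.

```python
import ipaddress
import struct

# 4+8+20 bits in one 32-bit word, then length, next header, hop limit, addresses
FIXED_HEADER = struct.Struct("!IHBB16s16s")   # 40 bytes in total
NEXT_HEADERS = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
                44: "Fragment", 58: "ICMPv6", 59: "No Next Header"}


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the fixed IPv6 header at the start of `packet`."""
    if len(packet) < FIXED_HEADER.size:
        raise ValueError("shorter than the 40-byte fixed header")
    word, payload_len, next_hdr, hop_limit, src, dst = FIXED_HEADER.unpack_from(packet)
    version = word >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, not 6")
    captured = len(packet) - FIXED_HEADER.size
    return {
        "version": version,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": NEXT_HEADERS.get(next_hdr, f"protocol {next_hdr}"),
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(src)),
        "destination": str(ipaddress.IPv6Address(dst)),
        # Length 0 plus a hop-by-hop header: real length is in a jumbo option
        "jumbo_candidate": payload_len == 0 and next_hdr == 0,
        # A header that claims more or fewer bytes than were captured
        "length_matches": payload_len == captured,
    }


def build_packet(payload, next_hdr=58, hop_limit=64, traffic_class=0,
                 flow_label=0, payload_len=None):
    """Build a constructed test packet between two documentation addresses."""
    word = (6 << 28) | (traffic_class << 20) | flow_label
    if payload_len is None:
        payload_len = len(payload)
    return FIXED_HEADER.pack(word, payload_len, next_hdr, hop_limit,
                             ipaddress.IPv6Address("2001:db8::1").packed,
                             ipaddress.IPv6Address("2001:db8::2").packed) + payload


# Constructed sample: ICMPv6 echo request (type 128) with an 8-byte payload
SAMPLE = build_packet(b"\x80\x00" + bytes(6), traffic_class=0xB8, flow_label=0x12345)

if __name__ == "__main__":
    for field, value in parse_ipv6_header(SAMPLE).items():
        print(f"{field:15} {value}")
```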

Difference Between IPv4 and IPv6


IPv4 
 
  • Source and destination addresses are 32 bits (4 bytes) in length.
  • IPSec support is optional.
  • IPv4 header does not identify packet flow for QoS handling by routers.
  • Both routers and the sending host fragment packets.
  • Header includes a checksum.
  • Header includes options.
  • Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IP address to a link-layer address.
  • Internet Group Management Protocol (IGMP) manages membership in local subnet groups.
  • ICMP Router Discovery is used to determine the IPv4 address of the best default gateway, and it is optional.
  • Broadcast addresses are used to send traffic to all nodes on a subnet.
  • Must be configured either manually or through DHCP.
  • Uses host address (A) resource records in Domain Name System (DNS) to map host names to IPv4 addresses.
  • Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.
  • Must support a 576-byte packet size (possibly fragmented).

IPv6
 
  • Source and destination addresses are 128 bits (16 bytes) in length.
  • IPSec support is required.
  • IPv6 header contains Flow Label field, which identifies packet flow for QoS handling by router.
  • Only the sending host fragments packets; routers do not.
  • Header does not include a checksum.
  • All optional data is moved to IPv6 extension headers.
  • Multicast Neighbor Solicitation messages resolve IP addresses to link-layer addresses.
  • Multicast Listener Discovery (MLD) messages manage membership in local subnet groups.
  • ICMPv6 Router Solicitation and Router Advertisement messages are used to determine the IP address of the best default gateway, and they are required.
  • IPv6 uses a link-local scope all-nodes multicast address.
  • Does not require manual configuration or DHCP.
  • Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses.
  • Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.
  • Must support a 1280-byte packet size (without fragmentation).

Saturday, March 26, 2011

Thursday, March 17, 2011

How to Configure Switch Security ?

Cisco Switch Port Security

Conventional network security often focuses more on routers and blocking traffic from the outside. Switches are internal to the organization and designed to allow ease of connectivity, therefore only limited or no security measures are applied.
The following basic security features can be used to secure your switches and network:

*  Physically secure the device
*  Use secure passwords
*  Enable SSH access
*  Enable port security
*  Disable http access
*  Disable unused ports
*  Disable Telnet

Let's look at how to implement and configure some of the above-mentioned switch security features.

1.   How To Configure the privileged EXEC password.
       Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#

2.   How To Configure virtual terminal (Telnet) and console passwords and require users to login.
A password should be required to access the console line.  Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and telnet:
SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#

3.  How To Configure password encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.
SW1(config)#service password-encryption
SW1(config)#

4.  How To Configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
i.   The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.

ii.   Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.

iii.   After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.

SW1(config)#banner motd %Authorized Access Only%
SW1(config)#end
SW1#exit

5.  How To Configure Port Security
Enter interface configuration mode for FastEthernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.

6. How To configure the maximum number of MAC addresses.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1

7.  How To configure the port to add the MAC address to the running configuration.
The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky 

8. How To Configure the port to automatically shut down if port security is violated.
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show mac-address-table command to confirm that SW1 has learned the MAC address for the intended devices, in this case PC1.
SW1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0060.5c4b.cd22 STATIC Fa0/11

You can also use the show port-security interface fa0/11 command to verify a security violation.
SW1#show port-security interface fa0/11

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1

9.  How To Secure Unused Ports
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops traffic from flowing through the port(s).
Step 1: Disable interface Fa0/10 on SW1.
Enter interface configuration mode for FastEthernet 0/10 and shut down the port.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1
SW1(config)#interface range fa0/1-24
SW1(config-if)#shutdown
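
One way to verify the steps above on a saved configuration, as an added example that is not part of the original post: a Python audit that reads running-config style text and reports which of the listed measures are missing. The sample configuration, its placeholder hashes and the finding texts are constructed; the commands it looks for are the ones used in the steps plus `no ip http server` and `transport input ssh` for the "Disable http access" and "Disable Telnet" items.

```python
# Constructed sample in running-config style; hashes are placeholders
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
ip http server
banner motd %Authorized Access Only%
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
!
line con 0
 password 7 <placeholder>
 login
line vty 0 15
 password 7 <placeholder>
 login
"""

GLOBAL_CHECKS = [  # (command prefix that must be present, finding if it is not)
    ("enable secret", "no enable secret set"),
    ("service password-encryption", "line passwords not encrypted"),
    ("banner motd", "no MOTD banner"),
    ("no ip http server", "HTTP access not disabled"),
]


def blocks(config):
    """Split the text into (top-level command, [indented sub-commands])."""
    parsed = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] == " " and parsed:
            parsed[-1][1].append(line.strip())
        else:
            parsed.append((line.strip(), []))
    return parsed


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    parsed = blocks(config)
    found = [msg for prefix, msg in GLOBAL_CHECKS
             if not any(head.startswith(prefix) for head, _ in parsed)]
    for head, sub in parsed:
        if head.startswith("line "):
            has_pw = any(s.startswith("password") for s in sub)
            if not (has_pw and any(s.startswith("login") for s in sub)):
                found.append(f"{head}: no password with login")
            if head.startswith("line vty") and "transport input ssh" not in sub:
                found.append(f"{head}: Telnet not disabled")
        elif head.startswith("interface ") and "shutdown" not in sub:
            if "switchport port-security" not in sub:
                found.append(f"{head}: active port without port security")
            for s in sub:
                if s.startswith("switchport port-security violation") \
                        and not s.endswith("shutdown"):
                    found.append(f"{head}: violation mode is not shutdown")
    return found


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "all checks passed")
```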

Secure your Cisco Routers

How to secure your network with Cisco Routers
  • Security passwords configuration
  • Pass phrases configuration
  • Secure administrative access
  • Secure Telnet and SSH
  • Maintain Router activity logs
Before we learn how to secure Cisco routers, let's briefly summarise the role routers play in network security.

The Role of Routers in Network Security

As you probably know, routers are used to route traffic between different networks based on Layer 3 IP addresses and provide access to network segments and subnetworks. That makes routers definite targets for network attackers. When the border router of an organisation's network is compromised or accessed without authorization, it poses a potential threat to the organisation's sensitive information and other network services and resources.
Routers can be compromised in many ways (trust exploitation and MITM attacks), and this exposes the internal network configuration or components to scans and attacks.
In summary, a router plays two primary roles in a network:

  • Advertise networks and filter (permit/deny) who can use them.
  • Provide access to network segments and subnetworks