352-001 · Question #717
Which two best practices for the security design of an IPv6 network are true? (Choose two.)
The correct answer is B. IPv4 ICMP policies are different from IPv6 ICMP policies on the firewall D. IPsec must be used if there is a requirement to secure OSPFv3. IPv6 security design requires distinct firewall policies for ICMPv6 and mandates IPsec to secure OSPFv3, as OSPFv3 has no native authentication mechanism.
Question
Which two best practices for the security design of an IPv6 network are true? (Choose two.)
Options
- ABGP and IS-IS only support unencrypted password authentication when IPv6 is enabled on the
- BIPv4 ICMP policies are different from IPv6 ICMP policies on the firewall
- CuRPF is no longer required with IPv6 FHS implementation
- DIPsec must be used if there is a requirement to secure OSPFv3
- EIPv6 host security controls are enough to block and inspect IPv6 traffic from one device to
How the community answered
(16 responses)- B81% (13)
- C6% (1)
- E13% (2)
Why each option
IPv6 security design requires distinct firewall policies for ICMPv6 and mandates IPsec to secure OSPFv3, as OSPFv3 has no native authentication mechanism.
BGP and IS-IS support cryptographic authentication methods such as MD5 and SHA-HMAC regardless of whether IPv6 is enabled, so they are not limited to unencrypted passwords.
ICMPv6 fulfills critical functions absent in ICMPv4 - such as Neighbor Discovery Protocol (NDP), Router Advertisements, and Multicast Listener Discovery - requiring firewall policies to permit specific ICMPv6 types that would be blocked under a typical ICMPv4 policy. Treating them identically would break core IPv6 functionality.
uRPF remains a necessary anti-spoofing control in IPv6 networks even with IPv6 First Hop Security (FHS) deployed, because FHS addresses link-local threats while uRPF validates source addresses at routed boundaries.
OSPFv3 removed the built-in authentication fields that existed in OSPFv2, leaving no native mechanism for authentication or encryption of routing updates. IPsec must be applied directly to OSPFv3 interfaces to provide integrity and confidentiality when security is required.
Host-level security controls only protect the individual device and cannot inspect or block IPv6 traffic transiting the network between other devices, making network-level enforcement mandatory.
Concept tested: IPv6 security design - OSPFv3 and ICMPv6 policy
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/ip6-ospfv3-auth-ipsec.html
Topics
Community Discussion
No community discussion yet for this question.