Cisco

352-001 · Question #717

352-001 Question #717: Real Exam Question with Answer & Explanation

The correct answer is B: IPv4 ICMP policies are different from IPv6 ICMP policies on the firewall. IPv6 security design requires distinct firewall policies for ICMPv6 and mandates IPsec to secure OSPFv3, as OSPFv3 has no native authentication mechanism.

Question

Which two best practices for the security design of an IPv6 network are true? (Choose two.)

Options

  • A. BGP and IS-IS only support unencrypted password authentication when IPv6 is enabled on the
  • B. IPv4 ICMP policies are different from IPv6 ICMP policies on the firewall
  • C. uRPF is no longer required with IPv6 FHS implementation
  • D. IPsec must be used if there is a requirement to secure OSPFv3
  • E. IPv6 host security controls are enough to block and inspect IPv6 traffic from one device to

Explanation

IPv6 security design requires distinct firewall policies for ICMPv6 and mandates IPsec to secure OSPFv3, as OSPFv3 has no native authentication mechanism.

Common mistakes.

  • A. BGP and IS-IS support cryptographic authentication methods such as MD5 and SHA-HMAC regardless of whether IPv6 is enabled, so they are not limited to unencrypted passwords.
  • C. uRPF remains a necessary anti-spoofing control in IPv6 networks even with IPv6 First Hop Security (FHS) deployed, because FHS addresses link-local threats while uRPF validates source addresses at routed boundaries.
  • E. Host-level security controls only protect the individual device and cannot inspect or block IPv6 traffic transiting the network between other devices, making network-level enforcement mandatory.

Concept tested. IPv6 security design - OSPFv3 and ICMPv6 policy

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/ip6-ospfv3-auth-ipsec.html
