IPv6 First-Hop Security
All methods to mitigate IPv6 security issues
Real life security intro
In the process of configuring our corporate network test segment for IPv6 support there was a direct demand to pay particular attention to security. For a few weeks it was my major role to go through all the materials I could get in order to learn more about IPv6 security. In that process the first stop was my favourite Packet Pushers podcast, which had exactly one show about IPv6 security that I needed among the more than 160 available so far. In that security show from last year, Healthy Paranoia Show 4: IPv6 Security Smackdown!, Mrs. Y with a bunch of great hosts discussed IPv6 security. They spoke about almost everything that exists today in securing IPv6-enabled networks. One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer, who wrote the IPv6 Security book for Cisco Press. Later I saw that this book was everything you need to learn IPv6 security. Of course, it’s easy to get an edge router to run IPv6 on the Internet-facing interface, but my goal is to get IPv6 inside our environment, and that part is still tricky if you include all the stuff that needs to be done (especially the firewall part of the story).
I searched for more info and some examples on how to configure Cisco gear for IPv6. Especially helpful were the IPv6 webinars from the long-followed networking/Cisco genius Ivan Pepelnjak at his great site ipspace.net (one of my homepage tabs). Here the guest is again Eric Vyncke.
After all the knowledge I pulled out of those resources I was ready to carry out my test segment in our network and make it secure. Here are just a few rows about every one of the IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all the equipment has all the features. Some of them came out a few months ago, so older switches and routers may not have all of these implemented. Sometimes you will be limited by the licence too. I need to mention that other vendors’ equipment also implements some of the features mentioned below. For now it seems that Cisco invested the most effort and gathered the best team of engineers to implement all possible features for IPv6 first-hop security.
Let’s go with the list:
IPv6 RA Guard
We know that RA messages are an important part of the IPv6 architecture, as they are the only way to get default gateway info to hosts in the network (besides static configuration). DHCPv6 does not carry this information in its messages, unlike DHCPv4. RA messages are Router Advertisement messages sent from the main router that is the default gateway for that specific network segment. Having that in mind, it’s clear that the only port on the switch that needs to receive RA messages inbound is the port connecting the router. All other switch ports for hosts only forward RA messages to host devices; there is no need for a host to send RA messages back to the switch. Worse, it is wrong if some host sends RA messages, because it is then practically trying to take the role of default gateway away from the router. By configuring RA Guard on all switch ports except the port that heads to the router we prevent rogue RA advertisements on that segment.
DHCPv6 Guard
DHCPv6 Guard is similar to RA Guard, but it blocks DHCPv6 reply messages coming from DHCPv6 servers and relays that are on the wrong ports (which means they are rogue). It is fairly simple to implement, as it works like an access list that blocks UDP port 546 (the DHCPv6 client port that server replies are sent to) on all ports of the switch except the port on which the DHCP server is connected, or the VLAN interface for the subnet if a DHCP relay is configured.
IPv6 Snooping and device tracking do the same thing as in IPv4, except that in IPv4 we have ARP and in IPv6 we have ND (Neighbor Discovery), which does the same job. Let’s remember from the IPv4 world how this attack works with ARP. A spoofing attack is done when an ARP request asks for the MAC address of a specific IPv4 address in a broadcast message and an attacker responds with his own MAC address, so that he receives traffic that was meant to go to the IPv4 address of the real receiver. In the IPv6 world there is no ARP protocol, but there is the ND Neighbor Discovery protocol. If a computer wants to send a message to another computer with an IPv6 address, it sends an NS (Neighbor Solicitation) message with which it requests the MAC address of the receiving computer. If an attacker responds with a fake NA (Neighbor Advertisement) message before the real receiver, he will get all the traffic destined to that IPv6 address.
IPv6 Snooping and device tracking use a binding table, known as the ND table, and try to remember/bind every IPv6 address on the segment to a particular MAC address. They do that by monitoring DHCPv6, ND and other regular data flows. After a while the ND table has all the bindings (MAC-IPv6), and when an intruder sends a rogue NA message his MAC address does not correspond to the right MAC address for that receiver’s IPv6 address, so he will be prevented from sending.
IPv6 Source Guard uses the ND table to drop traffic from rogue sources or IPv6 addresses that are not in the binding table.
IPv6 Prefix Guard uses information from DHCPv6 and RA messages to fill a table with the valid prefixes that are in use, and it blocks all other prefixes.
IPv6 Destination Guard
If a packet arrives at the router destined for a directly connected subnet but for an address that is not in the ND table, that packet will be dropped to prevent ND exhaustion types of attack. To explain, ND exhaustion is done by sending packets to all addresses in the subnet. Subnets in IPv6 are bigger than in IPv4, and a /64 subnet has 18446744073709551614 possible addresses. If you send packets to all those addresses you will exhaust the memory of the ND cache, which will basically disable the ND process and all the traffic will become broadcast.
We need to be careful with this, as if our network device reboots it will possibly prevent devices from communicating before they are registered in the ND table, and they need to communicate to get registered in the ND table. Maybe a less dramatic solution to this problem is the ND resolution rate limiter implemented by Cisco.
The ND resolution rate limiter limits the number of ND resolutions per second per router, and the cache size limiter limits the size of the cache per device interface, so that it cannot get to the point where all the memory is consumed and the device breaks into a reboot. The ND resolution rate is 100 resolutions per second per router and the cache size is limited to 250 IPv6 addresses per interface. You can change those values using these interface-level commands:
L3SW(config-if)#ipv6 nd cache interface-limit 4
L3SW(config-if)#ipv6 nd resolution data limit 50
As per Mr. Eric Vyncke’s suggestion, sometimes in a datacenter environment the default 100 resolutions per router per second can be too slow if you have a really big number of hosts. Then it may be necessary to change this threshold to something bigger than 100. Usually this number can be even lower, as in my example above.
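To show how the features from the list above fit together on one access switch, here is an added example configuration that is not from the original post. It assumes IOS 15.x with the policy-based FHS CLI (older platforms only offer the plain interface command ipv6 nd raguard), VLAN 10, the router on Gi1/0/48, the DHCPv6 server on Gi1/0/47 and end hosts on Gi1/0/1-46; hostnames, policy names and port numbers are made up.

```cisco
! Added example, not from the original post. Assumed: IOS 15.x FHS policy
! CLI, VLAN 10, router on Gi1/0/48, DHCPv6 server on Gi1/0/47, hosts on 1-46.
! RA Guard: Router Advertisements accepted inbound only on the router port
ipv6 nd raguard policy FHS-HOST
 device-role host
ipv6 nd raguard policy FHS-ROUTER
 device-role router
!
! DHCPv6 Guard: server/relay replies accepted only from the server port
ipv6 dhcp guard policy FHS-CLIENT
 device-role client
ipv6 dhcp guard policy FHS-SERVER
 device-role server
!
! Snooping: learn the binding (ND) table from DHCPv6, ND and data traffic;
! security-level guard drops ND messages that contradict an existing binding
ipv6 snooping policy FHS-SNOOP
 security-level guard
 tracking enable
!
! Source Guard plus Prefix Guard: drop sources missing from the binding
! table or outside a prefix learned from RA/DHCPv6; link-local stays allowed
ipv6 source-guard policy FHS-SG
 validate address
 validate prefix
 permit link-local
!
! Destination Guard: drop packets to on-link addresses that are not in the
! binding table, so a scan of the /64 cannot fill the ND cache
ipv6 destination-guard policy FHS-DG
 enforcement always
!
vlan configuration 10
 ipv6 snooping attach-policy FHS-SNOOP
!
interface range GigabitEthernet1/0/1 - 46
 ipv6 nd raguard attach-policy FHS-HOST
 ipv6 dhcp guard attach-policy FHS-CLIENT
 ipv6 source-guard attach-policy FHS-SG
!
interface GigabitEthernet1/0/47
 ipv6 nd raguard attach-policy FHS-HOST
 ipv6 dhcp guard attach-policy FHS-SERVER
!
interface GigabitEthernet1/0/48
 ipv6 nd raguard attach-policy FHS-ROUTER
!
interface Vlan10
 ipv6 destination-guard attach-policy FHS-DG
```

After the hosts have talked for a while, show ipv6 neighbors binding lists the learned MAC-IPv6 bindings and show ipv6 snooping policies confirms where each policy is attached; enable Destination Guard only once that table is populated, for the reboot reason given above.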