IPv6 First-Hop Security

All methods to mitigate IPv6 security issues
Real life security intro

In the process of configuring our corporate network test segment for IPv6, there was a direct demand to pay particular attention to security. It was my role to go through all the materials I could get to learn more about IPv6 security. In that process, the first stop was my favorite packetpushers podcast. They have published more than 200 podcasts so far, and one of them was about the IPv6 security that I needed. In that security show from last year, Healthy Paranoia Show 4: IPv6 Security Smackdown!, Mrs. Y and a bunch of great hosts discussed IPv6 security. They talk about almost everything that exists today for securing IPv6-enabled networks. One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer, who wrote the IPv6 Security book for Cisco Press. Later, I saw that this book was everything you need to learn IPv6 security. Of course, it's easy to get an edge router to run IPv6 on an Internet-facing interface, but my goal is to get IPv6 inside our LAN environment, and that part is still tricky if you include everything that needs to be done (especially on the firewall part of the story).

I searched for additional information and some examples on how to configure Cisco gear for IPv6. Especially helpful were the IPv6 webinars from the long-followed Networking/Cisco genius Ivan Pepelnjak at his great site ipspace.net (one of my homepage tabs). Here the guest is again Eric Vyncke.

After I gathered the knowledge from those resources, I was ready to deploy IPv6 on my test segments and make it secure. Here are just a few lines about each of the IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all equipment has all the features. Some of them came out a few months ago, so older switches and routers may not have all of them implemented. Sometimes you will be limited by the license too. I need to mention that other vendors' equipment also supports most of the features mentioned below. For now it seems that Cisco invested the most effort and gathered the best team of engineers to add all possible features for IPv6 first-hop security inside IOS.

Let’s go with the list:

IPv6 RA Guard – RA messages are an important part of the IPv6 architecture. They are the only way to get default gateway information to the hosts in a network segment (besides static configuration). Unlike DHCPv4, DHCPv6 does not carry this information in its messages. RA messages are Router Advertisement messages sent from the main router that is the default gateway for that specific network segment. With that in mind, it's clear that the only port on the switch that needs to receive RA messages inbound is the port connecting the router. All other switch ports, the ones for hosts, only forward RA messages to the host devices, and there is no need for a host to send RA messages back to the switch. More than that, it is wrong for a host to send RA messages, because it is then practically trying to take the role of default gateway away from the router. Configuring RA Guard on all switch ports except the port that heads towards the router prevents rogue RA advertisements on that segment.

DHCPv6 Guard is similar to RA Guard, but it blocks DHCPv6 reply messages coming from DHCPv6 servers and relays that are on the wrong ports (which means that they are rogue). It is fairly simple to implement, as it works like an access list that blocks UDP port 546 on all ports of the switch except the port to which the DHCP server is connected. This applies to the VLAN interface too if a DHCP relay is configured.

IPv6 Snooping and device tracking does the same thing as in IPv4, except that in IPv4 we have ARP and in IPv6 we have ND. Let's remember from the IPv4 world how this attack works with ARP. A spoofing attack happens when an ARP request asks, in a broadcast message, for the MAC address of a specific IPv4 address and an attacker responds with his own MAC address so that he receives the traffic that was meant to go to the IPv4 address of the real receiver. In the IPv6 world there is no ARP protocol, but there is ND, the Neighbor Discovery protocol. If a computer wants to send a message to another computer using IPv6, it sends an NS (Neighbor Solicitation) message requesting the MAC address of the receiving computer. If an attacker responds with a fake NA (Neighbor Advertisement) message faster than the real receiver, he will get all the traffic destined to that IPv6 address.
IPv6 Snooping and device tracking uses a binding table, known as the ND table, and tries to remember/bind every IPv6 address on the segment to a particular MAC address. It does that by monitoring DHCPv6, ND and other regular data flows. After a while the ND table holds all the bindings (MAC-IPv6), and when an intruder sends a rogue NA message, his MAC address does not correspond to the MAC address bound to the receiver's IPv6 address, so he is prevented from sending.

IPv6 Source Guard uses ND table to drop traffic from rogue sources or IPv6 addresses that are not in the binding table.
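
The RA Guard, DHCPv6 Guard, snooping and Source Guard decisions described above can be put side by side in a small model. This is an added example, not code from the article or from Cisco; the port names, MAC and IPv6 addresses are constructed, and "first claim wins" is a simplifying assumption about how a binding is created.

```python
# Added illustration (not vendor code): a toy first-hop switch applying the
# guards described above. Port names, MACs and addresses are constructed.
from dataclasses import dataclass

RA, NA, DHCP_REPLY, DATA = "RA", "NA", "DHCPv6-Reply", "DATA"

@dataclass
class Frame:
    port: str   # ingress switch port
    mac: str    # source MAC address
    addr: str   # source IPv6 address (for an NA: the address being claimed)
    kind: str

class FirstHopSwitch:
    def __init__(self, router_port, dhcp_port):
        self.router_port = router_port  # only port where inbound RAs are valid
        self.dhcp_port = dhcp_port      # only port where server replies are valid
        self.bindings = {}              # IPv6 address -> (MAC, port)

    def inspect(self, f):
        """Return (verdict, feature) for one frame arriving on a port."""
        if f.kind == RA:
            ok = f.port == self.router_port
            return ("forward" if ok else "drop", "RA Guard")
        if f.kind == DHCP_REPLY:      # server-to-client, UDP destination port 546
            ok = f.port == self.dhcp_port
            return ("forward" if ok else "drop", "DHCPv6 Guard")
        if f.kind == NA:
            # Snooping: the first claim creates the binding, later ones must match.
            owner = self.bindings.setdefault(f.addr, (f.mac, f.port))
            return ("forward" if owner == (f.mac, f.port) else "drop", "ND snooping")
        # Data traffic: Source Guard only forwards sources present in the table.
        ok = self.bindings.get(f.addr) == (f.mac, f.port)
        return ("forward" if ok else "drop", "Source Guard")

def demo():
    sw = FirstHopSwitch(router_port="Gi1/0/24", dhcp_port="Gi1/0/23")
    host, rogue = "00:00:5e:00:53:0a", "00:00:5e:00:53:66"
    frames = [
        Frame("Gi1/0/24", "00:00:5e:00:53:01", "fe80::1", RA),  # real router
        Frame("Gi1/0/5", rogue, "fe80::66", RA),                # RA from a host port
        Frame("Gi1/0/5", rogue, "fe80::66", DHCP_REPLY),        # reply from a host port
        Frame("Gi1/0/2", host, "2001:db8::a", NA),              # owner is learned
        Frame("Gi1/0/5", rogue, "2001:db8::a", NA),             # conflicting claim
        Frame("Gi1/0/2", host, "2001:db8::a", DATA),            # bound source
        Frame("Gi1/0/5", rogue, "2001:db8::bad", DATA),         # unbound source
    ]
    return [sw.inspect(f) for f in frames]
```
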

IPv6 Prefix Guard will use information from DHCPv6 and RA messages to fill the table with valid prefixes that are in use and it will block all other prefixes.

IPv6 Destination Guard – If a packet arrives at the router destined for a directly connected subnet, but for an address that is not in the ND table, that packet will be dropped in order to prevent ND exhaustion attacks. To explain this, ND exhaustion is caused by sending packets to all addresses in the subnet. Subnets in IPv6 are bigger than in IPv4, and a /64 subnet has 18446744073709551614 possible addresses. If you send packets to all those addresses, you will exhaust the memory of the ND cache, which will basically disable the ND process, and all the traffic will become broadcast.

We need to be careful with this. For example, if our network device reboots, Destination Guard may prevent devices from communicating before they are registered in the ND table, and they need to communicate in order to be registered in the ND table. A dramatic solution to this problem is the ND resolution rate limiter that Cisco implemented.

The ND resolution rate limiter limits the number of ND resolutions per second per router, and the cache size limiter limits the size of the cache per device interface, so that the device can never get to the point where all the memory is consumed and it breaks into a reboot. The default ND resolution rate is 100 resolutions per second per router, and the cache size is limited to 250 IPv6 addresses per interface. You can change those values using these interface-level commands:

L3SW(config-if)#ipv6 nd cache interface-limit 4
SW(config-if)#ipv6 nd resolution data limit 50

As Mr. Eric Vyncke suggests, in a datacenter environment the default of 100 resolutions per router per second can sometimes be too slow if you have a really big number of hosts. Then it may be necessary to change this threshold to something bigger than 100. Usually this number can be even lower, as in my example above.
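
To see how Destination Guard, the cache size limit and the resolution rate limit interact, here is a small model of one routed interface. It is an added example, not code from the article or from Cisco; the defaults are the 100 resolutions per second and 250 cache entries quoted above, while the prefix, the traffic volume and the order in which the checks run are assumptions.

```python
# Added illustration (not Cisco code): toy model of one routed interface.
# Defaults are the values quoted in the article: 100 resolutions/s, 250 entries.
import ipaddress

class RoutedInterface:
    def __init__(self, prefix, cache_limit=250, rate_limit=100, dest_guard=False):
        self.prefix = ipaddress.ip_network(prefix)
        self.cache_limit = cache_limit  # max ND cache entries on this interface
        self.rate_limit = rate_limit    # max new ND resolutions per second
        self.dest_guard = dest_guard    # Destination Guard on/off
        self.bindings = set()           # addresses known from snooping
        self.cache = set()              # addresses with an ND cache entry
        self.started = 0                # resolutions started this second

    def learn(self, addr):
        self.bindings.add(ipaddress.IPv6Address(addr))

    def tick(self):
        self.started = 0                # a new one-second window begins

    def receive(self, dst):
        """Outcome for one packet routed towards `dst`."""
        dst = ipaddress.IPv6Address(dst)
        if dst not in self.prefix:
            return "not connected"
        if dst in self.cache:
            return "cached"
        if self.dest_guard and dst not in self.bindings:
            return "drop: destination guard"
        if len(self.cache) >= self.cache_limit:
            return "drop: cache limit"
        if self.started >= self.rate_limit:
            return "drop: rate limit"
        self.started += 1
        self.cache.add(dst)             # entry created, NS goes out
        return "resolving"

def sweep(iface, per_second, seconds):
    """Packets to never-used addresses in the subnet; returns outcome counts."""
    tally, base = {}, int(iface.prefix.network_address) + 0x10000
    for s in range(seconds):
        iface.tick()
        for i in range(per_second):
            outcome = iface.receive(base + s * per_second + i)
            tally[outcome] = tally.get(outcome, 0) + 1
    return tally
```

With the limiters alone the cache stops growing at 250 entries; with Destination Guard enabled no entry is created at all, but a host that is not yet in the binding table is dropped as well, which is the reboot caveat described above.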
