All methods to mitigate IPv6 security issues
Real life security intro
I the process of configuring our corporate network test segment for IPv6 support there was direct demand to pay particular attention to security. In few weeks it was my mayor role to go trough all materials I could get in order to learn more about IPv6 security. In that process first stop was my favorite packetpushers podcast that had exactly one podcast about IPv6 security that I needed between more than 160 available until now. In that security show from last year Healthy Paranoia Show 4:IPv6 Security Smackdown! Mrs. Y with bunch of great host discussed IPv6 security. They speak about almost all stuff that exist today in securing IPv6 enabled networks. One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer who wrote IPv6 Security book for CiscoPress. Later, I did see that this book was everything you need to learn IPv6 security. Of course, it’s easy to get edge router to run IPv6 on Internet facing interface but my goal is to get IPv6 inside our environment and that part is still tricky if you include all the stuff needed to be done (especially on firewall part of the story).
I search for more info and some examples on how to configure Cisco gear for IPv6. Specially helpful were IPv6 webinars from long followed Networking/Cisco genius Ivan Pepelnjak at his great site ipspace.net (one of my homepage tabs). Here the guest is again Eric Vyncke.
After all the knowledge I pull out of those mentioned resources I was ready to carry out my test segment in our network and make it secure. Here are just a few rows about every one of IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all the equipment has all the features. Some of them came out few months ago so older switches and routers may not have all of these implemented. Sometimes you will be limited by the licence to. I need to mention that other vendors equipment has also implementation of some features mentioned below. For now it seems that Cisco invested the most effort and gathered the best team of engineers to implement all possible features for IPv6 first-hop security.
Let’s go with the list:
IPv6 RA Guard We know that RA messages are important part of IPv6 architecture as they are the only way to get default gateway info to host in the network (beside static configuration). DHCPv6 does not carry this information in his messages unlike DHCPv4. RA messages are Router Advertisement messages send from main router that is default gateway for that specific network segment. Having that in mind it’s clear that only port on the switch that needs to receive RA messages inbound is the port connecting the router. All other switch ports for hosts are only forwarding RA messages to host devices but there is no need for host to send RA messages back to switch. Even better, it is wrong if some host sends RA messages because he is then practically trying to take the role of default gateway away from router. Configuring RA Guard on all switch ports except port that heads to router we prevented rouge RA advertisements on that segment.
| Continue Reading.. |