IPv6 link model is essentially distributed, with DHCP playing a minor role.
(Figure: router and certificate server at the first hop.)
Disadvantages of a centralized first-hop model:
- Applicable only to certain topologies
- Requires the first hop to learn about end nodes
- The first hop is a bottleneck and a single point of failure
Neighbor Discovery: address resolution
NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = solicited-node multicast address of B; Data (target) = B; Option = link-layer address of A. Query: what is B's link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B's interface addresses; Dst = A; Data (target) = B; Option = link-layer address of B.
A and B can now exchange packets on this link.
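The NS/NA exchange above in working form, as an added example that is not part of the deck: it derives the solicited-node multicast address and its Ethernet group MAC from the target, builds the NS with the source link-layer address option and the NA with the target link-layer address option, and computes and verifies the ICMPv6 checksum over the RFC 8200 pseudo-header. The addresses and MACs in the usage are constructed sample values.

```python
"""Neighbor Solicitation / Advertisement builder and parser (added example)."""
import ipaddress
import struct

ICMPV6_NS = 135
ICMPV6_NA = 136
ICMPV6_NEXT_HEADER = 58


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | 0x01FF000000 | low24))


def multicast_mac(v6: str) -> str:
    """Ethernet destination for an IPv6 multicast address: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_ns(src: str, target: str, src_mac: str) -> tuple:
    """NS from src asking for target; returns (IPv6 dst, Ethernet dst, ICMPv6 bytes)."""
    dst = solicited_node(target)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    body += struct.pack("!BB", 1, 1) + _mac_bytes(src_mac)   # option 1: source link-layer address
    csum = icmpv6_checksum(src, dst, body)
    return dst, multicast_mac(dst), body[:2] + struct.pack("!H", csum) + body[4:]


def build_na(src: str, dst: str, target: str, target_mac: str, solicited: bool = True) -> bytes:
    """NA answering an NS: R=0, S=solicited, O=1, option 2 = target link-layer address."""
    flags = (0x40000000 if solicited else 0) | 0x20000000
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    body += struct.pack("!BB", 2, 1) + _mac_bytes(target_mac)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_nd(src: str, dst: str, msg: bytes) -> dict:
    """Minimal NS/NA parser; raises ValueError on a bad checksum, type or option."""
    if icmpv6_checksum(src, dst, msg) != 0:      # a message including its checksum sums to 0
        raise ValueError("bad ICMPv6 checksum")
    mtype = msg[0]
    if mtype not in (ICMPV6_NS, ICMPV6_NA):
        raise ValueError(f"not an NS/NA: type {mtype}")
    target = str(ipaddress.IPv6Address(msg[8:24]))
    options, i = {}, 24
    while i + 8 <= len(msg):
        otype, olen = msg[i], msg[i + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")
        options[otype] = msg[i + 2:i + olen]
        i += olen
    lla = options.get(1 if mtype == ICMPV6_NS else 2)
    return {"type": mtype, "target": target,
            "lla": ":".join(f"{b:02x}" for b in lla) if lla else None}


if __name__ == "__main__":
    # constructed sample: A = fe80::1 resolves B = 2001:db8::1
    v6_dst, eth_dst, ns = build_ns("fe80::1", "2001:db8::1", "00:11:22:33:44:55")
    print(v6_dst, eth_dst, parse_nd("fe80::1", v6_dst, ns))
    na = build_na("2001:db8::1", "fe80::1", "2001:db8::1", "66:77:88:99:aa:bb")
    print(parse_nd("2001:db8::1", "fe80::1", na))
```

Nothing in the NS or NA binds the advertised link-layer address to the sender, which is why the deck's countermeasures (static entries, gleaning into a binding table, SeND) all sit outside the protocol itself.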
Countermeasures: Static Cache Entries, Address GLEAN, SeND (CGA) on routers, Integrity Guard (Address-Watch).
Address GLEAN
Gleaning means inspecting the traffic that reaches the switch to learn which IPv6 address belongs to which MAC address, VLAN and port. Sources shown in the figure:
- data packets [IP source=A3, SMAC=MACH3]
- DAD NS [IP source=UNSPEC, target=A3]
- NA [IP source=A1, LLA=MACH3]
- DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY exchanged with the DHCP server
Binding table (H1 owns A1, H2 owns A21 and A22, H3 owns A3):
IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3
Duplicate Address Detection (DAD)
NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = solicited-node multicast address of A; Data (target) = A. Query: does anybody use A already?

Attack on DAD
The attacker answers every DAD NS on the link with an NA for the target ("NA: it's mine!"). The victim concludes the address is taken, cannot configure an IP address and cannot communicate: a DoS condition.
Exchange: Src = UNSPEC, Dst = solicited-node multicast address of A, Data = A, Query = does anybody use A already? -> attacker NA: it's mine!
Device tracking
Goal: to track active addresses (devices) on the link.
Binding table (figure): the gleaned entries (A1/MACH1/VLAN 100/P1 for H1, A21 and A22/MACH2/VLAN 100/P2 for H2, A3/MACH3/VLAN 100/P3 for H3) gain a STATE column whose value is REACH or STALE.
- Keep track of device state
- Probe devices when becoming stale
- Remove inactive devices from the binding table
- Record binding creation/deletion/changes
Flows in the figure feeding the binding table through address glean: DAD NS [IP source=UNSPEC, target=A1]; NA [target=A1, LLA=MACH1]; DAD NS [IP source=UNSPEC, target=A3]; NA [target=A1, LLA=MACA3].
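A toy switch-side binding table as an added example (not Cisco's implementation and not code from the deck) covering the three preceding slides: it gleans entries from data packets, DAD NS, NA and DHCP LEASEQUERY replies, drops the NA a DAD attacker sends for an address already bound to a different MAC or port, and runs the device-tracking loop (REACH to STALE, probe, remove, log). The timers, the probe limit, the event dictionary layout and the `reachable` set standing in for hosts that answer a probe are assumptions; the hosts, MACs and ports are the figure's labels.

```python
"""Switch binding table fed by address glean, with device tracking (added example)."""
from dataclasses import dataclass, field

UNSPEC = "::"
REACHABLE_TIME = 30   # seconds before a quiet entry goes REACH -> STALE (assumed value)
PROBE_LIMIT = 3       # unanswered probes before a STALE entry is removed (assumed value)


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    state: str = "REACH"
    last_seen: float = 0.0
    probes: int = 0


@dataclass
class BindingTable:
    entries: dict = field(default_factory=dict)   # IPv6 address -> Binding
    log: list = field(default_factory=list)       # creation/deletion/change records

    def _learn(self, addr, mac, vlan, port, now, source):
        cur = self.entries.get(addr)
        if cur is None:
            self.entries[addr] = Binding(mac, vlan, port, "REACH", now)
            self.log.append(("create", addr, mac, port, source))
        elif (cur.mac, cur.port) != (mac, port):
            # the address moved (or is being claimed from elsewhere): record the change
            self.log.append(("change", addr, f"{cur.mac}/{cur.port}->{mac}/{port}", source))
            self.entries[addr] = Binding(mac, vlan, port, "REACH", now)
        else:
            cur.state, cur.last_seen, cur.probes = "REACH", now, 0

    def glean(self, pkt: dict, now: float) -> bool:
        """Inspect one frame; returns False when the frame is dropped as a duplicate claim."""
        kind = pkt["kind"]
        if kind == "data" and pkt["src"] != UNSPEC:
            self._learn(pkt["src"], pkt["smac"], pkt["vlan"], pkt["port"], now, "data")
        elif kind == "dad_ns":                    # NS from :: for a tentative address
            self._learn(pkt["target"], pkt["smac"], pkt["vlan"], pkt["port"], now, "dad_ns")
        elif kind == "na":
            cur = self.entries.get(pkt["target"])
            # DAD protection: an NA for an address already bound to another MAC/port is the
            # attacker's "it's mine!" answer and is not forwarded
            if cur is not None and (cur.mac, cur.port) != (pkt["lla"], pkt["port"]):
                self.log.append(("drop", pkt["target"], pkt["lla"], pkt["port"], "na"))
                return False
            self._learn(pkt["target"], pkt["lla"], pkt["vlan"], pkt["port"], now, "na")
        elif kind == "dhcp_leasequery_reply":
            self._learn(pkt["addr"], pkt["mac"], pkt["vlan"], pkt["port"], now, "dhcp")
        return True

    def tick(self, now: float, reachable: set) -> None:
        """Device tracking: age entries, probe stale ones, evict devices that stay silent."""
        for addr, b in list(self.entries.items()):
            if b.state == "REACH" and now - b.last_seen > REACHABLE_TIME:
                b.state = "STALE"
            if b.state == "STALE":
                if addr in reachable:                 # probe NS answered
                    b.state, b.last_seen, b.probes = "REACH", now, 0
                else:
                    b.probes += 1
                    if b.probes >= PROBE_LIMIT:
                        del self.entries[addr]
                        self.log.append(("delete", addr, b.mac, b.port, "tracking"))


def demo() -> dict:
    """Constructed traffic on VLAN 100: H1 on P1, H2 on P2 (two addresses), H3 on P3."""
    t = BindingTable()
    t.glean({"kind": "dad_ns", "target": "A1", "smac": "MACH1", "vlan": 100, "port": "P1"}, 0)
    t.glean({"kind": "data", "src": "A21", "smac": "MACH2", "vlan": 100, "port": "P2"}, 1)
    t.glean({"kind": "dhcp_leasequery_reply", "addr": "A22", "mac": "MACH2", "vlan": 100, "port": "P2"}, 2)
    t.glean({"kind": "dad_ns", "target": "A3", "smac": "MACH3", "vlan": 100, "port": "P3"}, 3)
    # H3 attacks DAD: claims A1 with its own MAC from port P3
    attack_forwarded = t.glean({"kind": "na", "target": "A1", "lla": "MACH3", "vlan": 100, "port": "P3"}, 4)
    # device tracking: A21 goes quiet while A1, A22 and A3 keep answering probes
    t.tick(40, reachable={"A1", "A22", "A3"})
    stale_after_first_tick = t.entries["A21"].state
    for now in (41, 42):
        t.tick(now, reachable={"A1", "A22", "A3"})
    return {"attack_forwarded": attack_forwarded, "a1_mac": t.entries["A1"].mac,
            "stale_after_first_tick": stale_after_first_tick,
            "a21_present": "A21" in t.entries, "log": t.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```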
Router discovery
RS: ICMP type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = all-routers multicast address (FF02::2). Query: please send RA.
RA: ICMP type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Option = prefix, lifetime.

Rogue RA (figure, attacker C on a link whose legitimate router is B):
RA 1: Src = B's link-local address (spoofed), Dst = all-nodes, Data = router lifetime = 0 (B is withdrawn as default router)
RA 2: Src = C's link-local address, Dst = all-nodes, Data = router lifetime, autoconfig flag; Options = subnet prefix, SLLA (C becomes the default router)

RA Guard: verification succeeded? Forward the RA.
The switch selectively accepts or rejects RAs based on various criteria: ACL (configuration) based, learning based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content.
More countermeasures: static routing, SeND, VLAN segmentation, PACL.
Prefix deprecation attack
RS: ICMP type = 133 (Router Solicitation); Src = UNSPEC (or host link-local address); Dst = all-routers multicast address (FF02::2). Query: please send RA.
RA: ICMP type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Options = prefixes X, Y, Z with lifetimes.
Node A computes X::x, Y::y, Z::z, DADs them (NS) and sources traffic with X::x, Y::y, Z::z.
Attacker RA 1: Src = B's link-local address, Dst = all-nodes, Options = prefix X, preferred lifetime = 0 -> node A deprecates X::A.
Attacker RA 2: Src = B's link-local address, Dst = all-nodes, Options = prefix BAD, preferred lifetime -> node A computes BAD::A and DADs it.
Node A now sources off-link traffic to B with BAD::A; router B filters out BAD::A.
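RA Guard in its ACL-based form as an added example (not the deck's code and not Cisco's implementation): a policy function that forwards an RA only from a configured router port and source, and only with allowed prefixes, next to a simplified host-side RA processor, so the two rogue-RA slides above can be replayed with and without the guard. The policy keys (`router_ports`, `router_sources`, `allowed_prefixes`), the port names and the prefix labels are assumptions; the scenario is the deck's: router B on a router port, then an attacker on a host port spoofing B's link-local address to withdraw B, deprecate prefix X and advertise prefix BAD.

```python
"""RA Guard policy check and host-side RA processing (added example)."""
from dataclasses import dataclass


@dataclass
class RA:
    port: str                # switch port the RA arrived on
    src: str                 # IPv6 source (must be link-local)
    router_lifetime: int     # 0 = not a default router
    prefixes: list           # (prefix, preferred_lifetime) pairs
    autoconfig: bool = True


def ra_guard(ra: RA, policy: dict) -> tuple:
    """ACL-based RA Guard: returns (forward?, reason)."""
    if ra.port not in policy["router_ports"]:
        return False, f"RA on host port {ra.port}"
    if not ra.src.startswith("fe80:"):
        return False, "RA source is not link-local"
    if ra.src not in policy["router_sources"]:
        return False, f"unexpected RA source {ra.src}"
    for prefix, _preferred in ra.prefixes:
        if prefix not in policy["allowed_prefixes"]:
            return False, f"prefix {prefix} not allowed"
    return True, "ok"


def apply_ra(host: dict, ra: RA) -> None:
    """Host side (RFC 4861/4862, simplified): default router list and prefix preference."""
    if ra.router_lifetime == 0:
        host["routers"].discard(ra.src)
    else:
        host["routers"].add(ra.src)
    for prefix, preferred in ra.prefixes:
        if preferred == 0:                       # address stays configured but is deprecated
            host["deprecated"].add(prefix)
            host["preferred"].discard(prefix)
        else:
            host["preferred"].add(prefix)
            host["deprecated"].discard(prefix)


def run(ras: list, policy: dict = None) -> tuple:
    """Replay RAs through the (optional) guard into a fresh host; returns (host, verdicts)."""
    host = {"routers": set(), "preferred": set(), "deprecated": set()}
    verdicts = []
    for ra in ras:
        if policy is not None:
            ok, why = ra_guard(ra, policy)
            verdicts.append(why)
            if not ok:
                continue
        apply_ra(host, ra)
    return host, verdicts


# constructed scenario: legitimate router B on Gi1/1, attacker on host port Gi1/7
SCENARIO = [
    RA("Gi1/1", "fe80::b", 1800, [("X::/64", 3600), ("Y::/64", 3600), ("Z::/64", 3600)]),
    RA("Gi1/7", "fe80::b", 0, []),                    # spoofed: withdraw B as default router
    RA("Gi1/7", "fe80::b", 1800, [("X::/64", 0)]),    # spoofed: deprecate prefix X
    RA("Gi1/7", "fe80::b", 1800, [("BAD::/64", 3600)]),   # spoofed: push prefix BAD
]
POLICY = {"router_ports": {"Gi1/1"}, "router_sources": {"fe80::b"},
          "allowed_prefixes": {"X::/64", "Y::/64", "Z::/64"}}


if __name__ == "__main__":
    print("no guard:", run(SCENARIO)[0])
    print("RA Guard:", run(SCENARIO, POLICY))
```

The port check is what stops the attacker here; an attacker plugged into the router port and spoofing the router's link-local and MAC addresses passes an ACL-based guard, which is the case for the learning-based and SeND (challenge-based) criteria on the slide.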
SeND: Cryptographically Generated Addresses (CGA)
The interface identifier is derived from a SHA-1 hash over the CGA Params; the address is Subnet Prefix | Interface Identifier. SeND messages carry the CGA Params and a Signature.
(Figure: the CA provisions the router certificate CR to router R (step 3); host A sends Router Solicitation, router R answers with ROUTER ADVERTISEMENT (SRC = R); steps 4 to 7 of the exchange.)
- Each node takes care of its own security: verifies router legitimacy, verifies address ownership
- Trust anchors (figure): CA -> router, CA -> host
- A chain of trust is easy to establish within the administrative boundaries, but very hard outside
- Very few IPv6 stacks support SeND today
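CGA generation and verification per RFC 3972 as an added example (not from the deck): Hash1 = SHA-1 over modifier, subnet prefix, collision count and public key, truncated to 64 bits, with the top three bits set to Sec and the u/g bits cleared, plus the Hash2 extension for Sec > 0. The public key is a constructed byte string standing in for a DER-encoded RSA key, the prefix is a documentation prefix, and the SeND signature over the message is not covered here.

```python
"""CGA (RFC 3972) interface identifier generation and verification (added example)."""
import hashlib
import ipaddress
import os


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # subnet prefix and collision count are zeroed in the Hash2 input
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 (112 bits) must start with 16*Sec zero bits
    return sec == 0 or int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix: str, pubkey: bytes, sec: int = 0, collision_count: int = 0) -> tuple:
    """Returns (address, params); params = (modifier, prefix_bytes, collision_count, pubkey)."""
    assert 0 <= sec <= 7 and 0 <= collision_count <= 2
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):          # hash extension: brute-force the modifier
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix_bytes, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)                 # bits 0-2 = Sec, bits 6-7 (u, g) = 0
    return str(ipaddress.IPv6Address(prefix_bytes + bytes(iid))), (modifier, prefix_bytes, collision_count, pubkey)


def verify_cga(address: str, params: tuple) -> bool:
    """What a SeND peer does with the CGA Params option: recompute and compare."""
    modifier, prefix_bytes, collision_count, pubkey = params
    packed = ipaddress.IPv6Address(address).packed
    if collision_count > 2 or packed[:8] != prefix_bytes:
        return False
    sec = packed[8] >> 5
    expected = bytearray(_hash1(modifier, prefix_bytes, collision_count, pubkey))
    expected[0] = (sec << 5) | (expected[0] & 0x1C)
    return bytes(expected) == packed[8:] and _hash2_ok(modifier, pubkey, sec)


def demo() -> dict:
    pubkey = b"constructed stand-in for a DER-encoded RSA public key"   # not a real key
    addr, params = generate_cga("2001:db8:1::/64", pubkey, sec=1)
    packed = ipaddress.IPv6Address(addr).packed
    # same interface identifier presented under another prefix (address moved to another link)
    other_prefix = ipaddress.IPv6Network("2001:db8:2::/64").network_address.packed[:8]
    moved = str(ipaddress.IPv6Address(other_prefix + packed[8:]))
    return {"address": addr,
            "valid": verify_cga(addr, params),
            "sec": packed[8] >> 5,
            "ug_zero": (packed[8] & 0x03) == 0,
            "other_key": verify_cga(addr, (params[0], params[1], params[2], b"attacker key")),
            "other_prefix": verify_cga(moved, params)}


if __name__ == "__main__":
    print(demo())
```

Verification needs only the CGA Params, not a certificate, which is the address-ownership half of "each node takes care of its own security"; router legitimacy still needs the certificate chain from the CA.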
(Figure: attacker, FF05::1:3, 2001:db8:3::70; IPv6 multicast address assignments: http://www.iana.org/assignments/ipv6-multicast-addresses/)

Remote prefix scanning (ND cache exhaustion)
Attacker X behind the gateway scans the 2^64 addresses of PFX::/64 (ping PFX::a, PFX::b, ... PFX::z). For each destination the gateway sends an NS:
NS: Dst = solicited-node multicast address of PFX::a, Query = what is PFX::a's link-layer address?
NS: Dst = solicited-node multicast address of PFX::b, Query = what is PFX::b's link-layer address?
NS: Dst = solicited-node multicast address of PFX::z, Query = what is PFX::z's link-layer address?
(figure: 3 seconds history per unresolved entry)
Countermeasures: address provisioning mechanisms and filtering on routers, Destination Guard on switches.
Destination Guard
(Figure: packets from the Internet toward D1 ... Dn, scanning {P/64}; lookup D1 in the binding table built by address glean: not found -> drop; found -> forward packet.)
- Mitigates prefix-scanning attacks and protects the ND cache
- Useful at the last-hop router and the L3 distribution switch
- Drops packets for destinations without a binding entry
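The scanning attack and Destination Guard side by side, as an added example that is not part of the deck: a last-hop router model whose ND cache holds a bounded number of INCOMPLETE entries for the figure's 3 seconds, run against a constructed /64 scan, once without and once with the binding-table lookup in front of address resolution. The cache limit, the timings and the binding set are assumptions chosen so the exhaustion shows in a few lines.

```python
"""Last-hop router ND cache under a /64 scan, with and without Destination Guard (added example)."""
from collections import OrderedDict

ND_CACHE_LIMIT = 8        # assumed: small, so the cache fills within the sample scan
INCOMPLETE_HOLD = 3.0     # seconds an unanswered entry occupies the cache (figure: 3 s history)


class LastHopRouter:
    def __init__(self, bindings: set, destination_guard: bool):
        self.bindings = bindings          # addresses present in the binding table (address glean)
        self.guard = destination_guard
        self.cache = OrderedDict()        # destination -> (state, timestamp)
        self.ns_sent = 0
        self.dropped = 0

    def expire(self, now: float) -> None:
        for dst, (state, created) in list(self.cache.items()):
            if state == "INCOMPLETE" and now - created >= INCOMPLETE_HOLD:
                del self.cache[dst]

    def forward(self, dst: str, now: float) -> str:
        """Fate of one packet for dst: 'forwarded', 'resolving' or 'dropped'."""
        self.expire(now)
        if dst in self.cache and self.cache[dst][0] == "REACHABLE":
            return "forwarded"
        if self.guard and dst not in self.bindings:
            self.dropped += 1              # no binding entry: no NS sent, no cache entry created
            return "dropped"
        if dst not in self.cache:
            if len(self.cache) >= ND_CACHE_LIMIT:
                self.dropped += 1          # cache full: resolution for a new neighbor cannot start
                return "dropped"
            self.cache[dst] = ("INCOMPLETE", now)
            self.ns_sent += 1              # NS to the solicited-node multicast group of dst
        return "resolving"

    def na_received(self, dst: str, now: float) -> None:
        if dst in self.cache:
            self.cache[dst] = ("REACHABLE", now)


def scan(router: LastHopRouter, prefix: str = "PFX::", count: int = 20, start: float = 0.0) -> list:
    """Attacker pings `count` addresses of the prefix inside one hold time."""
    return [router.forward(f"{prefix}{i:x}", start + i * 0.01) for i in range(count)]


def demo(guard: bool) -> dict:
    # constructed: only PFX::a1 and PFX::a3 are real hosts with binding entries
    r = LastHopRouter(bindings={"PFX::a1", "PFX::a3"}, destination_guard=guard)
    scan(r)
    # legitimate traffic to a present host while the scan's entries are still held
    legit = r.forward("PFX::a1", 1.0)
    r.na_received("PFX::a1", 1.1)
    legit_after_na = r.forward("PFX::a1", 1.2)
    return {"ns_sent": r.ns_sent, "dropped": r.dropped, "cache_size": len(r.cache),
            "legit": legit, "legit_after_na": legit_after_na}


if __name__ == "__main__":
    print("no guard:", demo(False))
    print("destination guard:", demo(True))
```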
And more?
- Detect DNS requests for ISATAP
- Detect traffic to the 6to4 anycast server
ERSPAN on Nexus 1000V
- Extends the local SPAN to send packets outside the local host (VEM)
- Can be used to monitor the traffic on the virtual switch remotely
- One or more sources
- IP based destination
- ERSPAN ID provides segmentation
- Permit protocol type header 0x88be for ERSPAN GRE
(Figure: ESXi host with several VMs, VMkernel and NEXUS 1000v; ERSPAN sessions ID:1 and ID:2 carried to the NAM ERSPAN DST; management console.)
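The encapsulation those bullets refer to, as an added example that is not part of the deck or the Nexus 1000V code: a builder and parser for GRE carrying ERSPAN Type II (protocol type 0x88BE, sequence number present) and a demultiplexer that hands decapsulated frames to the collector configured for each ERSPAN ID and drops everything else. The packets and session names are constructed; the header layout follows the Type II format (version 1, VLAN, COS, session ID, port index).

```python
"""GRE/ERSPAN Type II build, parse and per-session demux (added example)."""
import struct

GRE_PROTO_ERSPAN = 0x88BE            # protocol type that must be permitted for ERSPAN GRE
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def build_erspan2(session_id: int, vlan: int, inner_frame: bytes, seq: int = 1) -> bytes:
    """GRE (S bit, sequence) + 8-byte ERSPAN Type II header + mirrored Ethernet frame."""
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN, seq)
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)   # ver=1, cos/en/t=0
    word2 = 0                                                            # reserved + port index
    return gre + struct.pack("!II", word1, word2) + inner_frame


def parse_gre_erspan(pkt: bytes) -> dict:
    """Walk the optional GRE fields, then decode the ERSPAN Type II header."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol type 0x{proto:04x} is not ERSPAN")
    off, seq = 4, None
    if flags & GRE_FLAG_C:
        off += 4                                   # checksum + reserved1
    if flags & GRE_FLAG_K:
        off += 4                                   # key
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    word1, word2 = struct.unpack("!II", pkt[off:off + 8])
    version = word1 >> 28
    if version != 1:
        raise ValueError(f"unsupported ERSPAN version {version}")
    return {"seq": seq, "vlan": (word1 >> 16) & 0xFFF, "cos": (word1 >> 13) & 0x7,
            "session_id": word1 & 0x3FF, "index": word2 & 0xFFFFF, "inner": pkt[off + 8:]}


def demux(packets: list, sessions: dict) -> dict:
    """Deliver inner frames to the collector named for their ERSPAN ID; count the rest as dropped."""
    out = {name: [] for name in sessions.values()}
    out["dropped"] = 0
    for pkt in packets:
        try:
            hdr = parse_gre_erspan(pkt)
        except (ValueError, struct.error):
            out["dropped"] += 1
            continue
        name = sessions.get(hdr["session_id"])
        if name is None:
            out["dropped"] += 1            # ID not configured: segmentation keeps it out
        else:
            out[name].append(hdr["inner"])
    return out


# constructed traffic: two configured sessions, one stray session, one non-ERSPAN GRE packet
CONSTRUCTED = [
    build_erspan2(1, 100, b"frame-from-vm1"),
    build_erspan2(2, 100, b"frame-from-vm2", seq=7),
    build_erspan2(3, 100, b"frame-from-unknown-session"),
    struct.pack("!HH", 0, 0x0800) + b"plain GRE carrying IPv4",
]


def demo() -> dict:
    return demux(CONSTRUCTED, {1: "nam-session-1", 2: "nam-session-2"})


if __name__ == "__main__":
    print(demo())
```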
4. Device Tracking
5. DHCP-guard
6. DAD/Resolution proxy
7. Source-guard (SAVI)
8. Destination-guard
9. DHCP L2 relay

Port ACL dropping RAs on an access port:
  switchport mode access
  ipv6 traffic-filter ACCESS_PORT in
  access-group mode prefer port

RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also dropping all RAs received on this port
  interface FastEthernet3/13
   switchport mode access
   ipv6 nd raguard
   access-group mode prefer port
Phase II
- DHCP Guard
- Source Guard
- Multi Switch operation
- RA Throttler
- NDP Multicast Suppress
Phase III
- Destination Guard
- Prefix Guard
- DAD Proxy
- Binding Table Recovery
- SVI support
Beware of the IPv6 latent threat: Your IPv4-only network may be vulnerable to IPv6 attacks now.
THANK YOU.