CL Adv IPV6 Sec

Advanced IPv6 Security
in the LAN
Eric Levy-Abegnoli, Technical Leader
BRKSEC-3003
Abstract summary and pre-requisite
This session focuses on IPv6 security within the layer-2 domain
With a multi-dimensional approach: operations, vulnerabilities, mitigations and

use-cases
It introduces security features at the First Hop, such RA Guard, Source Guard,
Destination guard, etc
Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery
Making sense out of operations, vulnerabilities, tools

& mitigations
frag6
syn6_flood
thcping6
scan6
fake_router6
Making sense out of YOUR setup
OPERATIONS
ATTACKS
MITIGATIONS
Enterprise
SP Access
Datacenter
Agenda
IPv6 in the layer-2 domain: operations and protocols
IPv6 in the layer-2 domain: vulnerabilities
Example, demo
Mitigating Vulnerabilities
Use Case #1: Enterprise campus network
Use Case #2: Broadband Access network
Use Case #3: Datacenter
Some background on layer-2 & IPv6
Layer-2: what is it?
Layer-2 domain:
also broadcast domain, link, lan, vlan, segment
Nodes:
hosts, routers, switches, access points
Link operations:
operations between nodes on the shared link
Security perimeter:
draws a line between trusted and untrusted devices
First hop:
first trusted device inside the security perimeter
First hop security:
Secures link-operations on First hop
For Your
Reference
Link operations
LINK OPERATIONS
PROTOCOLS
IPv6 RFC
(IPV4)
IPv6
ROUTER DISCOVERY
DHCP
Neighbor Discovery (ND)
RFC4861
PREFIX DISCOVERY
Neighbor Discovery (Hosts)

DHCP-PD (Routers)
RFC3633
PARAMETER DISCOVERY
DHCP
Neighbor Discovery (MTU)

DHCP (DNS server, NTP server, )
RFC4861
ADDRESS ASSIGNMENT
DHCP
Neighbor Discovery (SLACC)

DHCP (Global scope addresses only)
RFC4861, RFC4862
RFC3315
DUPLICATE ADDRESS DETECTION (DAD)
ARP
Neighbor Discovery
RFC4862
ADDRESS RESOLUTION
ARP
Neighbor Discovery
RFC4861
NEIGHBOR UNREACHABILITY DETECTION (NUD)
ARP
Neighbor Discovery
RFC4861
REDIRECTION
ICMP
Neighbor Discovery
RFC4861
Fundamentals On Neighbor Discovery
Provide support for most operations on the link:
Router Discovery
Address Resolution
Address Assignment
Operates above ICMPv6
Relies heavily on (link-local scope) multicast, combined with layer-2 Multicast
Works with few ICMP messages and message options
Router Discovery protocol: discover

Default router, online prefixes
A
ICMP Type = 133 (Router Solicitation)
Source = Host link-local address
Destination = ALL-ROUTERS multicast address (FF02::2)
R
RS
multicast
multicast
RA
RIB ::0/0
LLR
ICMP Type = 134 (Router Advertisement)

Source = Router link-local address LLR
Destination = All-nodes multicast address (FF02::1)
Data = router lifetime, preference=medium,
Option = Prefix X,Y,Z, lifetime
Use R as default gateway
The LINK-LOCAL address is the router identity
10
Router Discovery protocol: select

A
IF1
RA
RIB ::0/0
ADR-DB
IF1
RIB ::0/0
ADR-DB
IF1
LLB
X::A
Y::A
LLC
X::A
Y::A
Z::A
Source = LLB
Data = router lifetime, preference=M
Option = Prefix X,Y, lifetime
RA
Source = LLC
Data = router lifetime, preference=H
Option = Prefix Z, lifetime
Select router based on preference & bild

Addresses after each prefix received
11
Router Discovery protocol: redirect

A
X
C
IF1
RA
RIB
::0/0
ND
LLB
cache
LLB
Source = LLB
Data = router lifetime, preference=M
Option = Prefix X,Y, lifetime, SLLA (MACB)
MACB
Destination X, NH=LLB/MACB
REDIRECT
RIB
::0/0 LLB
X/128 LLC
Source = LLB, Destination = A

Data = Target: LLC, Destination: X
Option = TLLA (MACC)
Destination X, NH=LLC/MACC
12
Address Resolution protocol: resolve

A
B
MAC B
ICMP type = 135 (Neighbor Solicitation)

Source = A, SLLA=MACA
Dst = Solicited-node multicast address of B (SOLB)
target = B
Query = what is Bs Link-Layer Address?
Neighbor
cache
NS-lookup
A
MACA
STALE
Neighbor
cache
INCMPL
NA
B MAC B REACH
ICMP type = 136 (Neighbor Advertisement)

Src = one Bs I/F address , Dst=A
target = B
Option = Target link-layer address (MACB)
data
13
Address Resolution protocol: confirm

A
IF1
MAC B
data
Neighbor
cache
B MAC B STALE

Destination = B, target = B
Query = Are U still there?
NS-NUD
Traffic sent while entry is not yet confirmed
data
NA-NUD
B MAC B REACH

Source = B, Destination = A, target = B
Yes!
14
Address Resolution protocol: update

A
B
MAC B
Neighbor
cache
B MAC B REACH
MAC BB
NA-override unsolicited
B MAC BB REACH

Source = B
Destination = ALL-NODES
target = B
Option = Target link-layer address (MACBB)
15
Address assignment
Several assignment methods:
Static
Stateless Address Auto configuration
Modified EUI-64
Privacy extensions
Cryptographic Generated Address (CGA)
DHCP (only global scope addresses)

Whichever the method, an address MUST be verified for uniqueness with
Duplicate Address Detection (DAD) before it can be used
16
Address assignment
StateLess Address Auto Configuration (DAD success)
A
router
host
EUI-64
CGA
Privacy
RA
Computes HOSTID
Builds A =
HOSTID
DAD A

Options = Prefix X, lifetime
Query = Does anybody use A already?

Source = UNSPEC
Destination = SOL A
target = A
NS-DAD
address A ready to use
17
Address assignment
StateLess Address Auto Configuration (DAD failure)
A
host
EUI-64
CGA
Privacy
host
RA
Computes HOSTID
Builds A =
HOSTID
router

Options = Prefix X, lifetime
DAD A

Source = UNSPEC
Destination = SOL A ,target = A
Address cannot be used
NS-DAD
multicast
NA, target=A
Manual intervention required in most cases
18
Address assignment: DHCP

host
relay
router
server
SOLICIT (ALL_SERVERS_AND_RELAY)
ADVERTISE
REQUEST, option: can I use A
REPLY: Your address is A
Source = UNSPEC
Destination = SOLA, target = A
NS-DAD
LINK-LOCAL addresses cannot be DHCP-assigned

19
Address assignment: DHCP

host
host
relay
router
server
ADVERTISE
REQUEST
REPLY
Source = UNSPEC
Destination = SOLA, target = A
NS-DAD
multicast
NA, target=A
DECLINE
20
Prefix assignment: DHCP-Prefix-Delegation

Home Network
router
relay
server
LLGW
SOLICIT
ADVERTISE
REQUEST-prefix, source-LLGW
RA
Source = link-local address

Option = Prefix P1, lifetime
REPLY-prefix: P1, lifetime
RIB
P1
LLGW
Computes HOSTID
Builds A =
HOSTID
P1
DAD A
Source=A
21
Agenda
Router theft
Address (Identity) theft
DoS attacks
Misdirect attacks
Example, demo
22
Router Theft (and session hijacking!)
23
Router Theft: role (and session hijacking!)

R
RIB
RA
::0/0
Source = LLR, preference=medium
LLR
Session via R
RA
::0/0
Source = LLC, Destination=ALL-NODES,

preference=high
LLC
Session via C
Most frequent issue seen on the link
24
Address Theft
25
Address/Identity Theft (and session hijacking!)

B
ND cache
B
Address resolution flow
MAC B
Session established
(unsolicited) NA
B
MAC C
Source = B
Target = B
Option: SLLA= MACC
Session re-established
26
Router Theft The Return: identity

R
RIB
::0/0
LLR
RA
Source = LLR, SLLA = MACR
ND cache
LLR
MAC R
Session via R / MACR
(unsolicited) NA
LLR
MAC C
Source = R
Target = LLR
Option: SLLA= MACC
Session via R / MACC
27
DoS attacks
denial of Address initialization

denial of Address assignment
denial of Address configuration
denial of Address resolution (one packet)
denial of Address resolution (flood)
denial of link operations (flood)
28
DoS attack: denial of address initialization

host
attacker
RA
Computes A = {P,
HOSTID}

Source = UNSPEC, Destination = SOL A
target = A
its mine !
router
ICMP Type = 134
Options = Prefix P
NS-DAD, target=A
NA, target=A
29
DoS attack: denial of Address assignment

host
attacker
relay
router
server
ADVERTISE
ADVERTISE, preference=255
REQUEST
REPLY, NoAddrsAvail
REPLY, IA=BOGUS
30
DoS
attack: denial of address configuration
Attacker spoofs Router Advertisement with false on-link prefix
Victim generates (topology-bogus) IP address with this prefix
Access router drops outgoing packets from victim (ingress filtering)
Or return path is broken
host
RA
Autoconf BAD::A
and DAD it
attacker
router
Src = Bs link-local address

Dst = All-nodes
Options = prefix BAD
Node A sourcing off-link traffic via B with BAD::A

B filters out BAD::A
OR NOT
31
DoS attack: denial of address resolution

(one packet)
Attacker responds to all Resolution Requests

A
MAC B
NS-lookup

Dst = Solicited-node multicast address of B
target = B
Query = what is Bs Link-Layer Address?
Neighbor
cache
INCMPL
NA
Src = B
Dst = A
Options = TLLA (MACFAKE)
Src = B
Dst = A
Options = TLLA (MACB)
B MAC FAKE REACH

MACFAKE
32
DoS attack: denial of address resolution (Flood)

router
X
PFX::/64
NS
Dst = Multicast SOL PFX::a

Query = Where is PFX::a ?
NS
Dst = Multicast SOL PFX::b

Query = Where is PFX::b ?
NS
Dst = Multicast SOL PFX::z

Query = Where is PFX::z ?
X scanning 2 64 addresses
(ping dest. PFX::a, PFX::b, PFX::z)
Session to A
Max
3
capacity
seconds
history
STOP! reached
Neighbor cache
33
DoS attack: denial of link operations (flood)

A
PFX::/64
Neighbor cache
X claims 2 64 addresses
NS, Src=PFX::1, Dst=SOLR, SLLA = MAC1
NS, Src=PFX::2, Dst=SOLR, SLLA = MAC2
NS, Src=PFX::2 64, Dst=SOLR, SLLA = MACZ
STOP!
PFX::1 MAC1
STALE
PFX::1 MAC1
PFX::2 MAC2
STALE
STALE
PFX::1
PFX::2
PFX::2 64
MAC1
MAC2
MACZ
STALE
STALE
STALE
Src=A, Dst=SOLR, SLLA = MACA
Victim can be any node on the link
34
Misdirecting attacks
35
Misdirecting responses
The attacker use a bogus source: topologically incorrect or unassigned

The destination of attackers traffic is both a victim and an accomplice
The source of attackers traffic is a victim when it exists
The network at large (local or remote) is another victim
Attack can be a flood based DoS, poisoning attack, single packet attack, etc.
36
Router theft
Router Theft Demo: topology

vlan 100
ROUTER
HOST
PEER
SWITCH
VILLAIN
CAT
38
Router theft
More demos on youtube

Demo
Title
link
Router theft & mitigations
Cisco IPv6 Router Advertisement (RA)

Guard Demo
http://www.youtube.com/watch?v=YbDg33vV-0E
Address theft & mitigations
Cisco IPv6 snooping Demo
http://www.youtube.com/watch?v=EjqimySPv7U
DoS attack on ND cache &

mitigation
Cisco IPv6 Destination Guard Demo
http://www.youtube.com/watch?v=QDyqV7u4HSY
Misdirect & mitigation
Cisco IPv6 Source Guard Demo
http://www.youtube.com/watch?v=-vOY0xXLoj0
40
Agenda
Example, demo
Use Case #3: DataCenter
41
The toolbox
Vulnerability
Attack tool
Mitigation
Where
Security level
Deployability
Increase legal router preference

Manual default gateway configuration
SeND Router Authorization
Host isolation (PVLAN)
Port Access Lists (PACL)
RA guard
Static ND cache entry
SeND CGA
Binding Guard (IPv6 snooping)
Binding Guard (IPv6 snooping)
SeND CGA
DHCP guard
DHCP authentication
RA guard
PACL
Binding Guard
Destination Guard
RACL
ND control
Binding Guard control
Source Guard, Prefix Guard
ACL
uRPF
Router
Host
Host
Switch
Switch
Switch
Host
Host
Switch
Switch
Weak
Very Strong
Very Strong
Very Strong
Medium
Medium-Strong
Very Strong
Very Strong
Strong
Strong
Very Strong
Strong
Strong
Medium-Strong
Medium
Medium-Strong
Strong
Medium
Weak
Very Strong
Very Strong
Very Strong
Weak
Low
Medium-Low
Low
Medium
Medium-High
Medium-High
Low
Low
High
High
Medium
High
Low
Medium-High
Medium
Medium-High
Medium
Medium-Low
Low
Very High
Very High
Low
Low
thc, si6,..
Router Role theft
fake_router6
flood_router6
redir6
Router Identity theft/ Address Theft
parasite6
DoS: denial of address initialization
dos-new-IPv6
DoS: denial of address assignment
denial6
fake_advertiser6
DoS: denial of address configuration
thcping6
dos-new-IPv6
DoS: denial of Address Resolution (1pkt)

DoS: denial of Address Resolution (flood)
frag6
scan6
dos-new-IPv6
DoS: denial of Link Operations (flood)
dos-new-IPv6
flood_advertise6
syn6_flood
Misdirecting responses
Switch
Host
Switch
Switch
Switch
Router
Router
Router
Switch
Switch
Router
Router
42
Router Theft mitigation

STOP
43
Router Theft mitigation: Router Authorization

Certificate Authority CA0
Router R
A
Back-end
Provisioning
My certificate is CA0
Your certificate: CERTR, Signed by CA0
ROUTER ADVERTISEMENT, source = LLR ,key = KEYR

Certificate Path Solicit (CPS): I trust CA0, what is your credential?
Certificate Path Advertise (CPA): It is CERTR
Verifies CERTR
against CA0
Insert R as default route
(SEcure Neighbor Discovery, RFC3971)
44
Router Theft mitigation: SeND Deployment

Challenges
ADMINISTRATIVE BOUNDARY
CA
CA
Host
CA
Router
Host
Router
To benefit fully from SeND, nodes must be provisioned with CA certificate

A chain of trust is easy to establish within the administrative boundaries, but very hard outside
It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some
H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)
45
Router Theft mitigation: Host Isolation
Prevent Node-Node Layer-2 communication by using:
Private VLANs (PVLAN) where nodes (isolated port) can only contact
the official router (promiscuous port)
Promiscuous
Port
RA
RA
WLAN in AP Isolation Mode

Isolated Port
one VLAN per host (SP access network with Broadband Network
Gateway)
RA
Link-local multicast (RA, DHCP request, etc) sent only to

the local official router: no harm
RA
But Duplicate Address Detection does not work anymore...

R
A
Breaks DAD, requires DAD-proxy
46
Router Theft Mitigation: RA Guard (RFC 6105)
Port ACL:
blocks all ICMPv6 RA from hosts
RA
interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
RA-guard lite: pre-programmed ACL
Authorized Port
RA
RA-guard:
deep RA packet inspection
ipv6 nd raguard policy HOST

device-role host
ipv6 nd raguard policy ROUTER
device-role router
vlan configuration 100
ipv6 nd raguard attach-policy HOST vlan 100
hop-limit
M & O flag
Router preference
Source
Prefix list
CGA credentials
Port Not
Authorize
d
RA
ipv6 nd raguard
RA
RA
ipv6 nd raguard attach-policy ROUTER
47
Router Theft Here comes fragmentation
Problem
RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
Attackers can exploit that to evade RA guard by pushing ULP header (RA) into second fragment
They can even use overlapping fragments to disguise RA into some other valid message
RFC 3128 is not applicable to IPv6
THC fake_router6 FD implements this attack which bypasses RA Guard
IPv6 hdr HopByHop Routing Fragment1 Destination

IPv6 hdr HopByHop Routing Fragment2 ..Destination ICMP type=134
ICMP header is in 2nd fragment,

RA Guard has no clue where to find it!
Possible solutions
RFC 7112 (First fragment MUST contain entire header chain)

block all fragments sent to ff02::1
- Drop if 1st fragment does not have Upper Layer Protocol header : deny ipv6 any any undetermined-transport
-
How about overlapping fragments? Forbidden: RFC 5722- Use a compliant host stack!
48
General principles on FH command interface
Each FH feature provides a configuration mode to create and populate policies (+

one implicit default policy)
ipv6 nd raguard policy host
device-role host
Each FH feature provides commands to attach policies to targets: box, vlan, port
ipv6 nd raguard attach-policy host
ipv6 snooping
interface e 0/0
ipv6 nd raguard attach-policy router
Packets are processed by the lowest-level matching policy for each feature
Packets received on e0/0 are processed by policy ra-guard router AND policy snooping
default
Packets received on any other port of vlan 100 are processed by policy ra-guard host AND
policy snooping default
For Your
Reference
Configuration examples
Step1: Configure
policies
Step2: Attach policies to target
ipv6 nd raguard policy HOST

device-role host
vlan configuration 100-200

ipv6 nd raguard attach-policy HOST
Vlan
ipv6 nd raguard policy ROUTER

device-role router
ipv6 snooping policy NODE
tracking enable
limit address-count 10
security-level guard
ipv6 snooping policy SERVER
trusted-port
tracking disable
security-level glean
Port
interface Ethernet0/0
ipv6 nd raguard attach-policy ROUTER
vlan configuration 100,101
ipv6 snooping attach-policy NODE
interface Ethernet1/0
ipv6 snooping attach-policy SERVER
50
Upcoming configuration changes

Configure policies
Attach policies to target

Box
IPv4 ip device tracking
ipv6 snooping policy NODE

IPv6
device-tracking policy NODE

Dual
Vlan
Port
ip device tracking maximum nnn

ipv6 snooping attach-policy NODE
device-tracking attach-policy NODE
Configure static entries

ip source binding
IPv4
ipv6 neighbor binding
IPv6
device-tracking binding
Dual
51
Upcoming configuration change - Upgrade

Upgrade command
device-tracking upgrade-cli
Configuration
Before
Configure policy
Attach policy
IPv4
IPv6 ipv6 snooping policy xxx
ip device tracking
ipv6 snooping attach-policy xxx
Configure static
ip source binding
ipv6 neighbor binding
IPv4
IPv6
After
Dual device-tracking policy xxx
device-tracking attach-policy xxx
device-tracking binding
Upgrade command
Exec commands
device-tracking upgrade-cli
Show commands
Clear commands
Before
IPv4 show ip device-tracking

IPv6 show ipv6 neighbor binding
show ipv6 snooping
clear ip device-tracking
clear ipv6 neighbor binding
After
Dual show device-tracking

Clear device tracking database
show ip device=tracking database
52
Address Theft mitigation
STOP
53
Address Theft Mitigation: SeND CGA
1.
Generates pair of RSA keys: Public (KEY) & Private (KEY)
2.
Computes Address: A = PREFIX || hash (KEY)
3.
Sources ND message with A , includes KEY, sign with KEY and include SIGNATURE
Source = A
ND-message
4.
SIGNATUR
E
Extracts A, KEY & SIGNATURE
5.
Verifies A = hash (KEY)
6.
Verifies SIGNATURE against the entire message
KEY
(SEcure Neighbor Discovery, RFC3971)

Has similar deployment issues as Router Authorisation
54
Address Theft mitigation: SeND contd

Extending the 62 bits crypto barrier
-
62 bits is not considered a good protection against brute force
Force delay in the computation to slow down attacker

Generate keys pub and priv
Generate keys pub and priv

hash= SHA-1(pub+pfx)
hash= SHA-1(pub+pfx)
262
attempts
Add tunable delay there!

hash = hash[0..61]
hash = hash[0..61]
hash
=
hash
done
NO
done
55
Address Theft Mitigation: : SeND contd

The real thing
Generate random 16 bytes : mod
Build message = mod || 0 || 0 || key
key: public key in DER format
sec: security level
col: collision count = {0}
Delay is
here!
hash = SHA-1 (message)

bits 016*sec
of hash
0
yes
Increment mod
no
message = mod || prefix || col || key
hash = SHA-1 (message)
no
Increment col
col<2
Compute address =
bytes 0 7 = prefix
bytes 8 15 = hash, bytes 0 7
bits 64 66 = sec
bits 70, 71 = 0 (u and g)
No response
duplicate
yes
Report error
Do
DAD
Start using address
56
Address Theft Mitigation

Binding Guard
Binding table
H1
H2
H3
ADR
MAC
VLAN
IF
Preference
A1
MACH1
100
P1
A21
MACH2
100
P2
A22
MACH2
100
P2
A3
MACH3
100
P3
DHCPserver
DAD NS [target=A1, SMAC=MACH1]

REQUEST [XID, SMAC = MACH2]
REPLY[XID, IPA21, IPA22]

data [IP source=A3, SMAC=MACH3]
DHCP LEASEQUERY
DHCP LEASEQUERY_REPLY
Preference is a function of: configuration, learning method, credential provided

57
Address Theft Mitigation

Binding Guard
host
Binding
table
host
Address glean
Control (NDP, DHCP, )
N
Valid
?
Y
Arbitrate collisions, check ownership

Check against max allowed per box/vlan/port
Record & report changes
Update binding table &

Switch packet
Data
Source
Guard
Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP
preferred over dynamic, not-trusted, not-CGA, SLACC)
For collision with same preference, choose First Come, First Serve or poll old location
58
DoS attacks mitigation
STOP
59
DoS attack mitigation: DHCP Guard

Denial of address assignment
Port ACL:
blocks all DHCPv6 server messages on client-facing ports
ADVERTISE
ipv6 traffic-filter CLIENT_PORT in
DHCP guard: deep DHCP packet inspection

ipv6 nd raguard policy SERVER
device-role server
ipv6 dhcp guard attach-policy CLIENT vlan 100
ipv6 dhcp guard attach-policy SERVER
ADVERTISE
ipv6 dhcp guard policy CLIENT

device-role client
- Source
- Prefix list
- CGA credentials
SOLICIT
DHCPserver
60
DoS attack mitigation: Binding Guard

Denial of address initialization
attacker
host
A
IFA
ICMP DAD-Neighbor Solicitation
Source = UNSPEC, Destination = SOL A
target = A
IFC
NS-DAD, target=A
A
MACA IFA INCPL
its mine !
NA, target=A
61
DoS attack mitigation: RA Guard

Denial of address configuration
host
A
attacker
C
RA
router
B

Dst = All-nodes
Options = prefix BAD
Dst = All-nodes
Options = prefix GOOD
Autoconf GOOD::A
and DAD it
Node A sourcing off-link traffic via B with GOOD::A

62
DoS attack mitigation: Destination Guard

Denial of Address Resolution (flood)
L3 switch
router
host
Internet
Binding table Neighbor cache
Address glean
Scanning {P/64}
Destination = D1 Dn
Lookup D1
NO
found
Forward packet
Mitigate prefix-scanning attacks and Protect ND cache

Useful at last-hop router and L3 distribution switch
Drops packets for destinations without a binding entry
63
DoS attack mitigation: Binding Guard

Denial of link operations
Router
IFA
A
X
PFX::/64
Src=PFX::1, Dst=SOLR, SLLA = MAC1
IFX
Binding table
PFX::1 MAC1 IFX
Neighbor cache
PFX::1 MAC1 STALE

PFX::1 MAC1 IFX
PFX::2 MAC2 IFX
PFX::1 MAC1 STALE

PFX::2 MAC2 STALE
STOP! Max: 2 entries

/port exhausted
Src=A, Dst=SOLR, SLLA = MACA

PFX::1 MAC1 IFX
PFX::2 MAC2 IFX
A
MACA IFA
PFX::1 MAC1 STALE

PFX::2 MAC2 STALE
A
MACA STALE
64
Misdirecting mitigation
65
Misdirecting Mitigation: Source Guard

Binding table
A1
A2
A3
IPv6
MAC
VLAN
IF
A1
MACA1
100
P1
A21
MACA21
100
P2
A22
MACA22
100
P2
Address glean
Allow traffic sourced with known IP/SMAC
Deny traffic sources with unknown IP/SMAC
Tries recovering unknown addresses
P1, data, src= A1, SMAC = MACA1

P2, data src= A21, SMAC = MACA21
66
Misdirecting Mitigation: Source Guard

Binding table
A1
A2
A3
IPv6
MAC
VLAN
IF
A1
MACA1
100
P1
A21
MACA21
100
P2
A22
MACA22
100
P2
A3
MACA3
100
P3
Address glean
DHCP LEASEQUERY
DHCP LEASEQUERY_REPLY
Rate limiting
P3, data src= A3
67
Misdirecting Mitigation: : Prefix Guard

Home
Network
Home
gateway
G1
P1
L2 switch:
- FH security
- DHCP tag
L3 switch:
- FH security
- DHCP relay
Shared
vlan
p1
p2
p3
G2
G3
DHCP server
Prefix MAC
P1
VLAN Port
MACG1 100
Binding table
p1
Prefix NH
P1
LLG1
FIB
DHCP-PD request
DHCP-PD reply: PREFIX=P1
RA [P1]
SLACC
src = P1::iid
src = BAD::iid
68
Agenda
Example, demo
69

Building
DataCenter
WAN
Building
Campus core
Wireless
Building
70

Vulnerabilities
Building
DoS
Misdirect
DataCenter
WAN
Router theft
Address theft
Session hijack
DoS
Misdirect
Building
Campus core
Wireless
Building
Router theft
Address theft
Session hijack
DoS
Misdirect
71

Vulnerabilities mitigations
Building
Access List
DataCenter
WAN
Destination Guard
Building
RA guard/PACL
DHCP guard/PACL
Source guard
ipv6
snooping/Binding
guard
Campus core
IPv6 snooping/trusted
Bindings learnt from trusted

or untrusted access and
from untrusted trunk
Wireless
Building
RA guard/PACL
DHCP guard/PACL
Source guard
ipv6
snooping/Binding
guard
RA throlling
AR proxying
DAD filtering
72
DSL router
ATM
DSLAM
SWITCHES
BRAS/BNG
Firewall
ISP
Internet
DSL router
Enterprise
Ethernet SWITCHES
Ethernet Bridge
CMTS
Provisioning services
DOCSIS 3.0
Cable router
73

Vulnerabilities
Misdirect
Router theft
Address (Next-Hop) theft
Session hijack
DoS
Misdirect
ND Cache poisoning for

session hijacking
Rogue RA for session
hijacking
ATM
DSL router
DSLAM
SWITCHES
BRAS/BNG
Firewall
ISP
Internet
Enterprise
Ethernet SWITCHES
Ethernet Bridge
CMTS
DOCSIS 3.0
Cable router
74

* DAD-proxy
Secure box
PVLAN*
DSL router
ATM
DSLAM
SWITCHES
BRAS/BNG
Ipv6 snooping/Binding guard

Prefix guard (prefix-delegation)
DHCP guard
Firewall
ISP
Internet
DSL router
Enterprise
Ethernet SWITCHES
Ethernet Bridge
CMTS
DOCSIS 3.0
Cable router
75

WAN
Core
Transitioning services
L3
L2
Firewall
Load balancing
Aggregation
Access
VEM
VEM
VM VM VM VM
1 2 3 4
VM VM VM VM
1 2 3 4
Servers
76

Vulnerabilities
DoS
Misdirect
WAN
Core
Transitioning services
L3
L2
Firewall
Load balancing
Router theft
Address theft
Session hijack
DoS
Misdirect
Aggregation
Access
VEM
VEM
VM VM VM VM
3 4
1 2
VM VM VM VM
1 2 3 4
Servers
77

Core
WAN
Transitioning
services
Core
Load
balancin
g
Access List
PVLAN
L3
L2
RA guard/PACL
Aggregation
Access
Servers
DHCP guard/PACL
Source guard
ipv6 snooping/Binding guard
Aggregation
Access
VEM
VEM
VM VM VM VM
3 4
1 2
VM VM VM VM
1 2 3 4
Servers
78
For Your
Reference
IPv6 First Hop Security Platform Support

Catalyst
3850
15.2(4)S
15.0(1)EX
7.2
15.2(4)S
15.0(1)EX
7.2
15.2(4)S
15.0(1)EX
7.2
Catalyst 6500
Series
Catalyst
4500 Series
Catalyst
2K/3K Series
RA Guard
15.0(1)SY
15.1(2)SG
15.0.(2)SE
IPv6 Snooping
15.0(1)SY1
15.1(2)SG
15.0.(2)SE
DHCPv6 Guard
15.2(1)SY
15.1(2)SG
15.0.(2)SE
Source/Prefix
Guard
15.2(1)SY
15.2(1)E
15.0.(2)SE2
XE 3.9.0S
15.3(1)S
Destination Guard
15.2(1)SY
15.1(2)SG
15.2(1)E
XE 3.9.0S
15.2(4)S
RA Throttler
15.2(1)SY
15.2(1)E
15.2(1)E
ND Multicast
Suppress
15.2(1)SY
15.1(2)SG
15.2(1)E
Feature/Platform
ASR1000
Router
Wireless
LAN
Controller
(Flex 7500,
XE 3.9.0S
XE 3.9.0S
7600 Router
5508, 2500,
WISM-2)
7.2
Nexus
3k/5k/6k/7k/
9k
NX-OS 7.3
NX-OS 7.3
NX-OS 7.3
NX-OS 7.3
NX-OS 7.3
15.0(1)EX
7.2
15.0(1)EX
7.2
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release
Available Now
Not Available
Roadmap
79
Key Take Away
At first glance, nothing really new in IPv6, but devil in the the details
Deploy FHS IF you have deployed dynamic ARP inspection, DHCP snooping and IP
Source Guard. Attacks on IPv6 NDP are similar in causes and damages
At minimum, deploy protection against rogue routers
Lack of operation experience may hinder security for a while: training is required
Security enforcement is possible
Control your IPv6 traffic as you do for IPv4
Experiment with IPv6 here at Cisco Live!
Recommended Reading
For reading material and further resources for this session, please
visit www.pearson-books.com/CLMilan2014
Complete Your Online Session Evaluation
Give us your feedback to be

entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
Complete your session surveys

though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Dont forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Related sessions
Thank you

CL Adv IPV6 Sec

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CL Adv IPV6 Sec

Uploaded by

Copyright:

Available Formats

Advanced IPv6 Security

Abstract summary and pre-requisite

This session focuses on IPv6 security within the layer-2 domain

With a multi-dimensional approach: operations, vulnerabilities, mitigations and

Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery

Making sense out of operations, vulnerabilities, tools

Making sense out of YOUR setup

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Use Case #1: Enterprise campus network

Use Case #2: Broadband Access network

Use Case #3: Datacenter

Some background on layer-2 & IPv6

Layer-2: what is it?

also broadcast domain, link, lan, vlan, segment

hosts, routers, switches, access points

operations between nodes on the shared link

draws a line between trusted and untrusted devices

first trusted device inside the security perimeter

First hop security:

Secures link-operations on First hop

Neighbor Discovery (ND)

Neighbor Discovery (Hosts)

Neighbor Discovery (MTU)

Neighbor Discovery (SLACC)

DUPLICATE ADDRESS DETECTION (DAD)

NEIGHBOR UNREACHABILITY DETECTION (NUD)

Fundamentals On Neighbor Discovery

Provide support for most operations on the link:

Operates above ICMPv6

Relies heavily on (link-local scope) multicast, combined with layer-2 Multicast

Works with few ICMP messages and message options

Router Discovery protocol: discover

ICMP Type = 134 (Router Advertisement)

The LINK-LOCAL address is the router identity

Router Discovery protocol: select

Select router based on preference & bild

Router Discovery protocol: redirect

Source = LLB, Destination = A

Address Resolution protocol: resolve

ICMP type = 135 (Neighbor Solicitation)

ICMP type = 136 (Neighbor Advertisement)

Address Resolution protocol: confirm

ICMP type = 135 (Neighbor Solicitation)

ICMP type = 136 (Neighbor Advertisement)

Address Resolution protocol: update

ICMP type = 136 (Neighbor Advertisement)

Stateless Address Auto configuration

DHCP (only global scope addresses)

ICMP Type = 134 (Router Advertisement)

Query = Does anybody use A already?

address A ready to use

ICMP Type = 134 (Router Advertisement)

ICMP type = 135 (Neighbor Solicitation)

Manual intervention required in most cases

Address assignment: DHCP

LINK-LOCAL addresses cannot be DHCP-assigned

Address assignment: DHCP

Prefix assignment: DHCP-Prefix-Delegation

Source = link-local address

REPLY-prefix: P1, lifetime

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Router Theft (and session hijacking!)