Sie sind auf Seite 1von 85

Advanced IPv6 Security

in the LAN
Eric Levy-Abegnoli, Technical Leader
BRKSEC-3003

Abstract summary and pre-requisite

This session focuses on IPv6 security within the layer-2 domain

With a multi-dimensional approach: operations, vulnerabilities, mitigations and


use-cases

It introduces security features at the First Hop, such RA Guard, Source Guard,
Destination guard, etc

Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery

Making sense out of operations, vulnerabilities, tools


& mitigations

frag6
syn6_flood

thcping6

scan6

fake_router6

Making sense out of YOUR setup

OPERATIONS

ATTACKS

MITIGATIONS

Enterprise
SP Access
Datacenter

Agenda

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Example, demo

Mitigating Vulnerabilities

Use Case #1: Enterprise campus network

Use Case #2: Broadband Access network

Use Case #3: Datacenter

Some background on layer-2 & IPv6

Layer-2: what is it?

Layer-2 domain:

also broadcast domain, link, lan, vlan, segment

Nodes:

hosts, routers, switches, access points

Link operations:

operations between nodes on the shared link

Security perimeter:

draws a line between trusted and untrusted devices

First hop:

first trusted device inside the security perimeter

First hop security:

Secures link-operations on First hop

For Your
Reference

Link operations
LINK OPERATIONS

PROTOCOLS

IPv6 RFC

(IPV4)

IPv6

ROUTER DISCOVERY

DHCP

Neighbor Discovery (ND)

RFC4861

PREFIX DISCOVERY

Neighbor Discovery (Hosts)


DHCP-PD (Routers)

RFC3633

PARAMETER DISCOVERY

DHCP

Neighbor Discovery (MTU)


DHCP (DNS server, NTP server, )

RFC4861

ADDRESS ASSIGNMENT

DHCP

Neighbor Discovery (SLACC)


DHCP (Global scope addresses only)

RFC4861, RFC4862
RFC3315

DUPLICATE ADDRESS DETECTION (DAD)

ARP

Neighbor Discovery

RFC4862

ADDRESS RESOLUTION

ARP

Neighbor Discovery

RFC4861

NEIGHBOR UNREACHABILITY DETECTION (NUD)

ARP

Neighbor Discovery

RFC4861

REDIRECTION

ICMP

Neighbor Discovery

RFC4861

Fundamentals On Neighbor Discovery

Provide support for most operations on the link:

Router Discovery
Address Resolution
Address Assignment

Operates above ICMPv6

Relies heavily on (link-local scope) multicast, combined with layer-2 Multicast

Works with few ICMP messages and message options

Router Discovery protocol: discover


Default router, online prefixes
A
ICMP Type = 133 (Router Solicitation)
Source = Host link-local address
Destination = ALL-ROUTERS multicast address (FF02::2)

R
RS
multicast

multicast

RA
RIB ::0/0

LLR

ICMP Type = 134 (Router Advertisement)


Source = Router link-local address LLR
Destination = All-nodes multicast address (FF02::1)
Data = router lifetime, preference=medium,
Option = Prefix X,Y,Z, lifetime
Use R as default gateway

The LINK-LOCAL address is the router identity

10

Router Discovery protocol: select


A

IF1

RA
RIB ::0/0
ADR-DB

IF1

RIB ::0/0
ADR-DB

IF1

LLB
X::A
Y::A

LLC
X::A
Y::A
Z::A

Source = LLB
Data = router lifetime, preference=M
Option = Prefix X,Y, lifetime

RA

Source = LLC
Data = router lifetime, preference=H
Option = Prefix Z, lifetime

Select router based on preference & bild


Addresses after each prefix received

11

Router Discovery protocol: redirect


A

X
C

IF1

RA
RIB

::0/0

ND
LLB
cache

LLB

Source = LLB
Data = router lifetime, preference=M
Option = Prefix X,Y, lifetime, SLLA (MACB)

MACB
Destination X, NH=LLB/MACB

REDIRECT

RIB
::0/0 LLB
X/128 LLC

Source = LLB, Destination = A


Data = Target: LLC, Destination: X
Option = TLLA (MACC)

Destination X, NH=LLC/MACC

12

Address Resolution protocol: resolve


A

B
MAC B

ICMP type = 135 (Neighbor Solicitation)


Source = A, SLLA=MACA
Dst = Solicited-node multicast address of B (SOLB)
target = B
Query = what is Bs Link-Layer Address?

Neighbor
cache

NS-lookup
A

MACA

STALE

Neighbor
cache

INCMPL

NA
B MAC B REACH

ICMP type = 136 (Neighbor Advertisement)


Src = one Bs I/F address , Dst=A
target = B
Option = Target link-layer address (MACB)

data
13

Address Resolution protocol: confirm


A

IF1

MAC B

data

Neighbor
cache

B MAC B STALE

ICMP type = 135 (Neighbor Solicitation)


Destination = B, target = B
Query = Are U still there?

NS-NUD
Traffic sent while entry is not yet confirmed
data

NA-NUD
B MAC B REACH

ICMP type = 136 (Neighbor Advertisement)


Source = B, Destination = A, target = B
Yes!

14

Address Resolution protocol: update


A

B
MAC B

Neighbor
cache

B MAC B REACH
MAC BB

NA-override unsolicited
B MAC BB REACH

ICMP type = 136 (Neighbor Advertisement)


Source = B
Destination = ALL-NODES
target = B
Option = Target link-layer address (MACBB)

15

Address assignment
Several assignment methods:

Static

Stateless Address Auto configuration

Modified EUI-64
Privacy extensions
Cryptographic Generated Address (CGA)

DHCP (only global scope addresses)


Whichever the method, an address MUST be verified for uniqueness with
Duplicate Address Detection (DAD) before it can be used

16

Address assignment
StateLess Address Auto Configuration (DAD success)
A

router

host

EUI-64
CGA
Privacy

RA

Computes HOSTID
Builds A =

HOSTID

DAD A

ICMP Type = 134 (Router Advertisement)


Destination = ALL-NODES
Options = Prefix X, lifetime

Query = Does anybody use A already?


ICMP type = 135 (Neighbor Solicitation)
Source = UNSPEC
Destination = SOL A
target = A

NS-DAD

address A ready to use

17

Address assignment
StateLess Address Auto Configuration (DAD failure)
A

host

EUI-64
CGA
Privacy

host

RA

Computes HOSTID
Builds A =

HOSTID

router

ICMP Type = 134 (Router Advertisement)


Destination = ALL-NODES
Options = Prefix X, lifetime

DAD A

ICMP type = 135 (Neighbor Solicitation)


Source = UNSPEC
Destination = SOL A ,target = A
Address cannot be used

NS-DAD
multicast

NA, target=A

Manual intervention required in most cases

18

Address assignment: DHCP


host

relay

router

server

SOLICIT (ALL_SERVERS_AND_RELAY)
ADVERTISE
REQUEST, option: can I use A
REPLY: Your address is A
ICMP type = 135 (Neighbor Solicitation)
Source = UNSPEC
Destination = SOLA, target = A
Query = Does anybody use A already?

NS-DAD

LINK-LOCAL addresses cannot be DHCP-assigned


address A ready to use

19

Address assignment: DHCP


host

host

relay

router

server

SOLICIT (ALL_SERVERS_AND_RELAY)
ADVERTISE
REQUEST
REPLY
ICMP type = 135 (Neighbor Solicitation)
Source = UNSPEC
Destination = SOLA, target = A
Query = Does anybody use A already?

NS-DAD
multicast

NA, target=A
DECLINE
Address cannot be used

20

Prefix assignment: DHCP-Prefix-Delegation


Home Network

router

relay

server

LLGW
SOLICIT
ADVERTISE
REQUEST-prefix, source-LLGW

RA

Source = link-local address


Destination = ALL-NODES
Option = Prefix P1, lifetime

REPLY-prefix: P1, lifetime

RIB
P1

LLGW

Computes HOSTID
Builds A =
HOSTID
P1
DAD A
Source=A

21

Agenda

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Router theft
Address (Identity) theft
DoS attacks
Misdirect attacks

Example, demo

22

Router Theft (and session hijacking!)

23

Router Theft: role (and session hijacking!)


R

RIB
RA
::0/0

Source = LLR, preference=medium

LLR

Session via R

RA
::0/0

Source = LLC, Destination=ALL-NODES,


preference=high

LLC
Session via C

Most frequent issue seen on the link

24

Address Theft

25

Address/Identity Theft (and session hijacking!)


B

ND cache
B

Address resolution flow

MAC B
Session established

(unsolicited) NA
B

MAC C

Source = B
Destination = ALL-NODES
Target = B
Option: SLLA= MACC

Session re-established

26

Router Theft The Return: identity


R

RIB
::0/0

LLR

RA

Source = LLR, SLLA = MACR

ND cache
LLR

MAC R
Session via R / MACR

(unsolicited) NA
LLR

MAC C

Source = R
Destination = ALL-NODES
Target = LLR
Option: SLLA= MACC

Session via R / MACC

27

DoS attacks

denial of Address initialization


denial of Address assignment
denial of Address configuration
denial of Address resolution (one packet)
denial of Address resolution (flood)
denial of link operations (flood)

28

DoS attack: denial of address initialization


host

attacker
RA

Computes A = {P,
HOSTID}

ICMP type = 135 (Neighbor Solicitation)


Source = UNSPEC, Destination = SOL A
target = A
Query = Does anybody use A already?

its mine !

router
ICMP Type = 134
Destination = ALL-NODES
Options = Prefix P

NS-DAD, target=A

NA, target=A

Address cannot be used

29

DoS attack: denial of Address assignment


host

attacker

relay

router

server

SOLICIT (ALL_SERVERS_AND_RELAY)
ADVERTISE
ADVERTISE, preference=255

REQUEST
REPLY, NoAddrsAvail

REPLY, IA=BOGUS

30

DoS
attack: denial of address configuration
Attacker spoofs Router Advertisement with false on-link prefix
Victim generates (topology-bogus) IP address with this prefix
Access router drops outgoing packets from victim (ingress filtering)
Or return path is broken

host

RA
Autoconf BAD::A
and DAD it

attacker

router

Src = Bs link-local address


Dst = All-nodes
Options = prefix BAD

Node A sourcing off-link traffic via B with BAD::A


B filters out BAD::A

OR NOT
31

DoS attack: denial of address resolution


(one packet)

Attacker responds to all Resolution Requests


A

MAC B

NS-lookup

ICMP type = 135 (Neighbor Solicitation)


Dst = Solicited-node multicast address of B
target = B
Query = what is Bs Link-Layer Address?

Neighbor
cache

INCMPL

NA

Src = B
Dst = A
Options = TLLA (MACFAKE)

Src = B
Dst = A
Options = TLLA (MACB)

B MAC FAKE REACH


MACFAKE

32

DoS attack: denial of address resolution (Flood)


router
X

PFX::/64
NS

Dst = Multicast SOL PFX::a


Query = Where is PFX::a ?

NS

Dst = Multicast SOL PFX::b


Query = Where is PFX::b ?

NS

Dst = Multicast SOL PFX::z


Query = Where is PFX::z ?

X scanning 2 64 addresses
(ping dest. PFX::a, PFX::b, PFX::z)
Session to A

Max
3
capacity
seconds
history
STOP! reached

Neighbor cache

33

DoS attack: denial of link operations (flood)


A

PFX::/64

Neighbor cache

X claims 2 64 addresses
NS, Src=PFX::1, Dst=SOLR, SLLA = MAC1
NS, Src=PFX::2, Dst=SOLR, SLLA = MAC2
NS, Src=PFX::2 64, Dst=SOLR, SLLA = MACZ

STOP!

PFX::1 MAC1

STALE

PFX::1 MAC1
PFX::2 MAC2

STALE
STALE

PFX::1
PFX::2

PFX::2 64

MAC1
MAC2

MACZ

STALE
STALE

STALE

Src=A, Dst=SOLR, SLLA = MACA

Victim can be any node on the link

34

Misdirecting attacks

35

Misdirecting responses

The attacker use a bogus source: topologically incorrect or unassigned


The destination of attackers traffic is both a victim and an accomplice
The source of attackers traffic is a victim when it exists
The network at large (local or remote) is another victim
Attack can be a flood based DoS, poisoning attack, single packet attack, etc.
36

Router theft

Router Theft Demo: topology


vlan 100
ROUTER

HOST

PEER

SWITCH
VILLAIN

CAT

38

Router theft

More demos on youtube


Demo

Title

link

Router theft & mitigations

Cisco IPv6 Router Advertisement (RA)


Guard Demo

http://www.youtube.com/watch?v=YbDg33vV-0E

Address theft & mitigations

Cisco IPv6 snooping Demo

http://www.youtube.com/watch?v=EjqimySPv7U

DoS attack on ND cache &


mitigation

Cisco IPv6 Destination Guard Demo

http://www.youtube.com/watch?v=QDyqV7u4HSY

Misdirect & mitigation

Cisco IPv6 Source Guard Demo

http://www.youtube.com/watch?v=-vOY0xXLoj0

40

Agenda

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Example, demo

Mitigating Vulnerabilities

Use Case #1: Enterprise campus network

Use Case #2: Broadband Access network

Use Case #3: DataCenter

41

The toolbox
Vulnerability

Attack tool

Mitigation

Where

Security level

Deployability

Increase legal router preference


Manual default gateway configuration
SeND Router Authorization
Host isolation (PVLAN)
Port Access Lists (PACL)
RA guard
Static ND cache entry
SeND CGA
Binding Guard (IPv6 snooping)
Binding Guard (IPv6 snooping)
SeND CGA
DHCP guard
DHCP authentication
RA guard
PACL
Binding Guard
Destination Guard
RACL
ND control
Binding Guard control
Source Guard, Prefix Guard
ACL
uRPF

Router
Host
Host
Switch
Switch
Switch
Host
Host
Switch
Switch

Weak
Very Strong
Very Strong
Very Strong
Medium
Medium-Strong
Very Strong
Very Strong
Strong
Strong
Very Strong
Strong
Strong
Medium-Strong
Medium
Medium-Strong
Strong
Medium
Weak
Very Strong
Very Strong
Very Strong
Weak

Low
Medium-Low
Low
Medium
Medium-High
Medium-High
Low
Low
High
High
Medium
High
Low
Medium-High
Medium
Medium-High
Medium
Medium-Low
Low
Very High
Very High
Low
Low

thc, si6,..
Router Role theft

fake_router6
flood_router6
redir6

Router Identity theft/ Address Theft

parasite6

DoS: denial of address initialization

dos-new-IPv6

DoS: denial of address assignment

denial6
fake_advertiser6

DoS: denial of address configuration

thcping6
dos-new-IPv6

DoS: denial of Address Resolution (1pkt)


DoS: denial of Address Resolution (flood)

frag6
scan6
dos-new-IPv6

DoS: denial of Link Operations (flood)

dos-new-IPv6
flood_advertise6
syn6_flood

Misdirecting responses

Switch
Host
Switch
Switch
Switch
Router
Router
Router
Switch
Switch
Router
Router

42

Router Theft mitigation


STOP

43

Router Theft mitigation: Router Authorization


Certificate Authority CA0

Router R

A
Back-end
Provisioning
My certificate is CA0

Your certificate: CERTR, Signed by CA0

ROUTER ADVERTISEMENT, source = LLR ,key = KEYR


Certificate Path Solicit (CPS): I trust CA0, what is your credential?
Certificate Path Advertise (CPA): It is CERTR

Verifies CERTR
against CA0
Insert R as default route

(SEcure Neighbor Discovery, RFC3971)

44

Router Theft mitigation: SeND Deployment


Challenges
ADMINISTRATIVE BOUNDARY

CA

CA

Host

CA

Router

Host

Router

To benefit fully from SeND, nodes must be provisioned with CA certificate


A chain of trust is easy to establish within the administrative boundaries, but very hard outside
It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some
H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)

45

Router Theft mitigation: Host Isolation

Prevent Node-Node Layer-2 communication by using:

Private VLANs (PVLAN) where nodes (isolated port) can only contact
the official router (promiscuous port)

Promiscuous
Port

RA

RA

WLAN in AP Isolation Mode


Isolated Port

one VLAN per host (SP access network with Broadband Network
Gateway)
RA

Link-local multicast (RA, DHCP request, etc) sent only to


the local official router: no harm

RA

But Duplicate Address Detection does not work anymore...


R
A

Breaks DAD, requires DAD-proxy

46

Router Theft Mitigation: RA Guard (RFC 6105)

Port ACL:

blocks all ICMPv6 RA from hosts

RA

interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port

RA-guard lite: pre-programmed ACL

Authorized Port

RA

RA-guard:

deep RA packet inspection

ipv6 nd raguard policy HOST


device-role host
ipv6 nd raguard policy ROUTER
device-role router
vlan configuration 100
ipv6 nd raguard attach-policy HOST vlan 100

hop-limit
M & O flag
Router preference
Source
Prefix list
CGA credentials

Port Not
Authorize
d

RA

interface FastEthernet0/2
ipv6 nd raguard
access-group mode prefer port

RA

RA

interface FastEthernet0/0
ipv6 nd raguard attach-policy ROUTER

47

Router Theft Here comes fragmentation

Problem

RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
Attackers can exploit that to evade RA guard by pushing ULP header (RA) into second fragment
They can even use overlapping fragments to disguise RA into some other valid message
RFC 3128 is not applicable to IPv6
THC fake_router6 FD implements this attack which bypasses RA Guard

IPv6 hdr HopByHop Routing Fragment1 Destination


IPv6 hdr HopByHop Routing Fragment2 ..Destination ICMP type=134

ICMP header is in 2nd fragment,


RA Guard has no clue where to find it!

Possible solutions

RFC 7112 (First fragment MUST contain entire header chain)


block all fragments sent to ff02::1
- Drop if 1st fragment does not have Upper Layer Protocol header : deny ipv6 any any undetermined-transport
-

How about overlapping fragments? Forbidden: RFC 5722- Use a compliant host stack!

48

General principles on FH command interface

Each FH feature provides a configuration mode to create and populate policies (+


one implicit default policy)
ipv6 nd raguard policy host
device-role host

Each FH feature provides commands to attach policies to targets: box, vlan, port
vlan configuration 100
ipv6 nd raguard attach-policy host

ipv6 snooping
interface e 0/0
ipv6 nd raguard attach-policy router

Packets are processed by the lowest-level matching policy for each feature

Packets received on e0/0 are processed by policy ra-guard router AND policy snooping
default

Packets received on any other port of vlan 100 are processed by policy ra-guard host AND
policy snooping default

For Your
Reference

Configuration examples
Step1: Configure
policies

Step2: Attach policies to target

ipv6 nd raguard policy HOST


device-role host

vlan configuration 100-200


ipv6 nd raguard attach-policy HOST

Vlan

ipv6 nd raguard policy ROUTER


device-role router
ipv6 snooping policy NODE
tracking enable
limit address-count 10
security-level guard
ipv6 snooping policy SERVER
trusted-port
tracking disable
security-level glean

Port

interface Ethernet0/0
ipv6 nd raguard attach-policy ROUTER
vlan configuration 100,101
ipv6 snooping attach-policy NODE

interface Ethernet1/0
ipv6 snooping attach-policy SERVER

50

Upcoming configuration changes


Configure policies

Attach policies to target


Box

IPv4 ip device tracking

ipv6 snooping policy NODE


limit address-count 10

IPv6

device-tracking policy NODE


limit address-count 10

Dual

Vlan

Port

ip device tracking maximum nnn


ipv6 snooping attach-policy NODE

device-tracking attach-policy NODE

Configure static entries


ip source binding

IPv4

ipv6 neighbor binding

IPv6

device-tracking binding

Dual

51

Upcoming configuration change - Upgrade


Upgrade command
device-tracking upgrade-cli

Configuration
Before

Configure policy

Attach policy

IPv4
IPv6 ipv6 snooping policy xxx

ip device tracking
ipv6 snooping attach-policy xxx
Configure static
ip source binding
ipv6 neighbor binding

IPv4
IPv6
After

Dual device-tracking policy xxx

device-tracking attach-policy xxx

device-tracking binding

Upgrade command

Exec commands

device-tracking upgrade-cli

Show commands

Clear commands

Before

IPv4 show ip device-tracking


IPv6 show ipv6 neighbor binding
show ipv6 snooping

clear ip device-tracking
clear ipv6 neighbor binding

After

Dual show device-tracking


Clear device tracking database
show ip device=tracking database

52

Address Theft mitigation

STOP

53

Address Theft Mitigation: SeND CGA

1.

Generates pair of RSA keys: Public (KEY) & Private (KEY)

2.

Computes Address: A = PREFIX || hash (KEY)

3.

Sources ND message with A , includes KEY, sign with KEY and include SIGNATURE
Source = A

ND-message

4.

SIGNATUR
E
Extracts A, KEY & SIGNATURE

5.

Verifies A = hash (KEY)

6.

Verifies SIGNATURE against the entire message

KEY

(SEcure Neighbor Discovery, RFC3971)


Has similar deployment issues as Router Authorisation

54

Address Theft mitigation: SeND contd


Extending the 62 bits crypto barrier
-

62 bits is not considered a good protection against brute force

Force delay in the computation to slow down attacker


Generate keys pub and priv

Generate keys pub and priv


hash= SHA-1(pub+pfx)

hash= SHA-1(pub+pfx)

262
attempts

Add tunable delay there!


hash = hash[0..61]

hash = hash[0..61]
hash
=
hash

done

NO

done
55

Address Theft Mitigation: : SeND contd


The real thing
Generate random 16 bytes : mod
Build message = mod || 0 || 0 || key
key: public key in DER format
sec: security level
col: collision count = {0}

Delay is
here!

hash = SHA-1 (message)


bits 016*sec
of hash
0

yes
Increment mod

no
message = mod || prefix || col || key
hash = SHA-1 (message)

no
Increment col

col<2

Compute address =
bytes 0 7 = prefix
bytes 8 15 = hash, bytes 0 7
bits 64 66 = sec
bits 70, 71 = 0 (u and g)
No response

duplicate
yes
Report error

Do
DAD
Start using address
56

Address Theft Mitigation


Binding Guard
Binding table
H1

H2

H3

ADR

MAC

VLAN

IF

Preference

A1

MACH1

100

P1

A21

MACH2

100

P2

A22

MACH2

100

P2

A3

MACH3

100

P3

DHCPserver

DAD NS [target=A1, SMAC=MACH1]


REQUEST [XID, SMAC = MACH2]

REPLY[XID, IPA21, IPA22]


data [IP source=A3, SMAC=MACH3]
DHCP LEASEQUERY
DHCP LEASEQUERY_REPLY

Preference is a function of: configuration, learning method, credential provided


57

Address Theft Mitigation


Binding Guard
host

Binding
table

host

Address glean
Control (NDP, DHCP, )
N

Valid
?
Y

Arbitrate collisions, check ownership


Check against max allowed per box/vlan/port
Record & report changes

Update binding table &


Switch packet
Data

Source
Guard

Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP
preferred over dynamic, not-trusted, not-CGA, SLACC)
For collision with same preference, choose First Come, First Serve or poll old location
58

DoS attacks mitigation

STOP

59

DoS attack mitigation: DHCP Guard


Denial of address assignment
Port ACL:

blocks all DHCPv6 server messages on client-facing ports

ADVERTISE

interface FastEthernet0/2
ipv6 traffic-filter CLIENT_PORT in
access-group mode prefer port

DHCP guard: deep DHCP packet inspection


ipv6 nd raguard policy SERVER
device-role server
vlan configuration 100
ipv6 dhcp guard attach-policy CLIENT vlan 100
interface FastEthernet0/0
ipv6 dhcp guard attach-policy SERVER

ADVERTISE

ipv6 dhcp guard policy CLIENT


device-role client

- Source
- Prefix list
- CGA credentials
SOLICIT

DHCPserver

60

DoS attack mitigation: Binding Guard


Denial of address initialization
attacker

host

A
IFA
ICMP DAD-Neighbor Solicitation
Source = UNSPEC, Destination = SOL A
target = A
Query = Does anybody use A already?

IFC

NS-DAD, target=A
A

MACA IFA INCPL

its mine !
NA, target=A
address A ready to use

61

DoS attack mitigation: RA Guard


Denial of address configuration
host
A

attacker
C

RA

router
B

Src = Bs link-local address


Dst = All-nodes
Options = prefix BAD
Src = Bs link-local address
Dst = All-nodes
Options = prefix GOOD

Autoconf GOOD::A
and DAD it

Node A sourcing off-link traffic via B with GOOD::A


62

DoS attack mitigation: Destination Guard


Denial of Address Resolution (flood)
L3 switch

router

host

Internet

Binding table Neighbor cache

Address glean

Scanning {P/64}
Destination = D1 Dn

Lookup D1
NO

found

Forward packet

Mitigate prefix-scanning attacks and Protect ND cache


Useful at last-hop router and L3 distribution switch
Drops packets for destinations without a binding entry
63

DoS attack mitigation: Binding Guard


Denial of link operations
Router

IFA

A
X

PFX::/64

Src=PFX::1, Dst=SOLR, SLLA = MAC1

IFX
Binding table
PFX::1 MAC1 IFX

Neighbor cache
PFX::1 MAC1 STALE

Src=PFX::2, Dst=SOLR, SLLA = MAC2


PFX::1 MAC1 IFX
PFX::2 MAC2 IFX

Src=PFX::3, Dst=SOLR, SLLA = MAC3

PFX::1 MAC1 STALE


PFX::2 MAC2 STALE

STOP! Max: 2 entries


/port exhausted

Src=A, Dst=SOLR, SLLA = MACA


PFX::1 MAC1 IFX
PFX::2 MAC2 IFX
A
MACA IFA

PFX::1 MAC1 STALE


PFX::2 MAC2 STALE
A
MACA STALE

64

Misdirecting mitigation

65

Misdirecting Mitigation: Source Guard


Binding table

A1

A2

A3

IPv6

MAC

VLAN

IF

A1

MACA1

100

P1

A21

MACA21

100

P2

A22

MACA22

100

P2

Address glean
Allow traffic sourced with known IP/SMAC
Deny traffic sources with unknown IP/SMAC
Tries recovering unknown addresses

P1, data, src= A1, SMAC = MACA1


P2, data src= A21, SMAC = MACA21
P3, data src= A3, SMAC = MACA3

66

Misdirecting Mitigation: Source Guard


Binding table

A1

A2

A3

IPv6

MAC

VLAN

IF

A1

MACA1

100

P1

A21

MACA21

100

P2

A22

MACA22

100

P2

A3

MACA3

100

P3

Address glean
DHCP LEASEQUERY

DHCP LEASEQUERY_REPLY

Rate limiting
P3, data src= A3, SMAC = MACA3
P3, data src= A3

67

Misdirecting Mitigation: : Prefix Guard


Home
Network

Home
gateway

G1

P1

L2 switch:
- FH security
- DHCP tag

L3 switch:
- FH security
- DHCP relay
Shared
vlan

p1
p2
p3

G2
G3

DHCP server

Prefix MAC
P1

VLAN Port

MACG1 100

Binding table

p1

Prefix NH
P1

LLG1

FIB

DHCP-PD request
DHCP-PD reply: PREFIX=P1
RA [P1]
SLACC

src = P1::iid
src = BAD::iid

68

Agenda

IPv6 in the layer-2 domain: operations and protocols

IPv6 in the layer-2 domain: vulnerabilities

Example, demo

Mitigating Vulnerabilities

Use Case #1: Enterprise campus network

Use Case #2: Broadband Access network

Use Case #3: DataCenter

69

Use Case #1: Enterprise campus network


Building

DataCenter
WAN

Building

Campus core

Wireless
Building

70

Use Case #1: Enterprise campus network


Vulnerabilities
Building

DoS
Misdirect

DataCenter
WAN

Router theft
Address theft
Session hijack
DoS
Misdirect

Building

Campus core

Wireless
Building

Router theft
Address theft
Session hijack
DoS
Misdirect
71

Use Case #1: Enterprise campus network


Vulnerabilities mitigations
Building

Access List

DataCenter
WAN

Destination Guard
Building

RA guard/PACL
DHCP guard/PACL
Source guard
ipv6
snooping/Binding
guard
Campus core
IPv6 snooping/trusted

Bindings learnt from trusted


or untrusted access and
from untrusted trunk

Wireless
Building

RA guard/PACL
DHCP guard/PACL
Source guard
ipv6
snooping/Binding
guard

RA throlling
AR proxying
DAD filtering

72

Use Case #2: Broadband Access network

DSL router

ATM
DSLAM

SWITCHES

BRAS/BNG

Firewall

ISP

Internet
DSL router
Enterprise

Ethernet SWITCHES

Ethernet Bridge
CMTS

Provisioning services

DOCSIS 3.0

Cable router

73

Use Case #2: Broadband Access network


Vulnerabilities
Misdirect

Router theft
Address (Next-Hop) theft
Session hijack
DoS
Misdirect

ND Cache poisoning for


session hijacking
Rogue RA for session
hijacking

ATM

DSL router
DSLAM

SWITCHES

BRAS/BNG

Firewall

ISP

Internet

Enterprise

Ethernet SWITCHES

Ethernet Bridge
CMTS

Provisioning services

DOCSIS 3.0

Cable router

74

Use Case #2: Broadband Access network


Vulnerabilities mitigations
* DAD-proxy

Secure box
PVLAN*

DSL router

ATM
DSLAM

SWITCHES

BRAS/BNG

Ipv6 snooping/Binding guard


Prefix guard (prefix-delegation)
DHCP guard

Firewall

ISP

Internet
DSL router
Enterprise

Ethernet SWITCHES

Ethernet Bridge
CMTS

Provisioning services

DOCSIS 3.0

Cable router

75

Use Case #3: DataCenter


WAN

Core
Transitioning services

L3
L2

Firewall
Load balancing

Aggregation
Access

VEM

VEM

VM VM VM VM
1 2 3 4

VM VM VM VM
1 2 3 4

Servers
76

Use Case #3: DataCenter


Vulnerabilities

DoS
Misdirect

WAN

Core
Transitioning services

L3
L2

Firewall
Load balancing
Router theft
Address theft
Session hijack
DoS
Misdirect

Aggregation
Access

VEM

VEM

VM VM VM VM
3 4
1 2

VM VM VM VM
1 2 3 4

Servers
77

Use Case #3: DataCenter


Vulnerabilities mitigations

Core

WAN

Transitioning
services

Core

Load
balancin
g

Access List

PVLAN

L3
L2

RA guard/PACL
Aggregation

Access
Servers

DHCP guard/PACL
Source guard
ipv6 snooping/Binding guard

Aggregation
Access

VEM

VEM

VM VM VM VM
3 4
1 2

VM VM VM VM
1 2 3 4

Servers
78

For Your
Reference

IPv6 First Hop Security Platform Support


Catalyst
3850

15.2(4)S

15.0(1)EX

7.2

15.2(4)S

15.0(1)EX

7.2

15.2(4)S

15.0(1)EX

7.2

Catalyst 6500
Series

Catalyst
4500 Series

Catalyst
2K/3K Series

RA Guard

15.0(1)SY

15.1(2)SG

15.0.(2)SE

IPv6 Snooping

15.0(1)SY1

15.1(2)SG

15.0.(2)SE

DHCPv6 Guard

15.2(1)SY

15.1(2)SG

15.0.(2)SE

Source/Prefix
Guard

15.2(1)SY

15.2(1)E

15.0.(2)SE2

XE 3.9.0S

15.3(1)S

Destination Guard

15.2(1)SY

15.1(2)SG

15.2(1)E

XE 3.9.0S

15.2(4)S

RA Throttler

15.2(1)SY

15.2(1)E

15.2(1)E

ND Multicast
Suppress

15.2(1)SY

15.1(2)SG

15.2(1)E

Feature/Platform

ASR1000
Router

Wireless
LAN
Controller
(Flex 7500,

XE 3.9.0S

XE 3.9.0S

7600 Router

5508, 2500,
WISM-2)

7.2

Nexus
3k/5k/6k/7k/
9k

NX-OS 7.3
NX-OS 7.3
NX-OS 7.3

NX-OS 7.3

NX-OS 7.3

15.0(1)EX

7.2

15.0(1)EX

7.2

Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release

Available Now

Not Available

Roadmap
79

Key Take Away

At first glance, nothing really new in IPv6, but devil in the the details

Deploy FHS IF you have deployed dynamic ARP inspection, DHCP snooping and IP
Source Guard. Attacks on IPv6 NDP are similar in causes and damages
At minimum, deploy protection against rogue routers

Lack of operation experience may hinder security for a while: training is required

Security enforcement is possible

Control your IPv6 traffic as you do for IPv4

Experiment with IPv6 here at Cisco Live!

Recommended Reading

For reading material and further resources for this session, please
visit www.pearson-books.com/CLMilan2014

Complete Your Online Session Evaluation

Give us your feedback to be


entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.

Complete your session surveys


though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Dont forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online

Continue Your Education

Demos in the Cisco campus

Walk-in Self-Paced Labs

Table Topics

Meet the Engineer 1:1 meetings

Related sessions

Thank you