IPv6 First Hop Security:
the IPv6 version of
DHCP snooping and
dynamic ARP inspection
Eric Vyncke
Cisco, CTO/Consulting Engineering
Distinguished Engineer
evyncke@cisco.com


© 2012 Cisco and/or its affiliates. All rights reserved.   Cisco Public   1
[Figure: Layer-7 data and services, a Firewall, and an Attacker at Layer 2. Courtesy of Curt Smith]

RA without any authentication gives exactly the same level of security as DHCPv4 (none).

Router Advertisements contain:
-Prefix to be used by hosts
-Data-link layer address of the router
-Miscellaneous options: MTU, DHCPv6 use, …

[Figure: the host sends 1. RS (Data = Query: please send RA); the legitimate router and the attacker both answer with 2. RA (Data = options, prefix, lifetime, A+M+O flags); the rogue RA enables MITM or DoS]
• Devastating:
    Denial of service: all traffic sent to a black hole
    Man in the Middle attack: attacker can intercept, listen to and modify unprotected data

• Also affects legacy IPv4-only networks with IPv6-enabled hosts

• Most of the time from non-malicious users

• Requires layer-2 adjacency (some relief…)

• The major blocking factor for enterprise IPv6 deployment
Where                 What

Routers               Increase “legal” router preference
Hosts                 Disable Stateless Address Autoconfiguration
Routers & Hosts       SeND “Router Authorization”
Switch (First Hop)    Host isolation
Switch (First Hop)    Port Access List (PACL)
Switch (First Hop)    RA Guard
• RFC 3972 Cryptographically Generated Addresses (CGA)
    IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key
• SeND adds a signature option to the Neighbor Discovery Protocol
    Using the node's private key
    The node's public key is sent in the clear (and linked to the CGA)
• Very powerful
    If MAC spoofing is prevented
    But not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows
• Each device has an RSA key pair (no need for a certificate)
• Ultra light check for validity
• Prevents spoofing a valid CGA address

[Figure: the RSA private key signs SeND messages; the Modifier, Public Key and Subnet Prefix are hashed with SHA-1 into the CGA Params, which yield the Interface Identifier; Subnet Prefix + Interface Identifier = Cryptographically Generated Address]
• Adding an X.509 certificate to the RA

• Subject Name contains the list of authorized IPv6 prefixes

[Figure: a Trust Anchor issues an X.509 cert to the router; the Router Advertisement has SourceAddr = CGA, carries the X.509 cert and the CGA param block (incl. pub key), and is signed]
• Prevent Node-Node Layer-2 communication by using:
    1 VLAN per host (SP access network with Broadband Network Gateway)
    Private VLANs (PVLAN) where a node can only contact the official router

• Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
• Can also be used on Wireless in 'AP Isolation Mode'

[Figure: PCs (public IPv6) behind their CPEs sit in separate PVLANs and only reach the BNG, which sends the RA]
• Port ACL blocks all ICMPv6 Router Advertisements from hosts:

    interface FastEthernet3/13
      switchport mode access
      ipv6 traffic-filter ACCESS_PORT in
      access-group mode prefer port

[Figure: RAs sent from access ports are dropped by the port ACL]
[Figure: a host (?) sends a Router Advertisement claiming “I am the default gateway” with Option: prefix(s); the switch runs configuration-based, learning-based or challenge-based verification and bridges the RA only if verification succeeded]

  • Switch selectively accepts or rejects RAs based on various criteria
  • Can be ACL based, learning based or challenge (SeND) based
  • Hosts see only allowed RAs, and RAs with allowed content
• The extension header chain can be so large that it is fragmented!
• RFC 3128 is not applicable to IPv6
• Layer 4 information could be in the 2nd fragment

    IPv6 hdr | HopByHop | Routing | Fragment1 | Destination
    IPv6 hdr | HopByHop | Routing | Fragment2 | TCP | Data

    Layer 4 header is in the 2nd fragment
• RFC 3128 is not applicable to IPv6: extension headers can be fragmented
• The ICMP header could be in the 2nd fragment after a fragmented extension header
• RA Guard works like a stateless ACL filtering ICMP type 134
• THC fake_router6 -FD implements this attack, which bypasses RA Guard
• Partial work-around: block all fragments sent to ff02::1
    'undetermined-transport' is even better
    Does not work in a SeND environment (larger packets), but then there is no need for RA Guard

    IPv6 hdr | HopByHop | Routing | Fragment1 | Destination …
    IPv6 hdr | HopByHop | Routing | Fragment2 | … Destination | ICMP type=134

    ICMP header is in the 2nd fragment; RA Guard has no clue where to find it!
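The header-chain walk a stateless RA Guard has to perform, and why the fragmented chain above defeats it, as an added Python example (not code from the deck or from Cisco IOS): classify() follows one frame's extension headers and reports 'undetermined-transport' when no upper-layer header is reachable in that frame, and ra_guard() drops both visible RAs and undetermined-transport frames on host ports, which is the 'even better' work-around named above. The frames, link-local/multicast addresses and fragment identifier are constructed for the example, and checksums are left at zero.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ICMPV6, ROUTER_ADVERTISEMENT = 58, 134
OPTION_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}   # all share the "next header, ext length" layout


def classify(pkt: bytes) -> str:
    """Follow one frame's header chain statelessly, as RA Guard has to.

    'router-advertisement': ICMPv6 type 134 is reachable inside this frame.
    'undetermined-transport': the chain cannot be followed to an upper-layer
    header in this frame (non-first fragment, or an extension header whose
    tail lies in a later fragment), which is what the ACL keyword matches.
    'other': any other transport.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "other"
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nh in OPTION_HEADERS:
            if off + 2 > len(pkt):
                return "undetermined-transport"
            ext_len = (pkt[off + 1] + 1) * 8      # Hdr Ext Len counts 8-octet units after the first
            if off + ext_len > len(pkt):
                return "undetermined-transport"   # header continues in the next fragment
            nh, off = pkt[off], off + ext_len
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined-transport"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return "undetermined-transport"   # non-first fragment: first header unknown
            nh, off = pkt[off], off + 8
        elif nh == ICMPV6:
            if off >= len(pkt):
                return "undetermined-transport"
            return "router-advertisement" if pkt[off] == ROUTER_ADVERTISEMENT else "other"
        else:
            return "other"                        # TCP, UDP, No Next Header, ...


def ra_guard(pkt: bytes, port_role: str) -> str:
    """Verdict for a frame received on a port whose device-role is 'host' or 'router'."""
    if port_role == "router":
        return "forward"
    return "drop" if classify(pkt) in ("router-advertisement", "undetermined-transport") else "forward"


# ---- constructed sample frames (not captured traffic); checksums are left at zero ----
SRC, ALL_NODES = "fe80::1", "ff02::1"
RA_MSG = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)


def ipv6(next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return fixed + ipaddress.IPv6Address(SRC).packed + ipaddress.IPv6Address(ALL_NODES).packed + payload


def options_header(next_header: int, total_len: int) -> bytes:
    """Hop-by-Hop or Destination Options header of total_len octets (multiple of 8), PadN-filled."""
    return bytes([next_header, total_len // 8 - 1, 1, total_len - 4]) + bytes(total_len - 4)


def fragment_header(next_header: int, offset_8: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_8 << 3) | int(more), ident)


def plain_ra() -> bytes:
    return ipv6(ICMPV6, RA_MSG)


def small_fragmented_ra() -> bytes:
    """Fragmented, but the ICMPv6 header still sits in fragment 1: RA Guard can see type 134."""
    payload = (options_header(FRAGMENT, 8) + fragment_header(DEST_OPTS, 0, True)
               + options_header(ICMPV6, 8) + RA_MSG)
    return ipv6(HOP_BY_HOP, payload)


def evasive_fragmented_ra() -> tuple:
    """The slide's bypass: a 64-octet Destination Options header is split so that
    ICMPv6 type 134 only appears in fragment 2, at a non-zero fragment offset."""
    fragmentable = options_header(ICMPV6, 64) + RA_MSG            # 80 octets, cut after 8
    unfragmentable = options_header(FRAGMENT, 8)                  # Hop-by-Hop, then Fragment
    frag1 = unfragmentable + fragment_header(DEST_OPTS, 0, True) + fragmentable[:8]
    frag2 = unfragmentable + fragment_header(DEST_OPTS, 1, False) + fragmentable[8:]
    return ipv6(HOP_BY_HOP, frag1), ipv6(HOP_BY_HOP, frag2)


def tcp_frame() -> bytes:
    return ipv6(6, bytes(20))   # 20 zero octets standing in for a TCP header
```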

For Your Reference

• Each FH feature provides a configuration mode to create and populate policies (+ one implicit “default” policy)

    ipv6 nd raguard policy MYHOST
      device-role host

• Each FH feature provides commands to attach policies to targets: box, vlan, port

    vlan configuration 100
      ipv6 nd raguard attach-policy MYHOST
      ipv6 snooping
    interface e 0/0
      ipv6 nd raguard attach-policy MYROUTER

• Packets are processed by the lowest-level matching policy for each feature
    − Packets received on e0/0 are processed by policy ra-guard “MYROUTER” AND policy snooping “default”
    − Packets received on any other port of vlan 100 are processed by policy ra-guard “MYHOST” AND policy snooping “default”
For Your Reference

Step 1: Configure policies

    ipv6 nd raguard policy HOST
      device-role host
    ipv6 nd raguard policy ROUTER
      device-role router
    ipv6 snooping policy NODE
      tracking enable
      limit address-count 10
      security-level guard
    ipv6 snooping policy SERVER
      trusted-port
      tracking disable
      security-level glean

Step 2: Attach policies to targets

    Vlan:
    vlan configuration 100-200
      ipv6 nd raguard attach-policy HOST
    vlan configuration 100,101
      ipv6 snooping attach-policy NODE

    Port:
    interface Ethernet0/0
      ipv6 nd raguard attach-policy ROUTER
    interface Ethernet1/0
      ipv6 snooping attach-policy SERVER
[Figure: vlan 100 test topology: a SWITCH connecting HOST, ROUTER, PEER, VILLAIN, CAT and DUMB]
[Figure: hosts behind a router connected to the Internet: 1) “I want IPv6, send RA”; 2) “Sending RA with prefix for auto-configuration”; 3) every host: “Yahoo! IPv6”; 4) Default protection…: IPv4 protection is iptables / ipfw / Security center, but IPv6 protection is “No ip6tables ✗” / “No ip6fw ✗” / “Security center ✔”]
[Figure: same setup: 1) “I want IPv6, send RA”; 2) “Sending RA with ‘no auto-config’”; 3) one host: “Yahoo! Static IPv6 address”, the other hosts: “No IPv6 SLAAC”; IPv4 protection: iptables / ipfw / Security center]
• Pretty much like RA: no authentication
    Any node can 'steal' the IP address of any other node
    Impersonation leading to denial of service or MITM

• Requires layer-2 adjacency

• IETF SAVI Source Address Validation Improvements (work in progress)
Where                 What
Routers & Hosts       Configure static neighbor cache entries
Routers & Hosts       Use Cryptographic Addresses (SeND CGA)
Switch (First Hop)    Host isolation
Switch (First Hop)    Address watch:
                        • Glean addresses in NDP and DHCP
                        • Establish and enforce rules for address ownership
• Objectives for address ownership:
    Enable the ND message sender to provide proof of ownership of the address and the receiver to validate the proof
    Verify that the address is either the source of the ND message or the “target” for DAD messages (when the source is UNSPEC)
    This is a SeND feature

• Protocol overview
    Hosts (and routers) generate a pair of RSA keys
    The public key is hashed to create a Cryptographic address (CGA)
    The CGA address is signed by the private key
    Both the public key and signature are provided in ND messages
    Receivers must verify the signature and address/key consistency (address = hash(key))
    No key distribution required!
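The CGA generation and receiver-side consistency check described here and on the SeND slide above (RFC 3972: Hash1 over the CGA Parameters, Hash2 with the sec value, u/g bits cleared), as an added Python example that is not the deck's code nor any SeND implementation's. The public key is a constructed byte string standing in for the DER-encoded RSA key, and the RSA signature over the ND message is not modelled; only the address = hash(key, modifier, prefix) check is, using the standard library.

```python
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CgaParams:
    """CGA Parameters as carried in the SeND CGA option (RFC 3972 section 3)."""
    modifier: bytes          # 16 octets
    subnet_prefix: bytes     # 8 octets
    collision_count: int     # 0, 1 or 2 (incremented after a DAD collision)
    public_key: bytes        # DER-encoded SubjectPublicKeyInfo in real SeND; constructed bytes here

    def encode(self) -> bytes:
        return self.modifier + self.subnet_prefix + bytes([self.collision_count]) + self.public_key


def _hash2_is_valid(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier | 9 zero octets | public key); its 16*sec leftmost bits must be zero."""
    h2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def interface_identifier(params: CgaParams, sec: int) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(CGA Parameters), with sec written into the top
    three bits and the u/g bits (0x02 and 0x01 of the first octet) cleared."""
    iid = bytearray(hashlib.sha1(params.encode()).digest()[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: str, public_key: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None) -> tuple:
    """Return (address, CgaParams). The modifier is random unless one is passed in."""
    subnet_prefix = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not _hash2_is_valid(m.to_bytes(16, "big"), public_key, sec):
        m = (m + 1) % (1 << 128)          # keep incrementing until Hash2 qualifies for this sec
    params = CgaParams(m.to_bytes(16, "big"), subnet_prefix, 0, public_key)
    address = ipaddress.IPv6Address(subnet_prefix + interface_identifier(params, sec))
    return str(address), params


def verify_cga(address: str, params: CgaParams) -> bool:
    """Receiver-side consistency check (RFC 3972 section 5): address == hash(params)."""
    packed = ipaddress.IPv6Address(address).packed
    if params.collision_count > 2 or packed[:8] != params.subnet_prefix:
        return False
    sec = packed[8] >> 5                   # sec is read from the address, not trusted from the sender
    if packed[8:] != interface_identifier(params, sec):
        return False
    return _hash2_is_valid(params.modifier, params.public_key, sec)
```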


• If a switch wants to enforce the <IP address, MAC address> mappings, how does it learn them?
• Multiple sources of information
    SeND: verify the signature in NDP messages, then add the mapping
    DHCP: snoop all messages from the DHCP server to learn the mapping (same as in IPv4)
    NDP: more challenging, but 'first come, first served'
        The first node claiming to have an address will have it
Binding table

ADR   MAC     VLAN   IF
A1    MACH1   100    P1
A21   MACH2   100    P2
A22   MACH2   100    P2
A3    MACH3   100    P3

[Figure: how the switch fills the table from H1, H2, H3 and the DHCP server:
 H1 sends NS [IP source=A1, LLA=MACH1];
 H2 sends REQUEST [XID, SMAC=MACH2] and the DHCP server answers REPLY [XID, IP=A21, IP=A22];
 H3 sends data [IP source=A3, SMAC=MACH3], then DAD NS [IP source=UNSPEC, target=A3] and NA [IP source=A3, LLA=MACH3], while the switch checks with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY]
Binding table

[Figure: the host's packets feed the Address glean process, which arbitrates collisions and checks ownership, checks against the max allowed per box/vlan/port, and records & reports changes; if the binding is valid, the packet is bridged]

• Preference is a function of: configuration, learning method, credential provided
• Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_CGA, SLAAC)
• For a collision with the same preference, choose First Come, First Served
• IPv6 VLAN ACL & RA Guard: 12.2(54)SG, 3.2.0SG, 15.0(2)SG, 12.2(33)SXI4

• NDP inspection: 12.2(50)SY and 15.0(1)SY

For more information:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-first-hop-security.html
• DHCP Guard
• Source Guard
• Multi Switch operation
• RA Throttler
• NDP Multicast Suppress
• Destination Guard
• Prefix Guard
• DAD Proxy
• Binding Table Recovery
• SVI support

Several of those features are already in WLC 7.2
• Remote router CPU/memory DoS attack if aggressive scanning
    The router will do Neighbor Discovery… and waste CPU and memory

• Local router DoS with NS/RS/…

[Figure: a remote scan of 2001:db8::/64 makes the router repeatedly send NS: 2001:db8::3, NS: 2001:db8::2, NS: 2001:db8::1, …]
• Mainly an implementation issue
    Rate limiter, global and per interface
    Prioritize renewal (PROBE) rather than new resolution
    Maximum Neighbor cache entries per interface and per MAC address
• Internet edge/presence: a target of choice
    Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
    Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
• Using a /64 on point-to-point links => a lot of addresses to scan!
    Using /127 could help (RFC 6164)
• Using an infrastructure ACL prevents this scanning
    iACL: edge ACL denying packets addressed to your routers
    Easy with IPv6 because a new addressing scheme can be done
• Built-in rate limiter but no option to tune it
    Since 15.1(3)T: ipv6 nd cache interface-limit
    Or IOS-XE 2.6: ipv6 nd resolution data limit
    Destination Guard is coming with First Hop Security phase 3
• Without a secure layer 2, there is no upper-layer security

• Rogue Router Advertisement is the most common threat

• Mitigation techniques
    Host isolation
    Secure Neighbor Discovery: but not a lot of implementations
    SAVI-based techniques: discovering the 'right' information and dropping RA/NA with wrong information
    Last remaining issue: (overlapped) fragments => drop all fragments…

• Neighbor cache exhaustion
    Use a good implementation
    Expose only a small part of the addresses and block the rest via ACL

• Products are now available implementing the techniques ;-)
Thank you.

Eric Vyncke - Layer-2 security, ipv6 norway

  • 1.
    IPv6 First HopSecurity: the IPv6 version of DHCP snooping and dynamic ARP inspection Eric Vyncke Cisco, CTO/Consulting Engineering Distinguished Engineer evyncke@cisco.com © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
  • 2.
    Layer-7 Data and Attacker services Layer-2 Firewall Courtesy of Curt Smith © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  • 3.
    © 2012 Ciscoand/or its affiliates. All rights reserved. Cisco Public 3
  • 4.
    RA w/o Any Authentication Router Advertisements contains: Gives Exactly Same -Prefix to be used by hosts Level of Security as -Data-link layer address of the router DHCPv4 (None) -Miscellaneous options: MTU, DHCPv6 use, … MITM DoS 1. RS 2. RA 2. RA 1. RS: 2. RA: Data = Query: please send RA Data= options, prefix, lifetime, A+M+O flags © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  • 5.
    • Devastating: Denial of service: all traffic sent to a black hole Man in the Middle attack: attacker can intercept, listen, modify unprotected data • Also affects legacy IPv4-only network with IPv6-enabled hosts • Most of the time from non-malicious users • Requires layer-2 adjacency (some relief…) • The major blocking factor for enterprise IPv6 deployment © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
  • 6.
    Where What Routers Increase “legal” router preference Hosts Disabling Stateless Address Autoconfiguration Routers & Hosts SeND “Router Authorization” Switch (First Hop) Host isolation Switch (First Hop) Port Access List (PACL) Switch (First Hop) RA Guard © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
  • 7.
    • RFC 3972Cryptographically Generated Addresses (CGA) IPv6 addresses whose interface identifiers are cryptographically generated from node public key • SeND adds a signature option to Neighbor Discovery Protocol Using node private key Node public key is sent in the clear (and linked to CGA) • Very powerful If MAC spoofing is prevented But, not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  • 8.
    • Each deviceshas a RSA key pair (no need for cert) • Ultra light check for validity • Prevent spoofing a valid CGA address RSA Keys Priv Pub Modifier Public Key SHA-1 Subnet Prefix Signature CGA Params Subnet Interface Prefix Identifier SeNDMessages Crypto. Generated Address © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
  • 9.
    • Adding aX.509 certificate to RA • Subject Name contains the list of authorized IPv6 prefixes Trust Anchor X.509 cert X.509 Router Advertisement cert SourceAddr = CGA CGAparam block (incl pub key) Signed © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
  • 10.
    • Prevent Node-NodeLayer-2 communication by using: 1 VLAN per host (SP access network with Broadband Network Gateway) Private VLANs (PVLAN) where node can only contact the official router • Link-local scope multicast (RA, DHCP request, etc) sent only to the local official router: no harm • Can also be used on Wireless in „AP Isolation Mode’ CPE PC (publicV6 ) PVLAN RA BNG CPE PVLAN PC (publicV6 ) © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
  • 11.
    • Port ACLblocks all ICMPv6 Router Advertisements from hosts interface FastEthernet3/13 RA switchport mode access ipv6 traffic-filter ACCESS_PORT in RA access-group mode prefer port RA RA RA © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
  • 12.
    host ? “I am the default gateway” Router Advertisement Option: prefix(s) • Configuration- based • Learning-based • Challenge-based Verification succeeded ? Bridge RA • Switch selectively accepts or rejects RAs based on various criteria‟s • Can be ACL based, learning based or challenge (SeND) based. • Hosts see only allowed RAs, and RAs with allowed content © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  • 13.
    • Extension headerschain can be so large than it is fragmented! • RFC 3128 is not applicable to IPv6 • Layer 4 information could be in 2nd fragment IPv6 hdr HopByHop Routing Fragment1 Destination IPv6 hdr HopByHop Routing Fragment2 TCP Data Layer 4 header is in 2nd fragment © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  • 14.
• RFC 3128 is not applicable to IPv6: an extension header can be fragmented
• The ICMP header could be in the 2nd fragment, after a fragmented extension header
• RA Guard works like a stateless ACL filtering ICMP type 134
• THC fake_router6 -FD implements this attack, which bypasses RA Guard
• Partial work-around: block all fragments sent to ff02::1; 'undetermined-transport' is even better
  − Does not work in a SeND environment (larger packets, so legitimate RAs may themselves be fragmented), but then there is no need for RA Guard
• Note (post-2012): RFC 6980 requires nodes to drop fragmented ND messages, and RFC 7112 requires the whole header chain to fit in the first fragment
[Figure: fragment 1 = IPv6 header | Hop-by-Hop | Routing | Fragment | Destination ...; fragment 2 = IPv6 header | Hop-by-Hop | Routing | Fragment | ... Destination | ICMP type=134. The ICMP header is in the 2nd fragment: RA Guard has no clue where to find it!]
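The bypass on this slide, and the stateless RA Guard decision of the previous ones, as an added example (not Cisco's or the deck's code): it builds the fake_router6 -FD packet shape by hand, walks the header chain of each fragment the way a stateless port ACL does, and shows which fragments a plain "drop ICMPv6 type 134" filter lets through versus one that also drops 'undetermined-transport' and fragments to ff02::1. The source/destination addresses, the option sizes and the fragment split point are constructed for the example.

```python
import ipaddress
import struct

HOPOPT, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60
RA_TYPE = 134
ALL_NODES = ipaddress.IPv6Address("ff02::1")
SRC, DST = "fe80::bad", "ff02::1"   # constructed rogue source and all-nodes destination


def ipv6_packet(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header (hop limit 255, as ND requires) followed by the payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def options_header(next_header, ext_len):
    """Hop-by-Hop or Destination Options header of 8*(ext_len+1) bytes, padded with Pad1 (0x00)."""
    return bytes([next_header, ext_len]) + b"\x00" * (8 * (ext_len + 1) - 2)


def routing_header(next_header):
    """Minimal Routing header (type 0, no addresses): 8 bytes."""
    return bytes([next_header, 0, 0, 0]) + b"\x00" * 4


def fragment_header(next_header, offset, more):
    """Fragment header: offset in 8-octet units, M flag in the low bit, fixed identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234)


def router_advertisement():
    """ICMPv6 RA: type 134, code 0, checksum left at 0 (the filter never looks at it)."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)


def classify(pkt):
    """Walk the header chain of ONE packet the way a stateless port ACL does.
    Returns (kind, dst) with kind in: ra, icmpv6-other, fragment-nonfirst, undetermined, other."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    nh, off = pkt[6], 40
    while True:
        if nh == ICMPV6:
            if off >= len(pkt):               # ICMPv6 type byte sits in another fragment
                return "undetermined", dst
            return ("ra" if pkt[off] == RA_TYPE else "icmpv6-other"), dst
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined", dst
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return "fragment-nonfirst", dst   # non-first fragment: no header chain to parse
            nh, off = pkt[off], off + 8
        elif nh in (HOPOPT, ROUTING, DSTOPTS):
            if off + 2 > len(pkt):
                return "undetermined", dst
            hdr_len = 8 * (pkt[off + 1] + 1)
            if off + hdr_len > len(pkt):         # this header continues in the next fragment
                return "undetermined", dst
            nh, off = pkt[off], off + hdr_len
        else:
            return "other", dst


def ra_guard_host_port(pkt, drop_undetermined=True, drop_fragments_to_all_nodes=True):
    """Decision for a port whose device-role is host. The keyword arguments model the
    'undetermined-transport' ACL entry and the 'block all fragments to ff02::1' work-around."""
    kind, dst = classify(pkt)
    if kind == "ra":
        return "drop: RA from host port"
    if kind == "undetermined" and drop_undetermined:
        return "drop: undetermined-transport"
    if kind == "fragment-nonfirst" and drop_fragments_to_all_nodes and dst == ALL_NODES:
        return "drop: fragment to ff02::1"
    return "forward"


def plain_rogue_ra():
    return ipv6_packet(SRC, DST, ICMPV6, router_advertisement())


def fragmented_rogue_ra(split=400):
    """The fake_router6 -FD shape: HopByHop | Routing | Fragment | 808-byte Destination Options | RA,
    with the Destination Options header cut at `split` so the ICMPv6 header only exists in fragment 2."""
    fragmentable = options_header(ICMPV6, 100) + router_advertisement()
    unfragmentable = options_header(ROUTING, 0) + routing_header(FRAGMENT)
    first = ipv6_packet(SRC, DST, HOPOPT,
                        unfragmentable + fragment_header(DSTOPTS, 0, True) + fragmentable[:split])
    second = ipv6_packet(SRC, DST, HOPOPT,
                         unfragmentable + fragment_header(DSTOPTS, split // 8, False) + fragmentable[split:])
    return first, second


if __name__ == "__main__":
    first, second = fragmented_rogue_ra()
    print("plain RA:", ra_guard_host_port(plain_rogue_ra()))
    print("with work-arounds:", ra_guard_host_port(first), "/", ra_guard_host_port(second))
    print("type-134 filter only:", ra_guard_host_port(first, False, False), "/",
          ra_guard_host_port(second, False, False))
```

With both work-arounds disabled the filter forwards both fragments, because neither one contains an ICMPv6 type byte it can find: that is the bypass. Dropping 'undetermined-transport' catches the first fragment, and dropping fragments addressed to ff02::1 catches the second.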
  • 15.
For Your Reference
• Each FH feature provides a configuration mode to create and populate policies (plus one implicit "default" policy):
    ipv6 nd raguard policy MYHOST
     device-role host
• Each FH feature provides commands to attach policies to targets: box, VLAN, port:
    vlan configuration 100
     ipv6 nd raguard attach-policy MYHOST
     ipv6 snooping
    interface e 0/0
     ipv6 nd raguard attach-policy MYROUTER
• Packets are processed by the lowest-level matching policy for each feature
  − Packets received on e0/0 are processed by RA Guard policy "MYROUTER" AND snooping policy "default"
  − Packets received on any other port of VLAN 100 are processed by RA Guard policy "MYHOST" AND snooping policy "default"
  • 16.
For Your Reference
Step 1: configure policies
    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    ipv6 snooping policy NODE
     tracking enable
     limit address-count 10
     security-level guard
    ipv6 snooping policy SERVER
     trusted-port
     tracking disable
     security-level glean
Step 2: attach policies to a target
  VLAN:
    vlan configuration 100-200
     ipv6 nd raguard attach-policy HOST
    vlan configuration 100,101
     ipv6 snooping attach-policy NODE
  Port:
    interface Ethernet0/0
     ipv6 nd raguard attach-policy ROUTER
    interface Ethernet1/0
     ipv6 snooping attach-policy SERVER
  • 17.
[Figure: example topology for the configuration: VLAN 100 with devices labelled HOST, ROUTER, PEER SWITCH, VILLAIN, CAT and DUMB.]
  • 18.
[Figure: 1) a host asks "I want IPv6, send RA"; 2) the router sends an RA with a prefix for autoconfiguration; 3) every host on the link answers "Yahoo! IPv6"; 4) default protection of those hosts: the one with iptables for IPv4 has no ip6tables ✗, the one with ipfw for IPv4 has no ip6fw ✗, the one protected by Security Center for IPv4 is covered for IPv6 too ✔.]
  • 19.
[Figure: 1) a host asks "I want IPv6, send RA"; 2) the router sends an RA with "no autoconfig" (A flag cleared); 3) only the host with a static IPv6 address says "Yahoo! IPv6", the others get no SLAAC address and no IPv6. IPv4 protection on the hosts is as before: iptables, ipfw, Security Center.]
  • 21.
• Pretty much like RA: no authentication
  − Any node can 'steal' the IP address of any other node
  − Impersonation leading to denial of service or MITM
• Requires layer-2 adjacency
• IETF SAVI: Source Address Validation Improvements (work in progress)
  • 22.
  Where                What
  Routers & hosts      Configure static neighbor cache entries
  Routers & hosts      Use Cryptographically Generated Addresses (SeND CGA)
  Switch (first hop)   Host isolation
  Switch (first hop)   Address watch:
                       • Glean addresses in NDP and DHCP
                       • Establish and enforce rules for address ownership
  • 23.
• Objectives for address ownership:
  − Enable the ND message sender to provide proof of ownership of an address, and the receiver to validate that proof
  − Verify that the address is either the source of the ND message or the "target" of DAD messages (when the source is UNSPECIFIED)
  − This is a SeND feature
• Protocol overview:
  − Hosts (and routers) generate an RSA key pair
  − The public key is hashed to create a Cryptographically Generated Address (CGA)
  − ND messages carrying the CGA are signed with the private key
  − Both the public key and the signature are provided in the ND messages
  − Receivers must verify the signature and the address/key consistency (address = hash(key))
  − No key distribution required!
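The address/key consistency check described here and the CGA construction sketched on slide 8, as an added example (not Cisco's, the deck's or any SeND implementation's code): the RFC 3972 hash construction in Python, generating a CGA for a given Sec value and verifying it on the receiver side. The example prefix and the byte string standing in for the DER-encoded RSA public key are constructed; the RSA signature over the ND message is not implemented, only the "ultra light" address = hash(key) check.

```python
import hashlib
import ipaddress

# Constructed inputs (not from the deck): an example /64 and a placeholder standing in
# for the DER-encoded RSA public key that RFC 3972 hashes.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
PUBKEY = b"constructed-rsa-public-key-placeholder"


def hash1(modifier, prefix8, collision_count, pubkey):
    """Hash1 = SHA-1(modifier | subnet prefix | collision count | public key), RFC 3972."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()


def hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(modifier | 9 zero bytes | public key) must start with 16*Sec zero bits.
    This is the work factor an attacker must repeat to forge an address for another key."""
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest(), "big")
    return h2 >> (160 - 16 * sec) == 0


def interface_identifier(h1, sec):
    """Leftmost 64 bits of Hash1, top 3 bits replaced by Sec, u/g bits (bits 6 and 7) cleared."""
    iid = bytearray(h1[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec, modifier=bytes(16), collision_count=0):
    """Generation: search for a modifier satisfying the Hash2 condition, then derive the address.
    Returns the address and the CGA parameters a sender would put in its ND messages."""
    prefix8 = prefix.network_address.packed[:8]
    m = int.from_bytes(modifier, "big")
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    mod = m.to_bytes(16, "big")
    iid = interface_identifier(hash1(mod, prefix8, collision_count, pubkey), sec)
    params = {"modifier": mod, "prefix": prefix8, "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix8 + iid), params


def verify_cga(addr, params):
    """Receiver-side check: recompute Hash1 from the CGA parameters carried in the ND message and
    compare with the address; also re-check the Hash2 condition for the Sec encoded in the address."""
    packed = addr.packed
    if params["collision_count"] > 2 or packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    h1 = hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    return packed[8:] == interface_identifier(h1, sec) and hash2_ok(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    for sec in (0, 1):
        addr, params = generate_cga(PREFIX, PUBKEY, sec)
        print(f"Sec={sec}: {addr} verifies={verify_cga(addr, params)}")
```

A node that changes the public key in the parameters, or moves the address to another prefix, fails the check even though no certificate or key distribution is involved; the signature check that follows in SeND then proves the sender holds the matching private key.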
  • 24.
• If a switch wants to enforce the <IP address, MAC address> mappings, how does it learn them?
• Multiple sources of information:
  − SeND: verify the signature in NDP messages, then add the mapping
  − DHCP: snoop all messages from the DHCP server to learn the mapping (same as in IPv4)
  − NDP: more challenging, but 'first come, first served': the first node claiming an address will have it
  • 25.
[Figure: binding table built by the switch from the ND and DHCP messages of hosts H1, H2, H3 and the DHCP server.]
  ADR   MAC     VLAN  IF
  A1    MACH1   100   P1
  A21   MACH2   100   P2
  A22   MACH2   100   P2
  A3    MACH3   100   P3
Messages that populate it:
  − H1: NS [IP source=A1, LLA=MACH1]
  − H2: DHCP REQUEST [XID, SMAC=MACH2]; DHCP server: REPLY [XID, IP=A21, IP=A22]
  − H3: DAD NS [IP source=UNSPEC, target=A3], NA [IP source=A3, LLA=MACH3], data [IP source=A3, SMAC=MACH3]
  − Switch to DHCP server: DHCP LEASEQUERY, answered by DHCP LEASEQUERY_REPLY
  • 26.
[Figure: binding table on the switch. For each address gleaned from a host: arbitrate collisions and check ownership; check against the maximum allowed per box/VLAN/port; record and report changes; if valid, bridge the packet.]
• Preference is a function of: configuration, learning method, credential provided
• Upon collision, choose the highest preference (for instance static, trusted, CGA and DHCP are preferred over dynamic, not trusted, not CGA and SLAAC)
• For a collision with the same preference, choose First Come, First Served
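The arbitration rules on this slide, applied to the binding table of the previous one, as an added example that is not Cisco's or the deck's own code: a small switch-side binding table in Python that gleans <address, MAC> pairs, resolves collisions by preference and then first come, first served, and enforces the per-port address count. Host names and ports follow the deck's labels; the addresses, the VILLAIN's events and the numeric preference values are assumptions for the example.

```python
from dataclasses import dataclass

# Preference order from the slide: static, trusted-port, CGA-verified and DHCP-learned entries beat
# dynamic, untrusted, non-CGA, SLAAC-learned ones. The numeric values are this example's assumption.
PREFERENCE = {"static": 4, "trusted": 3, "cga": 2, "dhcp": 2, "slaac": 1}


@dataclass
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    method: str        # how the entry was learned: one of the PREFERENCE keys

    @property
    def preference(self):
        return PREFERENCE[self.method]


class BindingTable:
    """Switch-side address watch: glean <address, MAC> from ND/DHCP, arbitrate collisions by
    preference and then first-come-first-served, enforce a per-port address limit, log changes."""

    def __init__(self, max_per_port=10):      # 'limit address-count 10' on the earlier slide
        self.entries = {}                      # address -> Binding
        self.max_per_port = max_per_port
        self.log = []

    def port_count(self, port):
        return sum(1 for b in self.entries.values() if b.port == port)

    def glean(self, address, mac, vlan, port, method):
        """Offer a candidate binding; returns True if it is (now) the entry for that address."""
        candidate = Binding(address, mac, vlan, port, method)
        current = self.entries.get(address)
        if current is None:
            if self.port_count(port) >= self.max_per_port:
                self.log.append(f"DROP {address} on {port}: address-count limit")
                return False
            self.entries[address] = candidate
            self.log.append(f"ADD {address} -> {mac} ({method}) on {port}")
            return True
        if current.mac == mac and current.port == port:
            return True                        # same owner refreshing its entry
        if candidate.preference > current.preference:
            self.entries[address] = candidate
            self.log.append(f"CHANGE {address}: {current.mac}/{current.method} -> {mac}/{method}")
            return True
        # equal or lower preference: first come, first served, the newcomer loses
        self.log.append(f"REJECT {address} claimed by {mac} on {port}: owned by {current.mac} ({current.method})")
        return False

    def is_valid(self, address, mac, port):
        """Would a packet with this source address/MAC on this port be bridged?"""
        b = self.entries.get(address)
        return b is not None and b.mac == mac and b.port == port


def scenario():
    """Constructed replay: the deck's hosts H1..H3 on ports P1..P3 plus a VILLAIN on P9 (events assumed)."""
    t = BindingTable(max_per_port=10)
    t.glean("2001:db8::a1", "MACH1", 100, "P1", "slaac")    # H1: NS with source A1 (first come)
    t.glean("2001:db8::a21", "MACH2", 100, "P2", "dhcp")    # H2: DHCP REPLY assigns A21 ...
    t.glean("2001:db8::a22", "MACH2", 100, "P2", "dhcp")    # ... and A22
    t.glean("2001:db8::a3", "MACH3", 100, "P3", "slaac")    # H3: DAD NS then NA for A3
    villain_a1 = t.glean("2001:db8::a1", "MACV", 100, "P9", "slaac")    # same preference: FCFS, rejected
    villain_a21 = t.glean("2001:db8::a21", "MACV", 100, "P9", "slaac")  # lower than DHCP: rejected
    dhcp_a1 = t.glean("2001:db8::a1", "MACH2", 100, "P2", "dhcp")       # DHCP outranks the SLAAC claim
    return t, villain_a1, villain_a21, dhcp_a1


if __name__ == "__main__":
    table, *_ = scenario()
    print("\n".join(table.log))
```

The log produced by `scenario()` is the "record and report changes" part of the figure: an operator sees the VILLAIN's rejected claims and the legitimate DHCP-driven change of A1's owner.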
  • 27.
• IPv6 VLAN ACL & RA Guard: 12.2(54)SG, 3.2.0SG, 15.0(2)SG, 12.2(33)SXI4
• NDP inspection: 12.2(50)SY and 15.0(1)SY
For more information:
  http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-first-hop-security.html
  • 28.
• DHCP Guard
• Destination Guard
• Source Guard
• Prefix Guard
• Multi-switch operation
• DAD Proxy
• RA Throttler
• Binding Table Recovery
• NDP Multicast Suppress
• SVI support
Several of those features are already in WLC 7.2
  • 30.
• Remote router CPU/memory DoS attack if aggressive scanning: the router will do Neighbor Discovery for every scanned address... and waste CPU and memory
• Local router DoS with NS/RS/...
[Figure: a remote scanner sends packets to 2001:db8::1, ::2, ::3, ... inside the router's 2001:db8::/64; the router emits an NS for each of them, over and over.]
  • 31.
• Mainly an implementation issue:
  − Rate limiter, global and per interface
  − Prioritize renewal (PROBE) rather than new resolution
  − Maximum neighbor cache entries per interface and per MAC address
• Internet edge/presence: a target of choice
  − Ingress ACL permitting traffic to specific, statically configured (virtual) IPv6 addresses only
  − Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
• Using a /64 on point-to-point links => a lot of addresses to scan! Using a /127 could help (RFC 6164)
• Using an infrastructure ACL prevents this scanning
  − iACL: edge ACL denying packets addressed to your routers
  − Easy with IPv6 because a new addressing scheme can be done
  • 32.
• Built-in rate limiter but no option to tune it
• Since 15.1(3)T: ipv6 nd cache interface-limit
• Or IOS-XE 2.6: ipv6 nd resolution data limit
• Destination Guard is coming with First Hop Security phase 3
  • 34.
• Without a secure layer 2, there is no upper-layer security
• Rogue Router Advertisement is the most common threat
• Mitigation techniques:
  − Host isolation
  − Secure Neighbor Discovery: but not a lot of implementations
  − SAVI-based techniques: discovering the 'right' information and dropping RA/NA with wrong information
  − Last remaining issue: (overlapped) fragments => drop all fragments...
• Neighbor cache exhaustion:
  − Use a good implementation
  − Expose only a small part of the addresses and block the rest via ACL
• Products are now available implementing these techniques ;-)