Tag Archives: ipv6

IPv6 First Hop Security

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.
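To make the decisions of the guards above concrete, here is a small Python model of RA Guard, DHCPv6 Guard and Source Guard run over constructed messages. It is an added example, not code from the original post or from any switch vendor; the port names, the policy (one allowed prefix, one allowed server address, the M-flag expectation), the binding table and the messages are all assumptions made up for illustration.

```python
"""Toy model of IPv6 first-hop security checks (added example, not the
original post's code).  Port roles, the policy, the binding table and the
messages below are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    ra_role: str      # "host" or "router"   (RA Guard device-role)
    dhcp_role: str    # "client" or "server" (DHCPv6 Guard device-role)


@dataclass
class Policy:
    allowed_prefixes: list                      # prefixes legitimate RAs / DHCPv6 replies may carry
    allowed_servers: list                       # link-local sources of authorised DHCPv6 servers
    managed_config_flag: Optional[bool] = None  # expected M flag in RAs; None = don't check
    pref_min: int = 0                           # DHCPv6 server preference bounds
    pref_max: int = 255


def _within_allowed(addr_or_net, allowed):
    """True if an address or prefix lies inside one of the policy's prefixes."""
    net = ipaddress.IPv6Network(addr_or_net, strict=False)
    return any(net.subnet_of(ipaddress.IPv6Network(a)) for a in allowed)


def ra_guard(port, msg, policy):
    """RA Guard: no RAs from host ports; on router ports validate flags and prefixes."""
    if port.ra_role == "host":
        return "drop", "RA received on host-role port"
    if policy.managed_config_flag is not None and msg.get("managed", False) != policy.managed_config_flag:
        return "drop", "RA managed-config flag differs from policy"
    for p in msg.get("prefixes", []):
        if not _within_allowed(p, policy.allowed_prefixes):
            return "drop", f"advertised prefix {p} not permitted by policy"
    return "permit", "RA from router-role port with valid contents"


SERVER_MESSAGES = {"ADVERTISE", "REPLY", "RELAY-REPLY"}


def dhcpv6_guard(port, msg, policy):
    """DHCPv6 Guard: server-originated messages only from authorised servers on server ports."""
    if port.dhcp_role != "server":
        return "drop", "DHCPv6 server message on client-role port"
    if msg["src"] not in policy.allowed_servers:
        return "drop", f"source {msg['src']} not in server access-list"
    if not policy.pref_min <= msg.get("preference", 0) <= policy.pref_max:
        return "drop", "server preference outside permitted range"
    for a in msg.get("addresses", []):
        if not _within_allowed(a, policy.allowed_prefixes):
            return "drop", f"assigned address {a} not in reply prefix-list"
    return "permit", "reply from authorised server with valid contents"


def source_guard(port, msg, binding_table):
    """Source Guard: forward only if (port, source) exists in the binding table."""
    key = (port.name, ipaddress.IPv6Address(msg["src"]))
    return ("permit", "source bound to port") if key in binding_table else ("drop", "source not in binding table")


def inspect(port, msg, policy, binding_table):
    """Dispatch a message to the guard that applies to its type."""
    if msg["type"] == "RA":
        return ra_guard(port, msg, policy)
    if msg["type"] in SERVER_MESSAGES:
        return dhcpv6_guard(port, msg, policy)
    return source_guard(port, msg, binding_table)


# --- constructed scenario ---------------------------------------------------
POLICY = Policy(allowed_prefixes=["2001:db8:1::/48"],
                allowed_servers=["fe80::a8bb:ccff:fe01:f700"],
                managed_config_flag=False)
PORTS = {"Gi1/0/1": Port("Gi1/0/1", "host", "client"),      # access port
         "Gi1/0/24": Port("Gi1/0/24", "router", "server")}  # uplink to router / DHCPv6 server
BINDINGS = {("Gi1/0/1", ipaddress.IPv6Address("2001:db8:1::10"))}  # learned by ND/DHCPv6 snooping
MESSAGES = [
    ("Gi1/0/1",  {"type": "RA", "src": "fe80::1", "prefixes": ["2001:db8:1::/64"]}),    # rogue RA
    ("Gi1/0/24", {"type": "RA", "src": "fe80::1", "prefixes": ["2001:db8:1::/64"]}),    # legitimate RA
    ("Gi1/0/24", {"type": "RA", "src": "fe80::1", "prefixes": ["2001:db8:9::/64"]}),    # fat-finger prefix
    ("Gi1/0/24", {"type": "RA", "src": "fe80::1", "managed": True, "prefixes": []}),    # wrong M flag
    ("Gi1/0/1",  {"type": "REPLY", "src": "fe80::2", "addresses": ["2001:db8:1::77"]}), # rogue server
    ("Gi1/0/24", {"type": "REPLY", "src": "fe80::a8bb:ccff:fe01:f700",
                  "preference": 10, "addresses": ["2001:db8:1::77"]}),                 # legitimate reply
    ("Gi1/0/1",  {"type": "DATA", "src": "2001:db8:1::10"}),                            # bound source
    ("Gi1/0/1",  {"type": "DATA", "src": "2001:db8:1::99"}),                            # spoofed source
]


def evaluate(messages=MESSAGES):
    """Return the verdict for each constructed message, in order."""
    return [inspect(PORTS[port], msg, POLICY, BINDINGS)[0] for port, msg in messages]


if __name__ == "__main__":
    for (port, msg), verdict in zip(MESSAGES, evaluate()):
        print(f"{port:9} {msg['type']:8} {verdict}")
```

The dispatch order mirrors what the text describes: control-plane messages (RA, DHCPv6 server replies) are judged by port role and then by content, while ordinary data packets are judged only against the binding table that snooping has built.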

Configuration:

Access-lists

CAT2(config)# ipv6 access-list ACCESS_PORT
CAT2(config-ipv6-acl)# remark Block all traffic DHCP server -> client
CAT2(config-ipv6-acl)# deny udp any eq 547 any eq 546
CAT2(config-ipv6-acl)# remark Block Router Advertisements
CAT2(config-ipv6-acl)# deny icmp any any router-advertisement
CAT2(config-ipv6-acl)# permit any any
CAT2(config-ipv6-acl)# exit
CAT2(config)# interface gigabitethernet 1/0/1
CAT2(config-if)# switchport
CAT2(config-if)# ipv6 traffic-filter ACCESS_PORT in

RA Guard

Switch(config)# ipv6 nd raguard policy POLICY-NAME
! Defines the RA Guard policy name
Switch(config-ra-guard)# device-role {host | router}
Switch(config)# interface INTERFACE
Switch(config-if)# ipv6 nd raguard attach-policy POLICY-NAME

DHCPv6 Guard

CAT1(config)# ipv6 access-list acl1
CAT1(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
CAT1(config-ipv6-acl)# exit
CAT1(config)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
CAT1(config)# ipv6 dhcp guard policy pol1
CAT1(config-dhcp-guard)# device-role server
CAT1(config-dhcp-guard)# match server access-list acl1
CAT1(config-dhcp-guard)# match reply prefix-list abc
CAT1(config-dhcp-guard)# preference min 0
CAT1(config-dhcp-guard)# preference max 255
CAT1(config-dhcp-guard)# trusted-port
CAT1(config-dhcp-guard)# exit
CAT1(config)# interface GigabitEthernet 1/0/1
CAT1(config-if)# switchport
CAT1(config-if)# ipv6 dhcp guard attach-policy pol1 vlan add 1
CAT1(config-if)# end
CAT1# show ipv6 dhcp guard policy pol1

Tunneling

Tunnel Mode | Topology and Address Space | Applications
Automatic 6to4 | Point-to-multipoint; 2002::/16 addresses | Connecting isolated IPv6 island networks.
Manually configured | Point-to-point; any address space; requires dual-stack support at both ends | Carries only IPv6 packets across IPv4 networks.
IPv6 over IPv4 GRE | Point-to-point; unicast addresses; requires dual-stack support at both ends | Carries IPv6, CLNS, and other traffic.
ISATAP | Point-to-multipoint; any multicast addresses | Intended for connecting IPv6 hosts within a single site.
Automatic IPv4-compatible | Point-to-multipoint; ::/96 address space; requires dual-stack support at both ends | Deprecated. Cisco recommends using ISATAP tunnels instead. Coverage in this book is limited.

Tunnel Type | Tunnel Mode | Destination
Manual | ipv6ip | An IPv4 address
GRE over IPv4 | gre ip | An IPv4 address
Automatic 6to4 | ipv6ip 6to4 | Automatically determined
ISATAP | ipv6ip isatap | Automatically determined
Automatic IPv4-compatible | ipv6ip auto-tunnel | Automatically determined

Automatic IPv4-Compatible Tunnels

The first 96 bits of the tunnel interface addresses are all 0s, and the remaining 32 bits are derived from an IPv4 address. These addresses are written as 0:0:0:0:0:0:A.B.C.D, or ::A.B.C.D, where A.B.C.D represents the IPv4 address.

Automatic 6to4 Tunnels

The router determines the tunnel destination on a per-packet basis, reading the IPv4 endpoint out of each packet's 6to4 destination address, hence its point-to-multipoint nature.

2002:border-router-IPv4-address::/48

This prefix-generation method leaves another 16 bits in the 64-bit prefix for numbering networks within a given site.

interface Ethernet2/0
 description Ethernet link to the outside world
 ip address 10.1.100.1 255.255.255.0
!
interface Tunnel0
 no ip address
 ipv6 address 2002:0a01:6401::1/64
 tunnel source Ethernet2/0
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0

ISATAP Tunnels

ISATAP treats the underlying IPv4 network like an NBMA cloud and operates in point-to-multipoint fashion.

[64-bit link-local or global unicast prefix]:0000:5EFE:[IPv4 address of the ISATAP link]

For example, let’s say that the IPv6 prefix in use is 2001:0DB8:0ABC:0DEF::/64 and the IPv4 tunnel destination address is 172.20.20.1. The IPv4 address, converted to hex, is AC14:1401. Therefore the ISATAP address is

2001:0DB8:0ABC:0DEF:0000:5EFE:AC14:1401

Interface MUST be configured to derive the IPv6 address using the EUI-64 method. EUI-64 addressing in a tunnel interface differs from EUI-64 on a nontunnel interface in that it derives the last 32 bits of the interface ID from the tunnel source interface’s IPv4 address.
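The 6to4 prefix derivation, the per-packet recovery of the IPv4 tunnel endpoint, the deprecated ::A.B.C.D form and the ISATAP interface identifier described above, carried out in Python. This is an added example, not code from the original post or from Cisco IOS; the function names are my own, and the inputs reuse the page's own values (10.1.100.1, 172.20.20.1, 2001:0DB8:0ABC:0DEF::/64) plus one constructed IPv4 address.

```python
"""Address derivations for 6to4, IPv4-compatible and ISATAP tunnels
(added example, not the original post's code; inputs are the page's own or constructed)."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(border_router_ipv4):
    """2002:<IPv4 as hex>::/48, the site prefix a 6to4 border router derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(border_router_ipv4))
    # 0x2002 fills the top 16 bits; the IPv4 address occupies the next 32 (bits 16-47)
    addr = ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))
    return str(ipaddress.IPv6Network(f"{addr}/48"))


def six_to_four_destination(ipv6_destination):
    """The IPv4 tunnel endpoint a 6to4 router reads out of each packet's destination address."""
    a = ipaddress.IPv6Address(ipv6_destination)
    if a not in SIX_TO_FOUR:
        raise ValueError(f"{a} is not a 2002::/16 address")
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def ipv4_compatible(ipv4):
    """::A.B.C.D, the deprecated automatic IPv4-compatible form (first 96 bits all zero)."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4))))


def isatap_address(prefix, tunnel_source_ipv4):
    """<64-bit prefix>:0000:5EFE:<IPv4>, the interface ID built from the tunnel source's IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are built from a /64 prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(tunnel_source_ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    print(six_to_four_prefix("10.1.100.1"))            # prefix of the Tunnel0 address above
    print(six_to_four_destination("2002:a01:6401::1"))  # IPv4 endpoint recovered from a packet
    print(ipv4_compatible("192.168.1.1"))              # constructed IPv4 address
    print(isatap_address("2001:0DB8:0ABC:0DEF::/64", "172.20.20.1"))
```

Note that Python prints the single all-zero group of the ISATAP address as `0` rather than `::`, so the result reads `2001:db8:abc:def:0:5efe:ac14:1401`, the same address as the page's expanded form.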

By default, tunnel interfaces disable router advertisements (RA). However, RAs must be enabled on ISATAP tunnels to support client autoconfiguration (no ipv6 nd suppress-ra).


IPv6

Autoconfig

IPv6 hosts can use stateless or stateful autoconfiguration. Stateless address autoconfiguration (SLAAC) uses IPv6 prefixes from Router Advertisement (RA) messages; stateful autoconfiguration uses DHCPv6.

  • Managed-Config-Flag tells the end-host to use DHCPv6 exclusively;
  • Other-Config-Flag tells the end-host to use SLAAC to get IPv6 address and DHCPv6 to get other parameters (DNS server address, for example).
  • Absence of both flags tells the end-host to use only SLAAC.

One might assume that setting the managed-config-flag in RA messages forces IPv6 hosts to use DHCPv6. Wrong: the two flags are just a polite suggestion.



Address types

Address | Purpose
FF00::/8 | Multicast
FF70::/12 | Embedded RP
FE80::/10 | Link Local Unicast
FF02::1:FF00:0000/104 | Solicited node address
2000::/3 | Global Unicast
2001::/32 | Teredo
2001:DB8::/32 | Documentation (reserved)
2002::/16 | Automatic 6to4
FC00::/7 | Unique Local

Solicited node address

In addition, IPv6 multicast uses a solicited-node group that each router must join for all of its unicast and anycast addresses. The format for solicited-node multicast addresses is

FF02::1:FF00:0000/104

Solicited-node addresses are built from this prefix concatenated with the low-order 24 bits (128 – 104 = 24) of the corresponding unicast or anycast address. For example, a unicast address of

2001:1AB:2003:1::CBAC:DF01

has a corresponding solicited-node multicast address of

FF02::1:FFAC:DF01


Multicast address

General multicast address format (bit widths):

Field: | prefix | flags | scope | group ID
Bits:  | 8      | 4     | 4     | 112


Multicast addresses in IPv6 always begin with FF as the first octet in the address, or FF00::/8. The second octet specifies the lifetime and scope of the multicast group. Lifetime can be permanent (0000) or temporary (0001). Scope can be local to any of the following:

  • Node – 0001
  • Link – 0010
  • Site – 0101
  • Organization – 1000
  • Global – 1110

EUI-64 Address Format

Ethernet hosts and Cisco routers with Ethernet interfaces use their 48-bit MAC addresses as a seed for EUI-64 addressing. But because the MAC address is 48 bits long and the EUI-64 process makes up the last 64 bits of an IPv6 address, the host needs to derive the other 16 bits from another source. The IEEE EUI-64 standard places the hex value FFFE into the center of the MAC address for this purpose. Finally, EUI-64 sets the universal/local bit, which is the 7th bit in the Interface ID field of the address, to indicate global scope.

Here is an example. Given the IPv6 prefix 2001:128:1F:633 and a MAC address of 00:07:85:80:71:B8, the resulting EUI-64 address is

2001:128:1F:633:207:85FF:FE80:71B8/64
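The three address constructions described in this section (the solicited-node multicast address, the 8/4/4/112 multicast field layout with its flags and scope values, and the EUI-64 interface identifier) worked through in Python. This is an added example rather than code from the original post; the function names are my own, the inputs are the page's own examples, and `ff15::1234` is a constructed address used only to show a transient, site-scope group.

```python
"""EUI-64 interface IDs, solicited-node multicast and multicast field decoding
(added example, not the original post's code; inputs are the page's own or constructed)."""
import ipaddress


def eui64_interface_id(mac):
    """Insert FFFE in the middle of the 48-bit MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02   # universal/local bit is the 7th bit of the first octet
    return int.from_bytes(iid, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))   # FF02::1:FF00:0000/104


def solicited_node(unicast):
    """FF02::1:FF00:0000/104 concatenated with the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


SCOPE_NAMES = {0x1: "interface/node-local", 0x2: "link-local", 0x5: "site-local",
               0x8: "organization-local", 0xE: "global"}


def multicast_fields(addr):
    """Split a multicast address into FF | flags | scope | group ID (8 | 4 | 4 | 112 bits)."""
    a = int(ipaddress.IPv6Address(addr))
    if a >> 120 != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags = (a >> 116) & 0xF
    scope = (a >> 112) & 0xF
    return {"flags": flags,
            "transient": bool(flags & 0x1),   # T bit: 0 = permanent, 1 = temporary
            "scope": scope,
            "scope_name": SCOPE_NAMES.get(scope, "reserved/unassigned"),
            "group_id": a & ((1 << 112) - 1)}


if __name__ == "__main__":
    host = eui64_address("2001:128:1F:633::/64", "00:07:85:80:71:B8")
    print(host)                                            # the page's EUI-64 example
    print(solicited_node("2001:1AB:2003:1::CBAC:DF01"))    # the page's solicited-node example
    print(multicast_fields(solicited_node(host)))          # link-local scope, permanent group
    print(multicast_fields("ff15::1234"))                  # constructed: transient, site scope
```

Running it on the page's own inputs reproduces both answers given above, and decoding the solicited-node result shows why that group is link-local: its second octet is 02, flags 0 (permanent) and scope 2.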


ND Functions in IPv6

Message Type | Information Sought or Sent | Source Address | Destination Address | ICMP Type, Code
Router Advertisement (RA) | Routers advertise their presence and link prefixes, MTU, and hop limits | Router’s link-local address | FF02::1 for periodic broadcasts; address of querying host for responses to an RS | 134, 0
Router Solicitation (RS) | Hosts query for the presence of routers on the link | Address assigned to querying interface, if assigned, or :: if not assigned | FF02::2 | 133, 0
Neighbor Solicitation (NS) | Hosts query for other nodes’ link-layer addresses; used for duplicate address detection and to verify neighbor reachability | Address assigned to querying interface, if assigned, or :: if not assigned | Solicited-node multicast address or the target node’s address, if known | 135, 0
Neighbor Advertisement (NA) | Sent in response to NS messages and periodically to provide information to neighbors | Configured or automatically assigned address of originating interface | Address of node requesting the NA or FF02::1 for periodic advertisements | 136, 0
Redirect | Sent by routers to inform nodes of better next-hop routers | Link-local address of originating node | Source address of requesting node | 137, 0

ICMPv6

  • Two groups of messages: error reporting messages and informational messages.
  • The RFC mandates configurable rate limiting of ICMPv6 error messages (ipv6 icmp error-interval; the default is a 100 ms interval with a bucket of 10 tokens).

DHCPv6

To use stateful autoconfiguration, a host sends a DHCP request to one of two well-known IPv6 multicast addresses on UDP port 547:

  • FF02::1:2, all DHCP relay agents and servers
  • FF05::1:3, all DHCP servers