IPv6 security

In previous posts I shown how to network on IPv4. IPv6 is a different world, IPv4 ACLs and approach will not work. IPv6 traffic runs in parallel to IPv4 and IPv4 ACLs/Firewall will not block IPv6 traffic. The main problem of IPv6 is that even when you don’t enable IPv6 on routers, some of customers have it enabled and become the target of attack. Many times PC with Windows Internet Connection Sharing is starting to advertise itself as a IPv6 router.

IPv6 ACL has 3 implicit entries on the end which are not shown
permit icmp any any nd-ns
permit icmp any any na-ns
deny ipv6 any any

example of the IPv6 ACL :
Router(config)# ipv6 access-list IPV6_ACL
Router(config-acl)# deny 2001:db8:1234:1000::/64 any
Router(config-acl)# permit any 2001:db8:1234:1000::1/64 eq 80

Router(config)# interface fa0/1
Router(config)# ipv6 traffic-filter IPV6_ACL

IPv6 Neighbor discovery weakness
In IPv4 world we can use DHCP with DHCP snooping technologies, unfortunately in IPv6 is used another technology, called Neighbor Discovery. With Neighbor discovery router (or attacker) can send a simple RA message and PC will change it’s configuration.
These attacks can be performed with Neighbor Discovery using simple attack tools:

1. The default route can be changed. Result – man in the middle.

2. PC is creating own IP address based on ND received prefix. So, attacker can configure PC and give him different IP prefix as it should receive. Also with ND is possible to change IPv6 route to particular site, for example google, so everything looks fine from “ipconfig”, but google website goes through attacker computer. Result – man in the middle.

3. ND can be used also for flood. Many windows versions will simply die under ND flood in few minutes. Result – dead machines in the LAN.

4. Instead of sending new default route, attacker can send routerlifetime=0 parametr, and PC will delete all IPv6 address configuration and IPv6 default gateway. Result – disable IPv6 service on PC.

* Even if we block ND traffic, DHCPv6 can be used instead, so we need to block ND and DHCPv6 too.
The question is how to fight against Neighbor Discovery/DHCPv6 ?

First approach is to put ACLs on all ports to PCs. This technique is good for preventing ND/DHCPv6 spoofing, but still things like IP and MAC spoofing are not covered.

Switch(config)# ipv6 access-list DENY-RA-DHCP
Switch(config-ipv6-acl)# deny icmp any any router-advertisement
Switch(config-ipv6-acl)# deny udp any eq 547 any
Switch(config-ipv6-acl)# permit ipv6 any any

Second option is RA-Guard.
It works exactly in same manner as previous example with ACL, just we don’t need to configure ACLs. Commands are :
Switch(config)# ipv6 nd raguard policy POLICY-RA-BLOCK
Switch(config-ra-guard)# device-role host
– this is policy for blocking ND RA

Switch(config)# ipv6 nd raguard policy POLICY-RA-PERMIT
Switch(config-ra-guard)# device-role router
– this is policy allowing ND RA

Switch(config)# interface fa0/0
Switch(config-if)# ipv6 nd raguard attach-policy POLICY-BLOCK
– here we are blocking ND RA messages on the port

ND snooping
Ok, but in both previous examples IP and MAC spoofing were not solved. ND snooping should help us with it.
Switch is listening to all Neighbor Solicitation and Neighbor Advertisement messages and creates a table of IP-MAC bindings (the problem still is that there is no authoritative DHCP which can verify that IP-MAC is of customer,not of attacker).

Switch(config)# ipv6 nd inspection policy BLOCK-ATTACK
Switch(config-nd-inspection)# device-role host
Switch(config)# interface fa0/0
Switch(config-if)# ipv6 nd inspection attach-policy BLOCK-ATTACK

show ipv6 neighbors binding will show us this output :


DHCPv6 guard
When ND is more less fixed, there can still be a DHCPv6 server in the network. DHCPv6 snooping(DHCP guard on cisco) works similar to DHCPv4 snooping.

Configuration of PC port :
Switch(config)#ipv6 dhcp guard policy DHCP_CLIENT
Switch(config-dhcp-guard)#device-role client
Switch(config)# interface fa0/0
Switch(config-int)# ipv6 dhcp guard attach-policy DHCP_CLIENT

Configuration of DHCP server port :
Switch(config)#ipv6 dhcp guard policy DHCP_SERVER
Switch(config-dhcp-guard)#device-role server
Switch(config)# interface fa0/1
Switch(config-int)# ipv6 dhcp guard attach-policy DHCP_SERVER

Verification is:
show ipv6 dhcp guard policy