IPv6 First-Hop Security: Ideal OpenFlow Use Case

Supposedly it’s a good idea to be able to identify which one of your users had a particular IP address at the time when that source IP address created significant havoc. We have a definitive solution for the IPv4 world: DHCP server logs combined with DHCP snooping, IP source guard and dynamic ARP inspection. The IPv6 world is a mess: read this e-mail message from the v6ops mailing list and watch Eric Vyncke’s RIPE65 presentation for the excruciating details.

Short summary

  • Many layer-2 switches still lack feature parity with IPv4;
  • IPv6 uses three address allocation algorithms (SLAAC, privacy extensions, DHCPv6) and it’s quite hard to enforce a specific one;
  • Host implementations are wildly different (aka “the nice thing about standards is that you have so many to choose from”);
  • IPv6 address tracking is a hodgepodge of kludges.

What if ... there were an OpenFlow solution?

Now imagine a parallel universe in which the geniuses creating OpenFlow 1.0 actually considered IPv6. IPv6 address tracking would become an ideal job for an OpenFlow controller:

  • Whenever a new end-host appears on the network, it’s authenticated, and its MAC address is logged. Only that MAC address can be used on that port (many switches already implement this functionality).
  • Whenever an end-host starts using a new IPv6 source address, the packets are not matched by any existing OpenFlow entries and thus get forwarded to the OpenFlow controller.
  • The OpenFlow controller decides whether the new source IPv6 is legal (enforcing DHCPv6-only address allocation if needed), logs the new IPv6-to-MAC address mapping, and modifies the flow entries in the first-hop switch. The IPv6 end-host can use many IPv6 addresses – each one of them is logged immediately.
  • Ideally, if the first-hop switches support all the nuances introduced in OpenFlow 1.2, the controller can install neighbor advertisement (NA) filters, effectively blocking ND spoofing.
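The four steps above, modelled as a small, self-contained controller. This is an added example, not code from the original post or from any OpenFlow controller: the switch, the packet-in events and the flow entries are plain Python objects (no Ryu/POX/ONOS API is used), the DHCPv6 lease table and the link prefix are constructed sample data, and the NA-filter entries assume an OpenFlow 1.2-style switch that can match on ICMPv6 type and ND target address.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("v6track")
logging.basicConfig(level=logging.INFO, format="%(message)s")

ICMPV6_NA = 136                                   # ICMPv6 neighbor advertisement
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed DHCPv6 lease table (MAC -> leased addresses). A real controller would
# pull this from the DHCPv6 server or from a relay's lease log.
DHCPV6_LEASES = {"00:11:22:33:44:55": {ipaddress.IPv6Address("2001:db8:1::100")}}
LINK_PREFIXES = [ipaddress.IPv6Network("2001:db8:1::/64")]   # constructed link prefix


@dataclass
class FlowEntry:
    priority: int
    match: dict
    action: str                      # "forward", "drop" or "controller"


@dataclass
class Packet:
    in_port: int
    eth_src: str
    ipv6_src: str
    icmpv6_type: Optional[int] = None
    ipv6_nd_target: Optional[str] = None     # only present in ND messages

    def fields(self) -> dict:
        f = {k: v for k, v in vars(self).items() if v is not None}
        for k in ("ipv6_src", "ipv6_nd_target"):      # canonical text form for matching
            if k in f:
                f[k] = str(ipaddress.IPv6Address(f[k]))
        return f


class Switch:
    """Flow table of the first-hop switch: highest-priority matching entry wins,
    a table miss is punted to the controller (the OpenFlow 1.0 default)."""
    def __init__(self):
        self.flows: list[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        self.flows.append(entry)
        self.flows.sort(key=lambda e: -e.priority)

    def lookup(self, pkt: Packet) -> str:
        f = pkt.fields()
        for e in self.flows:
            if all(f.get(k) == v for k, v in e.match.items()):
                return e.action
        return "controller"


class Controller:
    def __init__(self, switch: Switch, dhcpv6_only: bool = True, na_filters: bool = True):
        self.sw = switch
        self.dhcpv6_only = dhcpv6_only
        self.na_filters = na_filters            # needs OF1.2-style ICMPv6/ND matching
        self.port_mac: dict[int, str] = {}
        self.bindings: dict[str, tuple[str, int]] = {}   # ipv6 -> (mac, port): the audit trail

    def host_authenticated(self, port: int, mac: str) -> None:
        """Step 1: pin the authenticated MAC to its port. Frames from any other MAC are
        dropped; IPv6 from the right MAC still misses the table and reaches the controller."""
        self.port_mac[port] = mac
        self.sw.install(FlowEntry(1, {"in_port": port}, "drop"))
        self.sw.install(FlowEntry(2, {"in_port": port, "eth_src": mac}, "controller"))
        if self.na_filters:     # Step 4: NAs are dropped unless a per-address allow entry exists
            self.sw.install(FlowEntry(5, {"in_port": port, "eth_src": mac,
                                          "icmpv6_type": ICMPV6_NA}, "drop"))

    def address_is_legal(self, mac: str, addr: ipaddress.IPv6Address) -> bool:
        """Step 3: unspecified (DAD) and link-local sources are always needed for ND and
        DHCPv6; other addresses must be DHCPv6 leases (or at least on-link) depending on policy."""
        if addr.is_unspecified or addr in LINK_LOCAL:
            return True
        if self.dhcpv6_only:
            return addr in DHCPV6_LEASES.get(mac, set())
        return any(addr in p for p in LINK_PREFIXES)

    def packet_in(self, pkt: Packet) -> str:
        """Step 2/3: handle a table miss, log the binding and program the switch."""
        if self.port_mac.get(pkt.in_port) != pkt.eth_src:
            return "drop: MAC not bound to port"
        addr = ipaddress.IPv6Address(pkt.ipv6_src)
        base = {"in_port": pkt.in_port, "eth_src": pkt.eth_src, "ipv6_src": str(addr)}
        if not self.address_is_legal(pkt.eth_src, addr):
            log.warning("illegal source %s from %s on port %d", addr, pkt.eth_src, pkt.in_port)
            self.sw.install(FlowEntry(4, base, "drop"))     # stop further punts for this address
            return "drop: illegal source address"
        if not addr.is_unspecified:
            self.bindings[str(addr)] = (pkt.eth_src, pkt.in_port)
            log.info("binding %s -> %s on port %d", addr, pkt.eth_src, pkt.in_port)
        self.sw.install(FlowEntry(4, base, "forward"))
        if self.na_filters and not addr.is_unspecified:   # NAs only for addresses this host owns
            self.sw.install(FlowEntry(6, {"in_port": pkt.in_port, "eth_src": pkt.eth_src,
                                          "icmpv6_type": ICMPV6_NA, "ipv6_nd_target": str(addr)},
                                      "forward"))
        return "forward"

    def who_had(self, addr: str) -> Optional[tuple[str, int]]:
        """The question from the opening paragraph: which MAC/port used this address?"""
        return self.bindings.get(str(ipaddress.IPv6Address(addr)))
```

The priority ordering is what makes the NA filter work: the per-port NA drop (priority 5) sits above the per-address forwarding entries (priority 4) so that a host cannot advertise someone else's address just because its own source address was accepted, while the per-address NA allow entries (priority 6) sit above the drop. On a real OpenFlow 1.0 switch only the `in_port`/`eth_src`/`ipv6_src`-style entries would be expressible, and even `ipv6_src` is missing from the OF1.0 match structure, which is the point the post makes.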

Will this nirvana appear anytime soon? Not likely. Most switch vendors support only OpenFlow 1.0, which is totally IPv6-ignorant (if you’re aware of OF1.2-compliant switches, please write a comment). Also, solving real-life operational issues is never as sexy as promoting the next unicorn-powered fountain of youth.

More information

The Building large IPv6 service provider networks webinar describes the intricate details of the various IPv6 address assignment mechanisms; the IPv6 security webinar covers the plethora of IPv6 security issues. You get access to both of them (and numerous others) with the yearly subscription.

2 comments:

  1. Sounds like you are looking for SAVI?

    i.e.
    http://www.ietf.org/proceedings/76/slides/savi-7.pdf
    http://tools.ietf.org/wg/savi/

    Replies
    1. Interesting, too: http://www.apan.net/meetings/ChiangMai2012/Session/FIT/APAN33-junbi.pdf


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.