Don’t use IPv6 RA on server LANs

Enabling IPv6 on a server LAN with the ipv6 address interface configuration command without taking additional precautions might be a bad idea. All modern operating systems have IPv6 enabled by default, and the moment someone starts sending Router Advertisement (RA) messages, the servers will auto-configure their LAN interfaces.

Autoconfigured servers might become exposed to the outside world if you’re using something like iptables to protect them (iptables rules cover only IPv4; IPv6 traffic is filtered by ip6tables) – one of the many IPv6 security gotchas Eric Vyncke and I will describe in the upcoming IPv6 security webinar.

Interestingly, there’s a per-prefix flag in RA messages (the A flag described in detail in my Building Large IPv6 Service Provider Networks webinar) telling the end-hosts whether they can use the prefix for stateless autoconfiguration. If you configure the routers not to advertise the A flag with something like the ipv6 nd prefix no-autoconfig interface configuration command, the hosts won’t get a valid IPv6 address and you’re safe ... or so one would think.

Unfortunately the reality is a bit more convoluted than that. I had a great chat with Sander Steffann during RIPE65 and he was kind enough to explain the intricacies:

  • The moment a Unix-like server gets an IPv6 default route through RA, it thinks it lives in a dual-stack world (even though it doesn’t have a routable IPv6 address);
  • Dual-stack-aware applications start establishing outgoing IPv6 sessions, and the server starts sending TCP SYN packets with the link-local source address, which any decent first-hop router immediately rejects with a destination unreachable (beyond scope of source address) ICMP message;
  • Some Unix-like servers react to the ICMP message and close the half-baked TCP session, allowing the application to recover pretty quickly; others wait for TCP SYN timeouts (because a security-conscious operating system never listens to ICMP messages ... after all, they might have been spoofed).

The only safe way to configure IPv6 on a server LAN where you don’t control all the servers (and thus cannot be sure IPv6 is disabled on the servers that should be IPv4-only) is thus to disable RA, use static server IPv6 addresses, configure a static IPv6 default route on the servers, and run a first-hop redundancy protocol (like HSRP) between the first-hop layer-3 switches.
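
To find servers that already picked up RA state, here is an added example (not code from the original post) that classifies each interface of a Linux host from the text of `ip -6 route show default` and `ip -6 -o addr show`. It assumes a recent iproute2 that labels RA-learned routes `proto ra` and autoconfigured addresses `dynamic`; the function name, state names and sample output are constructed for illustration.

```python
import re

# Constructed sample output (documentation addresses), not captured from a real host.
ROUTES = """\
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
default via fe80::1 dev eth1 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
default via 2001:db8:2::1 dev eth2 proto static metric 1024 pref medium
"""
ADDRS = r"""
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet6 2001:db8:1:0:5054:ff:fe00:2/64 scope global dynamic mngtmpaddr \       valid_lft 2591990sec preferred_lft 604790sec
3: eth1    inet6 fe80::5054:ff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever
4: eth2    inet6 2001:db8:2::10/64 scope global \       valid_lft forever preferred_lft forever
4: eth2    inet6 fe80::5054:ff:fe00:3/64 scope link \       valid_lft forever preferred_lft forever
"""

def ra_exposure(route_out, addr_out):
    """Map interface -> state from `ip -6 route show default` / `ip -6 -o addr show` text."""
    ra_ifaces = set()
    for line in route_out.splitlines():
        m = re.match(r"default\b.*\bdev (\S+)", line.strip())
        if m and re.search(r"\bproto ra\b", line):      # default route installed from an RA
            ra_ifaces.add(m.group(1))
    global_kinds = {}                                   # iface -> subset of {"dynamic", "static"}
    for line in addr_out.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet6\s+\S+\s+scope\s+(\S+)(.*)", line.strip())
        if not m:
            continue
        iface, scope, flags = m.groups()
        kinds = global_kinds.setdefault(iface, set())
        if scope == "global":
            kinds.add("dynamic" if re.search(r"\bdynamic\b", flags) else "static")
    states = {}
    for iface in sorted(set(global_kinds) | ra_ifaces):
        kinds = global_kinds.get(iface, set())
        if "dynamic" in kinds:
            states[iface] = "AUTOCONFIGURED_GLOBAL"     # reachable over IPv6: check ip6tables
        elif iface in ra_ifaces and not kinds:
            states[iface] = "RA_ROUTE_LINK_LOCAL_ONLY"  # believes it is dual-stack, SYNs from fe80::
        elif iface in ra_ifaces:
            states[iface] = "STATIC_ADDR_RA_ROUTE"      # static address, but RAs still accepted
        else:
            states[iface] = "NO_RA_STATE"
    return states

if __name__ == "__main__":
    for iface, state in ra_exposure(ROUTES, ADDRS).items():
        print(f"{iface}: {state}")
```

In the sample, eth0 is in the link-local-only state described in the list above, eth1 is the autoconfigured case that iptables alone does not protect, and eth2 matches the static configuration recommended here.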

3 comments:

  1. Some Windows 2008 systems don't even need RA enabled to think they are dual-stack:

    http://blog.zztopping.com/2012/08/02/ipv6-application-support-in-a-state-of-flux/
    Replies
    1. http://blog.zztopping.com/2012/08/ipv6-application-support-in-state-of.html
  2. For VRRP for IPv6, sending RA's is mandatory;

    From draft-ietf-vrrp-ipv6-spec-08 / RFC5798:

    6.4.3 Master: MUST send ND Router Advertisements for the virtual router.

    At least JUNOS seems to follow this requirement.

    Interested to hear what folks are doing to work around that, e.g. use egress port or vlan acl's on host facing ports to filter out those RA's ??