First-Hop IPv6 Security Features in Cisco IOS

I wanted to figure out how to use IPv6 DAD proxy in PVLAN environments during my seaside vacations, and as I had no regular Internet access decided to download the whole set of IPv6 configuration guides while enjoying the morning cup of coffee in an Internet café. Opening the IPv6 First-Hop Security Configuration Guide was one of the most pleasant (professional) surprises I had recently.

One word summary: Awesome.

Cisco IOS has (at least) these IPv6 first-hop security features:

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.
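The two message-validation features above, written out as an added IOS configuration example (not taken from the original post or from Cisco documentation). Policy names, VLAN 10, the interface numbers, the 2001:db8:10::/64 prefix and the DHCPv6 server address are assumptions chosen for illustration.

```cisco
! Added example (not from the original post): RA Guard and DHCPv6 Guard
! policies on an access switch. Policy names, interface numbers, the
! prefix 2001:db8:10::/64 and the server address are assumptions.
!
! Host-facing ports: any RA received here is dropped.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! Router-facing uplink: RAs are accepted only if their contents match.
! RAs with other prefixes, a hop limit below 64, or the M/O flags
! cleared are dropped before they reach the hosts.
ipv6 prefix-list ALLOWED-PREFIXES seq 10 permit 2001:db8:10::/64
!
ipv6 nd raguard policy UPLINK
 device-role router
 managed-config-flag on
 other-config-flag on
 hop-limit minimum 64
 router-preference maximum medium
 match ra prefix-list ALLOWED-PREFIXES
!
! DHCPv6 Guard: client ports may not send server or relay messages.
ipv6 dhcp guard policy CLIENT-PORTS
 device-role client
!
! Server-facing port: replies must come from the authorized server
! (assumed address) and may only assign addresses from the expected prefix.
ipv6 access-list DHCPv6-SERVERS
 permit ipv6 host 2001:db8:10::53 any
!
ipv6 prefix-list DHCPv6-PREFIXES seq 10 permit 2001:db8:10::/64 le 128
!
ipv6 dhcp guard policy SERVER-PORT
 device-role server
 match server access-list DHCPv6-SERVERS
 match reply prefix-list DHCPv6-PREFIXES
!
! Attach the host/client policies to the whole access VLAN ...
vlan configuration 10
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy CLIENT-PORTS
!
! ... and the router/server policies to the uplink only.
interface GigabitEthernet1/0/48
 description Uplink towards router and DHCPv6 server
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy SERVER-PORT
!
! Verification
show ipv6 nd raguard policy UPLINK
show ipv6 dhcp guard policy SERVER-PORT
```

A policy attached to an interface takes precedence over the one attached to its VLAN, so the uplink is checked against UPLINK and SERVER-PORT while every other port in VLAN 10 falls under the host and client policies. The uplink policies are what the post calls the "fat fingers" safeguard: a legitimate router or DHCPv6 server that starts advertising the wrong prefix is filtered just like a rogue one.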

IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we’d call this combination of features DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources, i.e. IPv6 source addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and from the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

IPv6 Prefix Guard is a layer-2 feature. You should use uRPF check on layer-3 interfaces.

IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in the IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.
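The binding-table-based features (IPv6 Snooping, Source Guard, Prefix Guard and Destination Guard) as an added IOS configuration example that is not part of the original post or of Cisco documentation. Policy names, VLAN 10, the interface numbers, the per-port address limit and the 2001:db8:10::/64 subnet are assumptions; the IPv6 Snooping policy must be in place first because every other feature in this block reads the table it builds.

```cisco
! Added example (not from the original post): binding-table-based features.
! Policy names, VLAN 10, interface numbers and the address limit are assumptions.
!
! Build the binding table from ND and DHCPv6 seen on host-facing ports.
! security-level guard also drops ND/DHCPv6 messages that conflict with
! existing bindings, and limit address-count bounds table growth per port.
ipv6 snooping policy NODES
 security-level guard
 device-role node
 protocol ndp
 protocol dhcp
 tracking enable
 limit address-count 10
!
! The uplink is trusted: no address limit, no inspection of its messages.
ipv6 snooping policy TRUSTED-UPLINK
 device-role switch
 trusted-port
!
! Source Guard: drop packets whose source is not in the binding table.
! "validate prefix" adds Prefix Guard: sources outside the prefixes learned
! from RAs or DHCPv6 IA_PD are dropped as well. Link-local traffic is
! allowed so ND itself keeps working.
ipv6 source-guard policy SRC-GUARD
 validate address
 validate prefix
 permit link-local
!
! Destination Guard on the L3 interface: do not resolve ND for targets
! that are not already in the binding table (stops ND cache exhaustion).
ipv6 destination-guard policy DST-GUARD
 enforcement always
!
vlan configuration 10
 ipv6 snooping attach-policy NODES
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ipv6 source-guard attach-policy SRC-GUARD
!
interface GigabitEthernet1/0/48
 description Trusted uplink
 ipv6 snooping attach-policy TRUSTED-UPLINK
!
interface Vlan10
 ipv6 address 2001:db8:10::1/64
 ipv6 destination-guard attach-policy DST-GUARD
!
! Verification: the learned bindings and the policies in effect
show ipv6 neighbors binding
show ipv6 snooping policies
```

The first thing to check after deployment is `show ipv6 neighbors binding`: if hosts are missing there (for example because they obtained addresses before snooping was enabled), Source Guard will drop their traffic until the switch re-learns them, which is the recovery behaviour described above.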

Summary: Cisco IOS seems to be the networking software with the most comprehensive set of IPv6 first-hop security features. As always, some features might not be available on some platforms – use the Feature Navigator to figure out which features your IPv6-capable switches support.

You’ll find more about IPv6 first-hop security requirements and features in the IPv6 Security webinar (also available as part of the yearly subscription). In that webinar, Eric Vyncke described individual Cisco IOS security features. The videos of his presentation are freely available.

5 comments:

  1. Great post, thanks.
  2. Unfortunately it still doesn’t help against thc-ipv6, but it’s nice to see Cisco is working on this issue.
    Don’t ask HP about this one, they don’t have a working solution...
  3. Great post I am still waiting for these features to be implemented in Nexus 1000v.
  4. Why is it that Cisco describes "destination guard" as dropping traffic "from unknown sources", if it seems to be based only on destination?
  5. For the benefit of everyone who is trying to research where certain features are supported...

    The Cisco feature navigator is very inconsistent when it comes to IPv6 features. And it gets very complicated when you start talking about supported features on platforms like the Cat3k switches where there's many different models supporting many different models. This is the best link I've found to use to determine what code levels features are supported in (and just to research what the features are):
    http://docwiki.cisco.com/wiki/Cisco_IOS_IPv6_Feature_Mapping#IPv6_Features

    This is a relatively good link to look up what features are supported in NX-OS code levels (though it’s mostly pertinent to the 7k and MDS):
    http://docwiki.cisco.com/wiki/Cisco_NX-OS_IPv6_Feature_Mapping

    Lastly, if the above two links don't cover it then the best place to look is software release notes. You can generally start with the latest code version (within your train) and look in the release notes to see when a specific feature was introduced into that train.