After the excellent IPv6 security presentation Eric Vyncke had @ 9th Slovenian IPv6 summit someone asked me: “Why is IPv6 first-hop security so complex? It looks like the developers of IPv6 protocol stack tried to make users anonymous and made everyone’s life complex while doing that.”
Well, he was totally surprised by my answer: “The real reason IPv6 first-hop security is so complex is the total mess we made of L2/L3 boundary.”
In the ideal world…
Imagine a perfect world in which we use layer-2 connectivity only between the adjacent nodes (the way it was designed to be used) – the first switch your host is connected to is thus already a layer-3 switch. The security implications are staggering:
- A layer-3 switch (a device formerly known as a router) does not listen to Router Advertisements no RA spoofing;
- Neighbor discovery works across a layer-2 segment, not across layer-3 switches no ND spoofing;
- With every host being on a dedicate layer-2 segment, it’s impossible to reply to DHCPv6 requests (because a host doesn’t ever see requests from other hosts) no DHCPv6 spoofing;
- The layer-3 switch has authoritative forwarding information and can perform unicast Reverse Path Forwarding (uRPF) checks to verify source IPv6 addresses no IPv6 address spoofing.
Won’t that explode the routing tables?
Am I advocating using a /64 for every host? Do I look that stupid? It’s time to get creative and start using host routes:
- A single /64 prefix is advertised to all hosts in a “subnet”;
- The prefix is advertised as available for autoconfiguration (if you want to have autoconfiguration);
- If the layer-3 switch advertises the prefix as off-net, the hosts don’t even try to use Neighbor Discovery mechanism to find the MAC addresses of other hosts, but go straight to the layer-3 switch when they have to send a packet to someone else;
- The layer-3 switch creates a host route for every directly attached host. It can even reuse the exact same silicon used for ND entries these days (see also: that’s not the host route route you’re looking for).
- You could configure those host routes manually (in high-security environment), allow DHCPv6 proxy to do its job (interesting, this code is already available in Cisco IOS), or create a host route out of an DAD message if you decide to trust the hosts and the IPv6 autoconfiguration process.
- The switch may redistribute those host routes into whatever routing protocol it’s using (might be needed in multihomed environments) or advertise the /64 prefix into the rest of the network and let the more-specific-prefix forwarding take care of the rest.
Most of the above functionality is already available in layer-3 switches with reasonably good IPv6 support (read: not many of them), the only missing bit is the host route creation based on DAD messages (effectively reinventing Mobile ARP or Enterasys’ Host Routing).
Will we see a daring switch vendor who’ll break the ancient bad habits and start using the hardware they already have (most high-speed switches already have L3 hardware) in a slightly more creative way, or will Microsoft remain the only one with the guts to say “stop the layer-2 stupidities”? Being the pessimist that I am, I’d bet Microsoft will be very lonely in the IPv6 L3-only world for quite a while, but do prove me wrong in the comments!
Speaking of IPv6 security
I did an IPv6 security webinar with Eric Vyncke 18 months ago, and it’s as relevant as ever (particularly considering the dismal level of first-hop IPv6 security support in hardware- or virtual switches).