Notes:
NDP (or ND, as we used to call it) creates the Neighbor Cache, which is the equivalent of the ARP cache or table in IPv4 (we can display it with show ipv6 neighbors).
Typing no ipv6 unicast-routing disables the router's ability to forward IPv6 unicast packets and to run IPv6 routing protocols, and also stops it from sending ICMPv6 RA messages.
As with IPv4 ARP, we can create a static entry in the neighbor cache by typing: ipv6 neighbor ipv6-address interface-type interface-number hardware-address
The neighbor cache can be cleared by typing: clear ipv6 neighbors
If we type show ipv6 interface we can see many ND parameters.
Remember for later configuration: to make our router a DHCP relay agent we type:
int f0/0
ipv6 dhcp relay destination 2001:5:6:7::2 (where 2001:5:6:7::2 is the DHCPv6 server address)
(Dhcp client ------ f0/0 router f0/1--------dhcp server)
RA interval is the amount of time in seconds between consecutive RA messages (default is 200 seconds). We can change it using the ipv6 nd ra interval command.
RA lifetime defines how long a host should consider this router a valid default gateway (default is 1800 seconds = 30 minutes). We can change it using the ipv6 nd ra lifetime command.
Changing the M & O flags:
M flag (managed address configuration flag): tells the host whether it should obtain its configuration information automatically using SLAAC or DHCPv6.
0 = use SLAAC (default)
1 = use DHCPv6
To change it to 1 (use DHCPv6) we type:
ipv6 nd managed-config-flag
O flag (other configuration flag): informs the host whether additional information such as DNS info is available from a DHCPv6 server.
0 = no additional info available from DHCPv6
1 = use the DHCPv6 server to get additional info
To change it to 1 (use DHCPv6) we type:
ipv6 nd other-config-flag
Let's check the following topology to understand more about IPv6 behavior inside our LAN:
R3 acts as a PC. From R3's point of view, R1 or R2 will be its first hop to reach external networks.
R1 will act as a mini DHCP and send an IPv6 address to R3.
R3
int f0/1
ipv6 address autoconfig default
The above command makes this interface get an IPv6 address from the same prefix R1 sends using RA, and R3 will also consider R1 its default gateway since we added the keyword default.
Evil Foca is a tool designed for pen testers and security auditors to perform security testing in IPv4/IPv6 data networks. The tool is capable of performing different attacks such as: MITM on IPv4 networks using ARP spoofing and DHCP ACK injection, MITM on IPv6 networks using Neighbor Advertisement spoofing, SLAAC attack and fake DHCPv6, DoS (Denial of Service) on IPv4 networks using ARP spoofing, DoS on IPv6 networks using SLAAC attack, and DNS hijacking.
So it's time to secure our first-hop topology, and this is what we call First Hop Security (FHS).
IPv6 First Hop Security (IPv6 FHS)
IPv6 FHS features are also called IPv6 policies, which can be applied at interface or VLAN level. FHS comes with a software policy database where the policies are stored.
IPv6 snooping acts as a container policy that enables most of the features available with FHS in IPv6.
Most FHS features are configured in two steps: first you define a policy which describes the behavior of the feature, second you apply this policy to a VLAN or interface.
FHS Features:
IPv6 RA Guard
IPv6 DHCP Guard
IPv6 Snooping (Binding Integrity Guard) & Device Tracking
IPv6 Source Guard
IPv6 Destination Guard
IPv6 Prefix Guard
IPv6 PACL
SeND Protocol
IPv6 RA Guard
Used to prevent router and prefix spoofing.
The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.
This feature is supported only in hardware when the ternary content addressable memory (TCAM) is
programmed.
This feature can be configured on a switch port interface in the ingress direction.
This feature supports host mode and router mode.
This feature is supported only in the ingress direction; it is not supported in the egress direction.
This feature is not supported on EtherChannel and EtherChannel port members.
This feature is not supported on trunk ports with merge mode.
This feature is supported on auxiliary VLANs and private VLANs (PVLANs).
Packets dropped by the IPv6 RA Guard feature can be spanned.
If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the IPv6 RA Guard feature cannot be configured and an error message will be displayed. This command adds default global Internet Control Message Protocol (ICMP) entries that override the RA Guard ICMP entries.
IPv6 RA Guard (RA Guard should be deployed on the first-hop L2 switch):
RA messages are the only way to get default gateway information to hosts in the network (besides static configuration); DHCPv6 does not carry this information in its messages, unlike DHCPv4. It is therefore wrong if some host sends RA messages, because it is then practically trying to take the role of default gateway away from the router. By configuring RA Guard on all switch ports except the port that leads to the router, we prevent rogue RA advertisements on that segment.
interface Ethernet0/1
ipv6 nd raguard
This configuration will drop any RAs received on this interface, thus enforcing the policy that this port only connects to end hosts. We apply it to all interfaces connected to hosts.
But what if we need a configuration that permits RAs only if they have the M and O bits set, and enforces that the subsequent DHCP-advertised prefix is within the company's range of 2001:db8:cafe::/48? Then we need to configure RA Guard in policy style; check the following example:
ipv6 nd raguard policy ONLY-DHCPv6-RAs
 ! role 'router' allows the RAs through but triggers deep inspection
 device-role router
 ! the RAs that we let through have to have the Managed flag set
 managed-config-flag on
 ! the Other configuration flag also needs to be set
 other-config-flag on
 ! only allow the RAs that advertise prefixes from our own address space
 match ra prefix-list IPv6-SPACE
!
interface Ethernet0/0
 switchport access vlan 100
 switchport mode access
 ! attach the policy to the port connecting to the router
 ipv6 nd raguard attach-policy ONLY-DHCPv6-RAs
!
ipv6 prefix-list IPv6-SPACE permit 2001:db8:cafe::/48 ge 64 le 64
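The policy logic above, as an added Python model (not IOS code and not part of the original notes): it walks the same checks the ONLY-DHCPv6-RAs policy makes, including the prefix-list ge/le semantics, against constructed RAs. The RouterAdvertisement and RaGuardPolicy classes and their field names are my own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouterAdvertisement:
    """Constructed model of the RA fields that RA Guard inspects."""
    src_link_local: str
    m_flag: bool              # Managed address configuration flag
    o_flag: bool              # Other configuration flag
    prefixes: list            # Prefix Information options, e.g. ["2001:db8:cafe:1::/64"]


@dataclass
class RaGuardPolicy:
    """Mirrors the knobs of 'ipv6 nd raguard policy': device-role,
    managed-config-flag on, other-config-flag on, match ra prefix-list."""
    device_role: str = "host"            # "host" drops every RA, "router" inspects them
    managed_config_flag_on: bool = False
    other_config_flag_on: bool = False
    prefix_list: list = field(default_factory=list)   # (network, ge, le) entries


def prefix_list_permits(prefix_list, prefix):
    """IOS prefix-list semantics: the advertised prefix must lie inside a
    listed network and its length must satisfy that entry's ge/le bounds."""
    cand = ipaddress.IPv6Network(prefix)
    for net_str, ge, le in prefix_list:
        if cand.subnet_of(ipaddress.IPv6Network(net_str)) and ge <= cand.prefixlen <= le:
            return True
    return False      # implicit deny at the end of every prefix-list


def ra_guard_verdict(policy, ra):
    """Walk the policy checks in order; return 'permit' or 'drop: <reason>'."""
    if policy.device_role != "router":
        return "drop: device-role host, no RAs expected on this port"
    if policy.managed_config_flag_on and not ra.m_flag:
        return "drop: managed-config-flag on but the RA has M=0"
    if policy.other_config_flag_on and not ra.o_flag:
        return "drop: other-config-flag on but the RA has O=0"
    for p in ra.prefixes:
        if policy.prefix_list and not prefix_list_permits(policy.prefix_list, p):
            return f"drop: advertised prefix {p} is outside the prefix-list"
    return "permit"


# The ONLY-DHCPv6-RAs policy with the IPv6-SPACE prefix-list, and a plain host policy
ONLY_DHCPV6_RAS = RaGuardPolicy(device_role="router", managed_config_flag_on=True,
                                other_config_flag_on=True,
                                prefix_list=[("2001:db8:cafe::/48", 64, 64)])
HOSTS_POLICY = RaGuardPolicy(device_role="host")
```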
RA Guard scenario:
SW1
ipv6 access-list R1linklocal
permit ipv6 host FE80::1 any
ipv6 prefix-list R1slaacprefix permit 2001::/64
Create a policy for R1; I will name it R1policy:
ipv6 nd raguard policy R1policy
device-role router
match ipv6 access-list R1linklocal
match ra prefix-list R1slaacprefix
exit
Create a policy for hosts; I will name it Hostspolicy:
ipv6 nd raguard policy Hostspolicy
device-role host
exit
Apply to an interface or VLAN (an interface policy overrides the VLAN policy if both exist):
vlan configuration 911
ipv6 nd raguard attach-policy Hostspolicy
int g1/1
ipv6 nd raguard attach-policy R1policy
DHCPv6 Guard
Let's remember that DHCPv6 does not assign a default gateway address the way DHCP does in IPv4, since default routes are learned through SLAAC from RA messages. DHCPv6 Guard is therefore used to prevent DHCPv6 server spoofing. The DHCPv6 Guard feature is not supported on EtherChannel ports.
It is similar to RA Guard, but it blocks DHCPv6 reply messages coming from DHCPv6 servers and relays that sit on the wrong ports (which means they are rogue). It works like an access list that blocks UDP port 546 on every port of the switch except the port the DHCP server is connected to, or the VLAN interface for the subnet if a DHCP relay is configured.
Why UDP port 546?
DHCPv6 uses UDP ports 546 and 547 for communication between the IPv6 client and server. If either of these ports is in use by another application, or the ports are otherwise reserved, DHCPv6 will not function.
Port 546 (DHCP client port for IPv6)
If port 546 is in use by another process, the DHCP server cannot perform rogue DHCP server detection in IPv6.
Port 547 (DHCP server port for IPv6)
If port 547 is in use by another process, the DHCP server cannot communicate with DHCPv6 clients.
Configuring DHCPv6 Guard
1) Create & assign a policy for hosts; I will name it dhcp-client:
For the host-facing ports you don't need to do this, but if you want to configure it explicitly, this is how you do it.
SW1(config)#ipv6 dhcp guard policy dhcp-client
SW1(config-dhcp-guard)#device-role client
SW1(config-dhcp-guard)#exit
SW1(config)#interface range fa0/2 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#ipv6 dhcp guard attach-policy dhcp-client
2) Create & assign a policy for the DHCP server facing port; I will name it dhcp-server:
For the server-facing ports, you need to create a DHCPv6 Guard policy.
SW1(config)#ipv6 dhcp guard policy dhcp-server
SW1(config-dhcp-guard)#device-role server
SW1(config-dhcp-guard)#match server access-list ACL1
SW1(config-dhcp-guard)#match reply prefix-list PREF1
Notice that you can also add some extra functionality with access lists: you can restrict server messages to particular source addresses using an access list, and you can also block certain prefixes advertised by the DHCPv6 server using a prefix list, as shown below:
SW1(config)#ipv6 access-list ACL1
SW1(config-ipv6-acl)#permit ipv6 host FE80::1 any
By turning on IPv6 snooping, you automatically drop the switch into guard mode, which turns on DHCPv6 Guard as well as RA Guard, so no redirect advertisements or DHCPv6 server messages will get through. (You will understand this point once we explain the IPv6 snooping feature.)
Each device must have one of two roles:
1) Client: sets the role of the device to client.
2) Server: sets the role of the device to server.
Since the default mode of the switch is to guard, by default all ports configured with DHCPv6 Guard will be in client mode. Thus all ports will drop any DHCPv6 server messages by default.
SW1
SW1(config)#ipv6 dhcp guard policy dhcp-server
SW1(config-dhcp-guard)#device-role server
SW1(config-dhcp-guard)#exit
SW1(config)#interface g1/1
SW1(config-if)#switchport mode access
SW1(config-if)#ipv6 dhcp guard attach-policy dhcp-server
SW1(config-if)#exit
SW1(config)#ipv6 dhcp guard policy dhcp-client
SW1(config-dhcp-guard)#device-role client
IPv6 Snooping
IPv6 snooping, or "binding integrity guard", is actually a "bundled" feature that combines:
Since IPv6 snooping includes the guard functions, if you enable IPv6 snooping you do not need to explicitly configure RA Guard / DHCP Guard on the same port.
The below configuration shows a default configuration for IPv6 snooping.
ipv6 snooping policy HOST
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
ipv6 snooping attach-policy HOST
!
To verify the snooping policy you can use the show ipv6 snooping policy [policy-name] command as shown below.
FirstHopSwitch#show ipv6 snooping policy HOST
Policy HOST configuration:
  security-level guard        <- RA and DHCP messages are dropped
  device-role node            <- only end points are expected on this port
  protocol ndp                <- gleaning addresses from the ND process
  protocol dhcp               <- gleaning addresses from DHCP
Policy host is applied on the following targets:
Target       Type  Policy  Feature   Target range
Gi1/0/2      PORT  HOST    Snooping  vlan all
Note that when IPv6 snooping is configured the default security is set to "guard". This setting
can cause problems when the snooping policy is attached to a port that has a DHCPv6 server
connected to it. This policy setting will drop the DHCPv6 messages. To allow the DHCPv6
messages through, the port must be configured as a trusted port or a specific DHCPv6 guard
policy must be configured.
IPv6 snooping does the same thing as its IPv4 counterpart: it uses a binding table, known as the ND table, and tries to bind (remember) every IPv6 address on the segment to a particular MAC address. It does that by monitoring DHCPv6, ND and other regular data flows. After a while the ND table holds all the (MAC, IPv6) bindings, and when an intruder sends a rogue NA message, its MAC address does not correspond to the right MAC address for that IPv6 address, so the intruder is prevented from sending.
These categories of traffic carry information that the binding table snoops for:
ND traffic
DHCP traffic
Data traffic
NDP Address Gleaning
The NDP address gleaning feature is enabled by default when you configure the ipv6 snooping policy
global configuration command.
IPv6 DHCP Address Gleaning
The IPv6 DHCP address gleaning feature provides the ability to extract addresses from DHCP messages and populate the binding table. The switch extracts address binding information from all message types of DHCPv6 exchanges (using User Datagram Protocol (UDP) ports 546 and 547).
IPv6 Data Address Gleaning
The IPv6 data address gleaning feature provides the ability to extract addresses from redirected data traffic, to discover neighbors and to populate binding tables.
The IPv6 device tracking feature provides IPv6 host liveness tracking so that a neighbor table can be updated when an IPv6 host disappears. The feature tracks the liveness of the neighbors connected through the L2 switch on a regular basis in order to revoke network access privileges as they become inactive.
Sets the enforcement level of the policy: always enforced, or only when the system is stressed.
Device(config-destguard)# enforcement stressed
Device(config-destguard)# exit
Enters DHCP guard configuration mode.
Device(config)# ipv6 dhcp guard policy server_side
Sets the role of the device attached to the port to server.
Device(config-dhcp-guard)# device-role server
Device(config-dhcp-guard)# exit
Enters VLAN configuration mode.
Device(config)# vlan configuration 100
Attaches the IPv6 snooping policy to the VLAN.
Device(config-vlan-config)# ipv6 snooping attach-policy xyz
Attaches the destination guard policy.
Device(config-vlan-config)# ipv6 destination-guard attach-policy xyz
Configuring Address Gleaning and Associating Recovery Protocols with Prefix Lists
Device(config)# ipv6 snooping policy 200
Specifies that addresses should be gleaned with DHCP and associates a recovery protocol with the prefix list.
Device(config-ipv6-snooping)# protocol dhcp prefix-list myprefix
Configuring IPv6 Prefix Glean
Device(config)# ipv6 snooping policy yasserpolicy
Device(config-ipv6-snooping)# prefix-glean
IPv6 Destination Guard
If a packet arrives on the router destined for a directly connected subnet but for an address that is not in the ND table, that packet will be dropped to prevent ND exhaustion types of attacks. To explain: ND exhaustion is done by sending packets to all addresses in the subnet. Subnets in IPv6 are bigger than in IPv4, and a /64 subnet has 18446744073709551614 possible addresses. If you send packets to all those addresses you will exhaust the memory of the ND cache, which will basically disable the ND process and all the traffic will become broadcast.
We need to be careful with this: if our network device reboots, it will possibly prevent devices from communicating before they are registered in the ND table, yet they need to communicate to be registered in the ND table. Maybe a less dramatic solution to this problem is the ND resolution rate limiter implemented by Cisco.
Configuring IPv6 Destination Guard
Defines the destination guard policy name and enters destination-guard configuration mode.
Device(config)# ipv6 destination-guard policy pol1
Sets the enforcement level for the target address.
Device(config-destguard)# enforcement always
Device(config-destguard)# exit
Enters VLAN configuration mode.
Device(config)# vlan configuration 911
Attaches a destination guard policy to a VLAN.
Device(config-vlan-config)# ipv6 destination-guard attach-policy pol1
The ND resolution rate limiter limits the number of ND resolutions per second per router, and the cache size limiter limits the size of the cache per device interface, so that things cannot get to the point where all the memory is consumed and the device crashes into a reboot. The ND resolution rate is 100 resolutions per second per router and the cache size is limited to 250 IPv6 addresses per interface. You can change those values using these interface-level commands:
L3SW(config-if)#ipv6 nd cache interface-limit 4
L3SW(config-if)#ipv6 nd resolution data limit 50
IPv6 PACL
IPv6 Port-Based Access List Support
The IPv6 PACL feature provides the ability to apply access control (permit or deny) on L2 switch ports for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access control on L2 switch ports for IPv4 traffic. They are supported only in the ingress direction and in hardware.
A PACL can filter ingress traffic on L2 interfaces based on L3 and L4 header information or on non-IP L2 information.
Configuring PACL Mode and Applying an IPv6 PACL on an Interface
Once you have configured the IPv6 access list you want to use, you must configure the PACL mode on the specified IPv6 L2 interface.
Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)# exit
Device(config)# interface fastethernet 0/0
Device(config-if)# access-group mode prefer port
Device(config-if)# ipv6 traffic-filter list1 in
are issued by a trusted certification authority (CA), the IPv6 nodes can trust the information in the certificate. The certificates are exchanged using two new messages, which may be repeated if there is a long certificate chain when using a subordinate CA:
Certification Path Solicitation (CPS): used by a host to get the router certificate if the latter is not in its cache.
Certification Path Advertisement (CPA): the router's reply, which contains the complete certificate.
Note: to prevent replay attacks with SeND, routers include a signed timestamp in their RA messages.
SeND configuration steps
SeND is available in host mode. To implement SeND, configure the host with the following parameters:
An RSA key pair used to generate CGA addresses on the interface.
A SeND modifier that is computed using the RSA key pair.
A key on the SeND interface.
CGAs on the SeND interface.
A Public Key Infrastructure (PKI) trustpoint, with minimum content; for example, the URL of the certificate server. A trust anchor certificate must be provisioned on the host.
SeND is also available in router mode. You can use the ipv6 unicast-routing command to configure a node as a router. To implement SeND, configure routers with the same elements as the host. The routers will need to retrieve certificates of their own from a certificate server.
The following operations need to be completed before SeND is configured on the host or router:
Hosts are configured with one or more trust anchors.
Hosts are configured with an RSA key pair, or with the capability to locally generate it. Note that for hosts not establishing their own authority via a trust anchor, these keys are not certified by any CA.
Routers are configured with RSA keys and corresponding certificate chains, or with the capability to obtain certificate chains that match the host trust anchor at some level of the chain.
Configuring a CGA address
To configure a CGA address on interface Ethernet 0/0, this example first generates an RSA key pair named SEND, computes the SeND modifier, and finally assigns a link-local and a global unicast CGA to interface Ethernet 0/0.
crypto key generate rsa label SEND modulus 1024
ipv6 cga generate modifier rsakeypair SEND
interface Ethernet0/0
ipv6 cga rsakeypair SEND
ipv6 address FE80::/64 cga
ipv6 address 2001:db8::/64 cga
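What the modifier computation and the cga keyword above actually produce, as an added Python example following RFC 3972 (not Cisco code and not part of the original notes): Hash1 builds the interface identifier, Hash2 with the Sec parameter is the work the modifier search pays for, and verify_cga shows what a SeND receiver checks before trusting an advertised address. PUBKEY is a constructed stand-in for the DER-encoded RSA public key of the SEND key pair.

```python
import hashlib
import ipaddress

# Constructed stand-in for the DER-encoded RSA public key (RFC 3972 hashes the
# SubjectPublicKeyInfo; any byte string exercises the scheme the same way).
PUBKEY = b"constructed-SubjectPublicKeyInfo-stand-in-for-the-SEND-keypair"
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]


def hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    params = modifier + prefix + bytes([collision_count]) + pubkey
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1 with prefix and collision count zeroed (9 bytes)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash2_ok(modifier, pubkey, sec):
    """The Sec parameter demands 16*Sec leading zero bits in Hash2."""
    return int.from_bytes(hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


def generate_modifier(pubkey, sec, start=0):
    """The work behind computing the SeND modifier: search for a modifier that
    satisfies Hash2. A node draws random modifiers; a counter is used here so
    the result is reproducible."""
    counter = start
    while not hash2_ok(counter.to_bytes(16, "big"), pubkey, sec):
        counter += 1
    return counter.to_bytes(16, "big")


def interface_id(modifier, prefix, collision_count, pubkey, sec):
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    # bits 0-2 carry Sec; bits 6 and 7 (the u and g bits) are cleared
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_address(prefix, modifier, pubkey, sec, collision_count=0):
    """Form the CGA: 64-bit subnet prefix + derived interface identifier."""
    return ipaddress.IPv6Address(prefix + interface_id(modifier, prefix, collision_count, pubkey, sec))


def verify_cga(addr, modifier, prefix, collision_count, pubkey):
    """Checks a SeND receiver makes before trusting an advertised CGA."""
    packed = addr.packed
    if collision_count > 2 or packed[:8] != prefix:   # DAD retries are capped at 2
        return False
    sec = packed[8] >> 5                               # Sec is read from the address itself
    if interface_id(modifier, prefix, collision_count, pubkey, sec) != packed[8:]:
        return False
    return hash2_ok(modifier, pubkey, sec)
```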
For more about Configuring SeND for IPv6 including: