IPv6 RA Guard

Last updated: January 15, 2015

Diagram

Task

  • Configure IPv6 RA Guard on SW3 for all current and future hosts in VLAN 11.
    • Allow R4's FE80::4 link-local address to send RA messages, but only for the 2001::/64 prefix.
    • R6 should not be affected by the above configurations.
  • Configure R5 for SLAAC.

About Initial Configuration Files: For this task, you must load the initial configuration files for the section, which can be found in the Section 2 Introduction task or by clicking the Resources button.

If you have completed previous tasks in this section, the simplest way to revert to the initial configurations is the command configure replace nvram:startup-config instead of reloading the devices. This command, however, is not supported by the ASA.

Overview

IPv6 Neighbor Discovery Protocol (NDP) can be seen as an unauthenticated application running on top of ICMPv6; it uses link-local addresses as its source (required to accomplish its role), and it is multicast based for efficiency. It replaces the ARP protocol from IPv4 but adds further functionality:

  • IPv6 router discovery
  • IPv6 address autoconfiguration, also known as stateless address autoconfiguration (SLAAC)
  • IPv6 address resolution, which replaces Address Resolution Protocol (ARP)
  • IPv6 neighbor reachability, also known as neighbor unreachability detection (NUD)
  • IPv6 duplicate address detection (DAD), which works both for link-local addresses and for global addresses assigned through SLAAC
  • IPv6 redirection, the equivalent of the ICMP redirect from IPv4

In IPv6, hosts can receive IP addresses by way of four methods:

  • Manual/static configuration.
  • Dynamic stateless autoconfiguration (through SLAAC); this is similar to APIPA from IPv4, except that the subnet is not fixed: it is routable and dynamically learned through RA (router advertisement) messages from the available routers on the segment.
  • Dynamic stateful DHCPv6 configuration; DHCPv6 is used for most IPv6 client configuration, except for the default gateway, which is still learned from RA messages.
  • Dynamic stateless DHCPv6 configuration; SLAAC is used for IPv6 address configuration and DHCPv6 for other parameters, such as domain name and DNS servers.

Several pieces of information can be found within RA messages, but the most important and relevant are:

  • IPv6 global unicast prefixes (there can be one or more; they must be /64 for SLAAC).
  • IPv6 global unicast address of the router (one for each advertised prefix).
  • IPv6 SLAAC (autoconfiguration) flag, signaling to hosts whether the received prefix can be used for SLAAC.

For IPv6 /64 prefixes advertised with the SLAAC flag, hosts autoconfigure a unique IPv6 address (the /64 host portion is derived from the MAC address, with the string FFFE inserted in the middle) and set the default gateway to the advertising router. Because of this behavior, the segment is vulnerable to some attacks:

  • Spoofed RA messages with false /64 prefixes for SLAAC; basically the prefix is spoofed.
  • Spoofed RA messages with false advertiser information (router); basically the router is spoofed.
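
The SLAAC address construction described above, as an added example (not from the original page): the modified EUI-64 rule splits the MAC, inserts FFFE and also flips the universal/local bit of the first byte, which is why R5's 2001::217:E0FF:FE4A:9678 in the verification output below maps back to a MAC starting 00:17. The reverse mapping shows the side effect a defender should know: an EUI-64 SLAAC address discloses the host's MAC unless privacy extensions are used.

```python
"""Modified EUI-64 interface identifiers, as SLAAC derives them from a MAC.
Added example, not from the page: split the MAC, insert FFFE, flip the
universal/local bit (bit 0x02 of the first byte), then the reverse mapping."""
from ipaddress import IPv6Address, IPv6Network

def parse_mac(mac):
    """Accept 00:17:e0:4a:96:78, 00-17-e0-4a-96-78 or Cisco 0017.e04a.9678."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes.fromhex(digits)

def eui64_interface_id(mac):
    """64-bit interface identifier: OUI, FFFE, NIC-specific part, U/L bit flipped."""
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02                         # universal/local bit: 00:17:... -> 02:17:...
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])

def slaac_address(prefix, mac):
    """Combine the /64 prefix from an RA with the EUI-64 identifier."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def mac_from_slaac(addr):
    """Recover the MAC behind an EUI-64 address; None if the FFFE marker is absent
    (static addresses such as 2001::4, or privacy/temporary addresses)."""
    iid = bytearray(IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # R5's SLAAC address from the verification output maps back to its MAC
    print(mac_from_slaac("2001::217:E0FF:FE4A:9678"))   # 00:17:e0:4a:96:78
    # R4's MAC from R5's neighbor table, if R4 had used SLAAC on 2001::/64
    print(slaac_address("2001::/64", "0019.0653.2a18"))  # 2001::219:6ff:fe53:2a18
```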

To protect the infrastructure from spoofed RA messages, a feature named IPv6 RA Guard can be configured on the Layer 2/Layer 3 switch where hosts and routers are attached. Basically, you want to drop inbound router-type NDP messages (router advertisements and redirects) on ports where hosts are connected. You can configure three types of RA Guard policies:

  • host, where all inbound NDP messages are inspected and router-type messages are dropped; this is the default state of a policy.
  • router, where all inbound NDP messages are inspected but router-type messages are allowed; optionally, you can restrict for which prefixes RA messages are allowed (via prefix-list filtering) and which sources are allowed to send ICMPv6 Type 133, 134, and 137 (via access lists matching on link-local addresses).
  • trust, where all inbound NDP messages are allowed and not inspected.

RA Guard policies can be applied at the VLAN level or the port level; if both are enabled, the port-level policy takes precedence over the VLAN-level policy. In most real-life cases it is faster to deploy a host policy at the VLAN level and router/trust policies at the port level, because there are few router or trusted ports. To enable a Cisco router for SLAAC, use the interface-level command ipv6 address autoconfig. The interface-level command ipv6 enable is used when you want the router to configure only a link-local address on the interface (which does not require SLAAC).
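
A model of the three policy roles and their matching options, as an added Python example (not Cisco code and not the switch's actual implementation): it encodes the decision rules as this page describes them, with the inspected types taken from the capture-policy output in the Verification section, and the three policy objects at the end mirror the SW3 configuration that follows.

```python
"""RA Guard roles (host / router / trusted-port) as described above.
Added example, not Cisco code: the rules follow this page's text, not
necessarily the switch's exact implementation."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

INSPECTED = {133, 134, 137}   # RS, RA, Redirect: punted to RA Guard (capture policy)
ROUTER_TYPES = {134, 137}     # router-originated messages a host must not send

@dataclass
class NdpMessage:
    icmp_type: int
    source: IPv6Address                             # link-local source
    prefixes: List[IPv6Network] = field(default_factory=list)  # RA prefix options

@dataclass
class RaGuardPolicy:
    role: str                                       # "host", "router" or "trust"
    allowed_prefixes: Optional[List[IPv6Network]] = None   # match ra prefix-list
    allowed_sources: Optional[List[IPv6Address]] = None    # match ipv6 access-list

    def decide(self, msg: NdpMessage) -> str:
        """Return 'permit' or 'drop' for one inbound NDP message."""
        if self.role == "trust" or msg.icmp_type not in INSPECTED:
            return "permit"      # trusted-port, or a type RA Guard never inspects
        if self.role == "host":
            # device-role host: RA and redirect are unauthorized, RS is fine
            return "drop" if msg.icmp_type in ROUTER_TYPES else "permit"
        # device-role router: optional source and prefix restrictions
        if self.allowed_sources is not None and msg.source not in self.allowed_sources:
            return "drop"
        if msg.icmp_type == 134 and self.allowed_prefixes is not None:
            if any(p not in self.allowed_prefixes for p in msg.prefixes):
                return "drop"    # every advertised prefix must be in the prefix-list
        return "permit"

def effective_policy(port_policy, vlan_policy):
    """Port-level policy takes precedence over the VLAN-level one."""
    return port_policy if port_policy is not None else vlan_policy

# The three policies from the SW3 configuration on this page
HOST_INSPECT = RaGuardPolicy("host")
HOST_NON_INSPECT = RaGuardPolicy("trust")
ROUTER = RaGuardPolicy("router", allowed_prefixes=[IPv6Network("2001::/64")],
                       allowed_sources=[IPv6Address("FE80::4")])
```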

Configuration

SW3:
ipv6 prefix-list RA_PREFIX permit 2001::/64
!
ipv6 access-list RA_SOURCE
 permit ipv6 host FE80::4 any
!
ipv6 nd raguard policy HOST_INSPECT
 device-role host
!
ipv6 nd raguard policy HOST_NON_INSPECT
 trusted-port
!
ipv6 nd raguard policy ROUTER
 device-role router
 match ra prefix-list RA_PREFIX
 match ipv6 access-list RA_SOURCE
!
vlan configuration 11
 ipv6 nd raguard attach-policy HOST_INSPECT
!
interface GigabitEthernet1/0/1
 ipv6 nd raguard attach-policy ROUTER
!
interface GigabitEthernet1/0/3
 ipv6 nd raguard attach-policy HOST_NON_INSPECT
R5:
interface FastEthernet0/0
 ipv6 address autoconfig default

Verification

Verify that R4 sends RA messages:

R4#show ipv6 interface fastEthernet0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::4 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::4, subnet is 2001::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:4
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
!
!
R4#show ipv6 interface fastEthernet0/0 prefix
IPv6 Prefix Advertisements FastEthernet0/0
Codes: A - Address, P - Prefix-Advertisement, O - Pool
       U - Per-user prefix, D - Default
       N - Not advertised, C - Calendar

PD default [LA] Valid lifetime 2592000, preferred lifetime 604800
AD 2001::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800

Verify that IPv6 RA Guard is enabled globally and policies are attached to both port and VLAN level:

SW3#show ipv6 snooping features
Feature name   priority state
RA guard          192   READY
!
!
SW3#show ipv6 snooping policies
Target               Type  Policy               Feature        Target range
Gi1/0/1              PORT  ROUTER               RA guard       vlan all
Gi1/0/3              PORT  HOST_NON_INSPECT     RA guard       vlan all
vlan 11              VLAN  HOST_INSPECT         RA guard       vlan all

Further verify that IPv6 RA Guard is enabled; note that ICMPv6 Type 133 (router solicitation), 134 (router advertisement), and 137 (redirect) are punted for inspection:

SW3#show ipv6 snooping capture-policy
HW Policy DB:
        HW Policy 0000001C #targets:3
                Target Gi1/0/1 type 0 handle 1
                Target Gi1/0/3 type 0 handle 3
                Target vlan 11   type 1 handle B0000
Target DB:
        HW Target Gi1/0/1 HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
                SW policy ROUTER feature RA guard

                Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
                        feature RA guard
                Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
                        feature RA guard
                Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
                        feature RA guard
        HW Target Gi1/0/3 HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
                SW policy HOST_NON_INSPECT feature RA guard

                Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
                        feature RA guard
                Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
                        feature RA guard
                Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
                        feature RA guard
        HW Target vlan 11   HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
                SW policy HOST_INSPECT feature RA guard

                Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
                        feature RA guard
                Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
                        feature RA guard
                Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
                        feature RA guard

Verify that R5 received RA messages from both R4 and R6 (R6's port is configured as trusted, so no RA Guard inspection is performed on it):

R5#show ipv6 routers
Router FE80::6 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
Router FE80::4 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
!
!
R5#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::4                                    11 0019.0653.2a18  STALE Fa0/0
FE80::6                                    11 0017.5aed.28b0  STALE Fa0/0

Verify that R5 has been assigned an IPv6 global address through SLAAC; the default route has also been installed through SLAAC:

R5#show ipv6 interface brief fastEthernet0/0
FastEthernet0/0            [up/up]
    FE80::217:E0FF:FE4A:9678
    2001::217:E0FF:FE4A:9678
!
!
R5#show ipv6 route static
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::6, FastEthernet0/0

For testing, enable logging for packet drops and configure the port toward R6 in host mode, so that RA messages will be dropped:

SW3:
ipv6 snooping logging packet drop
!
interface GigabitEthernet1/0/3
 ipv6 nd raguard attach-policy HOST_INSPECT

On SW3's console, messages similar to the following are logged (every 200 seconds), signaling that R6's RA messages are now dropped:

%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
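
A parser for %SISF-4-PAK_DROP lines like the ones above, as an added example that is not part of the original page: it counts dropped RAs per VLAN, port and source and flags sources that are not among the expected routers. The three lines from the page are reused as sample input; the fourth line, with source FE80::BAD on Gi1/0/5, is constructed.

```python
"""Parse %SISF-4-PAK_DROP lines such as the ones above.
Added example, not from the page; field names follow the message layout
(A=source, G=target, V=VLAN, I=interface, P=protocol, Reason=...)."""
import re
from collections import Counter

PAK_DROP = re.compile(
    r"%SISF-4-PAK_DROP: Message dropped "
    r"A=(?P<src>\S+) G=(?P<target>\S+) V=(?P<vlan>\d+) I=(?P<intf>\S+) "
    r"P=(?P<proto>\S+) Reason=(?P<reason>.+)$")

def parse_pak_drop(line):
    """Fields of one drop message as a dict, or None for any other line."""
    m = PAK_DROP.search(line.strip())   # search: tolerates a syslog timestamp prefix
    if not m:
        return None
    rec = m.groupdict()
    rec["vlan"] = int(rec["vlan"])
    return rec

def summarize_ra_drops(lines):
    """Count dropped NDP::RA messages per (vlan, interface, source)."""
    counts = Counter()
    for line in lines:
        rec = parse_pak_drop(line)
        if rec and rec["proto"] == "NDP::RA":
            counts[(rec["vlan"], rec["intf"], rec["src"])] += 1
    return counts

def unexpected_advertisers(lines, known_routers):
    """Dropped RA sources that are not known routers. A known router here
    (R6 above) means a policy was applied to the wrong port; an unknown
    source means a host on that port is sending RAs."""
    known = {r.lower() for r in known_routers}
    return sorted({src for (_, _, src) in summarize_ra_drops(lines)
                   if src.lower() not in known})

# Sample input: the three lines from the page plus one constructed line
# (source FE80::BAD on Gi1/0/5 is made up for the example).
SAMPLE_LOG = [
    "%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port",
    "%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port",
    "%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port",
    "%SISF-4-PAK_DROP: Message dropped A=FE80::BAD G=- V=11 I=Gi1/0/5 P=NDP::RA Reason=Message unauthorized on port",
]

if __name__ == "__main__":
    for key, n in summarize_ra_drops(SAMPLE_LOG).items():
        print(f"vlan {key[0]} {key[1]} src {key[2]}: {n} RA(s) dropped")
    print("unexpected:", unexpected_advertisers(SAMPLE_LOG, ["FE80::4", "FE80::6"]))
```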