Advanced IPv6 Security: Securing Link-Operations at the First Hop

Transcript of the BRKSEC-3003 slide deck: d2zmdbbm9feqrf.cloudfront.net/2013/eur/pdf/BRKSEC-3003.pdf

© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-3003 Cisco Public

Advanced IPv6 Security: Securing Link-Operations at the First Hop

Eric Levy-Abegnoli

BRKSEC-3003


Quick overview on the Layer 2 domain & IPv6

• Some definitions

‒ Layer 2 domain: same “broadcast domain = link = vlan”

‒ Nodes: hosts, routers, switches, access points

‒ Link operations: operations between nodes on the shared link

‒ Security perimeter: draw a line between trusted and untrusted devices

‒ First hop: first trusted device inside the security perimeter

• What is specific to IPv6 on a link? More addresses!

‒ More hosts allowed on the link (up to 2^64!). Results in much bigger links

‒ More states (neighbor cache, etc.) on hosts, routers and switches: creates new opportunities for DoS attacks

• And protocols… IPv6 link operations protocol is Neighbor Discovery

‒ More distributed and more autonomous operations

‒ Nodes discover their default router automatically

‒ Nodes auto-configure their addresses

‒ Nodes defend themselves (SeND)


Abstract summary and prerequisites

• This session focuses on IPv6 security within the Layer 2 domain

• It focuses on 4 cases: Router theft, Address theft, Address spoofing and Remote address resolution cache exhaustion

• It discusses the role of the First Hop, more often than not a Layer 2/3 switch

• It introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.

• Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery

• Related recommended sessions:

‒ BRKSEC-2003 - IPv6 Security Threats and Mitigations

‒ TECSEC-2680 - IPv6 Security

‒ BRKRST-2301 - Enterprise IPv6 Deployment


Agenda

• IPv6 in the Layer 2 domain: high level considerations

• Use Case #1: Router theft

• Use Case #2: Address theft

• Use Case #3: Address spoofing

• Use Case #4: Remote address resolution cache exhaustion


Is Bigger better? More secure?


How about newer?

Sometimes, newer means better and more secure

Sometimes, experience IS better and safer!


Fundamentals On Neighbor Discovery

• Defined in:

‒ RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)

‒ RFC 4862 IPv6 Stateless Address Auto-configuration

‒ RFC 3971 Secure Neighbor Discovery etc.

• Used for:

‒ Router discovery

‒ IPv6 Stateless Address Auto Configuration (SLAAC)

‒ IPv6 address resolution (replaces ARP)

‒ Neighbor Unreachability Detection (NUD)

‒ Duplicate Address Detection (DAD)

‒ Redirection

• Operates above ICMPv6

‒ Relies heavily on (link-local scope) multicast, combined with Layer 2 Multicast

• Works with ICMP messages and message “options”


Agenda

• IPv6 in the Layer 2 domain: high level considerations

• Use Case #1: Router theft

‒ Target deployment model

‒ Vulnerability scope

‒ Protocols: operations and vulnerabilities

‒ Mitigation solutions

‒ Remaining vulnerabilities

• Use Case #2: Address ownership

• Use Case #3: Address spoofing

• Use Case #4: Remote address resolution cache exhaustion


Router Theft - Target deployment model

• Attacker goal is to become the primary link’s default router

• Hosts, Routers and attacker reside on a shared “Layer 2 domain”

• Hosts discover their IPv6 “default router” with IPv6 ND

• Attacker can be a plain PC, running simple (publicly available) attack tools. Or it can be a careless user


Router Theft – Vulnerability scope

Router Theft – Router Discovery protocol

• Discover default/first hop routers

• Discover on-link prefixes

Figure: host A and router B on the link; A sends an RS, B answers with an RA, A uses B as default gateway.

RS: ICMP Type = 133 (Router Solicitation)
 Src = Host link-local address
 Dst = All-routers multicast address (FF02::2)
 Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
 Src = Router link-local address
 Dst = All-nodes multicast address (FF02::1)
 Data = router lifetime, preference=medium, …
 Option = Prefix X,Y,Z, lifetime

Router Theft – Router Discovery protocol cont’d

Stateless Address Auto-Configuration, based on prefix information delivered in Router Advertisement

Figure: A sends an RS; B answers with an RA; A computes X::x, Y::y, Z::z and DADs them (NS); A then sources traffic with X::x, Y::y, Z::z.

RS: ICMP Type = 133 (Router Solicitation)
 Src = Host link-local address
 Dst = All-routers multicast address (FF02::2)
 Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
 Src = Router link-local address
 Dst = All-nodes multicast address (FF02::1)
 Data = router lifetime, preference=medium
 Options = Prefix X,Y,Z, lifetime

Router Theft – Vulnerability #1

• Attacker tricks victim into accepting itself as default router

• Based on rogue Router Advertisements

• The most frequent threat by non-malicious user

• Many variants: preference, timing, final RA, etc.

Figure: router B, attacker C and node A on the link; after C’s RA, node A sends off-link traffic to C.

Rogue RA from C:
 Src = C’s link-local address
 Dst = All-nodes
 Data = preference=high
 Options = subnet prefix, slla

Router Theft – Vulnerability #2

• Attacker spoofs Router Advertisement with false on-link prefix

• Victim generates (topology-bogus) IP address with this prefix

• Access router drops outgoing packets from victim (ingress filtering)

• Or return path is broken

Figure: router B, attacker C and node A on the link. Spoofed RA (Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD); A autoconfigures BAD::A and DADs it; A sources off-link traffic via B with BAD::A; B filters out BAD::A … OR NOT.

Router Theft - Mitigations

Where                 What
Routers               Increase “legal” router preference
Hosts                 Disable Stateless Address Autoconfiguration
Routers & Hosts       SeND “Router Authorization”
Switch (First Hop)    Host isolation
Switch (First Hop)    Port Access Lists (PACL)
Switch (First Hop)    RA Guard

Router Theft – Mitigation: Router Authorization overview

• Objectives for (SeND) Router authorization:

‒ Secure default router election on hosts

‒ Authorize routers to advertise certain prefixes

• Protocol overview

‒ SeND is “just” an extension to Neighbor Discovery Protocol, NOT a new protocol

‒ SeND secures ND operations, not the “end-to-end” communication

‒ It provides Router Authorization and proof of Address Ownership

‒ SeND is specified in RFC 3971 & RFC 3972

‒ Router identity is the IPv6 source (cryptographic) address of RAs

‒ This address is certified in a certificate delivered by a Certificate Authority (CA)

Router Theft – Mitigation: Router Authorization overview cont’d

Figure (message flow between Certificate Authority CA0, Router R and the host):

‒ Certificate C0 of CA0 is provisioned to both the router and the host

‒ Router certificate request to CA0; CA0 issues Router certificate CR

‒ Host → R: Certificate Path Solicit (CPS): I trust CA0, who are you R?

‒ R → host: Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0

‒ 6: Host verifies CR against CA0

‒ 7: Host inserts R as default route

‒ ROUTER ADVERTISEMENT (SRC = R)

Router Theft – Mitigation: SeND Deployment Challenges

To benefit fully from SeND, nodes must be provisioned with CA certificate(s)

A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside

It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)

Figure: CA / Router / Host groups inside and outside the ADMINISTRATIVE BOUNDARY.

Router Theft Mitigation: Host Isolation

• Prevent Node-Node Layer-2 communication by using:

‒ Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)

‒ WLAN in ‘AP Isolation Mode’

‒ one VLAN per host (SP access network with Broadband Network Gateway)

• Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm

‒ But Duplicate Address Detection does not work anymore...

Figure: RAs sent from isolated ports only reach the promiscuous port.

Router Theft Mitigation: RA Guard (RFC 6105)

• Port ACL: blocks all ICMPv6 RA from hosts

  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port

• RA-guard lite: pre-programmed ACL

  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port

• RA-guard: deep RA packet inspection

  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  vlan configuration 100
   ipv6 nd raguard attach-policy HOST
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER

Figure: RAs arriving on ports with device-role host are dropped; the port with device-role router may forward RAs.

Router Theft – Mitigation: Security Perimeter & Device Role

Figure: hosts attached with device-role=host, the router with device-role=router, and a link to another switch with device-role=trusted switch (trusted-port). RAs from host ports are dropped; RAs from the router port go through deep inspection.

RA deep inspection:
 - hop-limit
 - M & O flag
 - Router preference
 - Source
 - Prefix list
 - CGA credentials
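The deep-inspection list above is what a device-role router policy checks before an RA is let through. The following Python block is an added example, not code from the deck or from Cisco IOS: it parses a raw ICMPv6 Router Advertisement (fixed header, Source Link-Layer Address option, Prefix Information option) and applies a policy object whose field names (device_role, min_hop_limit, managed_flag, other_flag, max_preference, allowed_sources, allowed_prefixes) are hypothetical stand-ins for the slide's knobs. The two sample RAs are constructed for the example: one from the official router and one with preference=high and a bogus prefix, i.e. the two vulnerabilities shown earlier. It assumes the ICMPv6 checksum and the outer IPv6 hop limit (255 for ND) are verified elsewhere.

```python
"""RA Guard deep inspection over raw ICMPv6 Router Advertisements (added example)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

ICMPV6_RA = 134
OPT_SLLA = 1            # Source Link-Layer Address option
OPT_PREFIX_INFO = 3     # Prefix Information option
# 2-bit Prf field of the RA flags byte (RFC 4191); 0b10 is reserved and treated as medium
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaPolicy:
    """Per-port policy; the field names are hypothetical stand-ins for the slide's knobs."""
    device_role: str = "host"                  # "host": no RA accepted at all; "router": inspect
    min_hop_limit: int = 64                    # advertised Cur Hop Limit must be at least this
    managed_flag: Optional[bool] = None        # expected M flag, None = not checked
    other_flag: Optional[bool] = None          # expected O flag, None = not checked
    max_preference: str = "medium"             # RAs claiming a higher Prf are rejected
    allowed_sources: set = field(default_factory=set)      # permitted link-local source addresses
    allowed_prefixes: list = field(default_factory=list)   # ipaddress.IPv6Network entries


def parse_ra(icmp: bytes) -> dict:
    """Parse the fixed RA header and the two options the policy looks at."""
    if len(icmp) < 16:
        raise ValueError("ICMPv6 message too short for a Router Advertisement")
    msg_type, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    ra = {"type": msg_type, "hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "preference": PRF_NAMES[(flags >> 3) & 0b11], "lifetime": lifetime, "prefixes": [], "slla": None}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")        # RFC 4861: discard the packet
        body = icmp[off + 2:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # body: prefix length, L/A flags, valid, preferred, reserved, 16-byte prefix
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif opt_type == OPT_SLLA:
            ra["slla"] = body[:6].hex(":")
        off += opt_len * 8
    return ra


def inspect_ra(src_ip: str, icmp: bytes, policy: RaPolicy):
    """Return ("permit"|"drop", reasons) for one RA seen on a port with the given policy."""
    if policy.device_role == "host":
        return "drop", ["RA received on a device-role host port"]
    ra = parse_ra(icmp)
    if ra["type"] != ICMPV6_RA:
        return "permit", []                    # other ND messages are not RA Guard's business
    reasons = []
    src = ipaddress.IPv6Address(src_ip)
    if not src.is_link_local:
        reasons.append(f"source {src} is not link-local")
    if policy.allowed_sources and str(src) not in policy.allowed_sources:
        reasons.append(f"source {src} not in the allowed source list")
    if ra["hop_limit"] < policy.min_hop_limit:
        reasons.append(f"advertised hop limit {ra['hop_limit']} below minimum {policy.min_hop_limit}")
    if policy.managed_flag is not None and ra["M"] != policy.managed_flag:
        reasons.append("M flag does not match policy")
    if policy.other_flag is not None and ra["O"] != policy.other_flag:
        reasons.append("O flag does not match policy")
    if PRF_RANK[ra["preference"]] > PRF_RANK[policy.max_preference]:
        reasons.append(f"router preference {ra['preference']} exceeds allowed {policy.max_preference}")
    for p in ra["prefixes"]:
        if policy.allowed_prefixes and not any(p.subnet_of(a) for a in policy.allowed_prefixes):
            reasons.append(f"prefix {p} not in the allowed prefix list")
    return ("drop" if reasons else "permit"), reasons


def build_ra(hop_limit, m, o, preference, lifetime, prefixes, slla_mac) -> bytes:
    """Construct a sample RA (checksum left at zero: this is a constructed test message)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0) | ({"high": 1, "medium": 0, "low": 3}[preference] << 3)
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, lifetime, 0, 0)
    msg += bytes([OPT_SLLA, 1]) + bytes.fromhex(slla_mac.replace(":", ""))
    for net in prefixes:
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg


# Constructed sample data: a legitimate RA from the official router and a rogue one carrying
# preference=high and a bogus prefix (the two vulnerabilities from the earlier slides).
ROUTER_POLICY = RaPolicy(device_role="router", min_hop_limit=64, managed_flag=False, other_flag=True,
                         max_preference="medium", allowed_sources={"fe80::1"},
                         allowed_prefixes=[ipaddress.IPv6Network("2001:db8:100::/48")])
LEGIT_RA = build_ra(64, False, True, "medium", 1800, [ipaddress.IPv6Network("2001:db8:100:1::/64")], "00:11:22:33:44:55")
ROGUE_RA = build_ra(64, False, True, "high", 1800, [ipaddress.IPv6Network("2001:db8:bad::/64")], "de:ad:be:ef:00:01")


def demo() -> dict:
    return {
        "legit_on_router_port": inspect_ra("fe80::1", LEGIT_RA, ROUTER_POLICY),
        "rogue_on_router_port": inspect_ra("fe80::c", ROGUE_RA, ROUTER_POLICY),
        "legit_on_host_port": inspect_ra("fe80::1", LEGIT_RA, RaPolicy(device_role="host")),
    }


if __name__ == "__main__":
    for name, (verdict, reasons) in demo().items():
        print(f"{name}: {verdict} {reasons}")
```

The rogue RA is dropped for three independent reasons (unknown source, preference above the configured maximum, prefix outside the allowed list), which is the point of deep inspection: a single forged field is enough to fail the RA, and the reasons are what you would want logged. The CGA-credentials check from the slide needs the SeND options and is not modelled here.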

General principles on FH command interface (For Your Reference)

• Each FH feature provides a configuration mode to create and populate policies (+ one implicit “default” policy)

  ipv6 nd raguard policy host
   device-role host

• Each FH feature provides commands to attach policies to targets: box, vlan, port

  vlan configuration 100
   ipv6 nd raguard attach-policy host
   ipv6 snooping
  interface e 0/0
   ipv6 nd raguard attach-policy router

• Packets are processed by the lowest-level matching policy for each feature

− Packets received on e0/0 are processed by policy ra-guard “router” AND policy snooping “default”

− Packets received on any other port of vlan 100 are processed by policy ra-guard “host” AND policy snooping “default”

Configuration examples (For Your Reference)

Step 1: Configure policies

  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 snooping policy NODE
   tracking enable
   limit address-count 10
   security-level guard
  ipv6 snooping policy SERVER
   trusted-port
   tracking disable
   security-level glean

Step 2: Attach policies to target

 Vlan:
  vlan configuration 100-200
   ipv6 nd raguard attach-policy HOST
  vlan configuration 100,101
   ipv6 snooping attach-policy NODE

 Port:
  interface Ethernet0/0
   ipv6 nd raguard attach-policy ROUTER
  interface Ethernet1/0
   ipv6 snooping attach-policy SERVER

Router Theft – Demo: topology

Figure: VILLAIN, DUMB and HOST attached to SWITCH on vlan 100; CAT and PEER ROUTER complete the topology.

Router Theft – Demo: Router Discovery, Theft & Mitigation

Regular operations

‒ ROUTER sends RAs

‒ HOST picks up ROUTER as default router and installs default route

‒ HOST goes via default route to reach PEER

Attack

‒ VILLAIN sends RA with higher preference. With prefix BAD::

‒ HOST (and DUMB) picks VILLAIN as default router

‒ HOST installs default route to VILLAIN and assigns addresses on BAD::

‒ HOST connects to CAT

Mitigation

‒ Increase preference on ROUTER: works but …

‒ Enable SeND on ROUTER. HOST safe, not DUMB

‒ (FH) RA-guard

Router Theft – Here comes fragmentation …

• Problem - RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)

- Attackers can exploit that to evade RA guard by “pushing” ULP header (RA) into second fragment

- They can even use overlapping fragments to “disguise” RA into some other valid message

- RFC 3128 is not applicable to IPv6

- THC fake_router6 –FD implements this attack which bypasses RA Guard

• Possible solutions

- block all fragments sent to ff02::1

- deny ipv6 any any undetermined-transport

- How about overlapping fragments? Forbidden: RFC 5722 - Use a compliant host stack!

Figure:
 Fragment1: IPv6 hdr | HopByHop | Routing | Destination …
 Fragment2: IPv6 hdr | … Destination | ICMP type=134
 ICMP header is in 2nd fragment, RA Guard has no clue where to find it!
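The slide's point is that a stateless filter sees one fragment at a time, so an ICMPv6 header that only appears in the second fragment is invisible to it, and the two proposed rules (drop fragments to ff02::1, drop packets whose transport cannot be determined) are what closes the gap. The Python block below is an added example, not code from the deck or from any Cisco product: it walks the extension-header chain of a single IPv6 packet without reassembly, reports whether the upper-layer header is reachable, and applies the slide's two rules plus the plain RA filter. The packets are constructed in the block for the example (checksums left at zero); the function names are hypothetical.

```python
"""Stateless first-hop inspection of fragmented ND traffic (added example)."""
import ipaddress
import struct

EXT_HEADERS = {0: "HopByHop", 43: "Routing", 60: "Destination"}
AH, FRAGMENT, NO_NEXT, ICMPV6 = 51, 44, 59, 58
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ICMPV6_RA = 134


def classify(pkt: bytes) -> dict:
    """Walk the header chain of ONE packet, no reassembly, exactly as a stateless filter must.
    transport stays None when the upper-layer header is not reachable inside this packet."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    info = {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "fragmented": False, "first_fragment": True, "transport": None, "icmp_type": None, "chain": []}
    off, end = 40, min(len(pkt), 40 + payload_len)
    while True:
        if nh in EXT_HEADERS:                       # hop-by-hop, routing, destination options
            if off + 2 > end:
                return info
            info["chain"].append(EXT_HEADERS[nh])
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == AH:                              # authentication header: length in 4-byte units
            if off + 2 > end:
                return info
            info["chain"].append("AH")
            nh, ah_len = pkt[off], pkt[off + 1]
            off += (ah_len + 2) * 4
        elif nh == FRAGMENT:
            if off + 8 > end:
                return info
            info["chain"].append("Fragment")
            nh, _reserved, frag_field = struct.unpack("!BBH", pkt[off:off + 4])
            info["fragmented"] = True
            off += 8
            if frag_field >> 3 != 0:                # non-first fragment: no upper-layer header here
                info["first_fragment"] = False
                return info
        elif nh == NO_NEXT:
            info["transport"] = NO_NEXT
            return info
        else:                                       # upper-layer protocol: needs its header bytes present
            if off + 4 <= end:
                info["transport"] = nh
                if nh == ICMPV6:
                    info["icmp_type"] = pkt[off]
            return info


def ra_guard_filter(pkt: bytes):
    """Host-port filter: stateless RA Guard plus the slide's two hardening rules."""
    info = classify(pkt)
    if info["fragmented"] and info["dst"] == ALL_NODES:
        return "drop", "fragment sent to ff02::1"
    if info["transport"] is None:
        return "drop", "undetermined-transport"
    if info["transport"] == ICMPV6 and info["icmp_type"] == ICMPV6_RA:
        return "drop", "ICMPv6 Router Advertisement from a host port"
    return "permit", f"transport {info['transport']} determined"


# --- constructed sample packets (not captures) ---
def ipv6(nh: int, payload: bytes, dst: str = "ff02::1", src: str = "fe80::c") -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


RA_HDR = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x08, 1800, 0, 0)    # checksum left 0
# 16-byte Destination Options header (next header = ICMPv6) filled with one PadN option
DEST_OPTS_16 = bytes([ICMPV6, 1, 1, 12]) + b"\x00" * 12

PLAIN_RA = ipv6(ICMPV6, RA_HDR)
# first fragment carries only the Destination Options header; the ICMPv6 header is in fragment 2
FRAG1 = ipv6(FRAGMENT, struct.pack("!BBHI", 60, 0, (0 << 3) | 1, 0xABCD) + DEST_OPTS_16)
FRAG1_UNICAST = ipv6(FRAGMENT, struct.pack("!BBHI", 60, 0, (0 << 3) | 1, 0xABCD) + DEST_OPTS_16, dst="fe80::a")
FRAG2 = ipv6(FRAGMENT, struct.pack("!BBHI", 60, 0, (2 << 3) | 0, 0xABCD) + RA_HDR)
# an ordinary DAD Neighbor Solicitation for comparison
NS = ipv6(ICMPV6, struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address("2001:db8::1").packed,
          dst="ff02::1:ff00:1", src="::")


def demo() -> dict:
    return {name: ra_guard_filter(p) for name, p in
            [("plain_ra", PLAIN_RA), ("frag1", FRAG1), ("frag1_unicast", FRAG1_UNICAST),
             ("frag2", FRAG2), ("dad_ns", NS)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Without the two extra rules, FRAG1 would be permitted (no ICMPv6 type is visible in it) and FRAG2 would be permitted as well (a stateless filter never sees an ICMPv6 header at a non-zero fragment offset), which is exactly the evasion the slide describes. Overlapping fragments cannot be handled this way at all; as the slide says, that part depends on the host stack following RFC 5722.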


Agenda

• IPv6 in the Layer 2 domain: high level considerations

• Use Case #1: Router discovery

• Use Case #2: Address theft

‒ Target deployment model

‒ Vulnerability scope

‒ Protocols: operations and vulnerabilities

‒ Mitigation solutions

‒ Demo

‒ Remaining vulnerabilities

• Use Case #3: Address spoofing

• Use Case #4: Remote address resolution cache exhaustion

Address Theft - Target deployment model

• Hosts reside on a shared “Layer 2 domain” (same link)

• Host addresses are assigned using SLAAC, DHCP or static configuration

• Attacker is also on the link. Can be a plain desktop/laptop, running simple attack tools. Or it can be a careless user

• Attacker goal is to take over (steal) someone else’s address to either source (bogus) traffic or hijack sessions

• Attacker can also perform a DoS attack by pretending to own the entire address space

• Vulnerability scope: the link (same as for Router discovery)

Address Theft – Address Resolution protocol

• When needed, it resolves the IP address into a MAC address

• Creates neighbor cache entry

• Maintains entry with NUD or upon receipt of any updated LLA

• Last Come, First Serve (LCFS): good for mobility, bad for security!

Figure: nodes B, A and C on the link; A resolves B and stores “B → MAC B” in its Neighbor cache.

NS: ICMP type = 135 (Neighbor Solicitation)
 Dst = Solicited-node multicast address of B
 target = B
 Query = what is B’s Link-Layer Address?

NA: ICMP type = 136 (Neighbor Advertisement)
 Src = one of B’s I/F addresses
 Dst = A
 target = B
 Option = Target link-layer address (MACB)

Address Theft – Duplicate Address Resolution

• Verify address uniqueness before using it

• Required (MUST) by SLAAC, recommended (SHOULD) by DHCP

• Probe neighbors to verify nobody claims the address

Figure: nodes B, A and C on the link; A sends a DAD NS and, with no answer, Node A can start using address A.

NS: ICMP type = 135 (Neighbor Solicitation)
 Src = UNSPEC = 0::0
 Dst = Solicited-node multicast address of A
 target = A
 Query = Does anybody use A already?

Address Theft – Vulnerability #1

• Attacker can claim victim's IP address

Figure: address resolution flow between B, A and C. A’s neighbor cache held “B → MAC B”; after C’s unsolicited NA it holds “B → MAC C”.

Unsolicited NA from C:
 Src = B
 Target = B
 Dst = all-nodes
 Option = MACC

Attack Tool: Parasite6 - Answer to all NS, Claiming to Be All Systems in the LAN...

Address Theft – Vulnerability #2

• Attacker answers any victim's DAD attempts

• Victim can't configure IP address and can't communicate

Figure: C and A on the link.

DAD NS from A:
 Src = UNSPEC
 Dst = Solicited-node multicast address of A
 target = A
 Query = Does anybody use A already?

NA from C (“it’s mine!”):
 Src = any C’s I/F address
 Dst = A
 target = A
 Option = link-layer address of C

From RFC 4862 5.4: « If a duplicate @ is discovered… the address cannot be assigned to the interface »

What If: Use MAC@ of the Node You Want to DoS and Claim Its IPv6 @

Attack Tool: Dos-new-IPv6

Mitigation in IOS: Configuring the IPv6 address as anycast disables DAD on the interface

Address theft mitigations

Where                 What
Routers & Hosts       Configure static neighbor cache entries
Routers & Hosts       Use CryptoGraphic Addresses (SeND CGA)
Switch (First Hop)    Host isolation
Switch (First Hop)    Address watch:
                      • Glean addresses in NDP and DHCP
                      • Log bindings <address, port, MAC, vlan> for traceability
                      • Establish and enforce rules for address ownership
                      • Prevent address thefts
                      • Limit number of bindings accepted per user (define “user”)

Address Theft – Mitigation: Address ownership proof

• Objectives for Address ownership:

‒ Enable the ND message sender to provide proof of ownership of address and for the receiver to validate the proof

‒ Verify that the address is either the source of the ND message or the “target” for DAD messages (when source is UNSPEC)

‒ This is a SeND feature

• Protocol overview

‒ Hosts (and routers) generate a pair of RSA keys

‒ The public key is hashed to create a Cryptographic address (CGA)

‒ The CGA address is signed by the private key

‒ Both the public key and signature are provided in ND messages

‒ Receivers must verify the signature and address/key consistency (address = hash(key))

‒ No key distribution required!

Address Theft – Mitigation: Address ownership overview

Figure: sender side (SIGN): Interface-id = hash(public key), Address = Prefix | Interface-id, the ND message is sent with Src = Address and signed with the private key. Receiver side (VERIFY): computes the address from the key and checks the signature: “My address!”.

Address Theft – Mitigation: SeND cont’d – Extending the 62 bits crypto barrier

• 62 bits is not considered a good protection against brute force

• Need to inject “delay” in the computation

• Need to make the computation able to evolve

Figure (left, brute force): Generate keys pub and priv; hash’ = SHA-1(pub+pfx); hash’’ = hash’[0..61]; hash’’ = target hash? NO → generate again; done after up to 2^62 attempts.

Figure (right): Generate keys pub and priv; hash’ = SHA-1(pub+pfx); hash’’ = hash’[0..61]; done. Add tunable delay there!

Address Theft – Mitigation: SeND cont’d – The “real” thing (For Your Reference)

CGA generation (flowchart):

 Inputs: key = public key in DER format; sec = security level; col = collision count = 0

 1. Generate random 16 bytes: mod

 2. Build message = mod || 0 || 0 || key; hash = SHA-1(message)

 3. If bits 0..16*sec of hash ≠ 0: increment mod and go back to 2 (the delay is here!)

 4. message = mod || prefix || col || key; hash = SHA-1(message)

 5. Compute address: bytes 0..7 = prefix; bytes 8..15 = hash bytes 0..7; bits 64..66 = sec; bits 70, 71 = 0 (“u” and “g”)

 6. Do DAD: no response → start using address; duplicate → if col < 2, increment col and go back to 4, else report error
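The flowchart above (and the "62 bits crypto barrier" slide before it) describe how the sec field turns address generation into tunable work while verification stays cheap. The Python block below is an added example, not code from the deck or from any SeND implementation: it carries the flowchart through with SHA-1, the sec-dependent modifier search (Hash2), the Hash1 interface identifier with sec written into bits 0..2 and the u/g bits cleared, the DAD loop with at most three collisions, and the receiver-side consistency check. The public key is a constructed placeholder byte string, not a real DER key, and the signature over the ND message is left out; function names are hypothetical. Where the slide writes the zero field of the Hash2 input as "0 || 0", the code uses the nine zero octets of RFC 3972.

```python
"""CGA generation and verification following the slide's flowchart (added example)."""
import hashlib
import ipaddress
import os


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero octets || key); its leftmost 16*sec bits must be zero."""
    if sec == 0:
        return True
    h = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(h[:14], "big") >> (112 - 16 * sec) == 0


def find_modifier(pubkey: bytes, sec: int, rng=os.urandom):
    """The tunable delay: increment the 16-byte modifier until Hash2 clears the sec barrier."""
    modifier = int.from_bytes(rng(16), "big")
    attempts = 0
    while not hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
        attempts += 1
    return modifier.to_bytes(16, "big"), attempts


def interface_id(modifier: bytes, prefix: bytes, col: int, pubkey: bytes, sec: int) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier || prefix || col || key); bits 0..2 of the
    interface id (bits 64..66 of the address) carry sec, bits 6,7 (u and g) are cleared."""
    h = bytearray(hashlib.sha1(modifier + prefix + bytes([col]) + pubkey).digest()[:8])
    h[0] = (h[0] & 0x1C) | (sec << 5)
    return bytes(h)


def generate_cga(prefix: ipaddress.IPv6Network, pubkey: bytes, sec: int,
                 dad_in_use=lambda addr: False, rng=os.urandom) -> dict:
    """Whole procedure including the DAD loop: col = 0, 1, 2, then report an error."""
    modifier, attempts = find_modifier(pubkey, sec, rng)
    pfx = prefix.network_address.packed[:8]
    for col in range(3):
        addr = ipaddress.IPv6Address(pfx + interface_id(modifier, pfx, col, pubkey, sec))
        if not dad_in_use(addr):                    # "No response" -> start using the address
            return {"address": addr, "modifier": modifier, "collision_count": col, "attempts": attempts}
    raise RuntimeError("CGA generation failed: duplicate address after three collisions")


def verify_cga(addr: ipaddress.IPv6Address, modifier: bytes, col: int, pubkey: bytes) -> bool:
    """Receiver side: address/key consistency (address = hash(key)). The CGA parameters travel in
    the ND message, so no key distribution is needed. Signature checking is out of scope here."""
    packed = addr.packed
    pfx, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    if col > 2:
        return False
    return interface_id(modifier, pfx, col, pubkey, sec) == iid and hash2_ok(modifier, pubkey, sec)


# Constructed placeholder standing in for a DER-encoded RSA public key (not a real key).
PLACEHOLDER_KEY = b"\x30\x5c\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00" + b"\x42" * 75
PREFIX = ipaddress.IPv6Network("2001:db8:100::/64")


def demo(sec: int = 1) -> dict:
    # a fixed rng makes the run reproducible; a node uses os.urandom
    first = generate_cga(PREFIX, PLACEHOLDER_KEY, sec, rng=lambda n: b"\x00" * n)
    # simulate a DAD duplicate of the first address: the collision count moves to 1
    second = generate_cga(PREFIX, PLACEHOLDER_KEY, sec, dad_in_use=lambda a: a == first["address"],
                          rng=lambda n: b"\x00" * n)
    return {"first": first, "second": second,
            "verify_ok": verify_cga(first["address"], first["modifier"], 0, PLACEHOLDER_KEY),
            "verify_wrong_key": verify_cga(first["address"], first["modifier"], 0, b"\x99" * 90)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With sec=1 the modifier search costs on the order of 2^16 SHA-1 evaluations, with sec=2 about 2^32, while verify_cga always costs two hashes: that asymmetry is the "tunable delay" of the slide. The collision count only changes Hash1, so a DAD duplicate does not force the expensive search to be redone.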

Address Theft – Mitigation: Address Glean at the First Hop

Figure: DHCP server and hosts H1, H2, H3 attached to the first-hop switch, which gleans bindings from:

‒ H1: DAD NS [IP source=UNSPEC, target=A1, SMAC=MACH1]

‒ H2: REQUEST [XID, SMAC = MACH2] and REPLY [XID, IPA21, IPA22]

‒ H3: data [IP source=A3, SMAC=MACH3]; the switch sends DAD NS [IP source=UNSPEC, target = A3] and H3 answers NA [IP source=A3, LLA=MACH3]; the figure also shows DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY exchanged with the DHCP server

Binding table

ADR   MAC     VLAN  IF   Preference
A1    MACH1   100   P1   X
A21   MACH2   100   P2   Y
A22   MACH2   100   P2   Y
A3    MACH3   100   P3   Z

Address Theft – Mitigation: Address Watch at the First Hop

Figure: host → switch; Address glean feeds the Binding table; “Valid?” decides whether the packet is bridged.

Address glean

– Arbitrate collisions, check ownership

– Check against max allowed per box/vlan/port

– Record & report changes

• Preference is a function of: configuration, learning method, credential provided

• Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_CGA, SLAAC)

• For collision with same preference, choose First Come, First Serve
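The three rules above (arbitrate collisions by preference, fall back to first come first served, cap the number of bindings per target) are the core of address watch. The Python block below is an added example, not code from the deck or from the IOS "ipv6 snooping" feature: it keeps a binding table keyed by address, ranks each binding the way the slide orders them (static, trusted, CGA, DHCP above dynamic, untrusted, non-CGA, SLAAC), and logs every decision. The scenario is constructed for the example: two legitimate hosts, a server on a trusted port, and a VILLAIN on port P3 claiming addresses that are not his. Class and field names are hypothetical.

```python
"""First-hop binding table with preference-based collision arbitration (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    method: str            # how the address was learned: "slaac", "dhcp" or "static"
    trusted: bool = False  # learned on a trusted-port
    cga: bool = False      # CGA credentials were verified


METHOD_RANK = {"slaac": 0, "dhcp": 1, "static": 2}


def preference(b: Binding) -> tuple:
    """Higher tuple wins: static > trusted > CGA > DHCP > SLAAC, as ordered on the slide."""
    return (b.method == "static", b.trusted, b.cga, METHOD_RANK[b.method])


class BindingTable:
    def __init__(self, max_per_port: int = 10):
        self.max_per_port = max_per_port          # "limit address-count" equivalent
        self.entries = {}                         # address -> Binding
        self.log = []                             # record & report changes

    def _event(self, verdict: str, b: Binding, why: str) -> str:
        self.log.append(f"{verdict}: {b.address} mac={b.mac} vlan={b.vlan} port={b.port} ({why})")
        return verdict

    def count_on_port(self, port: str) -> int:
        return sum(1 for b in self.entries.values() if b.port == port)

    def glean(self, new: Binding) -> str:
        """Arbitrate a gleaned <address, mac, vlan, port>: accepted / refreshed / replaced / rejected."""
        old = self.entries.get(new.address)
        if old is not None and (old.mac, old.port) == (new.mac, new.port):
            self.entries[new.address] = new
            return self._event("refreshed", new, "same owner")
        if self.count_on_port(new.port) >= self.max_per_port:
            return self._event("rejected", new, "address-count limit reached on port")
        if old is None:
            self.entries[new.address] = new
            return self._event("accepted", new, "new binding")
        if preference(new) > preference(old):
            self.entries[new.address] = new
            return self._event("replaced", new, f"outranks {old.mac}/{old.port} ({old.method})")
        return self._event("rejected", new, f"owned by {old.mac}/{old.port}, equal or higher preference (FCFS)")

    def owner(self, address: str):
        b = self.entries.get(address)
        return None if b is None else (b.mac, b.port)


# Constructed scenario on vlan 100 (not from the deck).
SCENARIO = [
    Binding("2001:db8:100::11", "MACH1", 100, "P1", "slaac"),
    Binding("2001:db8:100::21", "MACH2", 100, "P2", "dhcp"),
    Binding("2001:db8:100::11", "MACVILLAIN", 100, "P3", "slaac"),   # same preference -> FCFS keeps H1
    Binding("2001:db8:100::21", "MACVILLAIN", 100, "P3", "slaac"),   # SLAAC cannot outrank DHCP
    Binding("2001:db8:100::3",  "MACVILLAIN", 100, "P3", "slaac"),   # unclaimed so far: accepted
    Binding("2001:db8:100::3",  "MACSERVER",  100, "P4", "static", trusted=True),  # outranks it
    Binding("2001:db8:100::b1", "MACVILLAIN", 100, "P3", "slaac"),   # 1st address on P3
    Binding("2001:db8:100::b2", "MACVILLAIN", 100, "P3", "slaac"),   # 2nd address on P3
    Binding("2001:db8:100::b3", "MACVILLAIN", 100, "P3", "slaac"),   # 3rd: over the per-port limit
]


def run_scenario(max_per_port: int = 2):
    table = BindingTable(max_per_port)
    verdicts = [table.glean(b) for b in SCENARIO]
    return table, verdicts


if __name__ == "__main__":
    table, _ = run_scenario()
    print("\n".join(table.log))
```

Note the mobility consequence the design carries: a host that moves to another port presents the same MAC on a different port, which this table treats as a collision with equal preference and rejects until the old entry is removed. That is the price of first come first served, which is why the slide prefers authoritative learning methods (DHCP, static) where they are available.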

Address Theft – Mitigation: Security Perimeter & State Distribution

Figure: two first-hop switches, each with its own Address glean and Binding table (H11 behind the first, H21 behind the second), and the combined view of both tables.

First binding table

ADR   MAC     IF
A11   MACH1   P1
A21   MACH2   P2

Second binding table

ADR   MAC     IF
A21   MACH1   P1
A22   MACH2   P2

Combined binding table

ADR   MAC     IF
A11   MACH1   P1
A21   MACH2   P2
A21   MACH1   P1
A22   MACH2   P2

Address Theft – Demo: the topology

Figure: VILLAIN, DUMB, HOST and ROUTER+DHCP server attached to SWITCH on vlan 100, plus a Provisioning system.

Address Theft – Demo: Address theft & Mitigation

Regular operations

− Show ipv6 address: SLAAC, DHCP, static

− HOST connects to ROUTER

− Show neighbor cache

Attack

− HOST connects to ROUTER

− VILLAIN steals 2001:100::1 and connection breaks

− HOST re-connects and ends up at VILLAIN

Mitigation

− Configure static cache entry on HOST

− Configure CGA address on ROUTER. Helps HOST, not DUMB

− Enable “ipv6 snooping” on SWITCH

• Show binding table, preference values, etc.

• Helps for non-CGA, CGA, HOST and DUMB

• Show logging

Address Theft – Remaining Vulnerabilities

• Problems

‒ address ownership ≠ address authorization! Attacker can forge any address of its own and prove ownership

‒ CGA is not widely available

‒ First-come first-serve is NOT very secure for SLAAC

‒ First-come first-serve is hardly compatible with mobility

• Solutions

‒ Use FH address glean & watch (combine with CGA when available)

‒ Use non-default preferences whenever you can.

‒ Use authoritative address assignment method (DHCP) when you can.

‒ When FCFS must be used, use long lifetime to keep entries in the binding table as long as you can

‒ Use logging to trace problems after the fact

‒ To reduce issues with mobility, use 802.1X whenever possible

‒ For address authorization, see next use case …


Agenda

• IPv6 in the Layer 2 domain: high level considerations

• Use Case #1: Router theft

• Use Case #2: Address theft

• Use Case #3: Source Address spoofing

‒ Target deployment model

‒ Mitigation solutions

‒ Demo

‒ The standard

• Use Case #4: Remote address resolution cache exhaustion

46


• Hosts (victims) are anywhere (on/off link)

• Attacker is on the link

• Attacker can be a plain PC, running simple attack tools

• Attacker goal is to launch single packet attacks or Flood-Based DoS attack without being identified or traceable

Address Spoofing - Target deployment model

47


• Blind attacks

→ Single packet attacks

→ Flood-Based DoS

→ Poisoning attack

→ Spoof-based Worm/Malware Propagation

→ Reflective Attacks

→ Accounting Subversion

• Non-blind attacks

→ Man in the Middle attacks

→ Third Party Recon

Address Spoofing – Vulnerability scope

48


Address Spoofing - Mitigations

Where             What
Routers           Ingress filtering
                  Unicast Reverse Path Forwarding (uRPF)
Nodes             Address Provisioning Mechanisms
Layer 2 Switch    Port-based Address Binding (FH Source Guard)
                  − draft-ietf-savi-fcfs
                  − draft-ietf-savi-dhcp
                  − draft-ietf-savi-send
                  − draft-ietf-savi-mix
Layer 2/3 Switch  Prefix Guard

49


Figure: hosts H1, H2, H3 behind switch ports P1, P2, P3

Binding table

IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3

Address glean

– Allow traffic sourced with known IP/SMAC

– Deny traffic sourced with unknown IP/SMAC and trigger the address glean process

Data packets seen on the ports (figure):

P1:: data, src = A1, SMAC = MACA1

P2:: data, src = A21, SMAC = MACA21

P3:: data, src = A3, SMAC = MACA3

Address glean exchange for P3 :: A3, MACA3 (figure):

DAD NS [IP source = UNSPEC, target = A3]

NA [target = A1LLA=MACA3]

DHCP LEASEQUERY

DHCP LEASEQUERY_REPLY

Address Spoofing – Mitigation: Source Guard

50


Figure: Home gateways G1, G2, G3 on ports p1, p2, p3 of a shared vlan; L2 switch (FH security, DHCP tag); L3 switch (FH security, DHCP relay); DHCP server; Home Network behind G1

DHCP-PD reply: PREFIX=P1

RA [P1]

SLAAC

src = P1::iid

src = BAD::iid

Binding table

IPv6  MAC    VLAN  Port
P1    MACG1  100   p1

Address Spoofing – Mitigation: Prefix Guard

51
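The allow/deny decision that Source Guard (slide 50) and Prefix Guard (slide 51) take against the binding table, as an added Python model that is not part of the deck or of Cisco's implementation; the port names, VLAN, MACs and 2001:db8 addresses are constructed stand-ins for the A1/A21/A22/P1 labels in the figures.

```python
# Added example, not from the Cisco deck: a model of the switch-side checks behind
# Source Guard (slide 50) and Prefix Guard (slide 51). A binding ties (port, vlan,
# mac) to a /128 address learned by address glean, or to a shorter prefix learned
# from a DHCP-PD reply. Names, addresses and MACs below are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    net: ipaddress.IPv6Network   # /128 = host binding, shorter = delegated prefix

@dataclass
class FirstHopGuard:
    bindings: set = field(default_factory=set)
    glean_queue: list = field(default_factory=list)   # unknown sources awaiting glean

    def learn(self, port, vlan, mac, net):
        """Install a binding (from a DAD NS, a DHCP LEASEQUERY_REPLY or a DHCP-PD reply)."""
        self.bindings.add(Binding(port, vlan, mac.lower(), ipaddress.IPv6Network(net)))

    def check(self, port, vlan, smac, src):
        """Decide a data packet seen on `port`: 'allow' or 'deny'."""
        addr, smac = ipaddress.IPv6Address(src), smac.lower()
        for b in self.bindings:
            if (b.port, b.vlan, b.mac) != (port, vlan, smac):
                continue
            if b.net.prefixlen == 128 and addr == b.net.network_address:
                return "allow"   # Source Guard: exact IP/SMAC/port match
            if b.net.prefixlen < 128 and addr in b.net:
                return "allow"   # Prefix Guard: any IID under the delegated prefix
        # Unknown IP/SMAC on this port: deny and start address glean for it (the DAD NS
        # with unspecified source / DHCP LEASEQUERY exchange in the slide 50 figure).
        self.glean_queue.append((port, vlan, smac, src))
        return "deny"

def sample_guard():
    """Bindings mirroring slides 50 and 51, with constructed addresses and MACs."""
    g = FirstHopGuard()
    g.learn("P1", 100, "00:11:22:33:44:a1", "2001:db8:100::a1/128")  # A1 / MACA1
    g.learn("P2", 100, "00:11:22:33:44:21", "2001:db8:100::21/128")  # A21 / MACA21
    g.learn("P2", 100, "00:11:22:33:44:22", "2001:db8:100::22/128")  # A22 / MACA22
    g.learn("p1", 100, "00:11:22:33:44:01", "2001:db8:1000::/48")    # P1 / MACG1 (DHCP-PD)
    return g
```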


Demo topology (figure): VILLAIN, HOST, PEER and ROUTER+DHCP server attached to SWITCH on vlan 100

Address Spoofing – Demo (For Your Reference)

52


Agenda

• IPv6 in the Layer 2 domain: high level considerations

• Use Case #1: Router discovery

• Use Case #2: Address ownership

• Use Case #3: Source Address Validation

• Use Case #4: Remote address resolution cache exhaustion

‒ The target deployment model

‒ Protocol and vulnerabilities

‒ Mitigation solutions

‒ Demo

53


• Attacker is off link

• Attacker can be a PC, running simple attack tools

• Attacker goal is to launch Flood-Based DoS attack targeting the last-hop router, the link behind it, and all nodes on the link

• Attacker method is to “scan” the link prefix to force high resolution attempts rate, exhaust the router resources, slow or deny valid resolutions, load the link with useless multicast packets

Remote address resolution cache exhaustion – Target deployment model

54


Remote address resolution cache exhaustion – Vulnerability scope

Figure: attacker on the Internet, last-hop router, link and nodes behind it

• Attacker is anywhere on the internet

• His primary victim is the last-hop Layer 3 device (router)

• He can also harm the link and nodes behind it

55


Figure: attacker X scanning the 2^64 addresses of PFX::/64 behind the Gateway (ping PFX::a, PFX::b, … PFX::z)

For each probed address the Gateway sends an NS on the link:

NS  Dst = Solicited-node multicast address of PFX::a  Query = what is PFX::a’s link-layer address?

NS  Dst = Solicited-node multicast address of PFX::b  Query = what is PFX::b’s link-layer address?

NS  Dst = Solicited-node multicast address of PFX::z  Query = what is PFX::z’s link-layer address?

Neighbor cache: 3 seconds history

Remote address resolution cache exhaustion – Protocol

56


Remote address resolution cache exhaustion – Mitigation

Where           What
Routers         − Address Provisioning Mechanisms
                  − Allocate addresses by blocks and filter at the edge
                − ND resolution algorithm
                  - Rate limiting of new resolutions
                  - Separate cache for confirmed reachable entries
                  - Circular buffer for new resolution
                  - Cache boundaries
Layer 3 Switch  Destination Guard

57


• Mitigate prefix-scanning attacks and protect ND cache

• Useful at last-hop router and L3 distribution switch

• Drops packets for destinations without a binding entry

DoS Attack on Address Resolution – Mitigation: Destination Guard

Figure: scanning traffic for {P/64} arrives from the Internet at the L3 switch (packets for D1 … Dn); the switch looks up each destination in the binding table, populated by address glean; found: forward packet (resolution goes through the neighbor cache); not found: drop

58
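The router-side mitigations of slide 57 and the Destination Guard check of slide 58, as an added Python model that is not part of the deck or of any Cisco implementation; the buffer size, the per-second resolution budget and the 2001:db8:1::/64 prefix are constructed assumptions.

```python
# Added example, not from the Cisco deck. NeighborCache models the slide 57
# router-side mitigations (separate table for confirmed entries, fixed-size
# circular buffer for unresolved ones, rate-limited new resolutions);
# DestinationGuard models slide 58. Limits, names and addresses are constructed.
from collections import Counter, deque
import ipaddress

class NeighborCache:
    def __init__(self, incomplete_slots=4, new_per_second=8):
        self.reachable = {}                      # confirmed entries: addr -> link-layer addr
        self.incomplete = deque(maxlen=incomplete_slots)  # circular buffer of pending NS
        self.new_per_second = new_per_second
        self._window = (None, 0)                 # (second, new resolutions started in it)

    def resolve(self, dst, now):
        """Packet to `dst` at time `now` (s): 'reachable', 'pending' or 'ratelimited'."""
        if dst in self.reachable:
            return "reachable"
        if dst in self.incomplete:
            return "pending"                     # NS already outstanding, no new state
        sec = int(now)
        started = self._window[1] if self._window[0] == sec else 0
        if started >= self.new_per_second:
            return "ratelimited"                 # budget spent: no NS sent, no entry created
        self._window = (sec, started + 1)
        self.incomplete.append(dst)              # NS sent; a full buffer evicts the oldest
        return "pending"

    def confirm(self, dst, lladdr):
        """NA received: promote to the confirmed table (scanned non-hosts never answer)."""
        if dst in self.incomplete:
            self.incomplete.remove(dst)
        self.reachable[dst] = lladdr

class DestinationGuard:
    """Slide 58: drop packets whose destination has no first-hop binding entry."""
    def __init__(self, cache, binding_table):
        self.cache, self.binding_table = cache, set(binding_table)

    def forward(self, dst, now):
        return "dropped" if dst not in self.binding_table else self.cache.resolve(dst, now)

def known_hosts(prefix="2001:db8:1::/64", count=2):
    net = ipaddress.IPv6Network(prefix)          # constructed binding table: first `count` hosts exist
    return {net[i] for i in range(1, count + 1)}

def scan_load(handle, prefix, count, now):
    """Offer one packet per consecutive address under `prefix`; return outcome counts."""
    net = ipaddress.IPv6Network(prefix)
    return Counter(handle(net[i], now) for i in range(1, count + 1))
```

Feeding the same burst of unknown destinations through a bare cache and through the guarded path shows the difference: the bare cache spends its resolution budget and evicts the real hosts from the circular buffer, while the guarded path never creates state for an address without a binding.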


Demo topology (figure): VILLAIN, HOST, PEER and DHCP server attached to the L2/L3 SWITCH on vlan 100

DoS Attack on Address Resolution – Demo

59


IPv6 First Hop Security Platform Support

Legend: Available Now / Not Available / Roadmap (– : no release listed)

Feature/Platform       Catalyst 6500  Catalyst 4500  Catalyst 2K/3K  ASR1000    7600      Catalyst 3850  Wireless LAN Controller
                       Series         Series         Series          Router     Router                   (Flex 7500, 5508, 2500, WISM-2)
RA Guard               15.0(1)SY      15.1(2)SG      15.0(2)SE       –          15.2(4)S  15.0(1)EX      7.2
IPv6 Snooping          15.0(1)SY1     15.1(2)SG      15.0(2)SE       XE 3.9.0S  15.2(4)S  15.0(1)EX      7.2
DHCPv6 Guard           15.2(1)SY      15.1(2)SG      15.0(2)SE       –          15.2(4)S  15.0(1)EX      7.2
Source/Prefix Guard    15.2(1)SY      15.2(1)E       15.0(2)SE2      XE 3.9.0S  15.3(1)S  –              7.2
Destination Guard      15.2(1)SY      15.1(2)SG      15.2(1)E        XE 3.9.0S  15.2(4)S  –              –
RA Throttler           15.2(1)SY      15.2(1)E       15.2(1)E        –          –         15.0(1)EX      7.2
ND Multicast Suppress  15.2(1)SY      15.1(2)SG      15.2(1)E        XE 3.9.0S  –         15.0(1)EX      7.2

Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped

Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release

60


Recommended Reading for BRKSEC-3003

61


Call to Action

• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action

• Get hands-on experience attending one of the Walk-in Labs

• Schedule a face-to-face meeting with one of Cisco’s engineers at the Meet the Engineer center

• Discuss your project’s challenges at the Technical Solutions Clinics

62



Q & A
