CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

1

IPV6 NDP introduction before understanding First Hop Security Frist we need to fully understand what protocol IPv6 use to get mac address and other information from neighbors and routers? IPv6 use NDP for that, so what is NDP ? IPv6 NDP neighbor discovery protocol replaces ARP in IPv6 networks NDP help in many things lets overview it in the following examples: Example 1: 1-Host assign to itself Link Local address using FE80::/10 with eui-64 2-Host send NS Neighbor Solicitation ( like arp request) saying : anyone using my link local address? If no reply so address is unique. This process called DAD Duplicate Address Detection Example 2: 1-when Host want to know mac address for ipv6 address will send NS saying: what is mac address for this ipv6 address? 2-another Host will send NA Neighbor Advertisement (like arp reply) saying: I have this ipv6 address and this my mac address. Example 3: Host can use NDP to detect all routers on the subnet that could be used as Default Gateway. 1-Host sends RS Router Solicitation to FF02::2 saying: any router around to use as default gateway? 2-Router send RA Router Advertisement saying: yes I am and here is my link local address Also router will send periodically RA to FF02::1 Also if router had global unicast address ex: 2002:1:1:1::1 then he will send to hosts Prefix 2001:1:1:1::/64 and this good for SLAAC Example 4: NDP is useful too with SLAAC stateless address auto configuration (Auto configuration = mini DHCP) When host knew prefix (network address) from router, host will create host address (eui-64) and use this prefix address to have complete ipv6 address Remember DHCPv6 is no longer responsible to provide default gateway address, its default gateway itself responsibility to announce his self as default gateway to hosts

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

2

Notes:

NDP or ND as we used to call it create Neighbor Cache which is equivalent to an ARP cache or Table in IPv4 (we can display it with show ipv6 neighbors).

Typing no ipv6 unicast routing will disable the router ability to be forward ipv6 unicast packets & ipv6 routing protocols and also will disable the sending of ICMPv6 RA messages .

As IPv4 ARP we can create static entry to be stored in arp cache ( ipv6 neighbor Cache ) by typing : Ipv6 neighbor ipv6-address interface-type interface-number hardware-address

The neighbor cache can be cleared by typing : clear ipv6 neighbors

If we type show ipv6 interface we can see many NP parameters

Remember for later configuration to make our router as DHCP relay agent we type: Int f0/0 Ipv6 dhcp relay dest 2001:5:6:7::2 (where 2001:5:6:7::2 is DHCPv6 server address) (Dhcp client ------ f0/0 router f0/1--------dhcp server)

We can change many of these parameters under interfaces

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

3

RA interval is the amount of time in seconds between consecutive RA messages (default is 200 seconds) We can change using ipv6 nd ra interval command. RA Lifetime define how long host should consider this router as a valid default Gateway (default is 1800 seconds = 30 minutes). We can change using ipv6 nd ra lifetime command. Changing M & O flags : M Flag (managed address configuration flag) tell host that is configured to obtain its configuration information automatically using SLACC or DHCPv6 0 = use SLACC (default ) 1= use DHCPv6 To change to 1 ( use DHCPv6) we type Ipv6 nd managed-config-flag O Flag (Other configuration flag) inform host to get additional information such as DNS info from DHCPv6 server or not 0 = no additional info available from DHCPv6 1= use DHCPv6 server to get additional info To change to 1 ( use DHCPv6) we type Ipv6 other-config-flag

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

4

Let’s check the following topology to understand more about ipv6 behavior inside our LAN:

R3 act as PC , From R3 point of view R1 OR R2 will be his first Hop to reach external networks R1 will act as mini DHCP and send ipv6 address to R3 R3 Int f0/1 ipv6 add autoconfig default Above command will make this interface assigned ipv6 address from same prefix R1 will send using RA And also R3 will consider R1 default gateway since we add the keyword “default”

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

5

You can always use Debug ipv6 nd to see all nd messages

To prevent R2 from sending RA to R3 and maybe act as Default gateway we type : R2 Int f0/1 Ipv6 nd ra suppress Before we finish this introduction to NDP let’s check the following example about General Prefix Concept in IPv6 and how its work . R1 Connected to R2 using f0/0 interface FastEthernet0/0 no ip address duplex auto speed auto ipv6 address 2001:10:1:12::1/64 R2 ipv6 general-prefix MyGlobal 2001:10:1::/48 interface FastEthernet0/0 no ip address duplex auto speed auto ipv6 address MyGlobal ::12:0:0:0:2/64

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

6

Threats regarding all what we learned so far about IPv6 NDP: -spoof router, receive two RA one from fake router and give wrong default gateway -spoof DHCP server and send bogus offers -poison router ND Cache -overload router ND cache (send packets to entire /64 range) Tools used to attack your IPv6 Network including your First Hop: • THC IPv6 Attack Toolkit • SI6 Networks IPv6 Toolkit • Evil FOCA • halfscan6, Scan6, CHScanner • Scapy, SendIP, ISIC6, Packit, Spak6 • 6tunneldos, 4to6ddos, imps6-tools Credits for knowing these tools goes to Scott Hogg CCIE #5133 author of Cisco Press, 2009. IPv6 Security, By Scott Hogg and Eric Vyncke.

Evil Foca is a tool designed for pen testers and security auditors to perform security testing in IPv4/ IPv6 data networks. The tool is capable to do different attacks such as: MITM on IPv4 networks using ARP Spoofing and DHCP ACK injection, MITM on IPv6 networks using Neighbor Advertisement Spoofing, SLAAC Attack, fake DHCPv6, DoS (Denial of Service) on IPv4 networks using ARP Spoofing, DoS (Denial of Service) on IPv6 networks using SLAAC attack and DNS hijacking.

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

7

So it’s time to secure our Frist Hop Topology and this is what we call First Hop Security FHS.

IPv6 First Hop Security ( IPv6 FHS) IPv6 FHS First Hop Security are also called IPv6 Policies which can be applied to interface or VLAN level. FHS come with Software policy Database where polices stored . IPv6 snooping acts as a container policy that enables most of the features available with FHS in IPv6. Most FHS features are configured in a two-step : firstly you define a policy which describes the behavior of the feature, secondly you apply this policy to a VLAN or interface. FHS Features:

IPv6 RA Guard

IPv6 DHCP Guard

IPV6 Snooping (Binding integrity Guard) & Device Tracking

IPv6 Source Guard

IPv6 Destination Guard

IPv6 Prefix Guard

IPv6 PACL

SeND Protocol IPv6 RA Guard Used to prevent Router and Prefix Spoofing • The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled. • This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed. • This feature can be configured on a switch port interface in the ingress direction. • This feature supports host mode and router mode. • This feature is supported only in the ingress direction; it is not supported in the egress direction. • This feature is not supported on EtherChannel and EtherChannel port members. • This feature is not supported on trunk ports with merge mode. • This feature is supported on auxiliary VLANs and private VLANs (PVLANs). • Packets dropped by the IPv6 RA Guard feature can be spanned. • If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the IPv6 RA Guard feature cannot be configured and an error message will be displayed. This command adds default global Internet Control Message Protocol (ICMP) entries that will override the RA guard ICMP entries. IPv6 RA Guard ( RA guard should be deployed on the first hop L2 switch): RA messages they are the only way to get default gateway info to host in the network (beside static configuration). DHCPv6 does not carry this information in his messages unlike DHCPv4. , it is wrong if some host sends RA messages because he is then practically trying to take the role of default gateway away from router. Configuring RA Guard on all switch ports except port that heads to router we prevented rouge RA advertisements on that segment. interface Ethernet0/1

ipv6 nd raguard

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

8

This configuration will drop any RAs received on this interface thus enforcing the policy that this port only connects to the end hosts. We will applied to all interfaces connected to hosts. But what about if we need a configuration that will permit RAs only if they have the M and O bits set, and enforce that the subsequent DHCP advertised prefix is within the company's range of 2001:db8:cafe::/48 : , we will need to configure RA Guard with Policy style , check the following example ipv6 nd raguard policy ONLY-DHCPv6-RAs

device-role router

role 'router' allows the RAs through but triggers deep inspection

managed-config-flag on

The RAs that we let through have to have Managed flag set.

other-config-flag on

he Other configuration flag also needs to be set.

match ra prefix-list IPv6-SPACE

Only allow the RAs that advertise the prefixes from our own address space

interface Ethernet0/0

switchport access vlan 100

switchport mode access

ipv6 nd raguard attach-policy ONLY-DHCPv6-RAs

Attach the policy to the port connecting to the router

!

ipv6 prefix-list IPv6-SPACE permit 2001:db8:cafe::/48 ge 64 le 64

Logging dropped packets It is useful to be able to see which packets are being dropped by FHS. by default packets are dropped silently. In order to see the packets are being dropped use this command: ipv6 snooping logging packet drop For example here is a syslog message indicating that RA Guard has dropped an RA on a particular port: *Jul 27 17:34:54.953: %SISF-4-PAK_DROP: Message dropped A=FE80::A8BB:CCFF:FE00:6900 G=- V=100 I=Et2/0 P=NDP::RA Reason=Message unauthorized on port

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

9

RA Guard scenario:

SW1 ipv6 access-list R1linklocal permit ipv6 host FE80::1 any ipv6 prefix-list R1slaacprefix permit 2001::/64 Create policy for R1 , I will name it “R1policy”: ipv6 nd raguard policy R1policy device-role router match ipv6 access-list R1linklocal match ra prefix-list R1slaacprefix exit create policy for hosts , I will name it “Hostspolicy”:: ipv6 nd ragurad policy Hostspolicy device-role host exit apply to interface or vlan (interface applying override vlan applying if both exists): vlan configuration 911 ipv6 nd ragurad attach-policy Hostspolicy int g1/1 ipv6 nd raguard attach-policy R1policy

All SW1 Interfaces assigned to VLAN 911

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

10

DHCPv6 Guard Let’s Remember that DHCPv6 not assign default gateway address as DHCP in IPv4 , since default routes learned through SLAAC from RA messages. So DHCPv6 Guard Used to Prevent DHCPv6 Server Spoofing . The DHCPv6 guard feature is not supported on Ether channel ports Is similar to RA Guard but it blocks DHCPv6 reply messages coming from DHCPv6 servers and relays that are on wrong ports (which means that they are rouge). it works like an Access list that block UDP port 546 on all port on the switch except port on which the DHCP server is connected. Or VLAN interface for the subnet if there is DHCP relay configured. Why UDP Port 546 ? DHCP uses UDP ports 546 and 547 to initiate communication between the IPv6 client and server. If either of these ports is in use by another application, or the ports are otherwise reserved, DHCP will not function. Port 546 (DHCP Client port for IPv6) If port 546 is in use by another process, DHCP server cannot perform rogue DHCP server detection in IPv6. Port 547 (DHCP server port for IPv6) If port 547 is in use by another process, DHCP server cannot communicate with DHCPv6 clients. Configuring DHCPv6 Guard 1) Create & Assign Policy for Hosts , I will name it “dhcp-client”: For the Host facing ports you don’t need to do this, but if you want to explicitly configure this, that’s how you do it. SW1(config)#ipv6 dhcp guard policy dhcp-client SW1(config-dhcp-guard)#device-role client SW1(config)#Interface range fa0/2-3 SW1(config-if)# switchport mode access SW1(config-if)# ipv6 dhcp guard attach-policy dhcp-client 2) Create & assign policy for DHCP server facing port , I will name it “dhcp-server”: For the server facing ports, you need create DHCPv6 Guard policy. SW1(config)#ipv6 dhcp guard policy dhcp-server SW1(config-dhcp-guard)#device-role server SW1(config-dhcp-guard)#match server access-list ACL1 SW1(config-dhcp-guard)#match reply prefix-list PREF1 Notice You can also provide some extra functionality over access lists; you could block server messages for particular addresses using an access list and you could also block some advertisements from the DHCPv6 server blocking certain prefixes using a prefix list as shown below: SW1(config)#ipv6 access-list ACL1 SW1(config-ipv6-acl)#permit ipv6 host FE80::1 any

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

11

SW1(config)#ipv6 prefix-list PREF1 seq 5 permit 2001::/64 le 128 SW1(config)# Interface fa0/1 SW1(config-if)#switchport mode access SW1(config-if)# ipv6 dhcp guard attach-policy dhcp-server DHCP Guard scenario:

By turning on IPv6 Snooping, you automatically drop the switch into “Guard Mode” which will turn on DHCPv6 Guard as well as RA Guard; so none of the redirect advertisements or any DHCPv6 server messages will get through. (You will understand this point once we explain ipv6 snooping feature) each devive must have one of two modes : 1) Client: Sets the role of the device to client. 2) Server: Sets the role of the device to server. Since the default mode of the switch is to “guard”, by default all ports configured with dhcpv6 guard will be in client mode. Thus all ports will be dropping any dhcpv6 server messages by default. SW1 SW1(config)#ipv6 dhcp guard policy dhcp-server SW1(config-dhcp-guard)#device-role server SW1(config)#int g1/1 SW1(config-if)#sw SW1(config-if)#sw mo access SW1(config-if)#ipv6 dhcp guard attach-policy dhcp-server SW1(config)#ipv6 dhcp guard policy dhcp-client SW1(config-dhcp-guard)#device-role client

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

12

SW1(config)#int range g1/2 - 3 SW1(config-if)#sw SW1(config-if)#sw mo acc SW1(config-if)#ipv6 dhcp guard attach-policy dhcp-client Additional security can be achieved by assigning an access list to only permit dhcpv6 server messages from a specific source address and Assigning a prefix-list to allow address allocation only from a known prefix SW1(config)#ipv6 access-list MYACL SW1(config-ipv6-acl)#permit ipv6 host FE80::1 any SW1(config)#ipv6 prefix-list MYPREFIX seq 5 permit 2001::/64 le 128 SW1(config)#ipv6 dhcp guard policy dhcp-server SW1(config-dhcp-guard)#match server access-list MYACL SW1(config-dhcp-guard)#match reply prefix-list MYPREFIX SW1(config-dhcp-guard)#exit

IPv6 Snooping

IPv6 snooping, "binding integrity guard" is actually a "bundled" feature that combines:

RA guard / DHCP guard

IPv6 address gleaning

IPv6 ND inspection

Device Tracking

Since IPv6 snooping included the guard functions, if you enable IPv6 snooping, you do not need

to explicitly configure RA guard / DHCP guard on the same port.

The below configuration shows a default configuration for IPv6 snooping.

ipv6 snooping policy HOST

!

interface GigabitEthernet1/0/2

switchport access vlan 201

switchport mode access

ipv6 snooping attach-policy HOST

!

To verify the snooping policy you can use the “show ipv6 snooping policy [policy name]”

command as shown below. FirstHopSwitch#show ipv6 snooping policy HOST

Policy HOST configuration:

security-level guard <- RA and DHCP messages are dropped

device-role node <- Only end points are expected on this port

protocol ndp <- Gleaning addresses from ND process

protocol dhcp <- Gleaning addresses from DHCP

Policy host is applied on the following targets:

Target Type Policy Feature Target range

Gi1/0/2 PORT HOST Snooping vlan all

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

13

Note that when IPv6 snooping is configured the default security is set to "guard". This setting

can cause problems when the snooping policy is attached to a port that has a DHCPv6 server

connected to it. This policy setting will drop the DHCPv6 messages. To allow the DHCPv6

messages through, the port must be configured as a trusted port or a specific DHCPv6 guard

policy must be configured.

IPv6 Snooping is doing the same thing as in IPv4 , uses binding table known as ND table and tries to ( remember )bind all IPv6 addresses on the segment to particular MAC address. It does that by monitoring DHCPv6, ND and other regular data flows. After a while ND table is having all the bindings (MAC-IPv6) and when an intruder sends rouge NA message his MAC address does not correspond to right MAC address from that receiver IPv6 address and he will be prevented from sending. These categories of traffic carry information that the binding table snoops for: • ND traffic • DHCP traffic • Data traffic NDP Address Gleaning The NDP address gleaning feature is enabled by default when you configure the ipv6 snooping policy global configuration command. IPv6 DHCP Address Gleaning The IPv6 DHCP address gleaning feature provides the ability to extract addresses from DHCP messages and populate the binding table. The switch extracts address binding information from all messages types of DHCPv6 exchanges (using User Datagram Protocol (UDP), ports 546 and 547) IPv6 Data Address Gleaning The IPv6 data address gleaning feature provides the ability to extract addresses from redirected data traffic, to discover neighbors and to populate binding tables. The IPv6 device tracking feature provides IPv6 host liveness tracking so that a neighbor table can be updated when an IPv6 host disappears. The feature tracks the liveness of the neighbors connected through the L2 switch on regular basis in order to revoke network access privileges as they become inactive.

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

14

How to Configure IPv6 Snooping Configuring IPv6 ND Inspection Configures an IPv6 snooping policy and enters IPv6 snooping configuration mode. Device(config)# ipv6 snooping policy yasserpolicy Attaches the IPv6 snooping policy to a target. Device(config-ipv6-snooping)# ipv6 snooping attach-policy yasserpolicy Configuring IPv6 ND Inspection Globally Defines the ND inspection policy name and enters ND inspection policy configuration mode. Device(config)# ipv6 nd inspection policy yasserpolicy Drops messages with no options, invalid options, or an invalid signature. Device(config-nd-inspection)# drop-unsecure Specifies the minimum security level parameter value when cryptographically generated address (CGA) options are used. Device(config-nd-inspection)# sec-level minimum 2 Specifies the role of the device attached to the port. device-role {host | monitor | router} Device(config-nd-inspection)# device-role monitor Overrides the default tracking policy on a port. tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]} Device(config-nd-inspection)# tracking disable stale-lifetime infinite Configures a port to become a trusted port. trusted-port Device(config-nd-inspection)# trusted-port Applying IPv6 ND Inspection on an Interface ipv6 nd inspection [attach-policy [policy policy-name] | vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]] Device(config)# interface fastethernet 0/0 Device(config-if)# ipv6 nd inspection

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

15

Configuring IPv6 Device Tracking in Two Steps : 1-configure IPv6 Binding Table contents Adds a static entry to the binding table database. ipv6 neighbor binding vlan vlan-id {interface type number |ipv6-addr ess | mac-address} [tracking [disable | enable |retry-interval value] | reachable-lifetime value] Device(config)# ipv6 neighbor binding vlan 100 interface Ethernet 0/0 reachable-lifetime 100 Specifies the maximum number of entries that are allowed to be inserted in the binding table cache. ipv6 neighbor binding max-entries entries [vlan-limit number| interface-limit number | mac-limit number] Device(config)# ipv6 neighbor binding max-entries 100 Enables the logging of binding table main events. ipv6 neighbor binding logging Device(config)# ipv6 neighbor binding logging 2-configure IPv6 Device Tracking Track entries in the binding table Device(config)#ipv6 neighbor tracking Show ipv6 device Tracking Configuring the IPv6 First-Hop Security Binding Table Recovery Mechanism adds a static entry to the binding table database Device(config)#ipv6 neighbor binding vlan 100 2001:db8::1 interface ethernet 3/0 create an entry in ipv6 prefix list Device(config)#ipv6 prefix-list abc permit 2001:db8::/64 ge 128 enter ipv6 snooping mode Device(config)#ipv6 snooping policy xyz specify that destination address should be recovered from DHCP Device(config-ipv6-snooping)#destination-glean recovery dhcp (if looging without recovery required use destination-glean log-only) optionally specifies that address shoudl be gleaned with dhcp and associates teh protocol with specific ipv6 prefix list. Device(config-ipv6-snooping)# protocol dhcp prefix-list abc Device(config-ipv6-snooping)#exit optionally enter destination gurad configuration mode Device(config)# ipv6 destination-gurad policy xyz

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

16

sets the enforcement level of teh policy where alyways enforced or when system stressed only Device(config-destguard)# enforcement stressed Device(config-destguard)#exit enter dhcp gurad mode Device(config)# ipv6 dhcp guard policy server_side sets teh role of teh device attached to the server Device(config-dhcp-guard)# device-role server Device(config-dhcp-guard)#exit enter vlan configuration mode Device(config)#vlan configuration 100 attach ipv6 snooping policy to vlan Device(config-vlan-config)#ipv6 snooping attach-policy xyz atatch teh destination guard policy Device(config-vlan-config)#ipv6 destination-guard attach-policy xyz Configuring Address Gleaning and Associating Recovery Protocols with Prefix Lists Device(config)#ipv6 snooping policy 200 specifies that address should be gleaned with DHCP & associates a recovery protocol with the prefix list Device(config-ipv6-snooping)#protocol dhcp prefix-list myprefix Configuring IPv6 Prefix Glean Device(config)#ipv6 snooping polciy yasserpolicy Device(config-ipv6-snooping)#prefix-glean

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

17

IPv6 Source Guard

uses ND table to drop traffic from rogue sources or IPv6 addresses that are not in the binding

table.

Configuring IPv6 Source Guard Defines an IPv6 source-guard policy name and enters switch integrated security features source-guard policy configuration mode. Device(config)# ipv6 source-guard policy my_sourceguard_policy Allows hardware bridging for all data traffic sourced by a link-local address. Device(config-sisf-sourceguard)# permit link-local Denies data traffic from auto-configured global addresses. Device(config-sisf-sourceguard)# deny global-autoconf Allows hardware bridging for all data traffic on the target where the policy is applied. Device(config-sisf-sourceguard)# trusted Device(config)# int g1/3 Device(config-if)# ipv6 source-guard attach-policy my_source_guard_policy

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

18

IPv6 Prefix Guard

Will use information from DHCPv6 and RA messages to fill the table with valid prefixes that are

in use and it will block all other prefixes. IPv6 Prefix Guard feature works within the IPv6

Source Guard feature, enabling the device to deny traffic originated from no topologically

correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are delegated to devices

(for example, home gateways) using DHCP prefix delegation. The feature discovers ranges of

addresses assigned to the link and blocks any traffic sourced with an address outside this range.

Configuring IPv6 Prefix Guard Defines an IPv6 source-guard policy name and enters source-guard policy configuration mode. ipv6 source-guard policy snooping-policy Device(config)# ipv6 source-guard policy Mypolicy Disables the validate address feature and enables the IPv6 prefix guard feature to be configured. Device(config-source-guard)# no validate address Enables IPv6 source guard to perform the IPv6 prefix-guard operation. Device(config-source-guard)# validate prefix

IPv6 Destination Guard If a packet comes on the router destined for directly connected subnet

but for address that is not in the ND table that packet will be dropped to prevent ND exhaustion

type of attacks. To explain this, ND exhaustion is made by sending packets to all addresses in

the subnet. Subnets in IPv6 are bigger that IPv4 and /64 subnet will have

18446744073709551614 possible addresses. If you send packets to all those addresses you will

exhaust the memory of ND cache which will basically disable ND process and all the traffic will

become broadcast.

We need to be carefull will this as if our network device reboots it will possibly prevent devices

to communicate before they are registered in the ND table and they need to communicate to be

registered in the ND table. maybe let dramatic solution to this problem is with Cisco

implemented ND resolution rate limiter.

Configuring IPv6 Destination Guard Defines the destination guard policy name and enters destination-guard configuration mode. Device(config)# ipv6 destination-guard policy pol1 Sets the enforcement level for the target address. Device(config-destguard)# enforcement always Device(config-destguard)# exit Enters VLAN configuration mode. Device(config)# vlan configuration 911 Attaches a destination guard policy to a VLAN. Device(config-vlan-config)# ipv6 destination-guard attach-policy pol1

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

19

ND resolution rate limiter is limiting number of ND resolution per second per router and cache

size limiter limits the size of cache per device interface so that there cannot get to the point

where all the memory is consumed and device breaks into reboot. ND resolution rate is 100

resolutions per second per router and cache size is limited to 250 IPv6 address per interface. You

can change those values using this interface level commands:

L3SW(config-if)#ipv6 nd cache interface-limit 4

SW(config-if)#ipv6 nd resolution data limit 50

IPv6 PACL

Configuring PACL Mode and Applying IPv6 PACL on an Interface

Once you have configured the IPv6 access list you want to use, you must configure the PACL

mode on the specified IPv6 L2 interface.

IPv6 Port-Based Access List Support

The IPv6 PACL feature provides the ability to provide access control (permit or deny) on L2

switch ports for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access

control on L2 switch ports for IPV4 traffic. They are supported only in ingress direction and in

hardware.

PACL can filter ingress traffic on L2 interfaces based on L3 and L4 header information or non-

IP L2 information.

Device(config)# ipv6 access-list list1

Device(config-ipv6-acl)# exit

Device(config)# interface fastethernet 0/0

Device(config-if)# access-group mode prefer port

Device(config-if)# ipv6 traffic-filter list1 in

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

20

Secure ND Protocol (SeND) To understand SeND you will need to have good knowledge about PKI public key infrastructure and how certificates obtained .you can read these topics in CompTIA Security+ or CCNA Security books. Also if you have worked before with Microsoft AD CS Active Directory Certificate Service Role you will have the required knowledge to understand SeND. Before continue reading you need to know the meaning of Public Key , Private Key , Hashing Algorithms , Certificate , Certificate Authority , Digital Signature ,PKI , CRL certificate revocation list.....etc What is SeND? SeND protocol counters ND threats. It defines a set of new ND options, and two new ND messages (Certification Path Solicitation [CPS] and Certification Path Answer [CPA]). It also defines a new auto configuration mechanism to be used in conjunction with the new ND options to establish address ownership. SEND works by having a pair of public and private keys per IPv6 node in a network and by extending ND with more options. With SEND, nodes cannot choose their own interface identifier (the lower 64 bits of their IPv6 address); the interface identifier is cryptographically generated based on the current IPv6 network prefix and the public key and we call it CGA address . Different components used to compute a CGA. It is based on the following CGA parameters: • A modifier, which is a random number • The public key of the host • The collision count, which is used to prevent a brute-force attack • The subnet prefix, which is the prefix of the desired address, typically received through router advertisement All above CGA components will be hashed with SHA-1 and take the least 64 bit in order to create the interface identifier ( ipv6 host address) At a minimum, link-local addresses on a SeND interface should be CGAs. Additionally, global addresses can be CGAs. So SeND mechanisms in used are: 1-Cryptographically Generated Addresses Cryptographically generated addresses (CGAs) are IPv6 addresses generated from the cryptographic hash of a public key . The node generating a CGA address must first obtain RSA key pair (SeND uses an RSA public/private key pair). The node then computes the interface identifier part (which is the rightmost 64 bits) and appends the result to the prefix to form the CGA address. 2-Authorization Delegation Discovery Authorization delegation discovery is used to certify the authority of routers by using a trust anchor. A trust anchor is a third party that the host trusts and to which the router has a certification path. Notice , In most operating systems, the trust anchor is a collection of X.509 certificates of certification authorities that come preinstalled with the operating system, or is built into an application (such as web browser).

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

21

SeND Deployment Models • Host-to-Host Deployment Without a Trust Anchor • Neighbor Solicitation Flow • Host-Router Deployment Model • Router Advertisement and Certificate Path Flows • Single CA Model Host-to-Host Deployment Without a Trust Anchor Deployment for SeND between hosts is straightforward. The hosts can generate a pair of RSA keys locally, autoconfigure their CGA addresses, and use them to validate their sender authority, rather than using a trust anchor to establish sender authority Neighbor Solicitation Flow In a neighbor solicitation scenario, hosts and routers in host mode exchange neighbor solicitations and neighbor advertisements. These neighbor solicitations and neighbor advertisements are secured with CGA addresses and CGA options, and have nonce, time stamp, and RSA neighbor discovery options Host-Router Deployment Model In many cases, hosts will not have access to the infrastructure that will enable them to obtain and announce their certificates. In these situations, hosts will secure their relationship using CGA, and secure their relationship with routers using a trusted anchor. When using RAs, SeND mandates that routers are authenticated through a trust anchor. Router Advertisement and Certificate Path Flows the certificate exchange performed using certification path solicitation CPS/CPA SeND messages. Single CA Model The deployment model can be simplified in an environment where both hosts and routers trust a single CA such as the Cisco certification server (CS). SeND Fields added to NDP Using CGA is not enough to ensure that the CGA is used by the right node. SEND extends the NDP by adding further fields to the exchange: • CGA parameters:Sent so that the partners can execute the same algorithm and check whether they compute the same CGA. • Nonce:A random number used once in all NS messages, the solicited node must include the same nonce in its reply (this prevents replay attacks). • Signature:The CGA parameters and the nonce are also signed by using the private key of the node Notice that Having a CGA does not mean that the node has the privilege to be on that network. CGA is simply a way to ensure the binding of a MAC to an IPv6 address and should facilitate the deployment of SEND. SeND & Securing RA Messages RA messages can be secured by using a similar mechanism where all RA messages are signed by the routers. Because the hosts need to trust the routers, the routers must have an X.509 certificate associated with their key pair. This certificate and the signature are transmitted in all RA messages. The certificate Subject field must include the prefixes that the router might announce. Because certificates

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

22

are issued by a trusted certification authority (CA), the IPv6 nodes can trust the information in the certificate. The certificates are exchanged by using two new messages that could be repeated if there is a long certificate chain when using subordinate CA: • Certification Path Solicitation (CPS):Used by a host to get the router certificate if the latter is not in its cache • Certification Path Advertisement (CPA):The router reply that contains the complete certificate Note: To prevent replay attacks with SeND, routers include a signed timestamp in their RA messages SeND configuration Steps SeND is available in host mode , To implement SeND, configure the host with the following parameters: • An RSA key pair used to generate CGA addresses on the interface. • A SeND modifier that is computed using the RSA key pair. • A key on the SeND interface. • CGAs on the SeND interface. • A Public Key Infrastructure (PKI) trustpoint, with minimum content; for example, the URL of the certificate server. A trust anchor certificate must be provisioned on the host. SeND is also available in router mode. You can use the ipv6 unicast-routing command to configure a node to a router. To implement SeND, configure routers with the same elements as that of the host. The routers will need to retrieve certificates of their own from a certificate server. The following operations need to be completed before SeND is configured on the host or router: • Hosts are configured with one or more trust anchors. • Hosts are configured with an RSA key pair or configured with the capability to locally generate it. Note that for hosts not establishing their own authority via a trust anchor, these keys are not certified by any CA. • Routers are configured with RSA keys and corresponding certificate chains, or the capability to obtain these certificate chains that match the host trust anchor at some level of the chain. Configuring CGA address To configure a CGA address on interface Ethernet 0/0. This example first generates a RSA key pair named SEND, Computes the SEND modifier, and finally assigns a CGA link-local and global unicast CGA to the interface Ethernet 0/0. crypto key generate rsa label SEND modulus 1024 ipv6 cga generate modifier rsakeypair SEND interface Ethernet0/0 ipv6 cga rsakeypair SEND ipv6 address FE80::/64 cga ipv6 address 2001:db8::/64 cga For more about Configuring SeND for IPv6 including:

Configuring Certificate Servers to Enable SeND

Configuring a Host to Enable SeND

Configuring a Router to Enable SeND

Implementing IPv6 SeND

CCIEv5 IPv6 FHS Quick Guide By CCSI: Yasser Auda

23

Configuring SeND Parameters Read the following link: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-

first_hop_security.html#wp1114080

Resources I used to collect info for this guide : IPV6 FHS http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-602135.html http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6-first-hop-security.html http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-s-book.pdf http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html Videos from INE: http://www.youtube.com/watch?v=Zv-stl5kRnI http://www.youtube.com/watch?v=UtsHZmb1CYc http://www.youtube.com/watch?v=goHublIvV-8 IPv6 Security https://supportforums.cisco.com/video/12192486/ipv6-security-video-live-webcast https://supportforums.cisco.com/document/12188991/ipv6-security-slides-live-webcast http://www.hackerhalted.com/2013/us/wp-content/uploads/2013/10/HH-Atlanta-2013-IPv6-Security-Scott-Hogg.pdf Videos from Cisco Get Your Build On YT Channel. http://www.youtube.com/watch?v=hf5QGxRtG4o http://www.youtube.com/watch?v=YbDg33vV-0E http://www.youtube.com/watch?v=QDyqV7u4HSY http://www.youtube.com/watch?v=-vOY0xXLoj0 http://www.youtube.com/watch?v=EjqimySPv7U Cisco IPv6 Guides per Feature & IOS Version. http://docwiki.cisco.com/wiki/Cisco_IOS_IPv6_Feature_Mapping#IPv6_Features Info about DHCPv6 https://supportforums.cisco.com/blog/153426/implementing-dhcpv6-introduction https://supportforums.cisco.com/document/116221/part-1-implementing-dhcpv6-stateful-dhcpv6 https://supportforums.cisco.com/document/116236/part-2-implementing-dhcpv6-stateless-dhcpv6 Good Luck CCSI: Yasser Auda https://www.facebook.com/YasserRamzyAuda https://learningnetwork.cisco.com/people/yasser.r.a?view=documents https://www.youtube.com/user/yasserramzyauda