IPv6 First Hop Security: IPv6 Security in the Access Layer
Stefan Portmann, Netcloud AG
Agenda
- Introduction
- The Layer 2 domain & IPv6
- Neighbor Discovery (ND) / Secure Neighbor Discovery (SeND)
- IPv6 First-Hop Security (FHS): RA Guard, IPv6 Snooping, DHCP Guard, Source/Prefix Guard, Destination Guard
- FHS Config Example
- FHS Platform Support
30.05.2013
Introduction
In many modern networks, the Layer 2 domain plays an increasingly important role: large campuses, very large data centers, server virtualization, Layer 2 mobility, etc. all result in larger Layer 2 domains. This change also brings an increasing number of challenges, such as security and scalability. In parallel, IPv6 has been gaining momentum as the next-generation IP while the IPv4 address space continues to run out. Layer 2 (and to some extent Layer 2/3) switches constitute the core of this Layer 2 domain, and their strategic position in the network provides a number of opportunities to secure this domain and to optimize link operations. These devices are referred to as "first hops".
Introduction
For many years, Cisco has been providing a suite of Catalyst Integrated Security Features (CISF) running on Catalyst switches to secure and optimize Layer 2 (L2) operations for IPv4 networks:
- IP Source Guard
- Dynamic ARP Inspection
- DHCP Snooping
- Port Security
In order to provide the same level of end-node protection on IPv6 or dual-stack networks, these L2 switches need to add a similar set of capabilities to address IPv6 link operations.
(Figure: rogue DHCP server scenario; labels: Innocent User, "I'm your DHCP server", "No, you're not!", "I'm the user", Email Server)
Quick overview on the Layer 2 domain & IPv6
What is specific to IPv6 on a subnet?
- More addresses! More hosts allowed on the subnet (up to 2^64!), resulting in much bigger subnets.
- More state (neighbor cache, etc.) on hosts, routers and switches: creates new opportunities for DoS attacks.
- New protocols: the IPv6 link-operations protocol is Neighbor Discovery.
- More distributed and more autonomous operations: nodes discover their default router automatically, nodes auto-configure their addresses, nodes defend themselves (SeND).
Fundamentals On Neighbor Discovery
Defined in:
- RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)
- RFC 4862 IPv6 Stateless Address Autoconfiguration
- RFC 3971 Secure Neighbor Discovery
- etc.
Used for:
- Router discovery
- IPv6 Stateless Address Autoconfiguration (SLAAC)
- IPv6 address resolution (replaces ARP)
- Neighbor Unreachability Detection (NUD) / Duplicate Address Detection (DAD)
- Redirection
Operates above ICMPv6; relies heavily on (link-local scope) multicast, combined with Layer 2 multicast. Works with ICMP messages and message "options".
Fundamentals On Neighbor Discovery (figure slide)
Secure Neighbor Discovery (SeND)
Enhances NDP with additional capabilities:
- Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated
- RSA signature option: protects all messages relating to neighbor and router discovery
- Timestamp and nonce options: prevent replay attacks
- Certification paths for authorized routers: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
Secure Neighbor Discovery (SeND)
- To benefit fully from SeND, nodes must be provisioned with CA certificate(s).
- A chain of trust is "easy" to establish within the administrative boundaries, but very hard outside.
- It is a two-player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux and a few others.
IPv6 RA Guard: Router Theft
Router Discovery Protocol:
- Discover default/first-hop routers
- Discover on-link prefixes
IPv6 RA Guard: Rogue or malicious routers - Vulnerability #1
- Attacker tricks the victim into accepting itself as default router, based on rogue Router Advertisements
- The most frequent threat, typically caused by a non-malicious user
- Many variants: preference, timing, final RA, etc.
IPv6 RA Guard: Rogue or malicious routers - Vulnerability #2
- Attacker spoofs a Router Advertisement with a false on-link prefix
- Victim generates a (topology-bogus) IP address with this prefix
- Access router drops outgoing packets from the victim (ingress filtering), or the return path is broken
IPv6 RA Guard
RAs are used by routers to announce themselves on the link. RA Guard blocks or rejects unwanted or rogue RA messages that arrive at the network switch platform. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers.
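The decision RA Guard makes, modelled in a few lines of Python as an added example (this is not Cisco's implementation nor code from the deck): parse an ICMPv6 Router Advertisement with its Prefix Information option, drop every RA on a host-role port, and on a router-role port accept only RAs whose prefixes fall inside an allowed list. The sample packets and the allowed prefix 2001:db8:1234::/48 are constructed; the checksum is left at zero because nothing is sent.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # ND Prefix Information option, length 4 (32 bytes)

def parse_ra(pkt):
    """Return the prefixes advertised in an ICMPv6 RA, or None if pkt is not an RA."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA:
        return None
    prefixes, off = [], 16  # 16-byte fixed RA header, then 8-byte-aligned TLV options
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        end = off + olen * 8
        if olen == 0 or end > len(pkt):
            raise ValueError("malformed ND option")   # RFC 4861: discard the packet
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = pkt[off + 2]                         # prefix length byte
            prefix_bytes = pkt[off + 16:off + 32]       # prefix field follows lifetimes
            prefixes.append(ipaddress.IPv6Network((prefix_bytes, plen), strict=False))
        off = end
    return prefixes

def ra_guard(pkt, device_role, allowed_prefixes):
    """RA Guard verdict for a frame received on a port with the given device-role:
    host ports never accept RAs (Vulnerability #1); router ports accept an RA only
    if every advertised prefix lies inside the allowed list (Vulnerability #2)."""
    prefixes = parse_ra(pkt)
    if prefixes is None:
        return "forward"            # not an RA: RA Guard does not act on it
    if device_role == "host":
        return "drop"               # any RA arriving from a host port is rogue by policy
    if all(any(p.subnet_of(a) for a in allowed_prefixes) for p in prefixes):
        return "forward"
    return "drop"                   # bogus on-link prefix

def build_ra(prefix, plen=64):
    """Constructed sample RA: fixed header plus one Prefix Information option (L and A set)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

# Constructed allowed list; mirrors the /48 used in the deck's config example.
ALLOWED = [ipaddress.IPv6Network("2001:db8:1234::/48")]
```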
IPv6 Snooping: Address Theft - Address Resolution Protocol
- Hosts reside on a shared "Layer 2 domain" (same link)
- When needed, a host resolves the IP address into a MAC address and creates a neighbor cache entry
- The entry is maintained with NUD or upon receipt of any updated LLA
- Last Come, First Served: good for mobility, bad for security!
IPv6 Snooping: Address Theft - Duplicate Address Detection
- Verify address uniqueness before using it
- Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
- Probe neighbors to verify nobody claims the address
IPv6 Snooping: Address Theft - Vulnerability #1
- Attacker can claim the victim's IP address
IPv6 Snooping: Address Theft - Vulnerability #2
- Attacker hijacks any of the victim's DAD attempts
- Victim can't configure an IP address and can't communicate
IPv6 Snooping
A database table of IPv6 neighbors connected to the switch is created from multiple sources of information, for example ND traffic, DHCP traffic and data traffic. This binding table is used by:
- ND Inspection (to validate the link-layer address (LLA))
- Per-port address limit
- Device tracking (binding of the neighbors to prevent spoofing and redirect attacks)
IPv6 DHCP Guard
The DHCP Guard can be used to prevent forged messages from being entered in the binding table. The DHCP Guard blocks DHCP server messages when they are received on ports that are not explicitly configured as facing a DHCP server or DHCP relay.
IPv6 Source/Prefix Guard
The IPv6 Source Guard uses the IPv6 binding table to install port ACLs that prevent a host from sending packets with an invalid IPv6 source address. Source addresses listed in the binding table are permitted on the switch port; all other traffic is blocked.
IPv6 Destination Guard
The Destination Guard helps in minimizing denial-of-service (DoS) attacks. It performs address resolution, based on the binding table, only for those addresses that are active on the link. This feature enables the filtering of IPv6 traffic based on the destination address, and blocks NDP resolution for destination addresses that are not found in the binding table.
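An added model, not from the deck or Cisco, of the binding table that IPv6 Snooping builds and the checks layered on it: learning does not let a later claim overwrite an existing binding (the counter to "last come, first served"), a per-port address limit caps neighbor-cache state, Source Guard permits only source addresses bound to the port, and Destination Guard resolves only bound destinations. Port names, MACs and addresses below are constructed.

```python
import ipaddress
from collections import defaultdict

class BindingTable:
    """Toy IPv6 binding table: address -> (port, MAC), with a per-port address limit."""

    def __init__(self, per_port_limit=4):
        self.per_port_limit = per_port_limit     # the snooping "address limit" per port
        self.bindings = {}                        # IPv6Address -> (port, mac)
        self.per_port = defaultdict(set)          # port -> set of bound addresses

    def learn(self, port, mac, ip):
        """Learn a binding from ND, DHCP or data traffic. Returns False if refused."""
        ip = ipaddress.IPv6Address(ip)
        owner = self.bindings.get(ip)
        if owner is not None and owner != (port, mac):
            return False          # address already bound elsewhere: refuse the theft
        if owner is None and len(self.per_port[port]) >= self.per_port_limit:
            return False          # per-port limit reached: contain neighbor-cache DoS
        self.bindings[ip] = (port, mac)
        self.per_port[port].add(ip)
        return True

    def source_guard(self, port, src_ip):
        """Source Guard: permit a packet only if its source is bound to this port."""
        owner = self.bindings.get(ipaddress.IPv6Address(src_ip))
        return "permit" if owner is not None and owner[0] == port else "drop"

    def destination_guard(self, dst_ip):
        """Destination Guard: trigger ND resolution only for bound destinations."""
        return "resolve" if ipaddress.IPv6Address(dst_ip) in self.bindings else "drop"
```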
FHS Config Example
ipv6 snooping policy POLICY-SNOOPING
!
ipv6 nd raguard policy POLICY-RAGUARD-HOST
 device-role host
ipv6 nd raguard policy POLICY-RAGUARD-ROUTER
 device-role router
!
ipv6 dhcp guard policy POLICY-DHCPGUARD-CLIENT
 device-role client
ipv6 dhcp guard policy POLICY-DHCPGUARD-SERVER
 device-role server
 match reply prefix-list PREFIX-LIST-DHCP-SERVER-RANGE
!
ipv6 prefix-list PREFIX-LIST-DHCP-SERVER-RANGE seq 5 permit 2001:DB8:1234::/48
FHS Config Example
vlan configuration 100
 ipv6 nd raguard attach-policy POLICY-RAGUARD-HOST
 ipv6 dhcp guard attach-policy POLICY-DHCPGUARD-CLIENT
 ipv6 snooping attach-policy POLICY-SNOOPING
!
interface GigabitEthernet0/1
 description *** Uplink Port ***
 ipv6 nd raguard attach-policy POLICY-RAGUARD-ROUTER
 ipv6 dhcp guard attach-policy POLICY-DHCPGUARD-SERVER
!
interface GigabitEthernet0/2
 description *** Access Port ***
 switchport access vlan 100
end
IPv6 First Hop Security Platform Support (table slide)
Were we able to answer your questions?! Thank you very much!