IPv6 infrastructure security features
4.2.c i RA Guard
General information on “IPv6 IS RA Guard”:
- On a shared L2 segment everyone can send out RAs
- Since there is no protection by default, an attacker can send out malicious RAs
- RAs are used by end devices to determine the IPv6 prefix and the default router (gateway)
- RA guard can be implemented to filter out bogus/malicious RAs
- This is done by setting ports as trusted (can send RAs) and untrusted (cannot send RAs)
- RA guard is only supported in the ingress direction
- RA guard has several device roles:
  - Host: Can only receive RAs from valid routers
  - Router: Can send/receive RAs
  - Monitor: Can receive valid and rogue RAs
  - Switch: RAs are trusted and flooded to synchronize states
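The following Python is an added illustration, not part of these notes and not Cisco code: it shows what an RA guard policy actually inspects by decoding an ICMPv6 Router Advertisement (flags, RFC 4191 router preference bits, Prefix Information and Source Link-layer Address options) and then applying a per-port decision. The role-to-verdict mapping is my reading of the bullets above (host ports never accept RAs, monitor/switch ports see everything, router ports are inspected) and the knob names only mirror the IOS policy sub-mode; the RA payloads are constructed in-line as test input and are never sent.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SOURCE_LLADDR = 1    # Source Link-layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
PREF_CODES = {0b01: "high", 0b00: "medium", 0b11: "low"}  # RFC 4191 Prf bits (0b10 reserved)
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed_flag: bool
    router_preference: str
    router_lifetime: int
    prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)
    source_lladdr: Optional[str] = None


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Decode the fixed RA header, then walk the TLV options (strict about lengths)."""
    if len(payload) < 16:
        raise ValueError("RA header truncated")
    itype, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if itype != ICMPV6_RA or code != 0:
        raise ValueError(f"not a Router Advertisement (type={itype}, code={code})")
    ra = RouterAdvertisement(hop, bool(flags & 0x80),
                             PREF_CODES.get((flags >> 3) & 0b11, "medium"), lifetime)
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("option header truncated")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                       # RFC 4861: zero option length is invalid
            raise ValueError("zero-length option")
        end = off + olen * 8                # option length is counted in 8-octet units
        if end > len(payload):
            raise ValueError("option body truncated")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            # body: prefix len, L/A flags, valid, preferred, reserved, then 16-byte prefix
            ra.prefixes.append(ipaddress.IPv6Network(
                (ipaddress.IPv6Address(body[14:30]), body[0]), strict=False))
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.source_lladdr = ":".join(f"{b:02x}" for b in body[:6])
        off = end
    return ra


@dataclass
class RaGuardPolicy:
    """Subset of RA guard policy knobs; names mirror the IOS policy sub-mode (assumption)."""
    device_role: str = "host"                   # host | router | monitor | switch
    trusted_port: bool = False                  # trusted-port: forward RAs uninspected
    allowed_prefixes: List[str] = field(default_factory=list)  # match ra prefix-list
    max_router_preference: str = "medium"       # router-preference maximum


def evaluate_ra(policy: RaGuardPolicy, payload: bytes) -> Tuple[str, str]:
    """Return ("permit" | "drop", reason) for an RA received on a port with this policy."""
    if policy.trusted_port or policy.device_role in ("monitor", "switch"):
        return "permit", f"{policy.device_role} role: RA forwarded without inspection"
    if policy.device_role == "host":
        return "drop", "host role: RAs are never accepted from this port"
    try:                                        # device-role router: inspect the RA
        ra = parse_ra(payload)
    except ValueError as exc:
        return "drop", f"malformed RA: {exc}"
    if PREF_RANK[ra.router_preference] > PREF_RANK[policy.max_router_preference]:
        return "drop", f"preference {ra.router_preference} above {policy.max_router_preference}"
    allowed = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for pfx in ra.prefixes:
        if allowed and not any(pfx.subnet_of(a) for a in allowed):
            return "drop", f"advertised prefix {pfx} not in the permitted prefix list"
    return "permit", "RA passed all policy checks"


def make_ra(flags: int, lifetime: int, prefix: str, mac_hex: str) -> bytes:
    """Constructed RA payload used only as test input here; nothing is transmitted."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + pio + bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(mac_hex)


# Constructed samples: a legitimate RA and one with Prf=high and an unexpected prefix
LEGIT_RA = make_ra(0x00, 1800, "2001:db8:1::/64", "001122334455")
ROGUE_RA = make_ra(0x08, 9000, "2001:db8:2::/64", "66778899aabb")
UPLINK = RaGuardPolicy(device_role="router", allowed_prefixes=["2001:db8:1::/48"])
ACCESS = RaGuardPolicy(device_role="host")
```

Calling `evaluate_ra(UPLINK, LEGIT_RA)` permits the RA while `evaluate_ra(UPLINK, ROGUE_RA)` and `evaluate_ra(ACCESS, LEGIT_RA)` both drop; the parser refuses truncated or zero-length options rather than guessing, which is the behaviour a guard must have, since a malformed RA that slips through is still an RA to the host.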
RA guard configuration steps:
- Define RA guard policy
- Apply RA guard policy to an interface
“IPv6 IS RA Guard” CLI configuration commands:
## Defining a RA guard policy
Switch(config)# ipv6 nd raguard policy [NAME]
Switch(config-nd-raguard)# device-role <role>
## Applying a RA guard policy to an interface
Switch(config)# interface <if>
Switch(config-if)# ipv6 nd raguard attach-policy [NAME]
“IPv6 IS RA Guard” CLI show commands:
## Showing interfaces configured with RA guard
Switch# show ipv6 nd raguard policy [NAME]
4.2.c ii DHCP Guard
General information on “IPv6 IS DHCP Guard”:
- Functionally equivalent to the IPv4 DHCP snooping feature
- Prevents ports from responding to DHCPv6 requests and blocks DHCPv6 Advertise/Reply messages
- DHCP guard has two device roles:
  - Client: Allows DHCPv6 Solicit and Request packets, blocks DHCPv6 Advertise and Reply packets
  - Server: Allows all DHCPv6 packets
- When setting the device role to server, additional configuration parameters appear:
  - match: Used in conjunction with access-lists to specify the allowed advertised prefixes and/or the source address of DHCPv6 messages
  - preference: Minimum/maximum values for the DHCPv6 Preference option can be defined; DHCPv6 messages whose preference lies outside the min/max range are filtered out
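As an added example (not from these notes or from Cisco), the Python below models the client/server role split and the server-only match/preference knobs described above: it parses a DHCPv6 message header and its options far enough to find the message type and the Preference option (code 7), drops server-originated messages (Advertise, Reply, Reconfigure) on client ports, and on server ports checks the sender against a permitted source list and the preference against a min/max range. Message type and option codes are the RFC 8415 values; the sample messages are constructed in-line and never sent.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# DHCPv6 message types (RFC 8415); only those the policy distinguishes are named
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE = 1, 2, 3, 7, 10
SERVER_ORIGINATED = {ADVERTISE, REPLY, RECONFIGURE}   # only a server should send these
OPTION_PREFERENCE = 7                                 # Preference option, 1-byte value


def parse_dhcpv6(payload: bytes) -> Tuple[int, Optional[int]]:
    """Return (msg_type, preference); preference is None when the option is absent."""
    if len(payload) < 4:                  # 1-byte msg-type + 3-byte transaction-id
        raise ValueError("DHCPv6 header truncated")
    msg_type, preference, off = payload[0], None, 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("option header truncated")
        code, length = struct.unpack("!HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("option body truncated")
        if code == OPTION_PREFERENCE and length == 1:
            preference = data[0]
        off += 4 + length
    return msg_type, preference


@dataclass
class DhcpGuardPolicy:
    """The two roles from the notes plus the server-only match/preference knobs."""
    device_role: str = "client"            # client | server
    allowed_servers: Tuple[str, ...] = ()  # match: permitted source prefixes of server messages
    preference_min: int = 0                # preference min
    preference_max: int = 255              # preference max


def evaluate_dhcpv6(policy: DhcpGuardPolicy, src_addr: str, payload: bytes) -> Tuple[str, str]:
    """Return ("permit" | "drop", reason) for a DHCPv6 message arriving on a guarded port."""
    try:
        msg_type, preference = parse_dhcpv6(payload)
    except ValueError as exc:
        return "drop", f"malformed DHCPv6: {exc}"
    if msg_type not in SERVER_ORIGINATED:
        return "permit", f"client message type {msg_type} is always allowed"
    if policy.device_role == "client":
        return "drop", f"server message type {msg_type} received on a client port"
    if policy.allowed_servers:
        src = ipaddress.IPv6Address(src_addr)
        if not any(src in ipaddress.IPv6Network(n) for n in policy.allowed_servers):
            return "drop", f"server source {src_addr} not in match list"
    if preference is not None and not (policy.preference_min <= preference <= policy.preference_max):
        return "drop", f"preference {preference} outside [{policy.preference_min}, {policy.preference_max}]"
    return "permit", f"server message type {msg_type} passed policy"


def sample_solicit() -> bytes:
    """Constructed Solicit: msg-type 1, xid 0xabcdef, Elapsed Time option (code 8, len 2)."""
    return bytes.fromhex("01abcdef" "0008" "0002" "0000")


def sample_advertise(preference: int) -> bytes:
    """Constructed Advertise: msg-type 2, xid 0xabcdef, Preference option (code 7, len 1)."""
    return bytes.fromhex("02abcdef" "0007" "0001") + bytes([preference])


CLIENT_PORT = DhcpGuardPolicy(device_role="client")
SERVER_PORT = DhcpGuardPolicy(device_role="server", allowed_servers=("2001:db8:1::/64",),
                              preference_max=200)
```

With these policies a Solicit is permitted on either port, an Advertise on the client port is dropped regardless of content, and on the server port an Advertise carrying preference 255 (the value that makes clients stop waiting for other offers) is dropped by the range check while one with preference 100 from an address inside the match list is permitted.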
DHCP guard configuration steps:
- Define DHCP guard policy
- Apply DHCP guard policy to an interface
“IPv6 IS DHCP Guard” CLI configuration commands:
## Defining a DHCP guard policy
Switch(config)# ipv6 dhcp guard policy [NAME]
Switch(config-dhcp-guard)# device-role <role>
## Applying a DHCP guard policy to an interface
Switch(config)# interface <if>
Switch(config-if)# ipv6 dhcp guard attach-policy [NAME]
“IPv6 IS DHCP Guard” CLI show commands:
## Showing interfaces configured with DHCP guard
Switch# show ipv6 dhcp guard policy
4.2.c iii Binding table
General information on “IPv6 IS Binding table”:
- Comparable to the IPv4 DHCP snooping table
- Contains IPv6 neighbors connected to the switch
- Used by various IPv6 FHS guard features (e.g. Source Guard)
- Validates the link-layer address, the IPv6 address and prefix binding of neighbors
- The binding table is populated automatically but static entries can be created
- Automatic population can be done with DHCPv6, ND inspection/snooping
“IPv6 IS Binding table” CLI configuration commands:
## Configuring a static IPv6 binding table entry
Switch(config)# ipv6 neighbor binding vlan <vlan-id> <ipv6-addr> interface <if> <mac-addr>
“IPv6 IS Binding table” CLI show commands:
## Showing the IPv6 binding table
Switch# show ipv6 neighbors binding
4.2.c iv Device tracking
General information on “IPv6 IS Device tracking”:
- Provides IPv6 host liveness tracking
- The neighbor table can be immediately updated when an IPv6 host disappears
- Binding table needs to be populated for device tracking to work
“IPv6 IS Device tracking” CLI configuration commands:
## Enabling Device tracking globally
Switch(config)# ipv6 neighbor tracking
4.2.c v ND inspection/snooping
General information on “IPv6 IS ND inspection/snooping”:
- Learns and secures bindings for SLAAC addresses in Layer 2 neighbor tables
- Analyzes ND messages (NS and NA) in order to build a trusted binding table database
- Any ND message is considered trustworthy if its IPv6-MAC mapping is verifiable
“IPv6 IS ND inspection/snooping” CLI configuration commands:
## Defining an ND inspection/snooping policy
Switch(config)# ipv6 nd inspection policy [NAME]
## Applying an ND inspection/snooping policy to an interface
Switch(config)# interface <if>
Switch(config-if)# ipv6 nd inspection attach-policy [NAME]
“IPv6 IS ND inspection/snooping” CLI show commands:
## Showing interfaces configured with ND inspection/snooping
Switch# show ipv6 nd inspection policy [NAME]
4.2.c vi Source Guard
General information on “IPv6 IS Source Guard”:
- Comparable to the IPv4 Source Guard feature
- Needs ND Inspection/Snooping and/or DHCP Guard enabled because it relies on the IPv6 binding table
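The Python below is an added example, not part of these notes and not Cisco code, that ties the binding table, device tracking, ND inspection and Source Guard sections together in one small model: ND inspection learns a (VLAN, address) to (MAC, port) binding from a Neighbor Advertisement only when its Target Link-layer Address option agrees with the frame's source MAC, the table refuses to overwrite an existing binding with a conflicting one, device tracking ages out entries that have not been seen within a reachable time, and the Source Guard check forwards a data packet only when its source address, MAC and port match a binding. The `permit link-local` and `deny global-autoconf` semantics are my reading of the policy commands shown below (link-local sources pass without a binding; global addresses learned via ND rather than DHCP are denied); the NA payload is constructed in-line as test input and never sent.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ICMPV6_NA = 136          # ICMPv6 type: Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2    # Target Link-layer Address option


@dataclass
class Binding:
    vlan: int
    address: ipaddress.IPv6Address
    mac: str
    interface: str
    origin: str         # "nd" (learned by ND inspection), "dhcp", or "static"
    last_seen: float    # device tracking: when this host last proved it was alive


class BindingTable:
    """IPv6 binding table keyed by (vlan, address): one owner (MAC, port) per address."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, ipaddress.IPv6Address], Binding] = {}

    def add(self, vlan: int, address: str, mac: str, interface: str,
            origin: str, now: float) -> Optional[Binding]:
        key = (vlan, ipaddress.IPv6Address(address))
        cur = self.entries.get(key)
        if cur is not None and origin != "static":
            if cur.origin == "static" or (cur.mac, cur.interface) != (mac, interface):
                return None        # binding conflict: the existing entry wins, nothing learned
            cur.last_seen = now    # same host seen again: refresh liveness only
            return cur
        self.entries[key] = Binding(vlan, key[1], mac, interface, origin, now)
        return self.entries[key]

    def learn_from_na(self, vlan: int, interface: str, src_mac: str,
                      payload: bytes, now: float) -> Optional[Binding]:
        """ND inspection: learn target->MAC from an NA only if its TLL option matches src_mac."""
        if len(payload) < 24 or payload[0] != ICMPV6_NA or payload[1] != 0:
            raise ValueError("not a well-formed Neighbor Advertisement")
        target = ipaddress.IPv6Address(payload[8:24])
        tll, off = None, 24
        while off < len(payload):
            if off + 2 > len(payload) or payload[off + 1] == 0:
                raise ValueError("bad ND option header")
            end = off + payload[off + 1] * 8          # option length in 8-octet units
            if end > len(payload):
                raise ValueError("ND option truncated")
            if payload[off] == OPT_TARGET_LLADDR and payload[off + 1] == 1:
                tll = ":".join(f"{b:02x}" for b in payload[off + 2:off + 8])
            off = end
        if tll != src_mac:
            return None            # IPv6-MAC mapping not verifiable: NA is not trusted
        return self.add(vlan, str(target), src_mac, interface, "nd", now)

    def expire(self, now: float, reachable_time: float) -> int:
        """Device tracking: remove learned entries whose host has gone quiet."""
        stale = [k for k, b in self.entries.items()
                 if b.origin != "static" and now - b.last_seen > reachable_time]
        for k in stale:
            del self.entries[k]
        return len(stale)


@dataclass
class SourceGuardPolicy:
    permit_link_local: bool = False       # permit link-local
    deny_global_autoconf: bool = False    # deny global-autoconf


def source_guard_check(table: BindingTable, policy: SourceGuardPolicy, vlan: int,
                       interface: str, src_mac: str, src_addr: str) -> Tuple[str, str]:
    """Forward a data packet only if (source address, MAC, port) matches a binding."""
    addr = ipaddress.IPv6Address(src_addr)
    if addr.is_link_local and policy.permit_link_local:
        return "permit", "link-local source permitted by policy"
    b = table.entries.get((vlan, addr))
    if b is None:
        return "drop", f"no binding for {src_addr} in VLAN {vlan}"
    if (b.mac, b.interface) != (src_mac, interface):
        return "drop", f"{src_addr} is bound to {b.mac} on {b.interface}"
    if policy.deny_global_autoconf and b.origin == "nd" and not addr.is_link_local:
        return "drop", "auto-configured (SLAAC) global address denied by policy"
    return "permit", "source matches its binding"


def sample_na(mac_hex: str = "001122334455") -> bytes:
    """Constructed NA for 2001:db8:1::10 with a TLL option (test input only, never sent)."""
    hdr = struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0x20000000)   # R=0 S=0 O=1
    return (hdr + ipaddress.IPv6Address("2001:db8:1::10").packed
            + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac_hex))
```

Walking through it: the host on Gi1/0/5 with MAC 00:11:22:33:44:55 gets a binding from its NA; the same NA relayed from a different MAC on Gi1/0/6 is not learned (TLL mismatch), and an NA that does carry the second MAC is rejected as a conflict because the address is already bound; the Source Guard check then passes traffic from the real owner, drops the same source address from the other port, and after `expire()` ages the binding out the owner is dropped too until it is seen again, which is exactly why the notes say Source Guard depends on a populated binding table.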
“IPv6 IS Source Guard” CLI configuration commands:
## Defining a Source Guard policy
Switch(config)# ipv6 source-guard policy [NAME]
Switch(config-sisf-sourceguard)# deny global-autoconf
Switch(config-sisf-sourceguard)# permit link-local
## Applying a Source Guard policy to an interface
Switch(config)# interface <if>
Switch(config-if)# ipv6 source-guard attach-policy [NAME]
“IPv6 IS Source Guard” CLI show commands:
## Showing interfaces configured with Source Guard
Switch# show ipv6 source-guard policy [NAME]