
Page 1: Regional  Cisco Networking Academy  Conference 2014

© 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada

Regional Cisco Networking Academy Conference 2014

Giving you the knowledge and confidence to teach IPv6

Getting and using IPv6
ICMPv6: A Closer Look
Securing IPv6

Rick Graziani
CS/CIS Instructor, Cabrillo College

Page 2:

Who am I?

• Rick Graziani - [email protected]

• CS/CIS instructor at Cabrillo College, Santa Cruz, California

• Cisco Networking Academy instructor since 1997

• Run native IPv6 at Cabrillo College and home

• Curriculum Development Team for Cisco Networking Academy

• When not working, hopefully I’m surfing.

Page 3:

“I understand IPv4, but how does it work for IPv6?”

CCNA: IPv6 Basics, Routing IPv6, ICMPv6 ND
CCNP (ROUTE, SWITCH, TSHOOT): Address allocation (DHCP), Address resolution (ARP), Solicited Node Multicast, Mitigating attacks

Page 4:

Topics

• Getting and Using IPv6:
  • Getting IPv6: PA versus PI Address Space
  • Using IPv6: Happy Eyeballs
• ICMPv6
  • Dynamic Address Allocation
  • RS and RA Message details
  • Ethernet Multicast Addresses for IPv6
  • Address Resolution
  • Comparison with ARP
  • Solicited Node Multicast
  • NS and NA Message details
  • Neighbor Cache details
• Securing IPv6
  • RA Guard
  • DHCPv6 Guard
  • Neighbor Cache Exhaustion Mitigation
  • /127 for point-to-point addresses
  • Other stuff for IPv6 security
• Tomorrow: Flavors of DHCPv6
  • SLAAC – IPv6 Addressing without DHCPv6
  • Stateless DHCPv6 – I have my address but need some other stuff
  • Stateful DHCPv6 – Just like DHCPv4 (only different)
  • DHCPv6-PD (Prefix Delegation) – IPv6 Prefix for the “home”

Page 5:

PI and PA

Page 6:

Global Routing Prefixes

Address structure: Global Routing Prefix | Subnet ID | Interface ID

/23  RIR*
/32  ISP Prefix*
/48  Site Prefix*
/56  Possible Home Site Prefix
/64  Subnet Prefix

* This is a minimum allocation. The prefix-length may be less if it can be justified.

Comcast is giving me a /64 at home

Page 7:

PA versus PI Address Space

• Provider Aggregatable (PA) Address Space - Address space that is typically assigned by an ISP to a customer.
  • Change provider, must get new address space
  • Customer must do prefix renumbering (Helpful IETF RFCs)
• Provider Independent (PI) Address Space – Address space that is assigned by the RIR.
  • Remains assigned to the customer regardless of provider
  • No prefix renumbering needed if change providers

Diagram: Global Routing Prefix (/32 from the ISP, /48 to the site) | Subnets | Interface ID

https://www.arin.net/fees/fee_schedule.html

Page 8:

PA versus PI Address Space

• Provider Aggregatable (PA) Address Space (/48)
  • PA if you are single homed
• Provider Independent (PI) Address Space (/32)
  • Great for organizations who want to multihome to different ISPs
  • Check with the upstream ISP whether they will route it or not
  • Especially when the PI prefix is not local in the region (ARIN, APNIC, …) – can have asymmetric routing issues
• ftp://ftp.ripe.net/ripe/docs/ripe-127.txt
• http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html

Diagram: CPE connected to ISP-A (US) and ISP-B (Europe); routing labels Static, IGP and BGP on the links

Page 9:

Happy Eyeballs

Page 10:

RFC6555 Happy Eyeballs: Success with Dual-Stack Hosts

Page 11:

RFC6555 Happy Eyeballs: Success with Dual-Stack Hosts

• The dual-stack code may get two addresses back from DNS…
• Which one does it use?
• In order to use applications over IPv6, it is necessary that users enjoy nearly identical performance as compared to IPv4.

Diagram: host with an IPv4 path and an IPv6 path to the server

Page 12:

RFC6555 Happy Eyeballs: Success with Dual-Stack Hosts

Diagram: host resolving and connecting to www.facebook.com
  Query A record? www.facebook.com
  Query AAAA record? www.facebook.com
  Connect to: 31.13.77.65
  Connect to: 2a03:2880:f016:401:face:b00c:01:1
  GET HTTP/1.1 www.facebook.com

Page 13:

Happy Eyeballs in a nutshell

• In reality it depends on how the OS and application wants to handle it.

Timeline (first come, first served):
  User: “www.example.com”
  Attempt IPv6 lookup and connect
  Attempt IPv4 lookup and connect (300ms shown between the two attempts)
  Retrieve and display
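The race described on this slide, as an added example that is not part of the deck: an IPv6 connect attempt is started first, the IPv4 attempt is started after a fallback delay, and whichever succeeds first is used while the other is cancelled. The connector is injected (`make_simulated_connector`, `run_scenario` and the addresses 2001:db8::1 and 192.0.2.1 are all assumptions for this example) so the race runs offline with simulated latencies instead of real sockets.

```python
import asyncio
from typing import Awaitable, Callable, Dict, Optional, Set

# Hypothetical connector: "connect" to one address and return a label for the
# transport that answered. A real one would open a TCP socket; here it is
# injected so the race can run offline with simulated latencies.
Connector = Callable[[str], Awaitable[str]]


async def happy_eyeballs(v6_addr: Optional[str], v4_addr: Optional[str],
                         connect: Connector, fallback_delay: float = 0.3) -> str:
    """Start the IPv6 attempt first; start IPv4 after fallback_delay (or at
    once if there is no IPv6 address). The first attempt to succeed wins and
    the other is cancelled; if every attempt fails, the last error is raised."""
    tasks = []
    if v6_addr is not None:
        tasks.append(asyncio.create_task(connect(v6_addr)))
    if v4_addr is not None:
        async def delayed_v4() -> str:
            if v6_addr is not None:
                await asyncio.sleep(fallback_delay)
            return await connect(v4_addr)
        tasks.append(asyncio.create_task(delayed_v4()))
    if not tasks:
        raise OSError("no address to connect to")
    pending = set(tasks)
    last_error: Optional[BaseException] = None
    try:
        while pending:
            done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    return task.result()        # first come, first served
                last_error = task.exception()
        raise OSError("all connection attempts failed") from last_error
    finally:
        for task in pending:                    # do not leave the loser running
            task.cancel()


def make_simulated_connector(latency: Dict[str, float], broken: Set[str]) -> Connector:
    """Connector that answers after latency[addr] seconds, or refuses if broken."""
    async def connect(addr: str) -> str:
        await asyncio.sleep(latency[addr])
        if addr in broken:
            raise ConnectionRefusedError("simulated refusal from %s" % addr)
        return addr
    return connect


def run_scenario(v6_latency: float, v4_latency: float, v6_broken: bool = False) -> str:
    """Race constructed example addresses and report which one the host used."""
    v6, v4 = "2001:db8::1", "192.0.2.1"          # documentation addresses, constructed
    connect = make_simulated_connector({v6: v6_latency, v4: v4_latency},
                                       {v6} if v6_broken else set())
    return asyncio.run(happy_eyeballs(v6, v4, connect, fallback_delay=0.3))


if __name__ == "__main__":
    print("fast IPv6:         ", run_scenario(0.05, 0.01))                 # IPv6 wins
    print("slow IPv6 (500 ms):", run_scenario(0.50, 0.01))                 # IPv4 wins at ~310 ms
    print("IPv6 refused:      ", run_scenario(0.05, 0.01, v6_broken=True))  # fallback to IPv4
```

Note the simplification: when the IPv6 attempt fails outright the code still waits out the full fallback delay before trying IPv4; a production implementation would start the IPv4 attempt immediately on that failure.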

Page 14:

ICMPv6

Page 15:

Internet Control Message Protocol (ICMPv6)

• Described in RFC 4443
• Much more robust than ICMP for IPv4
• Contains new functionality and improvements.
• More than just “messaging” but “how IPv6 conducts business”.
• General message similar to ICMP for IPv4
• Also uses Type and Code fields like in ICMPv4.

IPv6 Next Header Value: 58 decimal or 3A hexadecimal

Packet layout: IPv6 Header (Next Header = 58) | ICMPv6 Header | ICMPv6 Message Body (the IPv6 data)

Page 16:

Neighbor Discovery Protocol Uses ICMPv6

• ICMPv6 informational messages used by Neighbor Discovery (RFC 4861):
  • Router Solicitation Message
  • Router Advertisement Message
    • Used with dynamic configuration of IPv6 addresses
    • Uses assigned multicast addresses
    • Router-Device Messaging
  • Neighbor Solicitation Message
  • Neighbor Advertisement Message
    • Used with neighbor discovery (IPv4 ARP)
    • Uses solicited node multicast address and assigned multicast
    • Device-Device Messaging
  • Redirect Message (Similar to ICMPv4)

Page 17:

IPv6 Multicast and Neighbor Discovery

IPv6 Addressing: Unicast | Multicast | Anycast
Multicast: Assigned (FF00::/8) | Solicited Node (FF02::1:FF00:0000/104)

• Assigned multicast → ICMPv6 Neighbor Discovery: Router Solicitation / Router Advertisement → Dynamically obtaining an IPv6 address
• Solicited Node multicast → ICMPv6 Neighbor Discovery: Neighbor Solicitation → Address resolution: IPv6 equivalent of ARP

Page 18:

ICMPv6: Neighbor Discovery and Address Allocation

Page 19:

IPv4 Dynamic Addresses

Diagram: host obtaining its IPv4 address from a DHCP Server

Page 20:

With IPv6 it begins with the Router Advertisement

• The Router Advertisement (RA) tells hosts how they will receive IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.

Diagram (ICMPv6 Neighbor Discovery: Router Solicitation / Router Advertisement):
  Host → ICMPv6 Router Solicitation, to all IPv6 routers: “I need IPv6 address information”
  Router → ICMPv6 Router Advertisement, to all IPv6 devices: “Let me tell you how to do this …”
  A DHCPv6 Server is also on the link

Page 21:

A Router Must Be Enabled as an “IPv6 Router”

Router Advertisement/Solicitation Messages
• Part of ICMPv6 (Internet Control Message Protocol for IPv6)
• Router Advertisements are sent by an “IPv6 router” – ipv6 unicast-routing command
  • Forwards IPv6 Packets
  • Can be enabled for IPv6 static and dynamic routing
  • Sends ICMPv6 Router Advertisements
• Note: Routers can be configured with IPv6 addresses without being an IPv6 router

R1(config)# ipv6 unicast-routing

Diagram: R1 sends an ICMPv6 Router Advertisement; a DHCPv6 Server is also on the link

Page 22:

SLAAC (Stateless Address Autoconfiguration)

R1(config)# ipv6 unicast-routing

Option 1: SLAAC (Default on Cisco routers) – “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address – “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.”
Option 3: All addressing except default gateway – DHCPv6 – “I can’t help you. Ask a DHCPv6 server for all your information.”

• Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 Server does not maintain state of addresses
• Option 3: Stateful Address Configuration – Address received from DHCPv6 Server

Diagram: RA from R1; DHCPv6 Server on the link

Page 23:

Router Advertisement – Option 1 SLAAC

Diagram (R1 on 2001:DB8:CAFE:1::/64):
  1. RS – To: FF02::2 (All IPv6 Routers), From: FE80::50A5:8A35:A5BB:66E1 (Link-local address), ICMPv6 RS Message
  2. RA – To: FF02::1 (All IPv6 devices), From: FE80::1 (Link-local address), ICMPv6 RA Message, Prefix: 2001:DB8:CAFE:1::, Prefix-length: /64

Page 24:

Router Solicitation (RS) from PC1

Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:00:00:00:02
Internet Protocol Version 6
    0110 .... = Version: 6
    [Traffic class and Flowlabel not shown]
    Payload length: 16
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::50a5:8a35:a5bb:66e1
    Destination: ff02::2
Internet Control Message Protocol v6
    Type: 133 (Router solicitation)
    Code: 0
    Checksum: 0x3277 [correct]
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:21:9b:d9:c6:44

Annotations:
• Dst 33:33:00:00:00:02 – Ethernet multicast MAC address, maps to “all IPv6 routers”
• Next header 0x3a – Next header is an ICMPv6 header
• Source fe80::50a5:8a35:a5bb:66e1 – Link-local address of PC1
• Destination ff02::2 – All-IPv6-routers multicast address
• Type 133 – Router Solicitation message
• Link-layer address – MAC address of PC1, but the RA is sent as all-IPv6-host multicast

Page 25:

R1(config)# ipv6 unicast-routing

R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2            <- All-routers multicast group
    FF02::1:FF00:1
  MTU is 1500 bytes
  <output omitted for brevity>
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#

Page 26:

Router Advertisement (RA) from Router R1

Ethernet II, Src: 00:03:6b:e9:d4:80, Dst: 33:33:00:00:00:01
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::1
    Destination: ff02::1

Annotations:
• Dst 33:33:00:00:00:01 – Ethernet multicast MAC address, maps to “All-IPv6 devices”
• Next header 0x3a – Next Header is an ICMPv6 header
• Source fe80::1 – Link-local address of R1. Added to the Default Router List and is the address hosts will use as their default gateway
• Destination ff02::1 – All-IPv6 devices multicast

Page 27:

Router Advertisement from Router R1 – some fields omitted

Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Cur hop limit: 64
    Flags: 0x00
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:03:6b:e9:d4:80
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix Length: 64
        Prefix: 2001:db8:cafe:1::

Annotations:
• Cur hop limit 64 – Recommended Hop Limit value for hosts
• Flags 0x00 – M and O flags indicate that no information is available via DHCPv6
• Link-layer address – Router R1’s MAC address
• MTU 1500 – MTU of the link.
• Prefix Length 64 – Prefix-length (/64) to be used for autoconfiguration.
• Prefix 2001:db8:cafe:1:: – Prefix of this network to be used for autoconfiguration

Page 28:

M and O Flags

• M Flag: Managed Address Configuration flag
  • Tells the host whether to use the configuration information in this Router Advertisement (SLAAC by default) or to get all of its information from a stateful DHCPv6 server.
• O Flag: Other Configuration flag
  • When SLAAC is being used (using the RA), it tells the host whether more information (like DNS) is available from a stateless DHCPv6 server.

Router Advertisement message:
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Cur hop limit: 64
    Flags: 0x00
    <output omitted for brevity>

M and O flags: Both 0, no additional information from DHCPv6 server
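To make the RA fields on the last three slides concrete, here is an added example (not code from the deck) that serializes a Router Advertisement with the same values as the capture, computes the ICMPv6 checksum over the IPv6 pseudo-header (RFC 4443), and parses it back: M and O flags, and the Source link-layer address, MTU and Prefix Information options. The function names `build_ra`, `parse_ra`, `icmpv6_checksum` and `address_config_mode` are assumptions for this example, and the bytes in `R1_RA` are constructed to mirror the capture, not the captured frame itself. The parser rejects a bad checksum and a zero-length option, which RFC 4861 requires receivers to discard.

```python
import ipaddress
import struct
from typing import Any, Dict

ICMPV6_NEXT_HEADER = 58      # IPv6 Next Header value for ICMPv6 (0x3a)
ND_ROUTER_ADVERT = 134       # ICMPv6 Type of a Router Advertisement
OPT_SOURCE_LLADDR = 1        # ND option types seen in the capture
OPT_PREFIX_INFO = 3
OPT_MTU = 5
RA_FLAG_M = 0x80             # Managed address configuration
RA_FLAG_O = 0x40             # Other configuration
PIO_FLAG_L = 0x80            # Prefix is on-link
PIO_FLAG_A = 0x40            # Prefix may be used for SLAAC (autonomous)


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """RFC 4443 checksum: one's-complement sum over the IPv6 pseudo-header
    (source, destination, upper-layer length, 3 zero bytes, Next Header 58)
    followed by the ICMPv6 message whose checksum field is zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, dst, hop_limit, m, o, router_lifetime, lladdr, mtu, prefix, prefix_len):
    """Serialize an RA: 16-byte header plus SLLA, MTU and Prefix Information options."""
    flags = (RA_FLAG_M if m else 0) | (RA_FLAG_O if o else 0)
    # Type, Code, Checksum (0 until computed), Cur Hop Limit, Flags,
    # Router Lifetime, Reachable Time, Retrans Timer
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags, router_lifetime, 0, 0)
    # Option lengths on the wire are in 8-octet units (Wireshark shows bytes)
    msg += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, PIO_FLAG_L | PIO_FLAG_A,
                       2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_ra(src: str, dst: str, packet: bytes) -> Dict[str, Any]:
    """Decode an RA, verifying the checksum and rejecting malformed options."""
    if len(packet) < 16:
        raise ValueError("truncated RA header")
    typ, code, csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", packet[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(src, dst, packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        raise ValueError("bad ICMPv6 checksum")
    ra = {"cur_hop_limit": hop, "M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O),
          "router_lifetime": lifetime, "options": {}}
    off = 16
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated ND option header")
        otype, olen = packet[off], packet[off + 1]
        if olen == 0:                              # RFC 4861 4.6: zero length is invalid
            raise ValueError("zero-length ND option")
        body = packet[off + 2: off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_SOURCE_LLADDR:
            ra["options"]["source_lladdr"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_MTU:
            ra["options"]["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["options"]["prefix"] = {
                "prefix": "%s/%d" % (ipaddress.IPv6Address(body[14:30]), plen),
                "on_link": bool(pflags & PIO_FLAG_L), "autonomous": bool(pflags & PIO_FLAG_A),
                "valid": valid, "preferred": preferred}
        off += olen * 8                            # unknown options are skipped, as RFC 4861 says
    return ra


def address_config_mode(ra: Dict[str, Any]) -> str:
    """What the M and O flags tell a host (the three options on slide 22)."""
    if ra["M"]:
        return "stateful DHCPv6"
    if ra["O"]:
        return "SLAAC + stateless DHCPv6"
    return "SLAAC"


# Constructed sample modelled on the capture above (not the captured bytes themselves)
R1_RA = build_ra("fe80::1", "ff02::1", hop_limit=64, m=False, o=False, router_lifetime=1800,
                 lladdr="00:03:6b:e9:d4:80", mtu=1500, prefix="2001:db8:cafe:1::", prefix_len=64)
```

Running `parse_ra("fe80::1", "ff02::1", R1_RA)` gives M and O both False, so `address_config_mode` reports plain SLAAC, matching the annotation on the slide; flip any header bit and the checksum check rejects the packet.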

Page 29:

Mapping IPv6 Multicast Address to an Ethernet MAC Address

FF02:0000:0000:0000:0000:0000:0000:0002 → 33:33:00:00:00:02

• 48-bit MAC addresses in the range from 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast.
• Low-order 32 bits of IPv6 multicast address mapped to low-order 32 bits of MAC address.
• Remember, source addresses are always a unicast.
• RFC 7042 Historical note: It was the custom during IPv6 design to use "3" for unknown or example values, and 3333 Coyote Hill Road, Palo Alto, California, is the address of PARC (Palo Alto Research Center, formerly "Xerox PARC"). Ethernet was initially developed at Xerox PARC.

Frame layout: Ethernet Header (D-MAC = corresponding destination MAC address for the RS) | IPv6 Header (D-IPv6 = All IPv6 Routers multicast address for the RS) | Data | FCS

Page 30:

Ethernet MAC Addresses in RS and RA Messages

Diagram (R1 on 2001:DB8:CAFE:1::/64):
  1. RS – Ethernet Dst: 33:33:00:00:00:02, Src: 00:21:9b:d9:c6:44 – To: FF02::2 (All IPv6 Routers), From: FE80::50A5:8A35:A5BB:66E1 (Link-local address), ICMPv6 RS Message
  2. RA – Ethernet Dst: 33:33:00:00:00:01, Src: 00:03:6b:e9:d4:80 – To: FF02::1 (All IPv6 devices), From: FE80::1 (Link-local address), ICMPv6 RA Message

“But how does this help anything?” “Because I will filter on multicast MAC addresses!”

Page 31:

PC Processes the following IPv6 and Ethernet MAC Addresses

• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from:
  • Any assigned multicast address such as All-IPv6-Devices.
  • Any solicited node multicasts… what?
• A host NIC would not accept frames looking for an IPv6 router using the Destination MAC address 33:33:00:00:00:02

                                IPv6 Address   Ethernet MAC
  Ethernet NIC                  N/A            00-21-9b-d9-c6-44
  Multicast (All-IPv6-Devices)  FF02::1        33-33-00-00-00-01

* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.

Page 32:

ICMPv6: Neighbor Discovery and Address Resolution (ARP in IPv4)

Page 33:

IPv6 Multicast and Neighbor Discovery

IPv6 Addressing: Unicast | Multicast | Anycast
Multicast: Assigned (FF00::/8) | Solicited Node (FF02::1:FF00:0000/104)

• Assigned multicast → ICMPv6 Neighbor Discovery: Router Solicitation / Router Advertisement → Dynamically obtaining an IPv6 address
• Solicited Node multicast → ICMPv6 Neighbor Discovery: Neighbor Solicitation → Address resolution: IPv6 equivalent of ARP

Page 34:

Address Resolution: IP to MAC Mapping

IP to data link (MAC) address mapping:
• IPv4 addresses use ARP
• IPv6 addressing uses ICMPv6 Neighbor Discovery messages
  • Neighbor Solicitation
  • Neighbor Advertisement
• Devices store this mapping in their Neighbor Cache

Diagram (PC1 and PC2):
  IPv4: 1. ARP Request – “Know IPv4, what is the MAC?”  2. ARP Reply – “My IPv4! Here is the MAC.”  3. ARP Cache
  IPv6: 1. Neighbor Solicitation – “Know IPv6, what is the MAC?”  2. Neighbor Advertisement – “My IPv6! Here is the MAC.”  3. Neighbor Cache

Page 35:

Address Resolution: IP to MAC Mapping

IPv4: ARP over Ethernet – ARP Request/Reply | Ethernet
IPv6: ICMPv6 over IPv6 over Ethernet – ICMPv6 Neighbor Solicitation/Advertisement | IPv6 Header | Ethernet

Diagram (PC1 and PC2):
  IPv4: 1. ARP Request (Broadcast) – “Know IPv4, what is the MAC?”  2. ARP Reply – “My IPv4! Here is the MAC.”
  IPv6: 1. Neighbor Solicitation (Solicited Node Multicast) – “Know IPv6, what is the MAC?”  2. Neighbor Advertisement – “My IPv6! Here is the MAC.”

Page 36:

What is a solicited node multicast address?

• A layer 3 multicast address with link-local scope “FF02” (within the subnet/VLAN).
• There is a solicited node multicast address for every IPv6 unicast (or anycast) address including:
  • Global Unicast Address (GUA)
  • Link-local Address
• Used in Neighbor Solicitation messages during:
  • Address Resolution (ARP for IPv4)
  • Duplicate Address Detection (DAD)

PC2               Unicast Address              Solicited Node Multicast
  Global Unicast  2001:DB8:CAFE:1::20          FF02::1:FF00:20
  Link-local      FE80::1111:2222:3333:4444    FF02::1:FF33:4444

Page 37:

How is it created?

• There is a direct relationship between the unicast/anycast address and its solicited node multicast address.
• The solicited node multicast address is formed by:
  • Prefix FF02:0:0:0:0:1:FF00::/104 (FF02::1:FFxx:xxxx)
  • Append the low-order 24 bits of the address (unicast or anycast)
• Like other multicast addresses, solicited node multicast addresses are also mapped to an Ethernet MAC address. (next)

PC2               Unicast Address              Solicited Node Multicast
  Global Unicast  2001:DB8:CAFE:1::20          FF02::1:FF00:20
  Link-local      FE80::1111:2222:3333:4444    FF02::1:FF33:4444

Page 38:

Solicited Node Multicast Example

PC2’s IPv6 global unicast address:            2001:DB8:CAFE:1::200
PC2’s IPv6 solicited-node multicast address:  FF02::1:FF00:200
PC2’s mapped Ethernet multicast address:      33-33-FF-00-02-00

Global unicast address (Global Routing Prefix | Subnet ID | Interface ID):
  2001:0DB8:CAFE | 0001 | 0000:0000:00 | 00:0200        (the low-order 24 bits, 00:0200, are copied)
Solicited-node multicast address (104-bit prefix | 24 bits):
  FF02:0000:0000:0000:0000:0001:FF | 00:0200
Ethernet destination MAC (33-33 | low-order 32 bits of the IPv6 multicast address):
  33-33 | FF-00-02-00

• Solicited-node multicast address mapped to Ethernet destination MAC address
• Ability to filter at the NIC
• Low-order 32 bits of IPv6 multicast address mapped to low-order 32 bits of MAC address.

Page 39:

• Although rare, solicited node multicast addresses may not be unique.
  • Possible to have multiple devices with the same solicited node multicast address (and same Ethernet multicast) if the low-order 24 bits match
  • High-order 40 bits of Interface ID may differ.
• But that is ok... Upper layer protocols like ICMPv6 contain target address (coming)

       Unicast Address                            Solicited Node Multicast
  PCA  Global Unicast 2001:DB8:CAFE:1:AAAA::200   FF02::1:FF00:200
  PCB  Global Unicast 2001:DB8:CAFE:1:BBBB::200   FF02::1:FF00:200

  2001:0DB8:CAFE | 0001 | AAAA:0000:00 | 00:0200
  2001:0DB8:CAFE | 0001 | BBBB:0000:00 | 00:0200     (low-order 24 bits: same for both)
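The construction on slides 37 to 39 (prefix FF02::1:FF00:0/104 plus the low-order 24 bits, then 33-33 plus the low-order 32 bits for the MAC), as an added example that is not part of the deck. The function names `solicited_node_multicast`, `multicast_mac`, `groups_for_host` and `nic_accepts` are assumptions for this example. It also shows the two consequences the slides draw: PCA and PCB from slide 39 land on the same group, and a NIC configured for PC2's addresses accepts PC2's solicited-node frames and all-nodes frames but not the all-routers MAC 33:33:00:00:00:02.

```python
import ipaddress
from typing import Dict, Iterable

# FF02::1:FF00:0/104: the 104-bit prefix shared by every solicited-node address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group for a unicast/anycast address: prefix + low-order 24 bits."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        raise ValueError("%s is multicast; solicited-node groups derive from unicast/anycast" % a)
    low24 = int(a) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(group: str) -> str:
    """Ethernet MAC for an IPv6 multicast group: 33-33 + low-order 32 bits (RFC 2464)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("%s is not an IPv6 multicast address" % g)
    low32 = int(g) & 0xFFFFFFFF
    return "33-33-" + "-".join("%02X" % b for b in low32.to_bytes(4, "big"))


def groups_for_host(unicast_addrs: Iterable[str]) -> Dict[str, str]:
    """Multicast groups (group -> MAC) a NIC must accept for these addresses:
    all-nodes plus one solicited-node group per address. Addresses whose
    low-order 24 bits coincide collapse onto one group (slide 39), so the
    result can have fewer entries than there are addresses."""
    groups = {str(ALL_NODES): multicast_mac(str(ALL_NODES))}
    for u in unicast_addrs:
        sn = str(solicited_node_multicast(u))
        groups[sn] = multicast_mac(sn)
    return groups


def _norm(mac: str) -> str:
    return mac.replace(":", "-").upper()


def nic_accepts(frame_dst_mac: str, unicast_addrs: Iterable[str], own_mac: str) -> bool:
    """Would a NIC with these addresses pass a frame with this destination MAC up the stack?
    (Broadcast and other protocols' groups are ignored, as on the slides.)"""
    accepted = {_norm(m) for m in groups_for_host(unicast_addrs).values()}
    accepted.add(_norm(own_mac))
    return _norm(frame_dst_mac) in accepted


if __name__ == "__main__":
    pc2 = ["2001:DB8:CAFE:1::200", "FE80::1111:2222:3333:4444"]   # PC2's addresses from the slides
    for group, mac in groups_for_host(pc2).items():
        print("%-20s %s" % (group, mac))
    print("all-routers frame accepted by PC2:", nic_accepts("33:33:00:00:00:02", pc2, "00-1B-24-04-A2-1E"))
```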

Page 40:

• So, why are solicited node multicasts better than broadcasts?
  • Multicasts can be mapped to MAC addresses and Ethernet NICs (hardware or drivers) can filter these frames.
• Why is that a good thing?

PC2               Unicast Address              Solicited Node Multicast   Ethernet MAC
  Global Unicast  2001:DB8:CAFE:1::200         FF02::1:FF00:200           33-33-FF-00-02-00
  Link-local      FE80::1111:2222:3333:4444    FF02::1:FF33:4444          33-33-FF-33-44-44

Page 41:

Advantages of Multicast

Ethernet Broadcast
• Destination MAC Address: Broadcast
• Data must be passed to upper layer for processing.

IPv4 or IPv6 Multicast (IGMP/MLD Snooping)
• IP multicast packets can be filtered by the switch, only sending packets to members of that group
  • IPv4 - IGMP (Internet Group Management Protocol)
  • IPv6 - MLD (Multicast Listener Discovery)
• However, Solicited Node Multicasts are forwarded out all ports because of the potentially huge forwarding tables needed to store these addresses. (For now.) But wait….

Page 42:

Solicited Node Multicasts are mapped to Ethernet!

ARP Requests: Layer 2 broadcasts:
• Ethernet broadcasts are sent to all devices.
• Flood the entire broadcast domain (subnet/VLAN).
• Ethernet NIC must process the frame.
• Any filtering is done by a higher layer protocol such as ARP (on the Target IPv4 Address).

Solicited Node Multicasts: Layer 2 and Layer 3 multicasts:
• Although solicited node multicasts are forwarded out all ports by the switch, ….
• Layer 2 multicast allows frames to be filtered by the NIC and not have to send data to an upper layer protocol for inspection.

Page 43:

PC2 Processes the following IPv6 and Ethernet MAC Addresses

• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from the:
  • Solicited node multicast (global unicast address)
  • Solicited node multicast (link-local address)
  • Any assigned multicast address such as All-IPv6-Devices.

                                Unicast Address              Solicited Node Multicast   Ethernet MAC
  Ethernet NIC                  N/A                          N/A                        00-1B-24-04-A2-1E
  Global Unicast                2001:DB8:CAFE:1::200         FF02::1:FF00:200           33-33-FF-00-02-00
  Link-local                    FE80::1111:2222:3333:4444    FF02::1:FF33:4444          33-33-FF-33-44-44
  Multicast (All-IPv6-Devices)  FF02::1                      N/A                        33-33-00-00-00-01

* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.

Page 44:

Back to Address Resolution (ARP in IPv4)

Diagram (R1 with ipv6 unicast-routing, subnet 2001:0DB8:CAFE:0001::/64):
  PC1: 2001:DB8:CAFE:1::100/64, MAC Address 00-21-9B-D9-C6-44
  PC2: 2001:DB8:CAFE:1::200/64, FF02::1:FF00:200 (Solicited Node Multicast), MAC Address 00-1B-24-04-A2-1E

  PC1> ping 2001:DB8:CAFE:1::200
  Steps 1, 2 and 5 involve PC1’s Neighbor Cache (empty until step 5)
  3: Neighbor Solicitation (ICMPv6 | IPv6 Header | Ethernet)
  4: Neighbor Advertisement

Page 45:

Neighbor Solicitation from PC1 (ARP Request)

Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:ff:00:02:00
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2001:db8:cafe:1::100
    Destination: ff02::1:ff00:200
Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0xbbab [correct]
    Reserved: 0 (Should always be zero)
    Target: 2001:db8:cafe:1::200
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:21:9b:d9:c6:44

Annotations:
• Dst 33:33:ff:00:02:00 – Mapped multicast address for PC2
• Next header 0x3a – Next header is an ICMPv6 header
• Source 2001:db8:cafe:1::100 – Global unicast address of PC1
• Destination ff02::1:ff00:200 – Solicited-node multicast address of PC2
• Type 135 – Neighbor Solicitation message
• Target 2001:db8:cafe:1::200 – Target IPv6 address, needing MAC address (if two devices have the same solicited node address, this resolves the issue)
• Link-layer address – MAC address of the sender, PC1 (* for the target’s Neighbor Cache)

Page 46:

Neighbor Advertisement from PC2 (ARP Reply)

Ethernet II, Src: 00:1b:24:04:a2:1e, Dst: 00:21:9b:d9:c6:44
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2001:db8:cafe:1::200
    Destination: 2001:db8:cafe:1::100
Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x1b4d [correct]
    Flags: 0x60000000
    Target: 2001:db8:cafe:1::200
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: 00:1b:24:04:a2:1e

Annotations:
• Src 00:1b:24:04:a2:1e – Unicast MAC address of PC2
• Dst 00:21:9b:d9:c6:44 – Unicast MAC address of PC1 (* from the previous Neighbor Solicitation)
• Next header 0x3a – Next header is an ICMPv6 header
• Source 2001:db8:cafe:1::200 – Global unicast address of PC2
• Destination 2001:db8:cafe:1::100 – Global unicast address of PC1
• Type 136 – Neighbor Advertisement message
• Flags 0x60000000 – Solicited (S) and Override (O) bits set: this is a reply to an NS and the receiver should update its cache entry
• Target – IPv6 address of the sender, PC2
• Link-layer address – MAC address of the sender, PC2

Page 47:

Multicast Groups of a Router

R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FE75:C3E0
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1              <- All-IPv6 devices on this link
    FF02::2              <- All-IPv6 routers on this link: IPv6 routing enabled
    FF02::1:FF00:1       <- Solicited-node multicast address, global unicast
    FF02::1:FF75:C3E0    <- Solicited-node multicast address, link-local
<output omitted for brevity>

Member of these Multicast Groups
• FF02 – “2” means link-local scope

Page 48:

Duplicate Address Detection (DAD)

• Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
• A device will send a Neighbor Solicitation for its own unicast address (static or dynamic).
• After a period of time, if a NA is not received, then the address is deemed unique.
• Once required, the RFC was updated so that it is only recommended - /64 Interface ID!

Diagram: PC2 (Global Unicast 2001:DB8:CAFE:1::200, Link-local FE80::1111:2222:3333:4444) sends a Neighbor Solicitation for its own address; hopefully no Neighbor Advertisement comes back.

Page 49:

Neighbor Cache (IPv4 ARP Cache)

• Neighbor Cache – Maps IPv6 addresses with Ethernet MAC addresses
• Similar to ARP Cache for IPv4
• 5 States (2 noticeable and 3 transitory):
  • Reachable: Packets have recently been received providing confirmation that this device is reachable.
  • Stale: A certain time period has elapsed since a packet has been received from this address.
  • Transitory States: INCOMPLETE, DELAY, PROBE

PC1 Neighbor Cache
  IPv6 Address           MAC Address
  2001:DB8:ACAD:1::10    0021.9bd9.c644

Diagram: Neighbor Advertisement from the neighbor with IPv6 2001:DB8:ACAD:1::10 and MAC 0021.9bd9.c644

Page 50:

R1# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                  16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10                        16 0021.9bd9.c644  STALE Fa0/0

R1# ping 2001:db8:aaaa:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AAAA:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                  16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10                         0 0021.9bd9.c644  REACH Fa0/0
R1#

Neighbor Cache on hosts:
  Windows: netsh interface ipv6 show neighbor
  Linux: ip neighbor show
  Mac: ndp -an

Page 51: Regional  Cisco Networking Academy  Conference 2014


Neighbor Cache (“ARP Cache”): Neighbor Cache FSM

[Diagram: Neighbor Cache FSM. States: No Entry Exists, Incomplete, Reachable, Stale (no action required; requires resolution again), Delay (resolution pending), Probe (re-resolution in progress). Transitions: No Entry Exists → Incomplete: Neighbor Solicitation (NS) sent; Incomplete → Reachable: NA received; Reachable → Stale: Reachable Time exceeded (timeout) or unsolicited NA received; Stale → Delay: packet sent; Delay → Reachable: packet returned; Delay → Probe: 5 sec; Probe → Reachable: NS sent and NA received; Incomplete or Probe → No Entry Exists: 3 NS sent with no NA returned]

• Neighbor Solicitation (NS) = ARP Request

• Neighbor Advertisement (NA) = ARP Reply
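The Neighbor Cache FSM from the slide as an added Python model, not code from the slides or from IOS: one cache entry, the five states plus "no entry", and the transitions drawn above; MAX_NS is the slide's "3 NS sent" and the `delay_timeout` event stands for the 5 seconds spent in DELAY.

```python
from dataclasses import dataclass
from typing import Optional

MAX_NS = 3  # NS sent with no NA returned before the entry is discarded (slide: "3 NS sent")


@dataclass
class NeighborEntry:
    ipv6: str
    mac: Optional[str] = None
    state: str = "NONE"  # "No Entry Exists" on the slide
    ns_sent: int = 0

    def step(self, event: str, mac: Optional[str] = None) -> str:
        """Apply one event from the diagram and return the new state."""
        s = self.state
        if event == "packet_sent":
            if s == "NONE":                     # first packet: multicast NS, start resolution
                self.state, self.ns_sent = "INCOMPLETE", 1
            elif s == "STALE":                  # keep using the cached MAC, but re-verify it
                self.state = "DELAY"
        elif event == "na_received" and s in ("INCOMPLETE", "PROBE"):
            self.mac = mac or self.mac          # solicited NA carries the link-layer address
            self.state, self.ns_sent = "REACHABLE", 0
        elif event in ("reachable_timeout", "unsolicited_na_received") and s == "REACHABLE":
            self.state = "STALE"                # Reachable Time exceeded, or the MAC may have changed
        elif event == "packet_returned" and s == "DELAY":
            self.state = "REACHABLE"            # upper-layer reply proves the neighbor is alive
        elif event == "delay_timeout" and s == "DELAY":
            self.state, self.ns_sent = "PROBE", 1   # 5 sec in DELAY, then unicast NS
        elif event == "ns_timeout" and s in ("INCOMPLETE", "PROBE"):
            if self.ns_sent >= MAX_NS:          # 3 NS sent with no NA returned: give up
                self.state, self.mac, self.ns_sent = "NONE", None, 0
            else:
                self.ns_sent += 1               # retransmit the NS
        return self.state


def run(entry: NeighborEntry, events: list) -> list:
    """Replay events (a name, or a (name, mac) tuple) and return the state after each one."""
    trace = []
    for ev in events:
        name, mac = ev if isinstance(ev, tuple) else (ev, None)
        trace.append(entry.step(name, mac))
    return trace


if __name__ == "__main__":
    pc1 = NeighborEntry("2001:db8:acad:1::10")  # PC1 from the slide
    print(run(pc1, ["packet_sent", ("na_received", "0021.9bd9.c644"), "reachable_timeout"]))
```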

Page 52: Regional  Cisco Networking Academy  Conference 2014


Overview of IPv6 Security Features

Learning from IPv4

Page 53: Regional  Cisco Networking Academy  Conference 2014


Overview of IPv6 Security Features

• Much has been learned from IPv4

• Similar features available for IPv6

• Other features specific to IPv6

• Overview of features similar to CCNP

• Details and more information…

Somewhat dated

Page 54: Regional  Cisco Networking Academy  Conference 2014

“I’ll wait until I start running IPv6 on my network”

• Windows Vista or later, Mac OSX, Linux already running IPv6

• Potential man-in-the-middle or DoS attack

[Diagram: dual-stack (IPv4/IPv6) hosts send an RS (“I need an IPv6 prefix”); R1 answers with an RA (“Here is an IPv6 prefix and gateway”), and a rogue device on the same link answers with a Rogue RA (“Here is an IPv6 prefix and gateway”)]

Page 55: Regional  Cisco Networking Academy  Conference 2014


IPv6 RA Guard

• IPv6 Router Advertisement (RA) Guard blocks unwanted or rogue RA messages.

• A switch port in host mode blocks all Router Advertisement and router redirect messages.

[Diagram: R1 is attached to the switch on Fa0/0 (router role) and sends RAs; hosts in VLAN 100 (host role) send RSs, and RAs arriving on the host-role ports are dropped]

Switch(config)# ipv6 nd raguard policy HOST

Switch(config-nd-raguard)# device-role host

Switch(config)# ipv6 nd raguard policy ROUTER

Switch(config-nd-raguard)# device-role router

Switch(config)# ipv6 nd raguard attach-policy HOST vlan 100

Switch(config)# interface FastEthernet0/0

Switch(config-if)# ipv6 nd raguard attach-policy ROUTER

Page 56: Regional  Cisco Networking Academy  Conference 2014


DHCPv6 Guard

• DHCPv6 guard blocks DHCP REPLY and ADVERTISEMENT messages that originate from unauthorized DHCPv6 servers and relay agents.

• Various phases, so check latest Cisco documentation.

[Diagram: a client sends a DHCPv6 SOLICIT; the legitimate DHCPv6 Server reached through R1 (Fa0/0) answers with a REPLY, and a Rogue DHCPv6 Server on the same link also sends a REPLY, which DHCPv6 Guard blocks]

Page 57: Regional  Cisco Networking Academy  Conference 2014


Neighbor Cache Exhaustion Attack and Mitigation

[Diagram: a remote attacker sends packets to 2001:db8::1, 2001:db8::2, 2001:db8::3, … in the target link's 2001:db8::/64; for each one the router sends a Neighbor Solicitation (NS: 2001:db8::1, NS: 2001:db8::2, NS: 2001:db8::3, …) and creates a cache entry]

• Aggressive scanning of a /64 can force the router to send potentially billions and billions of Neighbor Solicitation messages for bogus addresses, causing router and switch CPU/memory failures.

• Can cause a local router DoS attack.

“I will send billions of packets to your network, forcing you to send out and cache billions of Neighbor Solicitation messages.”

Page 58: Regional  Cisco Networking Academy  Conference 2014


Neighbor Cache Exhaustion Attack and Mitigation

• Built-in rate limiter with options to tune it

• Since 15.1(3)T: ipv6 nd cache interface-limit

• Priority given to refreshing existing entries vs. discovering new ones (RFC 6583)

• Other related features can be used, such as Destination Guard

• Use a /127 on point-to-point links (RFC 6164)

• Reserve a /64 for easier management (/48 gives you 65,536 subnets!)

• Internet edge/presence: Ingress ACL permitting traffic to specific IPv6 addresses only (within your stateful DHCPv6 range)
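An added Python model of the router-side mitigations listed above (constructed for this page, not IOS code): an ingress ACL that only permits traffic to the stateful DHCPv6 range, a per-interface cap on unresolved (INCOMPLETE) entries in the spirit of ipv6 nd cache interface-limit, and RFC 6583's rule that refreshing an existing entry takes priority over creating a new one. The prefix 2001:db8::/64 is the slide's; the DHCPv6 pool 2001:db8::/120 and the limit of 4 are constructed values.

```python
import ipaddress

class GuardedNeighborCache:
    """One interface's neighbor cache with the slide's mitigations (constructed model, not IOS)."""

    def __init__(self, interface_limit: int, dhcpv6_ranges=()):
        self.interface_limit = interface_limit  # cap on unresolved (INCOMPLETE) entries
        self.allowed = [ipaddress.ip_network(r) for r in dhcpv6_ranges]  # ingress ACL (edge only)
        self.entries = {}  # address -> state

    def _incomplete(self) -> int:
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")

    def packet_for(self, dst: str) -> str:
        """Decision for a packet arriving for a host on this link."""
        addr = ipaddress.IPv6Address(dst)
        key = str(addr)
        # Internet edge: ingress ACL permits only the addresses the stateful DHCPv6 pool hands out
        if self.allowed and not any(addr in net for net in self.allowed):
            return "dropped-by-acl"
        state = self.entries.get(key)
        if state is not None:
            # RFC 6583: traffic to a neighbor we already know always gets to refresh its entry
            if state == "STALE":
                self.entries[key] = "DELAY"
            return "refresh:" + self.entries[key]
        # Unknown destination: only start resolution while under the interface limit
        if self._incomplete() >= self.interface_limit:
            return "dropped-cache-limit"  # no NS sent, no entry created
        self.entries[key] = "INCOMPLETE"
        return "ns-sent"

    def na_received(self, addr: str) -> None:
        self.entries[str(ipaddress.IPv6Address(addr))] = "REACHABLE"

    def age_out(self, addr: str) -> None:
        self.entries[str(ipaddress.IPv6Address(addr))] = "STALE"

def scan(cache: GuardedNeighborCache, prefix: str, count: int) -> dict:
    """Sweep the first `count` addresses of a prefix (the attack on the slide) and tally outcomes."""
    net = ipaddress.IPv6Network(prefix)
    tally = {}
    for i in range(1, count + 1):
        result = cache.packet_for(str(net.network_address + i))
        tally[result] = tally.get(result, 0) + 1
    return tally

if __name__ == "__main__":
    cache = GuardedNeighborCache(interface_limit=4, dhcpv6_ranges=["2001:db8::/120"])
    print(scan(cache, "2001:db8::/64", 1000))  # {'ns-sent': 4, 'dropped-cache-limit': 251, 'dropped-by-acl': 745}
```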

Page 59: Regional  Cisco Networking Academy  Conference 2014


/127 on Point-to-Point Links

• Reserve an entire /64 for each point-to-point link, but only use two of the addresses

• Makes your addressing plan easier.

• Configure each interface as a /127: “even and even+1” combination

• /127 gives you two addresses – IPv6 lets you use the all 0’s and all 1’s addresses!

• Recommend that you don’t use the first two addresses ::0 and ::1, so as not to confuse the first address with the network address (both are “::”)

[Diagram: R1 and R2 joined by a point-to-point link addressed as 2001:DB8:CAFE:F001::/127, with 2001:DB8:CAFE:F001::/64 reserved for the link]

R1(config)# interface serial 0/0/0

R1(config-if)# ipv6 add 2001:db8:cafe:f001::/127

R2(config)# interface serial 0/0/0

R2(config-if)# ipv6 add 2001:db8:cafe:f001::1/127

R1(config)# interface serial 0/0/0

R1(config-if)# ipv6 add 2001:db8:cafe:f001::a/127

R2(config)# interface serial 0/0/0

R2(config-if)# ipv6 add 2001:db8:cafe:f001::b/127
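An added helper, not from the slides, that carves /127 pairs out of a reserved /64 the way the second configuration above does, and checks a proposed pair against the slide's rules: both /127, same /127, distinct (so even and even+1), and not the first pair ::0/::1. Pair index 5 yields the ::a/::b pair shown; the /64 is the slide's 2001:DB8:CAFE:F001::/64.

```python
import ipaddress

INTERFACE_ID_MASK = (1 << 64) - 1


def p2p_pair(reserved_64: str, pair_index: int) -> tuple:
    """(R1, R2) addresses for /127 pair number `pair_index` of a /64 reserved for one link.

    Pair 0 is ::0/::1 (the slide's first example), pair 5 is ::a/::b (its second).
    """
    net = ipaddress.IPv6Network(reserved_64)
    if net.prefixlen != 64:
        raise ValueError("reserve a /64 per link, then pick a /127 inside it")
    even = net.network_address + 2 * pair_index  # "even and even+1" combination
    return (f"{even}/127", f"{even + 1}/127")


def check_p2p_pair(r1: str, r2: str) -> list:
    """Findings for two router addresses meant to share one /127 link (empty list = OK)."""
    a, b = ipaddress.ip_interface(r1), ipaddress.ip_interface(r2)
    if a.network.prefixlen != 127 or b.network.prefixlen != 127:
        return ["both interfaces must be configured as /127"]
    if a.network != b.network:
        return ["addresses are not in the same /127"]
    if a.ip == b.ip:
        return ["R1 and R2 cannot use the same address"]
    findings = []
    # Same /127 and distinct, so they are the even and even+1 pair by construction.
    # /127 allows the all-0s and all-1s addresses; the slide only advises skipping ::0/::1.
    if min(int(a.ip), int(b.ip)) & INTERFACE_ID_MASK == 0:
        findings.append("first pair ::0/::1 not recommended (::0 reads like the network address)")
    return findings


if __name__ == "__main__":
    r1, r2 = p2p_pair("2001:db8:cafe:f001::/64", 5)
    print(r1, r2, check_p2p_pair(r1, r2))  # 2001:db8:cafe:f001::a/127 2001:db8:cafe:f001::b/127 []
```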

Page 60: Regional  Cisco Networking Academy  Conference 2014


And much more!

• The IPv6 Snooping and FHS feature provides security and scalability by bundling several Layer 2 IPv6 first-hop security (FHS) features, including:

• IPv6 neighbor discovery inspection

• IPv6 device tracking

• IPv6 address glean

• IPv6 binding table recovery

• Secure Neighbor Discovery (SeND) is a protocol that enhances NDP with three additional capabilities:

• Address ownership proof – Based upon Cryptographically Generated Addresses (CGAs)

• Message protection

• Router authorization

• Note: SeND is not supported in Windows Vista, 2008 and 7, Mac OS X, iOS, Android - crypto means slower…

• Other GOOD NEWS:

• Private VLAN works with IPv6

• Port security works with IPv6

• IEEE 802.1X works with IPv6

Page 61: Regional  Cisco Networking Academy  Conference 2014


What we covered…

• Getting IPv6: PA versus PI Address Space

• Using IPv6: Happy Eyeballs

• ICMPv6

• Dynamic Address Allocation

• RS and RA Message details

• Ethernet Multicast Addresses for IPv6

• Address Resolution

• Comparison with ARP

• Solicited Node Multicast

• NS and NA Message details

• Neighbor Cache details

• Securing IPv6

• RA Guard

• DHCPv6 Guard

• Neighbor Cache Exhaustion Mitigation

• /127 for point-to-point addresses

• Other stuff for IPv6 security

Page 62: Regional  Cisco Networking Academy  Conference 2014


Web Site, Book, Etc.

• Rick Graziani - [email protected]

• PowerPoints for CCNA, CCNP, IPv6

• www.cabrillo.edu/~rgraziani

• Username = cisco

• Password = perlman

Shameless plug!

Quality time with my two nieces…

Page 63: Regional  Cisco Networking Academy  Conference 2014


And…… Thank you very much!

Rick Graziani - [email protected]

www.cabrillo.edu/~rgraziani

Username = cisco

Password = perlman