Regional Cisco Networking Academy Conference 2014
Giving you the knowledge and confidence to teach IPv6: Getting and using IPv6; ICMPv6: A Closer Look; Securing IPv6. Rick Graziani, CS/CIS Instructor, Cabrillo College.
1© 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, US/Canada
Regional Cisco Networking Academy Conference 2014
Giving you the knowledge and confidence to teach IPv6
Getting and using IPv6
ICMPv6: A Closer Look
Securing IPv6
Rick Graziani, CS/CIS Instructor, Cabrillo College
Who am I?
• Rick Graziani - [email protected]
• CS/CIS instructor at Cabrillo College, Santa Cruz, California
• Cisco Networking Academy instructor since 1997
• Run native IPv6 at Cabrillo College and home
• Curriculum Development Team for Cisco Networking Academy
• When not working, hopefully I’m surfing.
“I understand IPv4, but how does it work for IPv6?”
CCNA: IPv6 Basics, Routing IPv6, ICMPv6 ND
CCNP (ROUTE, SWITCH, TSHOOT): Address allocation (DHCP), Address resolution (ARP), Solicited Node Multicast, Mitigating attacks
Topics
• Getting and Using IPv6:
  • Getting IPv6: PA versus PI Address Space
  • Using IPv6: Happy Eyeballs
• ICMPv6
  • Dynamic Address Allocation
  • RS and RA Message details
  • Ethernet Multicast Addresses for IPv6
  • Address Resolution
    • Comparison with ARP
    • Solicited Node Multicast
    • NS and NA Message details
    • Neighbor Cache details
• Securing IPv6
  • RA Guard
  • DHCPv6 Guard
  • Neighbor Cache Exhaustion Mitigation
  • /127 for point-to-point addresses
  • Other stuff for IPv6 security
• Tomorrow: Flavors of DHCPv6
  • SLAAC – IPv6 Addressing without DHCPv6
  • Stateless DHCPv6 – I have my address but need some other stuff
  • Stateful DHCPv6 – Just like DHCPv4 (only different)
  • DHCPv6-PD (Prefix Delegation) – IPv6 Prefix for the “home”
PI and PA
Global Routing Prefixes
• /23: minimum RIR allocation*
• /32: minimum ISP prefix*
• /48: minimum site prefix*; a /56 is a possible home site prefix
• /64: subnet prefix (Global Routing Prefix + Subnet ID), followed by the 64-bit Interface ID
* This is a minimum allocation. The prefix-length may be less if it can be justified.
Comcast is giving me a /64 at home.
PA versus PI Address Space
• Provider Aggregatable (PA) Address Space – address space that is typically assigned by an ISP to a customer.
  • Change provider, must get new address space
  • Customer must do prefix renumbering (helpful IETF RFCs exist)
• Provider Independent (PI) Address Space – address space that is assigned by the RIR.
  • Remains assigned to the customer regardless of provider
  • No prefix renumbering needed when changing providers
(Figure: a /32 or /48 Global Routing Prefix, followed by the subnet bits and the 64-bit Interface ID.)
ARIN fee schedule: https://www.arin.net/fees/fee_schedule.html
PA versus PI Address Space
• Provider Aggregatable (PA) Address Space (/48)
  • PA if you are single homed
• Provider Independent (PI) Address Space (/32)
  • Great for organizations who want to multihome to different ISPs
  • Check with the upstream ISP whether they will route it or not
  • Especially when the PI prefix is not local in the region (ARIN, APNIC, …), which can cause asymmetric routing issues
• ftp://ftp.ripe.net/ripe/docs/ripe-127.txt
• http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html
(Figure: a CPE multihomed to ISP-A in the US and ISP-B in Europe, using static routes, an IGP and BGP.)
Happy Eyeballs
RFC 6555 Happy Eyeballs: Success with Dual-Stack Hosts
• The dual-stack code may get two addresses back from DNS, one IPv4 and one IPv6…
• Which one does it use?
• In order to use applications over IPv6, it is necessary that users enjoy nearly identical performance as compared to IPv4.
12© 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, US/Canada
RFC 6555 Happy Eyeballs: Success with Dual-Stack Hosts
Example for www.facebook.com:
1. Query A record for www.facebook.com → 31.13.77.65
2. Query AAAA record for www.facebook.com → 2a03:2880:f016:401:face:b00c:0:1
3. Connect to 31.13.77.65 (IPv4) and/or 2a03:2880:f016:401:face:b00c:0:1 (IPv6)
4. GET HTTP/1.1 to www.facebook.com over whichever connection is used
13© 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, US/Canada
Happy Eyeballs in a nutshell
• In reality it depends on how the OS and application want to handle it.
• Timeline after the user types “www.example.com”:
  1. Attempt the IPv6 lookup and connect.
  2. If IPv6 has not connected after about 300 ms, attempt the IPv4 lookup and connect in parallel.
  3. Retrieve and display over whichever connection completes first: first come, first served.
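The race described on these two slides, as an added example that is not part of the original presentation: a Happy Eyeballs connection race in Python, with the connect attempts simulated by asyncio sleeps. The latency table, the 300 ms head start taken from the slide (RFC 6555 itself suggests 150 to 250 ms) and the Facebook addresses reused as labels are all constructed inputs; a real client would call connect() on sockets instead, and the function and constant names are this example's own.

```python
"""Happy Eyeballs (RFC 6555): race IPv6 against IPv4 with a head start for IPv6."""
import asyncio
import time

IPV6_HEAD_START = 0.3   # seconds IPv6 gets before IPv4 is tried; the slide's 300 ms


async def happy_eyeballs(v6_addr, v4_addr, connect, head_start=IPV6_HEAD_START):
    """Start the IPv6 connect; if it has not succeeded within head_start (or has
    already failed), start the IPv4 connect too. First success wins, the other
    attempt is cancelled, and an error is raised only if both fail."""
    v6 = asyncio.create_task(connect(v6_addr))
    done, _ = await asyncio.wait({v6}, timeout=head_start)
    if v6 in done and v6.exception() is None:
        return v6.result()                          # IPv6 answered inside the head start
    failures = [v6.exception()] if v6 in done else []   # IPv6 failed fast: record it
    v4 = asyncio.create_task(connect(v4_addr))
    pending = {v4} | ({v6} - done)                  # keep waiting on IPv6 only if still running
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:
                    other.cancel()                  # the loser's connect is abandoned
                return task.result()
            failures.append(task.exception())
    raise ConnectionError("all attempts failed: %r" % failures)


def make_connect(table):
    """Constructed stand-in for a socket connect(): table maps address -> (latency, ok)."""
    async def connect(addr):
        latency, ok = table[addr]
        await asyncio.sleep(latency)
        if not ok:
            raise ConnectionRefusedError("simulated failure connecting to %s" % addr)
        return addr
    return connect


def race(table, v6_addr, v4_addr, head_start=IPV6_HEAD_START):
    """Run one race synchronously; return (winning address, elapsed seconds)."""
    start = time.monotonic()
    winner = asyncio.run(happy_eyeballs(v6_addr, v4_addr, make_connect(table), head_start))
    return winner, time.monotonic() - start


# Addresses reused from the slide's www.facebook.com example purely as labels.
V6, V4 = "2a03:2880:f016:401:face:b00c:0:1", "31.13.77.65"

if __name__ == "__main__":
    print("working IPv6:    ", race({V6: (0.02, True), V4: (0.01, True)}, V6, V4))
    print("black-holed IPv6:", race({V6: (5.0, True), V4: (0.02, True)}, V6, V4))
    print("IPv6 refused:    ", race({V6: (0.01, False), V4: (0.02, True)}, V6, V4))
```

The three cases in the demo are the ones that matter operationally: a working IPv6 path wins without IPv4 ever being tried, a black-holed IPv6 path (no SYN/ACK, no RST) costs the user only the head start before IPv4 takes over, and an IPv6 path that fails fast hands over to IPv4 immediately rather than waiting out the timer.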
15© 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, US/Canada
ICMPv6
Internet Control Message Protocol for IPv6 (ICMPv6)
• Described in RFC 4443
• Much more robust than ICMP for IPv4
• Contains new functionality and improvements.
• More than just “messaging”; it is “how IPv6 conducts business”.
• General message format similar to ICMP for IPv4
• Also uses Type and Code fields like ICMPv4.
• IPv6 Next Header value: 58 decimal or 3A hexadecimal
Packet layout: IPv6 Header (Next Header = 58) | ICMPv6 Header | ICMPv6 Message Body; the ICMPv6 message is the IPv6 data.
Neighbor Discovery Protocol Uses ICMPv6
• ICMPv6 informational messages used by Neighbor Discovery (RFC 4861):
  • Router Solicitation Message and Router Advertisement Message (router-device messaging)
    • Used with dynamic configuration of IPv6 addresses
    • Use assigned multicast addresses
  • Neighbor Solicitation Message and Neighbor Advertisement Message (device-device messaging)
    • Used with address resolution (the IPv6 equivalent of IPv4 ARP)
    • Use the solicited-node multicast address and assigned multicast addresses
  • Redirect Message (similar to ICMPv4)
IPv6 Multicast and Neighbor Discovery
• IPv6 addressing: unicast, anycast and multicast.
• Multicast addresses come in two flavors:
  • Assigned (FF00::/8): used by ICMPv6 Neighbor Discovery Router Solicitation and Router Advertisement to dynamically obtain an IPv6 address.
  • Solicited Node (FF02::1:FF00:0000/104): used by ICMPv6 Neighbor Discovery Neighbor Solicitation for address resolution, the IPv6 equivalent of ARP.
ICMPv6: Neighbor Discovery and Address Allocation
IPv4 Dynamic Addresses: the host gets everything from a DHCP server.
With IPv6 it begins with the Router Advertisement
• The Router Advertisement (RA) tells hosts how they will receive IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.
• Router Solicitation, to all IPv6 routers: “I need IPv6 address information.”
• Router Advertisement, to all IPv6 devices: “Let me tell you how to do this …” (use SLAAC, or ask the DHCPv6 server)
A Router Must Be Enabled as an “IPv6 Router”
• Router Advertisement/Solicitation messages are part of ICMPv6 (Internet Control Message Protocol for IPv6).
• Router Advertisements are sent by an “IPv6 router”, enabled with the ipv6 unicast-routing command. An IPv6 router:
  • Forwards IPv6 packets
  • Can be enabled for IPv6 static and dynamic routing
  • Sends ICMPv6 Router Advertisements
• Note: Routers can be configured with IPv6 addresses without being an IPv6 router.
R1(config)# ipv6 unicast-routing
SLAAC (Stateless Address Autoconfiguration)
R1(config)# ipv6 unicast-routing
The RA tells the host which of three options to use:
• Option 1: SLAAC (default on Cisco routers). “I’m everything you need (Prefix, Prefix-length, Default Gateway).”
• Option 2: SLAAC + Stateless DHCPv6 for DNS addresses. “Here is my information, but you need to get other information such as DNS addresses from a DHCPv6 server.”
• Option 3: All addressing except the default gateway from DHCPv6. “I can’t help you. Ask a DHCPv6 server for all your information.” (The default gateway still comes from the RA; DHCPv6 does not supply one.)
• Options 1 and 2: Stateless Address Autoconfiguration; the DHCPv6 server does not maintain state of addresses.
• Option 3: Stateful Address Configuration; the address is received from the DHCPv6 server.
Router Advertisement – Option 1 SLAAC (link 2001:DB8:CAFE:1::/64, router R1)
1. RS: To FF02::2 (All IPv6 Routers), From FE80::50A5:8A35:A5BB:66E1 (link-local address of the host), ICMPv6 RS message
2. RA: To FF02::1 (All IPv6 devices), From FE80::1 (link-local address of R1), ICMPv6 RA message: Prefix 2001:DB8:CAFE:1::, Prefix-length /64
Router Solicitation (RS) from PC1
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:00:00:00:02
Internet Protocol Version 6
    0110 .... = Version: 6
    [Traffic class and Flowlabel not shown]
    Payload length: 16
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::50a5:8a35:a5bb:66e1
    Destination: ff02::2
Internet Control Message Protocol v6
    Type: 133 (Router solicitation)
    Code: 0
    Checksum: 0x3277 [correct]
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:21:9b:d9:c6:44
Notes:
• Destination MAC 33:33:00:00:00:02 is the Ethernet multicast MAC address that maps to “all IPv6 routers” (FF02::2).
• Source: the link-local address of PC1. Destination: the all-IPv6-routers multicast address.
• Next header 0x3a (58): an ICMPv6 header follows.
• Hop limit 255: Neighbor Discovery messages are sent with hop limit 255, and receivers discard ND messages that arrive with any other value, which guarantees the message originated on the local link.
• The Source link-layer address option carries the MAC address of PC1, but the RA reply is still sent to the all-IPv6-devices multicast address.
R1(config)# ipv6 unicast-routing
R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2            <- All-routers multicast group, joined once ipv6 unicast-routing is enabled
    FF02::1:FF00:1
  MTU is 1500 bytes
  <output omitted for brevity>
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
Router Advertisement (RA) from Router R1
Ethernet II, Src: 00:03:6b:e9:d4:80, Dst: 33:33:00:00:00:01
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::1
    Destination: ff02::1
Notes:
• Destination MAC 33:33:00:00:00:01 is the Ethernet multicast MAC address that maps to “all IPv6 devices” (FF02::1).
• Source fe80::1 is the link-local address of R1. Hosts add it to their Default Router List and use it as their default gateway.
• Next header 0x3a (58): an ICMPv6 header follows.

Router Advertisement from Router R1 – some fields omitted
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Cur hop limit: 64
    Flags: 0x00
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:03:6b:e9:d4:80
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix Length: 64
        Prefix: 2001:db8:cafe:1::
Notes:
• Cur hop limit 64: recommended Hop Limit value for hosts.
• Flags 0x00: the M and O flags are both 0, so no information is available via DHCPv6.
• Source link-layer address: router R1’s MAC address.
• MTU: MTU of the link.
• Prefix information: the prefix (2001:db8:cafe:1::) and prefix length (/64) to be used for autoconfiguration.

M and O Flags
• M Flag: Managed Address Configuration flag. Tells the host whether to use the configuration information in this Router Advertisement (SLAAC by default) or to get all of its address information from a stateful DHCPv6 server.
• O Flag: Other Configuration flag. When SLAAC is being used (using the RA), it tells the host whether more information (like DNS) is available from a stateless DHCPv6 server.
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Cur hop limit: 64
    Flags: 0x00
    <output omitted for brevity>
• M and O flags: both 0, no additional information from a DHCPv6 server.
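To make the RS and RA captures above concrete, here is an added example (not from the slides and not Cisco code) in Python that builds both messages byte for byte, computes the RFC 4443 checksum over the IPv6 pseudo-header (Next Header 58) and decodes the type, code, M/O flags and options. The RS is reconstructed from the capture, so the checksum it computes must come out as the 0x3277 that Wireshark marked [correct]; for the RA, the router lifetime of 1800 s comes from the show ipv6 interface output, while the reachable time, retransmit timer and prefix lifetimes are assumed IOS defaults because the slide omits those fields. Function names such as build_nd and parse_nd are this example's own.

```python
"""ICMPv6 Neighbor Discovery messages: build, checksum and decode RS/RA/NS/NA."""
import ipaddress
import struct

ICMPV6 = 58                                  # IPv6 Next Header value for ICMPv6
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
ND_OPTIONS = {1: "Source link-layer address", 2: "Target link-layer address",
              3: "Prefix information", 5: "MTU"}


def icmpv6_checksum(src, dst, payload):
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (source, destination, upper-layer length, next header 58) plus the
    ICMPv6 message, whose own checksum field must be zero while summing."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), ICMPV6))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nd(src, dst, msg_type, body, options=()):
    """type | code | checksum | body | TLV options (length in units of 8 bytes)."""
    opts = b"".join(struct.pack("!BB", t, (2 + len(v)) // 8) + v for t, v in options)
    msg = struct.pack("!BBH", msg_type, 0, 0) + body + opts
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_nd(src, dst, msg):
    """Decode an ND message into a dict; raise ValueError on a bad checksum."""
    want = struct.unpack("!H", msg[2:4])[0]
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != want:
        raise ValueError("bad ICMPv6 checksum")
    t = msg[0]
    out = {"type": t, "name": ND_TYPES.get(t, "other"), "code": msg[1], "options": []}
    if t == 133:                             # RS: 4 reserved bytes, then options
        off = 8
    elif t == 134:                           # RA: cur hop limit, M/O flags, lifetimes
        hop, flags, life, reach, retrans = struct.unpack("!BBHII", msg[4:16])
        out.update(cur_hop_limit=hop, M=bool(flags & 0x80), O=bool(flags & 0x40),
                   router_lifetime=life, reachable_time=reach, retrans_timer=retrans)
        off = 16
    elif t in (135, 136):                    # NS/NA: (flags +) reserved, 16-byte target
        out["target"] = str(ipaddress.IPv6Address(msg[8:24]))
        if t == 136:
            out.update(R=bool(msg[4] & 0x80), S=bool(msg[4] & 0x40), O=bool(msg[4] & 0x20))
        off = 24
    else:
        return out
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        val = msg[off + 2: off + olen]
        if otype in (1, 2):
            opt = {"mac": ":".join("%02x" % b for b in val[:6])}
        elif otype == 5:
            opt = {"mtu": struct.unpack("!I", val[2:6])[0]}
        elif otype == 3:
            plen, pflags, valid, pref = struct.unpack("!BBII", val[:10])
            opt = {"prefix": "%s/%d" % (ipaddress.IPv6Address(val[14:30]), plen),
                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                   "valid_lifetime": valid, "preferred_lifetime": pref}
        else:
            opt = {"raw": val.hex()}
        out["options"].append((ND_OPTIONS.get(otype, "type %d" % otype), opt))
        off += olen
    return out


# Reconstructed from the captures on the slides: PC1's RS and R1's RA.
PC1_LL, PC1_MAC = "fe80::50a5:8a35:a5bb:66e1", bytes.fromhex("00219bd9c644")
R1_LL, R1_MAC = "fe80::1", bytes.fromhex("00036be9d480")
PC1_RS = build_nd(PC1_LL, "ff02::2", 133, b"\x00" * 4, [(1, PC1_MAC)])
# RA body: cur hop limit 64, flags 0x00 (M=0, O=0), router lifetime 1800 s,
# reachable time and retrans timer 0 = unspecified (assumed IOS defaults).
RA_BODY = struct.pack("!BBHII", 64, 0x00, 1800, 0, 0)
# Prefix option: /64, L and A flags set; the lifetimes are assumed IOS defaults.
PREFIX_OPT = (struct.pack("!BBIII", 64, 0xC0, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:cafe:1::").packed)
R1_RA = build_nd(R1_LL, "ff02::1", 134, RA_BODY,
                 [(1, R1_MAC), (5, b"\x00\x00" + struct.pack("!I", 1500)), (3, PREFIX_OPT)])


def host_config_mode(ra):
    """What the M/O flags tell a host: the three options on the SLAAC slide."""
    if ra["M"]:
        return "stateful DHCPv6 for addresses (default gateway still from the RA)"
    if ra["O"]:
        return "SLAAC + stateless DHCPv6 for other information (e.g. DNS)"
    return "SLAAC only"


if __name__ == "__main__":
    print("RS: %d bytes, checksum 0x%04x" % (len(PC1_RS), struct.unpack("!H", PC1_RS[2:4])[0]))
    ra = parse_nd(R1_LL, "ff02::1", R1_RA)
    print(ra["name"], "M=%d O=%d" % (ra["M"], ra["O"]), ra["options"])
    print("Host will use:", host_config_mode(ra))
```

Two things the parser enforces that matter in practice: the checksum is verified before any field is trusted, and a zero-length option aborts decoding, because RFC 4861 says such a packet must be discarded (a parser that loops forever on it is a denial-of-service bug).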
Mapping IPv6 Multicast Address to an Ethernet MAC Address
FF02:0000:0000:0000:0000:0000:0000:0002 → 33:33:00:00:00:02
• 48-bit MAC addresses in the range from 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast.
• The low-order 32 bits of the IPv6 multicast address are mapped to the low-order 32 bits of the MAC address.
• Remember, source addresses are always unicast.
• RFC 7042 historical note: It was the custom during IPv6 design to use “3” for unknown or example values, and 3333 Coyote Hill Road, Palo Alto, California, is the address of PARC (Palo Alto Research Center, formerly “Xerox PARC”). Ethernet was initially developed at Xerox PARC.
Example frame (RS): Ethernet header, destination MAC 33:33:00:00:00:02 | IPv6 header, destination address FF02::2 (All IPv6 Routers) | Data | FCS
Ethernet MAC Addresses in RS and RA Messages (link 2001:DB8:CAFE:1::/64, router R1)
1. RS: Ethernet Dst 33:33:00:00:00:02, Src 00:21:9b:d9:c6:44; IPv6 To FF02::2 (All IPv6 Routers), From FE80::50A5:8A35:A5BB:66E1 (link-local address); ICMPv6 RS message
2. RA: Ethernet Dst 33:33:00:00:00:01, Src 00:03:6b:e9:d4:80; IPv6 To FF02::1 (All IPv6 devices), From FE80::1 (link-local address); ICMPv6 RA message
“But how does this help anything?” “Because I will filter on multicast MAC addresses!”
• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from:
  • Any assigned multicast address such as All-IPv6-Devices.
  • Any solicited-node multicast… what? (next)
• A host NIC would not accept frames looking for an IPv6 router using the destination MAC address 33:33:00:00:00:02, because only IPv6 routers join FF02::2.
PC1 (MAC 00-21-9b-d9-c6-44) processes the following IPv6 and Ethernet MAC addresses*:
  Ethernet NIC (unicast): IPv6 N/A, MAC 00-21-9b-d9-c6-44
  Multicast (All-IPv6-Devices): IPv6 FF02::1, MAC 33-33-00-00-00-01
* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.
ICMPv6: Neighbor Discovery and Address Resolution (ARP in IPv4)
Address Resolution: IP to MAC Mapping
IP to data link (MAC) address mapping:
• IPv4 addresses use ARP
• IPv6 addresses use ICMPv6 Neighbor Discovery messages: Neighbor Solicitation and Neighbor Advertisement
• Devices store this mapping in their Neighbor Cache
IPv4 (PC1 → PC2):
  1. ARP Request: “I know the IPv4 address, what is the MAC?”
  2. ARP Reply: “That’s my IPv4 address! Here is the MAC.”
  3. PC1 stores the mapping in its ARP Cache.
IPv6 (PC1 → PC2):
  1. Neighbor Solicitation: “I know the IPv6 address, what is the MAC?”
  2. Neighbor Advertisement: “That’s my IPv6 address! Here is the MAC.”
  3. PC1 stores the mapping in its Neighbor Cache.
Address Resolution: IP to MAC Mapping
• IPv4: ARP over Ethernet. ARP Request/Reply are carried directly in Ethernet frames.
• IPv6: ICMPv6 over IPv6 over Ethernet. Neighbor Solicitation/Advertisement are ICMPv6 messages inside an IPv6 header inside an Ethernet frame.
• ARP Request: sent to the Ethernet broadcast address.
• NS: sent as a multicast, to the solicited-node multicast address of the target.
(Same exchange as the previous slide: request “I know the IP, what is the MAC?”, reply “That’s my IP! Here is the MAC.”)
What is a solicited-node multicast address?
• A layer 3 multicast address with link-local scope “FF02” (within the subnet/VLAN).
• There is a solicited-node multicast address for every IPv6 unicast (or anycast) address, including:
  • Global Unicast Address (GUA)
  • Link-local Address
• Used in Neighbor Solicitation messages during:
  • Address Resolution (ARP for IPv4)
  • Duplicate Address Detection (DAD)
PC2’s unicast addresses and their solicited-node multicast addresses:
  Global Unicast 2001:DB8:CAFE:1::20 → FF02::1:FF00:20
  Link-local unicast FE80::1111:2222:3333:4444 → FF02::1:FF33:4444
How is it created?
• There is a direct relationship between the unicast/anycast address and its solicited-node multicast address.
• The solicited-node multicast address is formed by:
  • Prefix FF02:0:0:0:0:1:FF00::/104 (FF02::1:FFxx:xxxx)
  • Appending the low-order 24 bits of the unicast or anycast address
• Like other multicast addresses, solicited-node multicast addresses are also mapped to an Ethernet MAC address (next).
PC2’s unicast addresses and their solicited-node multicast addresses:
  Global Unicast 2001:DB8:CAFE:1::20 → FF02::1:FF00:20
  Link-local unicast FE80::1111:2222:3333:4444 → FF02::1:FF33:4444
Solicited-Node Multicast Example
PC2’s IPv6 global unicast address: 2001:DB8:CAFE:1::200
  2001:0DB8:CAFE | 0001 | 0000:0000:00 | 00:0200   (Global Routing Prefix | Subnet ID | Interface ID; the low-order 24 bits are 00:0200)
PC2’s IPv6 solicited-node multicast address: FF02::1:FF00:200
  FF02:0000:0000:0000:0000:0001:FF | 00:0200   (104-bit prefix | copy of the low-order 24 bits)
PC2’s mapped Ethernet multicast address: 33-33-FF-00-02-00
  33-33 | FF-00-02-00   (fixed IPv6 multicast prefix | copy of the low-order 32 bits of the multicast address)
• The low-order 32 bits of the IPv6 multicast address are mapped to the low-order 32 bits of the MAC address.
• The solicited-node multicast address is mapped to the Ethernet destination MAC address, which gives the ability to filter at the NIC.
• Although rare, solicited-node multicast addresses may not be unique.
• It is possible to have multiple devices with the same solicited-node multicast address (and the same Ethernet multicast address) if the low-order 24 bits match; the high-order 40 bits of the Interface ID may differ.
• But that is ok... Upper-layer protocols like ICMPv6 contain the target address (coming).
  PCA Global Unicast 2001:DB8:CAFE:1:AAAA::200 → FF02::1:FF00:200
  PCB Global Unicast 2001:DB8:CAFE:1:BBBB::200 → FF02::1:FF00:200
  2001:0DB8:CAFE | 0001 | AAAA:0000:00 | 00:0200
  2001:0DB8:CAFE | 0001 | BBBB:0000:00 | 00:0200   (the low-order 24 bits are the same for both)
• So, why are solicited-node multicasts better than broadcasts?
• Multicasts can be mapped to MAC addresses, and Ethernet NICs (hardware or drivers) can filter these frames.
• Why is that a good thing?
PC2’s addresses:
  Global Unicast 2001:DB8:CAFE:1::200 → FF02::1:FF00:200 → 33-33-FF-00-02-00
  Link-local FE80::1111:2222:3333:4444 → FF02::1:FF33:4444 → 33-33-FF-33-44-44
Advantages of Multicast
Ethernet Broadcast
• Destination MAC Address: Broadcast
• Data must be passed to the upper layer for processing.
IPv4 or IPv6 Multicast (IGMP/MLD Snooping)
• IP multicast packets can be filtered by the switch, only sending packets to members of that group
  • IPv4 – IGMP (Internet Group Management Protocol)
  • IPv6 – MLD (Multicast Listener Discovery)
• However, solicited-node multicasts are forwarded out all ports because of the potentially huge forwarding tables needed to store these addresses. (For now.) But wait….
Solicited-Node Multicasts are mapped to Ethernet!
ARP Requests: Layer 2 broadcasts:
• Ethernet broadcasts are sent to all devices.
• They flood the entire broadcast domain (subnet/VLAN).
• The Ethernet NIC must process the frame.
• Any filtering is done by a higher-layer protocol such as ARP (on the Target IPv4 Address).
Solicited-Node Multicasts: Layer 2 and Layer 3 multicasts:
• Although solicited-node multicasts are forwarded out all ports by the switch, ….
• Layer 2 multicast allows frames to be filtered by the NIC without sending data to an upper-layer protocol for inspection.
• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from the:
  • Solicited-node multicast (global unicast address)
  • Solicited-node multicast (link-local address)
  • Any assigned multicast address such as All-IPv6-Devices.
PC2 processes the following IPv6 and Ethernet MAC addresses*:
  Ethernet NIC (unicast): IPv6 N/A, solicited-node N/A, MAC 00-1B-24-04-A2-1E
  Global Unicast 2001:DB8:CAFE:1::200, solicited-node FF02::1:FF00:200, MAC 33-33-FF-00-02-00
  Link-local FE80::1111:2222:3333:4444, solicited-node FF02::1:FF33:4444, MAC 33-33-FF-33-44-44
  Multicast (All-IPv6-Devices) FF02::1, solicited-node N/A, MAC 33-33-00-00-00-01
* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.
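An added example (not from the slides) that works through the last several slides in code: it derives the solicited-node multicast address and its Ethernet MAC mapping for the PC2 addresses shown, builds the set of destination MACs PC2's NIC accepts (and shows that the all-routers MAC is only accepted once a device is an IPv6 router), and demonstrates why the PCA/PCB collision is harmless, since the NS Target field rather than the MAC filter decides who answers. Python standard library only; the helper names are this example's own.

```python
"""Solicited-node multicast addresses, their Ethernet mapping, and the NIC filter."""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))   # FF02::1:FF00:0/104
ALL_NODES, ALL_ROUTERS = "ff02::1", "ff02::2"


def solicited_node(addr):
    """FF02::1:FF00:0/104 + low-order 24 bits of a unicast/anycast address (RFC 4291)."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        raise ValueError("solicited-node groups are derived from unicast/anycast addresses only")
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(a) & 0xFFFFFF))


def multicast_mac(addr):
    """33-33 + low-order 32 bits of an IPv6 multicast address (RFC 7042)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("%s is not a multicast address" % addr)
    return "33-33-" + "-".join("%02X" % b for b in a.packed[-4:])


def nic_accept_set(own_mac, unicast_addrs, is_router=False):
    """Destination MACs a NIC passes up the stack: its own unicast MAC, all-nodes,
    one solicited-node group per unicast address, and all-routers only if the
    device is an IPv6 router (which is why a host ignores 33-33-00-00-00-02)."""
    groups = {ALL_NODES} | {str(solicited_node(a)) for a in unicast_addrs}
    if is_router:
        groups.add(ALL_ROUTERS)
    return {own_mac.upper().replace(":", "-")} | {multicast_mac(g) for g in groups}


def ns_is_for_me(target, unicast_addrs):
    """Two hosts may share a solicited-node group (same low-order 24 bits), so the
    NS passes both NIC filters; the Target field decides who replies with an NA."""
    mine = {ipaddress.IPv6Address(a) for a in unicast_addrs}
    return ipaddress.IPv6Address(target) in mine


def solicited_node_collisions(addrs):
    """Group addresses by solicited-node address; return only the groups shared by >1 address."""
    by_group = {}
    for a in addrs:
        by_group.setdefault(str(solicited_node(a)), []).append(a)
    return {g: members for g, members in by_group.items() if len(members) > 1}


# PC2 from the slides: addresses and MAC taken from the slide tables.
PC2_MAC = "00-1B-24-04-A2-1E"
PC2_ADDRS = ["2001:DB8:CAFE:1::200", "FE80::1111:2222:3333:4444"]

if __name__ == "__main__":
    for a in PC2_ADDRS:
        sn = solicited_node(a)
        print("%-28s -> %-20s -> %s" % (a, sn, multicast_mac(sn)))
    print("PC2 accepts:", sorted(nic_accept_set(PC2_MAC, PC2_ADDRS)))
    print("PCA/PCB collision:", solicited_node_collisions(
        ["2001:DB8:CAFE:1:AAAA::200", "2001:DB8:CAFE:1:BBBB::200"]))
```

The accept set is exactly the table on the slide, and the collision function shows the flip side of NIC filtering: the filter is coarse (24 bits of address), so every receiver that passes a frame up must still compare the Target field against its own addresses before answering.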
Back to Address Resolution (ARP in IPv4)
Topology: R1 (ipv6 unicast-routing) on 2001:0DB8:CAFE:0001::/64; PC1 2001:DB8:CAFE:1::100/64, MAC 00-21-9B-D9-C6-44; PC2 2001:DB8:CAFE:1::200/64, solicited-node multicast FF02::1:FF00:200, MAC 00-1B-24-04-A2-1E.
PC1> ping 2001:DB8:CAFE:1::200
1. PC1 checks its Neighbor Cache for 2001:DB8:CAFE:1::200 (empty until step 5).
2. PC1 needs the MAC address of PC2.
3. PC1 sends a Neighbor Solicitation (ICMPv6 over IPv6 over Ethernet) to PC2’s solicited-node multicast address.
4. PC2 replies with a Neighbor Advertisement.
5. PC1 adds the entry to its Neighbor Cache and sends the ping.
Neighbor Solicitation from PC1 (ARP Request)
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:ff:00:02:00
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2001:db8:cafe:1::100
    Destination: ff02::1:ff00:200
Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0xbbab [correct]
    Reserved: 0 (Should always be zero)
    Target: 2001:db8:cafe:1::200
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: 00:21:9b:d9:c6:44
Notes:
• Destination MAC 33:33:ff:00:02:00: the mapped multicast address for PC2.
• Source: the global unicast address of PC1. Destination: the solicited-node multicast address of PC2.
• Next header 0x3a: an ICMPv6 header follows.
• Target: the IPv6 address whose MAC address is needed. If two devices share the same solicited-node address, the target address resolves the ambiguity.
• Source link-layer address: the MAC address of the sender, PC1, for the target’s Neighbor Cache.
Neighbor Advertisement from PC2 (ARP Reply)
Ethernet II, Src: 00:1b:24:04:a2:1e, Dst: 00:21:9b:d9:c6:44
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2001:db8:cafe:1::200
    Destination: 2001:db8:cafe:1::100
Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x1b4d [correct]
    Flags: 0x60000000
    Target: 2001:db8:cafe:1::200
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: 00:1b:24:04:a2:1e
Notes:
• The reply is unicast: the destination MAC 00:21:9b:d9:c6:44 and the destination IPv6 address are PC1’s, learned from the previous Neighbor Solicitation.
• Source: the global unicast address of PC2. Next header 0x3a: an ICMPv6 header follows.
• Flags 0x60000000: the Solicited (S) and Override (O) bits are set and the Router (R) bit is clear, so this answers a solicitation and PC2 is not a router.
• Target: the IPv6 address of the sender, PC2 (the address asked for in the Neighbor Solicitation).
• Target link-layer address: the MAC address of the sender, PC2.
Multicast Groups of a Router
R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FE75:C3E0
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1               All-IPv6 devices on this link
    FF02::2               All-IPv6 routers on this link: IPv6 routing enabled
    FF02::1:FF00:1        Solicited-node multicast address of the global unicast address
    FF02::1:FF75:C3E0     Solicited-node multicast address of the link-local address
  <output omitted for brevity>
• The router is a member of these multicast groups.
• FF02: the “2” means link-local scope.
Duplicate Address Detection (DAD)
• Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
• A device sends a Neighbor Solicitation for its own unicast address (static or dynamic); for PC2 that is its global unicast address 2001:DB8:CAFE:1::200 and its link-local address FE80::1111:2222:3333:4444. Hopefully no Neighbor Advertisement comes back.
• After a period of time, if no NA is received, the address is deemed unique.
• RFC 4862 still requires DAD before a unicast address is assigned to an interface (it can be turned off only by setting DupAddrDetectTransmits to 0, and it is never run on anycast addresses). What was relaxed: once the link-local address built from an interface ID has passed DAD, other addresses built from the same 64-bit Interface ID only SHOULD be tested individually.
Neighbor Cache (IPv4 ARP Cache)
• Neighbor Cache: maps IPv6 addresses to Ethernet MAC addresses
• Similar to the ARP Cache for IPv4
• 5 states (2 noticeable and 3 transitory):
  • Reachable: packets have recently been received providing confirmation that this device is reachable.
  • Stale: a certain time period has elapsed since a packet has been received from this address.
  • Transitory states: INCOMPLETE, DELAY, PROBE
PC1’s Neighbor Cache after receiving a Neighbor Advertisement (IPv6 2001:DB8:ACAD:1::10, MAC 0021.9bd9.c644):
  IPv6 Address            MAC Address
  2001:DB8:ACAD:1::10     0021.9bd9.c644
R1# show ipv6 neighbors
IPv6 Address                 Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1     16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10           16 0021.9bd9.c644  STALE Fa0/0
R1# ping 2001:db8:acad:1::10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1# show ipv6 neighbors
IPv6 Address                 Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1     16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10            0 0021.9bd9.c644  REACH Fa0/0
R1#
The echo replies confirm reachability, so the entry for the ping target goes from STALE to REACH and its Age resets to 0.
Viewing the Neighbor Cache on hosts: Windows: netsh interface ipv6 show neighbors; Linux: ip -6 neigh show; macOS: ndp -an
Neighbor Cache (“ARP Cache”): Neighbor Cache FSM
• Neighbor Solicitation (NS) = ARP Request
• Neighbor Advertisement (NA) = ARP Reply
States and transitions:
• No entry exists → INCOMPLETE: a packet is sent to a new neighbor and a Neighbor Solicitation (NS) is sent. 3 NS sent with no NA returned → entry deleted.
• INCOMPLETE → REACHABLE: NA received.
• REACHABLE → STALE: Reachable Time exceeded (timeout), or an unsolicited NA is received. STALE: no action required; resolution is needed again before the next use.
• STALE → DELAY: a packet is sent to the neighbor (resolution pending); wait 5 seconds for an upper-layer confirmation such as a packet returned.
• DELAY → REACHABLE: a packet is returned.
• DELAY → PROBE: nothing returned within 5 seconds; a unicast NS is sent (re-resolution in progress).
• PROBE → REACHABLE: NS sent and NA received.
• PROBE → entry deleted: 3 NS sent with no NA returned.
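The FSM on this slide as an added Python example (not code from the slides): a neighbor cache driven by a simulated clock that follows the RFC 4861 section 7.3 transitions with the RFC 4861 default timers (ReachableTime base 30 s, DELAY_FIRST_PROBE_TIME 5 s, RetransTimer 1 s, three solicitations before giving up). The address and MAC reuse the show ipv6 neighbors output above; the class and method names are this example's own.

```python
"""Neighbor cache state machine (RFC 4861 section 7.3) driven by a simulated clock."""
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"
REACHABLE_TIME = 30.0           # RFC 4861 default ReachableTime base value, seconds
DELAY_FIRST_PROBE_TIME = 5.0    # the "5 sec" on the slide
RETRANS_TIMER = 1.0
MAX_MULTICAST_SOLICIT = 3       # NS sent while INCOMPLETE before giving up
MAX_UNICAST_SOLICIT = 3         # NS sent while PROBE before the entry is deleted


class NeighborCache:
    def __init__(self):
        self.now = 0.0
        self.entries = {}           # ip -> {"state", "mac", "timer", "probes"}
        self.events = []            # (time, what, ip): NS sends and deletions

    def state(self, ip):
        return self.entries[ip]["state"] if ip in self.entries else None

    def count(self, what, ip):
        return sum(1 for _, w, i in self.events if w == what and i == ip)

    def _emit(self, what, ip):
        self.events.append((self.now, what, ip))

    def send_packet(self, ip):
        """Upper layer sends to ip: resolve a new neighbor, or start NUD on a STALE one."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = {"state": INCOMPLETE, "mac": None,
                                "timer": self.now + RETRANS_TIMER, "probes": 1}
            self._emit("NS multicast", ip)          # to ip's solicited-node group
        elif e["state"] == STALE:
            e["state"], e["timer"] = DELAY, self.now + DELAY_FIRST_PROBE_TIME

    def confirm(self, ip):
        """Upper-layer reachability confirmation, e.g. a TCP ACK came back from ip."""
        e = self.entries.get(ip)
        if e and e["mac"] is not None:
            e["state"], e["timer"] = REACHABLE, self.now + REACHABLE_TIME

    def receive_na(self, ip, mac, solicited=True, override=True):
        """RFC 4861 7.2.5: an NA for an unknown neighbor is ignored; otherwise
        update the MAC and state from the Solicited and Override flags."""
        e = self.entries.get(ip)
        if e is None:
            return
        if e["state"] == INCOMPLETE:
            e["mac"] = mac
            e["state"] = REACHABLE if solicited else STALE
        else:
            changed = mac != e["mac"]
            if changed and not override:            # new MAC but no Override bit
                if e["state"] == REACHABLE:
                    e["state"] = STALE
                return
            e["mac"] = mac
            if solicited:
                e["state"] = REACHABLE
            elif changed:
                e["state"] = STALE
        if e["state"] == REACHABLE:
            e["timer"] = self.now + REACHABLE_TIME
        elif e["state"] == STALE:
            e["timer"] = None

    def advance(self, t):
        """Move the clock to t, running every timer that expires on the way."""
        self.now = t
        while True:
            due = [(ip, e) for ip, e in self.entries.items()
                   if e["timer"] is not None and e["timer"] <= self.now]
            if not due:
                return
            for ip, e in due:
                if e["state"] == REACHABLE:          # ReachableTime ran out
                    e["state"], e["timer"] = STALE, None
                elif e["state"] == DELAY:            # no confirmation in 5 s: probe by unicast NS
                    e["state"], e["probes"], e["timer"] = PROBE, 1, e["timer"] + RETRANS_TIMER
                    self._emit("NS unicast", ip)
                else:                                # INCOMPLETE or PROBE: retransmit or give up
                    limit = MAX_MULTICAST_SOLICIT if e["state"] == INCOMPLETE else MAX_UNICAST_SOLICIT
                    if e["probes"] >= limit:
                        del self.entries[ip]
                        self._emit("deleted", ip)
                    else:
                        e["probes"] += 1
                        e["timer"] += RETRANS_TIMER
                        self._emit("NS multicast" if e["state"] == INCOMPLETE else "NS unicast", ip)


if __name__ == "__main__":
    nc, ip = NeighborCache(), "2001:db8:acad:1::10"
    nc.send_packet(ip)
    nc.receive_na(ip, "0021.9bd9.c644")
    nc.advance(31)                 # REACHABLE -> STALE
    nc.send_packet(ip)             # STALE -> DELAY, then PROBE, then deleted if no NA
    nc.advance(40)
    for when, what, who in nc.events:
        print("t=%5.1f %-12s %s  (state now: %s)" % (when, what, who, nc.state(who)))
```

Two details are worth noticing against the slide: an NA for an address that is not already in the cache does nothing, so a neighbor cannot populate another node's cache unprompted, and the Override bit governs whether an NA is allowed to change the MAC of an existing entry.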
Overview of IPv6 Security Features: Learning from IPv4
• Much has been learned from IPv4
• Similar features are available for IPv6
• Other features are specific to IPv6
• Overview of features similar to CCNP
• Details and more information… (somewhat dated)
“I’ll wait until I start running IPv6 on my network.”
• Windows Vista or later, Mac OS X and Linux are already running IPv6, even on an “IPv4-only” network
• Potential man-in-the-middle or DoS attack
Rogue RA on an “IPv4-only” network: the dual-stack hosts send an RS (“I need an IPv6 prefix”) and accept whatever RA answers (“Here is an IPv6 prefix and gateway”), whether it comes from the legitimate router R1 or from a rogue device on the link, which then becomes their IPv6 default gateway for traffic they prefer to send over IPv6.
IPv6 RA Guard
• IPv6 Router Advertisement (RA) Guard blocks unwanted or rogue RA messages.
• A switch port in host mode blocks all Router Advertisement and Router Redirect messages.
Example: R1 is attached to Fa0/0 (router role); the hosts are in VLAN 100 (host role). The RA from R1 is forwarded; an RA arriving on a host port is dropped.
Switch(config)# ipv6 nd raguard policy HOST
Switch(config-nd-raguard)# device-role host
Switch(config)# ipv6 nd raguard policy ROUTER
Switch(config-nd-raguard)# device-role router
Switch(config)# vlan configuration 100
Switch(config-vlan-config)# ipv6 nd raguard attach-policy HOST
Switch(config)# interface FastEthernet0/0
Switch(config-if)# ipv6 nd raguard attach-policy ROUTER
DHCPv6 Guard
• DHCPv6 Guard blocks DHCPv6 REPLY and ADVERTISE messages that originate from unauthorized DHCPv6 servers and relay agents.
• Various phases, so check the latest Cisco documentation.
Example: a host sends a DHCPv6 SOLICIT. Both the legitimate DHCPv6 server (reached through R1 on Fa0/0) and a rogue DHCPv6 server send a REPLY; only the REPLY from the authorized server port is forwarded, the rogue’s REPLY is dropped.
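An added Python model (not Cisco's implementation and not code from the slides) of the decision the two guard features make per frame, run over a constructed set of already-decoded frames for the rogue-RA, RA Guard and DHCPv6 Guard slides: RAs and Redirects are only accepted on router-role ports, DHCPv6 ADVERTISE/REPLY only on DHCPv6 server ports. The hop-limit-255 and link-local-source checks are the RFC 4861 receiver validation rules, and the allowed-prefix check mirrors the prefix-list matching an RA Guard policy can also apply; the port names, roles and frames are assumptions made for this example.

```python
"""What RA Guard and DHCPv6 Guard enforce, as a per-frame policy over decoded frames."""
import ipaddress

RA, REDIRECT = 134, 137                 # ICMPv6 types a host-role port must never source
DHCPV6_ADVERTISE, DHCPV6_REPLY = 2, 7   # DHCPv6 server-to-client message types
ND_HOP_LIMIT = 255                      # RFC 4861: ND messages must arrive with hop limit 255


class FirstHopGuard:
    def __init__(self, port_roles, allowed_prefixes=(), dhcp_server_ports=()):
        self.port_roles = dict(port_roles)                 # port -> "host" or "router"
        self.allowed_prefixes = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
        self.dhcp_server_ports = set(dhcp_server_ports)

    def ra_guard(self, port, frame):
        """device-role host: drop every RA/Redirect. device-role router: accept only
        RAs that pass the RFC 4861 validation rules and the allowed prefix list."""
        if frame.get("icmpv6_type") not in (RA, REDIRECT):
            return "permit", "not an RA or Redirect"
        if self.port_roles.get(port, "host") != "router":
            return "drop", "RA/Redirect from host-role port %s" % port
        if frame.get("hop_limit") != ND_HOP_LIMIT:
            return "drop", "hop limit %s, ND requires 255" % frame.get("hop_limit")
        if not ipaddress.IPv6Address(frame["src"]).is_link_local:
            return "drop", "RA source %s is not link-local" % frame["src"]
        for p in frame.get("prefixes", ()):
            net = ipaddress.IPv6Network(p)
            if self.allowed_prefixes and not any(net.subnet_of(a) for a in self.allowed_prefixes):
                return "drop", "advertised prefix %s not allowed" % p
        return "permit", "RA from router-role port %s" % port

    def dhcpv6_guard(self, port, frame):
        """Only ports with the server role may source ADVERTISE or REPLY."""
        if frame.get("dhcpv6_type") not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
            return "permit", "not a DHCPv6 server message"
        if port not in self.dhcp_server_ports:
            return "drop", "DHCPv6 server message from non-server port %s" % port
        return "permit", "DHCPv6 server message from server port %s" % port

    def inspect(self, port, frame):
        for check in (self.ra_guard, self.dhcpv6_guard):
            verdict, reason = check(port, frame)
            if verdict == "drop":
                return verdict, reason
        return "permit", "passed RA Guard and DHCPv6 Guard"


# Constructed sample: Fa0/0 faces R1 and the DHCPv6 server; Fa0/5 and Fa0/7 are host ports in VLAN 100.
GUARD = FirstHopGuard(port_roles={"Fa0/0": "router", "Fa0/5": "host", "Fa0/7": "host"},
                      allowed_prefixes=["2001:db8:cafe::/48"], dhcp_server_ports=["Fa0/0"])
SAMPLE = [
    ("Fa0/0", {"icmpv6_type": RA, "src": "fe80::1", "hop_limit": 255, "prefixes": ["2001:db8:cafe:1::/64"]}),
    ("Fa0/5", {"icmpv6_type": RA, "src": "fe80::bad", "hop_limit": 255, "prefixes": ["2001:db8:cafe:1::/64"]}),
    ("Fa0/0", {"icmpv6_type": RA, "src": "fe80::1", "hop_limit": 64, "prefixes": ["2001:db8:cafe:1::/64"]}),
    ("Fa0/0", {"icmpv6_type": RA, "src": "fe80::1", "hop_limit": 255, "prefixes": ["2001:db8:dead:1::/64"]}),
    ("Fa0/5", {"icmpv6_type": 135, "src": "2001:db8:cafe:1::100", "hop_limit": 255}),
    ("Fa0/7", {"dhcpv6_type": DHCPV6_REPLY, "src": "fe80::7"}),
    ("Fa0/0", {"dhcpv6_type": DHCPV6_REPLY, "src": "fe80::1"}),
]


def run(guard=GUARD, frames=SAMPLE):
    """Return one verdict per frame, in order."""
    return [guard.inspect(port, frame)[0] for port, frame in frames]


if __name__ == "__main__":
    for (port, frame), verdict in zip(SAMPLE, run()):
        print("%-6s %-6s %s" % (port, verdict, GUARD.inspect(port, frame)[1]))
```

Note that Neighbor Solicitations from a host port are untouched: RA Guard is about who may claim to be a router, not about address resolution, which is why the slide pairs it with DHCPv6 Guard rather than with a blanket ICMPv6 filter.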
Neighbor Cache Exhaustion Attack and Mitigation
Example: the router’s LAN is 2001:db8::/64. An attacker sends packets to 2001:db8::1, 2001:db8::2, 2001:db8::3, … whether or not those hosts exist. For each destination the router creates an INCOMPLETE neighbor cache entry and sends Neighbor Solicitations (NS: 2001:db8::1, NS: 2001:db8::2, NS: 2001:db8::3, …, each retransmitted several times).
• Aggressive scanning of potentially billions and billions of bogus destinations, each producing Neighbor Solicitations and cache entries, can cause router and switch CPU/memory failures.
• Can cause a local router DoS attack.
Attacker: “I will send billions of packets to your network, forcing you to send out and cache billions of Neighbor Solicitation messages.”
Neighbor Cache Exhaustion Attack and Mitigation
• Built-in rate limiter with options to tune it
  • Since 15.1(3)T: ipv6 nd cache interface-limit
  • Priority given to refreshing existing entries vs. discovering new ones (RFC 6583)
  • Other related features can be used, such as Destination Guard
• Use a /127 on point-to-point links (RFC 6164)
  • Reserve a /64 for easier management (a /48 gives you 65,536 /64 subnets!)
• Internet edge/presence:
  • Ingress ACL permitting traffic to specific IPv6 addresses only (within your stateful DHCPv6 range)
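An added Python simulation (not from the slides) of the attack above and the interface-limit mitigation: a scan of a /64 creates one INCOMPLETE entry and one Neighbor Solicitation per bogus destination until a cap is reached, after which existing entries are still served (the RFC 6583 priority) but new resolutions are refused. The prefix, the single live host and the cap of 100 are constructed inputs; the class is this example's own model, not IOS behaviour, and the last function only quantifies why a /127 shrinks the scan space a router has to resolve on a point-to-point link.

```python
"""Neighbor cache exhaustion: scanning an unused /64 versus a per-interface cache limit."""
import ipaddress


class RouterInterface:
    """LAN-facing side of a router that must resolve every on-link destination it forwards to."""

    def __init__(self, prefix, live_hosts, cache_limit=None):
        self.net = ipaddress.IPv6Network(prefix)
        self.live = {ipaddress.IPv6Address(h) for h in live_hosts}   # hosts that answer NS
        self.limit = cache_limit          # None: unbounded, like a router without interface-limit
        self.cache = {}                   # ip -> "INCOMPLETE" or "REACHABLE"
        self.ns_sent = 0
        self.refused = 0

    def incomplete(self):
        return sum(1 for s in self.cache.values() if s == "INCOMPLETE")

    def forward(self, dst):
        """A packet from the Internet arrives for dst; return what the router does with it."""
        a = ipaddress.IPv6Address(dst)
        if a not in self.net:
            return "routed elsewhere"
        if a in self.cache:
            # Existing entries are served before any new discovery (RFC 6583 priority).
            return "delivered" if self.cache[a] == "REACHABLE" else "queued"
        if self.limit is not None and self.incomplete() >= self.limit:
            self.refused += 1             # cap reached: no new INCOMPLETE entry and no NS
            return "refused: interface limit"
        self.ns_sent += 1                 # multicast NS to dst's solicited-node group
        if a in self.live:
            self.cache[a] = "REACHABLE"   # a real host answers with an NA
            return "delivered"
        self.cache[a] = "INCOMPLETE"      # nobody answers; the entry lingers until it times out
        return "queued"


def scan(router, count, start=1):
    """The attacker from the slide: packets to prefix::1, ::2, ... up to count addresses."""
    base = int(router.net.network_address)
    return [router.forward(str(ipaddress.IPv6Address(base + i))) for i in range(start, start + count)]


def scan_space(prefix):
    """How many on-link destinations an attacker can make a router solicit for."""
    return ipaddress.IPv6Network(prefix).num_addresses


if __name__ == "__main__":
    for limit in (None, 100):
        r = RouterInterface("2001:db8::/64", ["2001:db8::10"], cache_limit=limit)
        scan(r, 1000)
        print("limit=%s: %d INCOMPLETE entries, %d NS sent, %d packets refused"
              % (limit, r.incomplete(), r.ns_sent, r.refused))
    print("/64 scan space: %d addresses; /127 point-to-point link: %d"
          % (scan_space("2001:db8::/64"), scan_space("2001:db8:cafe:f001::/127")))
```

The simulation also shows the cost of the mitigation: once the cap is full, a genuinely new host on the LAN is refused as well until the bogus INCOMPLETE entries age out, which is why the slide pairs the limit with ingress ACLs that only admit traffic to addresses you actually assign.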
/127 on Point-to-Point Links
• Reserve an entire /64 for each point-to-point link, but only use two of the addresses. This makes your addressing plan easier.
• Configure each interface as a /127: an “even and even+1” combination.
• A /127 gives you two addresses. IPv6 lets you use the all-0s and all-1s addresses!
• Recommendation: don’t use the first two addresses ::0 and ::1, so as not to confuse the first address with the network address (both are “::”).
Example: R1 and R2 on 2001:DB8:CAFE:F001::/127, with 2001:DB8:CAFE:F001::/64 reserved for the link.
Using ::0 and ::1:
R1(config)# interface serial 0/0/0
R1(config-if)# ipv6 address 2001:db8:cafe:f001::/127
R2(config)# interface serial 0/0/0
R2(config-if)# ipv6 address 2001:db8:cafe:f001::1/127
Following the recommendation (skip ::0 and ::1):
R1(config)# interface serial 0/0/0
R1(config-if)# ipv6 address 2001:db8:cafe:f001::a/127
R2(config)# interface serial 0/0/0
R2(config-if)# ipv6 address 2001:db8:cafe:f001::b/127
And much more!
• The IPv6 Snooping and FHS feature provides security and scalability by bundling several Layer 2 IPv6 first-hop security (FHS) features, including:
  • IPv6 neighbor discovery inspection
  • IPv6 device tracking
  • IPv6 address glean
  • IPv6 binding table recovery
• Secure Neighbor Discovery (SeND, RFC 3971) is a protocol that enhances NDP with three additional capabilities:
  • Address ownership proof, based upon Cryptographically Generated Addresses (CGAs)
  • Message protection
  • Router authorization
  • Note: not implemented in Windows Vista, 2008 and 7, Mac OS X, iOS or Android; crypto means slower…
• Other GOOD NEWS:
  • Private VLANs work with IPv6
  • Port security works with IPv6
  • IEEE 802.1X works with IPv6
What we covered…
• Getting IPv6: PA versus PI Address Space
• Using IPv6: Happy Eyeballs
• ICMPv6
  • Dynamic Address Allocation
  • RS and RA Message details
  • Ethernet Multicast Addresses for IPv6
  • Address Resolution
    • Comparison with ARP
    • Solicited Node Multicast
    • NS and NA Message details
    • Neighbor Cache details
• Securing IPv6
  • RA Guard
  • DHCPv6 Guard
  • Neighbor Cache Exhaustion Mitigation
  • /127 for point-to-point addresses
  • Other stuff for IPv6 security
Web Site, Book, Etc.
• Rick Graziani - [email protected]
• PowerPoints for CCNA, CCNP, IPv6: www.cabrillo.edu/~rgraziani (Username = cisco, Password = perlman)
Shameless plug!
Quality time with my two nieces…
And…… Thank you very much!
Rick Graziani - [email protected]
www.cabrillo.edu/~rgraziani (Username = cisco, Password = perlman)