Saturday, April 26, 2014

IPv6 security – IPv6 First Hop Security - IPv6 RA Guard – part two.

In my last post I described ICMPv6 messages and one of them was Router Advertisement (RA). Today I would like to implement RA Guard feature.

Router Advertisement (RA) – ICMPv6 – type 134 - the message can be sent as a response on the Router Solicitation, and as unsolicited RA. The source address is local link address for example: fe80::2 and the destination is a multicast ff02::1, which represents “All Nodes Address”.

On Cisco switches we can apply policy which permits or drops this kind of packets. We have following options:
  • Policy type ‘host’ – RA messages are blocked by default
  • Policy type ‘router’ – with this type you can apply additional parameters like prefix control and ACL
  • Policy type ‘trusted port’- with this setting all RA messages are allowed
Let’s configure them and check how they behave.


                   Gi1/0/1   Gi1/0/2           
          /----\      \  ----- /       /----\ 
         |  R4  |-------| sw3 |-------|  R5  |
          \----/         -----         \----/ 
                           |\      
                           | Gi1/0/3        
                        /----\   
                       |  R6  |
                        \----/

R4 interface:

R4#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:4AFF:FE60:ED80 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::4, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:4
    FF02::1:FF60:ED80
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R4#

Confirmation that R4 sends ND messages:

R4#
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
R4#
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF60:ED80
IPv6-Addrmgr-ND: DAD: FE80::21E:4AFF:FE60:ED80 is unique.
ICMPv6-ND: Sending NA for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::21E:4AFF:FE60:ED80
ICMPv6-ND: Request to send RA for FE80::21E:4AFF:FE60:ED80
ICMPv6-ND: Sending RA from FE80::21E:4AFF:FE60:ED80 to FF02::1 on FastEthernet0/0
R4#
ICMPv6-ND:     MTU = 1500
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::21E:4AFF:FE60:ED80, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:4
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::21E:4AFF:FE60:ED80, Dst=FF02::1
IPv6-Addrmgr-ND: DAD: 2001:1:1::4 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::4, Dst=FF02::1
R4#

Now I apply policy on the switch port where R4 is attached. The port will be the trusted port what means it will pass all ND messages:

SW3:
!

ipv6 nd raguard policy POLICY-R4
 trusted-port
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R4
 spanning-tree portfast
end
!

On the switch we check snooping messages:

SW3#sh ipv6 snooping messages  | i Gi1/0/1
 [02:18:10] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:18:26] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:18:42] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:21:45] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:24:46] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:27:47] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:30:28] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:33:19] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:36:04] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:38:43] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:41:58] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:45:09] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
SW3#

policies:

SW3#sh ipv6 snooping policies 
Target               Type  Policy               Feature        Target range
Gi1/0/1              PORT  POLICY-R4            RA guard       vlan all
SW3#

and counters:

SW3#sh ipv6 snooping counters interface gig1/0/1
Received messages on Gi1/0/1:
Protocol        Protocol message
NDP             RA[17] 
DHCPv6          

Bridged messages from Gi1/0/1:
Protocol        Protocol message
NDP             RA[17] 
DHCPv6          

Dropped messages on Gi1/0/1:
Feature         Protocol Msg [Total dropped]
SW3#

As we see the ‘trusted-port’ setting pass all RAs (17pkt).
Now, on R5 I set ‘host’ type.

R5 interface:

R5#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::213:19FF:FE37:4DF0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::5, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:5
    FF02::1:FF37:4DF0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R5#

Confirmation that R5 sends ND messages:

R5#
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF37:4DF0
IPv6-Addrmgr-ND: DAD: FE80::213:19FF:FE37:4DF0 is unique.
ICMPv6-ND: Sending NA for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::213:19FF:FE37:4DF0 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::213:19FF:FE37:4DF0
ICMPv6-ND: Request to send RA for FE80::213:19FF:FE37:4DF0
ICMPv6-ND: Sending RA from FE80::213:19FF:FE37:4DF0 to FF02::1 on FastEthernet0/0
ICMPv6-ND:     MTU = 1500
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::213:19FF:FE37:4DF0, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:5
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::213:19FF:FE37:4DF0, Dst=FF02::1
R5#
IPv6-Addrmgr-ND: DAD: 2001:1:1::5 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::5, Dst=FF02::1
R5#

Configuration of switch port belongs to R5:

SW3:

!
ipv6 nd raguard policy POLICY-R5
 device-role host
!
!
interface GigabitEthernet1/0/2
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R5
 spanning-tree portfast
end
!

In the below output we can see RA packets are dropped due to port settings:

SW3#sh ipv6 snooping messages  | i Gi1/0/2
 [02:29:30] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:32:42] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:35:28] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:38:10] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:40:50] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:43:36] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:46:38] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
SW3# 

Snooping policy applied on the R5’s switch port:

SW3#sh ipv6 snooping policies interface Gig1/0/2
Target               Type  Policy               Feature        Target range
Gi1/0/2              PORT  POLICY-R5            RA guard       vlan all
SW3#

We can monitors counters to learn how many messages are dropped:

SW3#sh ipv6 snooping counters interface Gig1/0/2
Received messages on Gi1/0/2:
Protocol        Protocol message
NDP             RA[8] 
DHCPv6          

Bridged messages from Gi1/0/2:
Protocol        Protocol message
NDP             
DHCPv6          

Dropped messages on Gi1/0/2:
Feature         Protocol Msg [Total dropped]
RA guard        NDP      RA  [8]
                reason:  Message unauthorized on port [8]

SW3#

If the port is set as a host (default), all RA messages are blocked.
Now I will test ‘router’ type and some additional policies.

R6 interface:

R6#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::219:AAFF:FE00:B298 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::6, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:6
    FF02::1:FF00:B298
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R6#

Confirmation that R6 sends ND messages:

R6#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R6#
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:B298
IPv6-Addrmgr-ND: DAD: FE80::219:AAFF:FE00:B298 is unique.
ICMPv6-ND: Sending NA for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
ICMPv6: Sent type 58, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::16
IPv6-Addrmgr-ND: DAD request for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::219:AAFF:FE00:B298 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::219:AAFF:FE00:B298
ICMPv6-ND: Request to send RA for FE80::219:AAFF:FE00:B298
ICMPv6-ND: Sending RA from FE80::219:AAFF:FE00:B298 to FF02::1 on FastEthernet0/0
ICMPv6-ND:     MTU = 1500
R6#
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:6
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::1
IPv6-Addrmgr-ND: DAD: 2001:1:1::6 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::6, Dst=FF02::1
R6#

Settings of switch port which belongs to R6:

SW3#sh run all | b POLICY-R6
ipv6 nd raguard policy POLICY-R6
 device-role router
 match ra prefix-list R6-PRF
!
!
interface GigabitEthernet1/0/3
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R6
 spanning-tree portfast
!
ipv6 prefix-list R6-PRF seq 5 permit 2001:1:1::/64
SW3#

We can see snooping messages coming from R6:

SW3#sh ipv6 snooping messages  | i Gi1/0/3
 [02:41:14] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:41:30] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:41:46] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:45:03] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:47:34] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
SW3#

Confirmation the proper policy is applied on the correct interface:

SW3#sh ipv6 snooping policies interface Gig1/0/3
Target               Type  Policy               Feature        Target range
Gi1/0/3              PORT  POLICY-R6            RA guard       vlan all
SW3#

When we check counters we see the ND messages are allowed on SW3:

SW3#sh ipv6 snooping counters interface Gig1/0/3
Received messages on Gi1/0/3:
Protocol        Protocol message
NDP             RA[5] 
DHCPv6          

Bridged messages from Gi1/0/3:
Protocol        Protocol message
NDP             RA[5] 
DHCPv6          

Dropped messages on Gi1/0/3:
Feature         Protocol Msg [Total dropped]
SW3#

Let’s change now the prefix list to match non-existing prefix:

SW3#sh ipv6 prefix-list 
ipv6 prefix-list R6-PRF: 1 entries
   seq 5 permit 2002:1:1::/64
SW3#

and check if R6 is still able to send RAs:

SW3#sh ipv6 snooping counters interface Gig1/0/3
Received messages on Gi1/0/3:
Protocol        Protocol message
NDP             RA[7] 
DHCPv6          

Bridged messages from Gi1/0/3:
Protocol        Protocol message
NDP             RA[6] 
DHCPv6          

Dropped messages on Gi1/0/3:
Feature         Protocol Msg [Total dropped]
RA guard        NDP      RA  [1]
                reason:  Unauthorized prefix in prefix list [1]

SW3#

As we see R6 stopped sending RAs due to unauthorized prefix.
Let’s see what we can learn about the network from the following debug output:

SW3# debug ipv6 snooping raguard     
#
SW3#
SISF[RAG]: Gi1/0/1 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/1 vlan 11 RA received by RA guard on Gi1/0/1 from FE80::21E:4AFF:FE60:ED80
SISF[RAG]: Gi1/0/1 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/1 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/1 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/1 vlan 11 Trusted port

 
SISF[RAG]: Gi1/0/2 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/2 vlan 11 RA received by RA guard on Gi1/0/2 from FE80::213:19FF:FE37:4DF0
SISF[RAG]: Gi1/0/2 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/2 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/2 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/2 vlan 11 !Not a router port: all router messages disallowed
SISF[RAG]: Gi1/0/2 vlan 11 ! DROP ROUTER-ADVERT  src FE80::213:19FF:FE37:4DF0 dst FF02::1 reason = 3

 
SISF[RAG]: Gi1/0/3 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/3 vlan 11 RA received by RA guard on Gi1/0/3 from FE80::219:AAFF:FE00:B298
SISF[RAG]: Gi1/0/3 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/3 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/3 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/3 vlan 11      RA with prefix option 2001:1:1:: len 64
SISF[RAG]: Gi1/0/3 vlan 11 !RA prefix not in prefix-list
SISF[RAG]: Gi1/0/3 vlan 11 ! DROP ROUTER-ADVERT  src FE80::219:AAFF:FE00:B298 dst FF02::1 reason = 5

Let’s change back the prefix list for R6:

SW3#
SISF[RAG]: Gi1/0/3 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/3 vlan 11 RA received by RA guard on Gi1/0/3 from FE80::219:AAFF:FE00:B298
SISF[RAG]: Gi1/0/3 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/3 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/3 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/3 vlan 11      RA with prefix option 2001:1:1:: len 64
SW3#
 
Conclusion: we can easily apply policies to control which device in our network can send ND messages. You have to remember in the default policy the default type is ‘host’ what means all ND packets are dropped. In my next post I will test next security feature.

No comments:

Post a Comment