Monday, April 28, 2014

IPv6 security – IPv6 First Hop Security – Binding Table – part three.

Similar to IPv4, where we can build a binding table of all connected hosts, for IPv6 we can enable the IPv6 Binding Table. The table is populated by ND, by the DHCP registration process, or by static entries.

               Gi1/0/1   Gi1/0/2
      /----\      \   -----   /    /----\
     |  R4  |-------| SW1 |-------|  R5  |
      \----/         -----         \----/
                       |
                       | Gi1/0/3
                    /----\
                   |  R6  |
                    \----/

I enable IPv6 on the routers and apply an ND policy with the port role set to ‘router’ on the SW1 interfaces. R4:

R4#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::223:4FF:FE8E:5E08 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::4, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:4
    FF02::1:FF8E:5E08
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R4#

R5:
 
R5#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FE9E:2B00 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::5, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:5
    FF02::1:FF9E:2B00
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R5#

R6:
 
R6#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FEF4:AEE0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::6, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:6
    FF02::1:FFF4:AEE0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R6#

Let’s ping between all routers and check their neighbor tables:

R4#sh ipv6 neighbors 
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::5                            0 001c.589e.2b00  REACH Fa0/0
2001:10:10:10::6                            0 001c.58f4.aee0  REACH Fa0/0
FE80::21C:58FF:FEF4:AEE0                    0 001c.58f4.aee0  REACH Fa0/0
FE80::21C:58FF:FE9E:2B00                    0 001c.589e.2b00  REACH Fa0/0
R5#sh ipv6 neighbors         
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::4                            3 0023.048e.5e08  STALE Fa0/0
2001:10:10:10::6                            0 001c.58f4.aee0  REACH Fa0/0
FE80::223:4FF:FE8E:5E08                     3 0023.048e.5e08  STALE Fa0/0
R6#sh ipv6 neighbors 
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::5                            0 001c.589e.2b00  STALE Fa0/0
2001:10:10:10::4                            4 0023.048e.5e08  STALE Fa0/0
FE80::223:4FF:FE8E:5E08                     4 0023.048e.5e08  STALE Fa0/0
FE80::21C:58FF:FE9E:2B00                    0 001c.589e.2b00  STALE Fa0/0

Let’s check the binding table on SW1:

SW1#sh ipv6 neighbors binding vlanid 20
vlanDB has 6 entries for vlan 20, 6 dynamic 
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   
    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011  120s  REACHABLE  194 s            
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011  127s  REACHABLE  180 s            
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011  120s  REACHABLE  188 s            
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011  142s  REACHABLE  158 s            
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011  135s  REACHABLE  171 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011  130s  REACHABLE  179 s            

SW1#
SW1#sh ipv6 neighbors binding vlanid 20 details 
vlanDB has 6 entries for vlan 20, 6 dynamic 


 Binding table configuration:
 ----------------------------
 max/box  : 2
 max/vlan : no limit
 max/port : 2
 max/mac  : no limit

 Binding table current counters:
 ------------------------------
 dynamic  : 6
 local    : 0
 total    : 6

 Binding table counters by state:
 ----------------------------------
 STALE      : 6
   total    : 6

Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left        Filter Policy (feature)
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011    8mn STALE      90311 s           no  ROUTER-POLICY (NDP inspection)
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011    5mn STALE      89229 s           no  ROUTER-POLICY (NDP inspection)
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011    5mn STALE      86953 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011    5mn STALE      88042 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011    5mn STALE      88554 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011    9mn STALE      86353 s           no  ROUTER-POLICY (NDP inspection)

SW1#
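To make the prlvl column easier to read, here is an added Python example (not part of the original post and not Cisco code) that parses the entry rows of the show ipv6 neighbors binding output, expands the prlvl bitmask using the legend printed above, and counts dynamic versus static entries per port against the max/port value. The sample input is assembled from the Gi1/0/1 output shown later on this page plus one static row from the later binding-table output; the column layout matched by the regular expression, and the "trusted_origin" label, are assumptions made for this example.

```python
import re

# Legend printed by "show ipv6 neighbors binding" (bit values copied from the output above).
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match",
    0x0002: "Orig trunk",
    0x0004: "Orig access",
    0x0008: "Orig trusted trunk",
    0x0010: "Orig trusted access",
    0x0020: "DHCP assigned",
    0x0040: "Cga authenticated",
    0x0080: "Cert authenticated",
    0x0100: "Statically assigned",
}

# One entry row: code, address, link-layer address, interface, vlan, prlvl, age, state, ...
# (column layout assumed from the outputs on this page)
ENTRY_RE = re.compile(
    r"^(?P<code>L|S|ND|DH|PKT|API)\s+"
    r"(?P<addr>[0-9A-Fa-f:]+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+"
    r"(?P<iface>\S+)\s+(?P<vlan>\d+)\s+(?P<prlvl>[0-9A-Fa-f]{4})\s+"
    r"(?P<age>\S+)\s+(?P<state>[A-Z]+)"
)

# Sample input assembled from the Gi1/0/1 output on this page plus one static row
# taken from the later "show ipv6 neighbors binding" output.
SAMPLE_BINDING_OUTPUT = """\
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90014 s
ND  2001:30:30:30::4                        0023.048E.5E08  Gi1/0/1     20  0011   14s  REACHABLE  290 s
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   60s  REACHABLE  249 s
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   14mn STALE      86055 s
S   2001:10:10:10::20                       0023.048E.5E08  Gi1/0/1     20  0100   32s  REACHABLE  19 s try 0
"""


def decode_prlvl(prlvl_hex):
    """Expand the hex prlvl column into the names of the flag bits that are set."""
    value = int(prlvl_hex, 16)
    return [name for bit, name in sorted(PRLVL_FLAGS.items()) if value & bit]


def parse_binding_table(text):
    """Return one dict per entry row; header, legend and counter lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["vlan"] = int(e["vlan"])
        e["flags"] = decode_prlvl(e["prlvl"])
        # Static (S) and local (L) rows are not counted as dynamic in the outputs above.
        e["dynamic"] = e["code"] not in ("S", "L")
        entries.append(e)
    return entries


def per_port_report(entries, max_per_port):
    """Count dynamic and static entries per interface and flag ports above max/port.

    "trusted_origin" records whether any entry on the port carries one of the
    "Orig trusted ..." flags, as every ND row in the output above does (prlvl 0011).
    """
    report = {}
    for e in entries:
        r = report.setdefault(e["iface"], {"dynamic": 0, "static": 0, "trusted_origin": False})
        r["dynamic" if e["dynamic"] else "static"] += 1
        if any(f.startswith("Orig trusted") for f in e["flags"]):
            r["trusted_origin"] = True
    for r in report.values():
        r["over_limit"] = r["dynamic"] > max_per_port
    return report


if __name__ == "__main__":
    table = parse_binding_table(SAMPLE_BINDING_OUTPUT)
    for e in table:
        print(f"{e['code']:<3} {e['addr']:<28} {e['iface']:<8} {e['state']:<10} {', '.join(e['flags'])}")
    print(per_port_report(table, max_per_port=2))
```

Running it against the sample prints the decoded flags for each row (0011 expands to "MAC and LLA match, Orig trusted access", 0100 to "Statically assigned") and reports Gi1/0/1 with four dynamic entries, one static entry and over_limit set, which is exactly the "4 dynamic (limit 2)" condition visible in the portDB header.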

Now I add IP addresses on R4. First, the binding table for Gi1/0/1 before the change:
 
SW1#sh ipv6 neighbors binding interface gig1/0/1         
portDB has 2 entries for interface Gi1/0/1, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   10mn STALE      90194 s          
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   11mn STALE      86236 s          

SW1#

We see that we are able to add new IP addresses and the binding table is updated, even beyond the limit of 2 dynamic entries shown for the port:
 
SW1#
Mar 30 02:25:53.281: %SISF-6-ENTRY_CREATED: Entry created A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:53.281: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:54.279: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1# 
 
SW1#sh ipv6 neighbors binding interface gig1/0/1 
portDB has 3 entries for interface Gi1/0/1, 3 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90053 s          
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   20s  REACHABLE  288 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      86095 s          

SW1#
Mar 30 02:26:39.225: %SISF-6-ENTRY_CREATED: Entry created A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:39.225: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:40.232: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1#                                             
SW1# 
 
SW1#sh ipv6 neighbors binding interface gig1/0/1 
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90014 s          
ND  2001:30:30:30::4                        0023.048E.5E08  Gi1/0/1     20  0011   14s  REACHABLE  290 s            
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   60s  REACHABLE  249 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   14mn STALE      86055 s          

SW1#
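The %SISF-6-ENTRY_* messages produced by ipv6 neighbor binding logging can be watched for a port that accumulates more addresses than expected. The following Python example is added here and is not from the original post or from Cisco: it replays a syslog stream, keeps the set of addresses and link-layer addresses bound on each port, and raises an alert once a port holds more addresses than an assumed max/port of 2. The last six sample lines are the ones shown above; the first two are constructed to stand in for the creation of the two entries that already existed, and the max_per_port threshold is a parameter you would set from your own binding-table configuration.

```python
import re
from collections import defaultdict

# %SISF-6-ENTRY_* messages as logged above:
# "Entry created A=<addr> V=<vlan> I=<iface> P=<prlvl> M=<mac>" (M may be empty at first).
SISF_RE = re.compile(r"%SISF-6-(?P<event>ENTRY_[A-Z]+): Entry \w+ (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Sample syslog stream. The last six lines are copied from the output above; the first
# two are constructed to represent the creation of the two entries that already existed.
SAMPLE_SYSLOG = """\
Mar 30 02:10:01.000: %SISF-6-ENTRY_CREATED: Entry created A=FE80::223:4FF:FE8E:5E08 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
Mar 30 02:10:02.000: %SISF-6-ENTRY_CREATED: Entry created A=2001:10:10:10::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
Mar 30 02:25:53.281: %SISF-6-ENTRY_CREATED: Entry created A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:53.281: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:54.279: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
Mar 30 02:26:39.225: %SISF-6-ENTRY_CREATED: Entry created A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:39.225: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:40.232: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
"""


def parse_sisf_line(line):
    """Return (event, fields) for a %SISF-6-ENTRY_* line, or None for any other line."""
    m = SISF_RE.search(line)
    if not m:
        return None
    return m.group("event"), dict(KV_RE.findall(m.group("fields")))


def replay(lines, max_per_port):
    """Replay the syslog stream, keeping the addresses bound on each port.

    An alert is raised the moment a port's address count exceeds max_per_port
    and again for every further address, so the alert list mirrors the growth.
    The MAC is taken from whichever event first carries a non-empty M= field.
    """
    bound = defaultdict(set)   # interface -> set of IPv6 addresses
    macs = defaultdict(set)    # interface -> set of link-layer addresses seen
    alerts = []
    for line in lines.splitlines():
        parsed = parse_sisf_line(line)
        if parsed is None:
            continue
        event, f = parsed
        port, addr = f["I"], f["A"]
        if f.get("M"):
            macs[port].add(f["M"])
        if event == "ENTRY_CREATED":
            bound[port].add(addr)
            if len(bound[port]) > max_per_port:
                alerts.append(
                    f"{port}: {len(bound[port])} addresses bound, "
                    f"max/port is {max_per_port} (new: {addr})"
                )
    return bound, macs, alerts


if __name__ == "__main__":
    bound, macs, alerts = replay(SAMPLE_SYSLOG, max_per_port=2)
    print(dict(bound))
    print(dict(macs))
    for a in alerts:
        print("ALERT", a)
```

On the sample stream the third and fourth ENTRY_CREATED messages each produce an alert for Gi1/0/1, and the MAC set for the port contains the single address 0023.048E.5E08, matching the fact that all four bindings above belong to the same host. The same replay works on a live syslog feed, since nothing in it depends on the sample being complete.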

Now, I remove the ND policy from Gig1/0/1 and enable ND inspection on the interface:

SW1#sh run int gig1/0/1                
Building configuration...

Current configuration : 140 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 ipv6 nd inspection vlan 20
 ipv6 snooping vlan 20
end

SW1#

Let’s create static bindings:
 
SW1#
!
ipv6 neighbor binding reachable-lifetime 50
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2 vlan-limit 2
ipv6 neighbor binding vlan 20 FE80::223:4FF:FE8E:5E08 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor binding vlan 20 2001:10:10:10::20 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor tracking 
!  
 
and check whether the static entries appear:
 
SW1#sh ipv6 neighbors binding 
Binding Table has 6 entries, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
S   FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0100   15s  REACHABLE  36 s             
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011   47s  REACHABLE  4 s try 0        
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011   43mn STALE      88731 s          
S   2001:10:10:10::20                       0023.048E.5E08  Gi1/0/1     20  0100   32s  REACHABLE  19 s try 0       
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011    1s  REACHABLE  50 s try 0       
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011   43mn STALE      86340 s          

Let’s try to add a new IP:
 
R4(config-if)#ipv6 address 2001:10:10:10::14/64

And check what happens when we ping R6 from the new address:
 
SW1#
Mar 30 03:03:16.059: SISF[CLA]: Packet for: 
Mar 30 03:03:16.059: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:16.059: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:16.059: SISF[CLA]:                 feature Snooping
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:16.067: SISF[MEM]: Owner is this process
Mar 30 03:03:16.067: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:16.067: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:16.067: SISF[CLA]: Packet for: 
Mar 30 03:03:16.067: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:16.067: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:16.067: SISF[CLA]:                 feature Snooping
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Parse msg  ND_NEIGHBOR_ADVERT. len 8
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Found 1 options
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20            option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 0 pid 0
Mar 30 03:03:16.067: SISF[POL]: Vlan 20ac check(smac,lla): MATCH for 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source and LLA match
Mar 30 03:03:16.067:  matches vlan list on policy dSISF[PRS]: Gi1/0/1 vlan 20    No RSA option
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 preference level set 5
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 (unsecure)NA without CGA option
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 Unsecure message from untrusted port
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDP Inspection setting sec level to INSPECT
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:16.067: SISF[BT ]:         Max dynamic entries 2 reached
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0efault
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDPI rcv:  ND_NEIGHBOR_ADVERT on Gi1/0/1
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          src 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          dst 2001:10:10:10::6
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          Target: 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20            option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source-m
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:16.067: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:16.067: SISF[MEM]:  6930E18 semaphore system unlocked

Mar 30 03:03:17.166: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:17.166: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:17.166: SISF[MEM]:  6930E18 semaphore system unlocked

Mar 30 03:03:19.431: SISF[CLA]: Packet for: 
Mar 30 03:03:19.431: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:19.431: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:19.431: SISF[CLA]:                 feature Snooping
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:19.456: SISF[MEM]: Owner is this process
Mar 30 03:03:19.456: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:19.456: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:19.456: SISF[CLA]: Packet for: 
Mar 30 03:03:19.456: 
Mar 30 03:03:41.569: %SYS-3-MSGLOST: 51 messages lost because of queue overflow
Mar 30 03:03:19.456: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:19.456: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:19.456: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:42.575: %SYS-3-MSGLOST: 202 messages lost because of queue overflowSISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:20.396: SISF[BT ]:         Max dynamic entries 2 reached
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0
Mar 30 03:03:20.396: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:20.396: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:20.396: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:44.589: %SYS-3-MSGLOST: 494 messages lost because of queue overflow
Mar 30 03:03:21.369: SISF[MEM]: Unlocking, count is now 1
Mar 30 03:03:21.369: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:21.369: SISF[SWI]: SVI is Vlan20

As we see, the ping is blocked because the address limit has been exceeded (the debug output reports "Max dynamic entries 2 reached" and drops the neighbor advertisement with reason=14).
 
SW1#show ipv6 snooping counters interface gigabitEthernet1/0/1
Received messages on Gi1/0/1:
Protocol        Protocol message
NDP             NS[14] NA[51] 
DHCPv6          

Bridged messages from Gi1/0/1:
Protocol        Protocol message
NDP             NS[19] NA[3] 
DHCPv6          

Dropped messages on Gi1/0/1:
Feature         Protocol Msg [Total dropped]
NDP inspection  NDP      NS  [5]
                reason:  Address limit per box reached [5]

                         NA  [32]
                reason:  Address limit per box reached [32]

Snooping        NDP      NS  [3]
                reason:  Address limit per box reached [3]

                         NA  [3]
                reason:  Address limit per box reached [3]

SW1#
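To turn the counters above into something a monitoring job can evaluate, here is an added Python example (not part of the original post and not Cisco code) that parses the show ipv6 snooping counters output into received, bridged and dropped counts, aggregates the dropped messages by reason, and computes the share of received messages of a given type that were dropped. The sample input is the Gi1/0/1 output above reproduced verbatim; the regular expressions assume that column layout.

```python
import re
from collections import defaultdict

# Sample input: the "show ipv6 snooping counters interface gigabitEthernet1/0/1"
# output shown above, reproduced as a string.
SAMPLE_COUNTERS = """\
Received messages on Gi1/0/1:
Protocol        Protocol message
NDP             NS[14] NA[51] 
DHCPv6          

Bridged messages from Gi1/0/1:
Protocol        Protocol message
NDP             NS[19] NA[3] 
DHCPv6          

Dropped messages on Gi1/0/1:
Feature         Protocol Msg [Total dropped]
NDP inspection  NDP      NS  [5]
                reason:  Address limit per box reached [5]

                         NA  [32]
                reason:  Address limit per box reached [32]

Snooping        NDP      NS  [3]
                reason:  Address limit per box reached [3]

                         NA  [3]
                reason:  Address limit per box reached [3]
"""

SECTION_RE = re.compile(r"^(Received|Bridged|Dropped) messages (?:on|from) (\S+):")
MSG_COUNT_RE = re.compile(r"(\w+)\[(\d+)\]")                       # "NS[14] NA[51]"
DROP_RE = re.compile(r"^(?P<feature>\S+(?: \S+)*?)\s{2,}(?P<proto>\S+)\s+(?P<msg>\w+)\s+\[(?P<n>\d+)\]")
DROP_CONT_RE = re.compile(r"^\s+(?P<msg>\w+)\s+\[(?P<n>\d+)\]")    # same feature, next msg type
REASON_RE = re.compile(r"reason:\s+(?P<reason>.+?)\s+\[(?P<n>\d+)\]")


def parse_snooping_counters(text):
    """Parse the three sections into a dict; dropped entries keep their per-reason counts."""
    counters = {"interface": None, "received": {}, "bridged": {}, "dropped": []}
    section = None
    current = None  # last drop record, for continuation and reason lines
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            counters["interface"] = m.group(2)
            continue
        if section in ("received", "bridged"):
            counts = MSG_COUNT_RE.findall(line)
            if counts:  # header and empty DHCPv6 lines carry no "[n]" counters
                counters[section][line.split()[0]] = {msg: int(n) for msg, n in counts}
        elif section == "dropped":
            m = REASON_RE.search(line)
            if m and current is not None:
                current["reasons"][m.group("reason")] = int(m.group("n"))
                continue
            m = DROP_RE.match(line)
            if m:
                current = {"feature": m.group("feature"), "protocol": m.group("proto"),
                           "msg": m.group("msg"), "total": int(m.group("n")), "reasons": {}}
                counters["dropped"].append(current)
                continue
            m = DROP_CONT_RE.match(line)
            if m and current is not None:
                current = {**current, "msg": m.group("msg"), "total": int(m.group("n")), "reasons": {}}
                counters["dropped"].append(current)
    return counters


def drops_by_reason(counters):
    """Sum dropped messages across all features and message types, keyed by reason."""
    totals = defaultdict(int)
    for d in counters["dropped"]:
        for reason, n in d["reasons"].items():
            totals[reason] += n
    return dict(totals)


def drop_ratio(counters, proto, msg):
    """Fraction of received <proto> <msg> messages that some feature dropped (0.0 if none received)."""
    received = counters["received"].get(proto, {}).get(msg, 0)
    dropped = sum(d["total"] for d in counters["dropped"]
                  if d["protocol"] == proto and d["msg"] == msg)
    return dropped / received if received else 0.0


if __name__ == "__main__":
    c = parse_snooping_counters(SAMPLE_COUNTERS)
    print(c["interface"], "received:", c["received"], "bridged:", c["bridged"])
    print("drops by reason:", drops_by_reason(c))
    print("NA drop ratio:", round(drop_ratio(c, "NDP", "NA"), 2))
```

For the output above this yields 43 messages dropped for "Address limit per box reached" (5 + 32 by NDP inspection, 3 + 3 by Snooping) and a neighbor-advertisement drop ratio of 35/51, which is the kind of figure worth alerting on when a port that should carry a fixed set of addresses suddenly starts hitting the limit.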

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ip6-15-2s-book/ip6-ra-guard.html#GUID-2EB7C149-6FF0-418F-9A68-6097DF61B03C
