Published by Steven Boyd, modified over 9 years ago.
1
1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Regional Cisco Networking Academy Conference 2014 Giving you the knowledge and confidence to teach IPv6 Getting and using IPv6 ICMPv6: A Closer Look Securing IPv6 Rick Graziani CS/CIS Instructor Cabrillo College
2
2 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Rick Graziani - graziani@cabrillo.edugraziani@cabrillo.edu CS/CIS instructor at Cabrillo College, Santa Cruz, California Cisco Networking Academy instructor since 1997 Run native IPv6 at Cabrillo College and home Curriculum Development Team for Cisco Networking Academy When not working, hopefully I’m surfing.
3
3 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada CCNA IPv6 Basics Routing IPv6 ICMPv6 ND CCNP ROUTE SWITCH TSHOOT Address allocation (DHCP) Address resolution (ARP) Solicited Node Multicast Mitigating attacks
4
4 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Getting and Using IPv6: Getting IPv6: PA versus PI Address Space Using IPv6: Happy Eyeballs ICMPv6 Dynamic Address Allocation RS and RA Message details Ethernet Multicast Addresses for IPv6 Address Resolution Comparison with ARP Solicited Node Multicast NS and NA Message details Neighbor Cache details Securing IPv6 RA Guard DHCPv6 Guard Neighbor Cache Exhaustion Mitigation /127 for point-to-point addresses Other stuff for IPv6 security Tomorrow: Flavors of DHCPv6 SLAAC – IPv6 Addressing without DHCPv6 Stateless DHCPv6 – I have my address but need some other stuff Stateful DHCPv6 – Just like DHCPv4 (only different) DHCPv6-PD (Prefix Delegation) – IPv6 Prefix for the “home”
5
5 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada PI and PA
6
6 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Interface IDSubnet ID Global Routing Prefix /48/64/32 /23 *RIR *ISP Prefix *Site Prefix Subnet Prefix * This is a minimum allocation. The prefix-length may be less if it can be justified. /56 Possible Home Site Prefix Comcast is giving me a /64 at home
7
7 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Provider Aggregatable (PA) Address Space - Address space that is typically assigned by an ISP to a customer. Change provider, must get new address space Customer must do prefix renumbering (Helpful IETF RFCs) Provider Independent (PI) Address Space – Address space that is assigned by the RIR. Remains assigned to the customer regardless of provider No prefix renumbering needed if change providers Subnet s Interface ID /48/32 Global Routing Prefix https://www.arin.net/fees/fee_schedule.html
8
8 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Provider Aggregatable (PA) Address Space (/48) PA if you are single homed Provider Independent (PI) Address Space (/32) Great for organizations who want to multihome to different ISPs Check with the upstream ISP whether they will route it or not Especially when the PI prefix is not local in the region (ARIN, APNIC, …) – can have asymmetric routing issues ftp://ftp.ripe.net/ripe/docs/ripe-127.txt http://blog.ipspace.net/2014/01/pa-pi- or-ula-ipv6-address-space-it.htmlhttp://blog.ipspace.net/2014/01/pa-pi- or-ula-ipv6-address-space-it.html ISP-B CPE ISP-A US Europe Static IGP BGP Static
9
9 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Happy Eyeballs
10
10 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada
11
11 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada The dual-stack code may get two addresses back from DNS… Which one does it use? In order to use applications over IPv6, it is necessary that users enjoy nearly identical performance as compared to IPv4. IPv4 IPv6
12
12 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada www.facebook.com Query A record? www.facebook.com Query A record? www.facebook.com Query AAAA record? www.facebook.com Query AAAA record? www.facebook.com Connect to: 31.13.77.65 Connect to: 31.13.77.65 Connect to: 2a03:2880:f016:401:face:b00c:01:1 Connect to: 2a03:2880:f016:401:face:b00c:01:1 GET HTTP/1.1 www.facebook.com GET HTTP/1.1 www.facebook.com
13
13 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada In reality it depends on how the OS and application wants to handle it. TIME User: “www.example.com” Attempt IPv6 lookup and connect Attempt IPv4 lookup and connect Retrieve and display 300ms First come, first served
14
14 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada
15
15 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ICMPv6
16
16 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Described in RFC 4443 Much more robust than ICMP for IPv4 Contains new functionality and improvements. More than just “messaging” but “how IPv6 conducts business”. General message similar to ICMP for IPv4 Also uses Type and Code fields like in ICMPv 4. IPv6 Next Header Value: 58 decimal or 3A hexadecimal IPv6 Header Next Header 58 ICMPv6 Header ICMPv6 Message Body IPv6 Data
17
17 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ICMPv6 informational messages used by Neighbor Discovery (RFC 4861): Router Solicitation Message Router Advertisement Message Used with dynamic configuration of IPv6 addresses Uses assigned multicast addresses Neighbor Solicitation Message Neighbor Advertisement Message Used with neighbor discovery (IPv4 ARP) Uses solicited node multicast address and assigned multicast Redirect Message (Similar to ICMPv4) Router-Device Messaging Device-Device Messaging
18
18 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada IPv6 Addressing Multicast Unicast Anycast AssignedSolicited Node FF00::/8 FF02::1:FF00:0000/104 ICMPv6 Neighbor Discovery Neighbor Solicitation ICMPv6 Neighbor Discovery Router Solicitation Router Advertisement Dynamically obtaining an IPv6 address Address resolution: IPv6 equivalent of ARP
19
19 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ICMPv6: Neighbor Discovery and Address Allocation
20
20 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada DHCP Server
21
21 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada The Router Advertisement (RA) tells hosts how it will receive IPv6 Address Information. Sent periodically by an IPv6 router or… … when the router receives a Router Solicitation message from a host. DHCPv6 Server ICMPv6 Router Advertisement ICMPv6 Router Solicitation To all IPv6 routers: I need IPv6 address information To all IPv6 devices: Let me tell you how to do this … To all IPv6 devices: Let me tell you how to do this … ICMPv6 Neighbor Discovery Router Solicitation Router Advertisement
22
22 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Router Advertisement/Solicitation Messages Part of ICMPv6 (Internet Control Message Protocol for IPv6) Router Advertisements are sent by an “IPv6 router” – ipv6 unicast-routing command Forwards IPv6 Packets Can be enabled for IPv6 static and dynamic routing Sends ICMPv6 Router Advertisements Note: Routers can be configured with IPv6 addresses without being an IPv6 router DHCPv6 Server R1(config)# ipv6 unicast-routing ICMPv6 Router Advertisement
23
23 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada DHCPv6 Server R1(config)# ipv6 unicast-routing Option 1: SLAAC (Default on Cisco routers) “I’m everything you need (Prefix, Prefix-length, Default Gateway)” Option 2: SLAAC + Stateless DHCPv6 for DNS address “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” Option 3: All addressing except default gateway – DHCPv6 “I can’t help you. Ask a DHCPv6 server for all your information.” RA DHCPv6 Option 1 and 2: Stateless Address Autconfiguration – DHCPv6 Server does not maintain state of addresses Option 3: Stateful Address Configuration – Address received from DHCPv6 Server
24
24 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada To: FF02::1 (All IPv6 devices) From: FE80::1 (Link-local address) ICMPv6 RA Message Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 RA 2 2 To: FF02::2 (All IPv6 Routers) From: FE80::50A5:8A35:A5BB:66E1 (Link-local address) ICMPv6 RS Message 2001:DB8:CAFE:1::/64 1 1 RS R1
25
25 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Router Solicitation (RS) from PC1 Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:00:00:00:02 Internet Protocol Version 6 0110.... = Version: 6 [Traffic class and Flowlabel not shown] Payload length: 16 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::50a5:8a35:a5bb:66e1 Destination: ff02::2 Internet Control Message Protocol v6 Type: 133 (Router solicitation) Code: 0 Checksum: 0x3277 [correct] ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: 00:21:9b:d9:c6:44 Link-local address of PC1 All-IPv6-routers multicast address Router Solicitation message MAC address of PC1 but RA is sent as all-IPv6-host multicast Next header is an ICMPv6 header Ethernet multicast MAC address – Maps to “all IPv6 routers”
26
26 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada R1(config)# ipv6 unicast-routing R1# show ipv6 interface fastethernet 0/0 FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::1 Global unicast address(es): 2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 MTU is 1500 bytes ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses. R1# All-routers multicast group
27
27 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Router Advertisement (RA) from Router R1 Ethernet II, Src: 00:03:6b:e9:d4:80, Dst: 33:33:00:00:00:01 Internet Protocol Version 6 0110.... = Version: 6.... 1110 0000.................... = Traffic class: 0x000000e0............ 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 64 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::1 Destination: ff02::1 Link-local address of R1. Added to the Default Router List and is the address hosts will use as their default gateway All-IPv6 devices multicast Next Header is an ICMPv6 header Ethernet multicast MAC address – Maps to “All-IPv6 devices”
28
28 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Router Advertisement from Router R1 – some fields omitted Internet Control Message Protocol v6 Type: 134 (Router advertisement) Code: 0 Cur hop limit: 64 Flags: 0x00 ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: 00:03:6b:e9:d4:80 ICMPv6 Option (MTU) Type: MTU (5) Length: 8 MTU: 1500 ICMPv6 Option (Prefix information) Type: Prefix information (3) Length: 32 Prefix Length: 64 Prefix: 2001:db8:cafe:1:: Recommended Hop Limit value for hosts M and O flags indicate that no information is available via DHCPv6 Router R1’s MAC address MTU of the link. Prefix-length (/64) to be used for autoconfiguration. Prefix of this network to be used for autoconfiguration
29
29 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada M Flag: Managed Address Configuration flag Tells the host whether to use the configuration information in this Router Advertisement (SLAAC by default) or to get all of its information from a stateful DHCPv6 server. O Flag: Other Configuration flag When SLAAC is being used (using the RA), it tells the host whether more information (like DNS) is available from a stateless DHCPv6 server. Internet Control Message Protocol v6 Type: 134 (Router advertisement) Code: 0 Cur hop limit: 64 Flags: 0x00 <output omitted for brevity? M and O flags: Both 0, no additional information from DHCPv6 server Router Advertisement message
30
30 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada FF02:0000:0000:0000:0000:0000:0000:0002 33:33:00:00:00:02 48-bit MAC addresses in the range from 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast. Low-order 32 bits of IPv6 multicast address mapped to low-order 32 bits of MAC address. Remember, source addresses are always a unicast. RFC 7042 Historical note: It was the custom during IPv6 design to use "3” for unknown or example values, and 3333 Coyote Hill Road, Palo Alto, California, is the address of PARC (Palo Alto Research Center, formerly "Xerox PARC”). Ethernet was initially developed at Xerox PARC Destination IPv6 address: All IPv6 Routers Multicast Address (RS) D-MAC IPv6 Header Data FCS Corresponding Destination MAC Address (RS) D-IPv6 Ethernet Header
31
31 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada 2 2 2001:DB8:CAFE:1::/64 1 1 R1 Dst: 33:33:00:00:00:02 Src: 00:21:9b:d9:c6:44 RS Dst: 33:33:00:00:00:01 Src: 00:03:6b:e9:d4:80 RA To: FF02::1 (All IPv6 devices) From: FE80::1 (Link-local address) ICMPv6 RA Message To: FF02::2 (All IPv6 Routers) From: FE80::50A5:8A35:A5BB:66E1 (Link- local address) ICMPv6 RS Message Ethernet But how does this help anything? Because I will filter on multicast MAC addresses!
32
32 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from: Any assigned multicast address such as All-IPv6-Devices. Any solicited node multicasts… what? A host NIC would not accept frames looking for an IPv6 router using the Destination MAC address 33:33:00:00:00:02 Unicast AddressesEthernet MAC Ethernet NICN/A 00-21-9b-d9-c6-44 Multicast (All-IPv6-Devices) FF02::133-33-00-00-00-01 PC Processes the following IPv6 and Ethernet MAC Addresses * Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.
33
33 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ICMPv6: Neighbor Discovery and Address Resolution (ARP in IPv4)
34
34 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada IPv6 Addressing Multicast Unicast Anycast AssignedSolicited Node FF00::/8 FF02::1:FF00:0000/104 ICMPv6 Neighbor Discovery Neighbor Solicitation ICMPv6 Neighbor Discovery Router Solicitation Router Advertisement Dynamically obtaining an IPv6 address Address resolution: IPv6 equivalent of ARP
35
35 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada IP to data link(MAC) address mapping: IPv4 addresses use ARP IPv6 addressing use ICMPv6 Neighbor Discovery messages Neighbor Solicitation Neighbor Advertisement Devices store this mapping in their Neighbor Cache PC1 PC2 ARP Request Neighbor Advertisement 1 1 2 2 Neighbor Solicitation 1 1 ARP Reply 2 2 Know IPv4, what is the MAC? My IPv4! Here is the MAC? Know IPv6, what is the MAC? My IPv6! Here is the MAC? ICMPv6 Neighbor Discovery Neighbor Solicitation Neighbor Advertisement ARP Cache Neighbor Cache 3 3 3 3
36
36 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ARP Request/Reply Ethernet ICMPv6: Neighbor Solicitation/Advertisement IPv6 Header Ethernet IPv4: ARP over Ethernet IPv6: ICMPv6 over IPv6 over Ethernet PC1 PC2 ARP Request Neighbor Advertisement 1 1 2 2 Neighbor Solicitation 1 1 ARP Reply 2 2 Know IPv4, what is the MAC? My IPv4! Here is the MAC? Know IPv6, what is the MAC? My IPv6! Here is the MAC? ARP Request: Broadcast NS: Multicast NS: Solicited Node Multicast
37
37 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada What is a solicited node multicast address? A layer 3 multicast address with link-local scope “FF02” (within the subnet/VLAN). There is a solicited node multicast address for every IPv6 unicast (or anycast) address including: Global Unicast Address (GUA) Link-local Address Used in Neighbor Solicitation messages during: Address Resolution (ARP for IPv4) Duplicate Address Detection (DAD) Unicast AddressesSolicited Node Multicast Global Unicast2001:DB8:CAFE:1::20FF02::1:FF00:20 Link-local unicastFE80::1111:2222:3333:444 4 FF02::1:FF33:4444 PC2
38
38 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada PC2 How is created? There is a direct relationship between the unicast/anycast address its solicited node multicast address. The solicited node multicast address formed by: Prefix FF02:0:0:0:0:1:FF00::/104 (FF02::1:FFxx:xxxx) Append the low-order 24 bits of the address (unicast or anycast Like other multicast addresses, solicited node multicast addresses are also mapped to an Ethernet MAC address. (next) Unicast AddressesSolicited Node Multicast Global Unicast2001:DB8:CAFE:1::20FF02::1:FF00:20 Link-local unicastFE80::1111:2222:3333:444 4 FF02::1:FF33:4444
39
39 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Interface ID FF020000 0001FF Global Routing Prefix 104 bits 24 bits PC2’s Global Unicast Address PC2’s IPv6 Solicited-Node Multicast Address Copy PC2’s IPv6 global unicast address: 2001:DB8:CAFE:1::200 PC2’s IPv6 solicited-node multicast address: FF02::1:FF00:200 PC2’s mapped Ethernet multicast address : 33-33-FF-00-02-00 Subnet ID 2001:0DB8:CAFE00010000:0000:0000:0200 FF-00-02-00 Copy 33-33 Solicited-node Multicast address mapped to Ethernet destination MAC address Ability to filter at the NIC IPv6 Multicast Low-order 32 bits of IPv6 multicast address mapped to low-order 32 bits of MAC address.
40
40 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Although rare, solicited node multicast addresses may not be unique. Possible to have multiple devices with the same solicited node multicast address (and same Ethernet multicast) if the low-order 24 bits match High-order 40 bits of Interface ID may differ. But that is ok... Upper layer protocols like ICMPv6 contain target address (coming) Unicast AddressesSolicited Node Multicast PCA Global Unicast2001:DB8:CAFE:1:AAAA::200FF02::1:FF00:200 PCB Global Unicast2001:DB8:CAFE:1:BBBB::200FF02::1:FF00:200 Interface IDGlobal Routing Prefix 104 bits 24 bits Subnet ID 2001:0DB8:CAFE0001AAAA:0000:0000:0200 2001:0DB8:CAFE0001BBBB:0000:0000:0200 Same for both
41
41 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada So, why are solicited node multicasts better than broadcasts? Multicasts can be mapped to MAC addresses and Ethernet NICs (hardware or drivers) can filter these frames. Why is that a good thing? Unicast AddressesSolicited Node MulticastEthernet MAC Global Unicast2001:DB8:CAFE:1::200FF02::1:FF00:20033-33-FF-00-02-00 Link-localFE80::1111:2222:3333:4444FF02::1:FF33:444433-33-FF-33-44-44 PC2
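The two derivations from slide 30 (multicast address to 33-33 MAC) and slides 38 through 41 (unicast address to solicited-node group), plus the NIC receive filter from slide 32, as an added example that is not part of the presentation. The addresses are the ones on the slides; the function names and the notion of a per-host "accept list" are assumptions for the example. The collision case from slide 40 falls out of the same arithmetic: two addresses that agree in their low 24 bits land in one group.

```python
import ipaddress

# ff02::1:ff00:0/104: the first 104 bits of every solicited-node multicast address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr):
    """Solicited-node group of a unicast/anycast address: the /104 prefix followed
    by the low-order 24 bits of the address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(addr):
    """RFC 7042 mapping: 33-33 followed by the low-order 32 bits of any IPv6 multicast
    address. Unicast input is rejected: a source is never mapped this way."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("%s is not an IPv6 multicast address" % addr)
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join("%02x" % b for b in low32.to_bytes(4, "big"))


def nic_accept_list(unicast_addrs, assigned_groups=("ff02::1",)):
    """Multicast MACs a host programs into its NIC receive filter: one for each joined
    assigned group and one for the solicited-node group of each unicast address it owns."""
    macs = {multicast_mac(g) for g in assigned_groups}
    macs |= {multicast_mac(str(solicited_node(u))) for u in unicast_addrs}
    return macs


def nic_accepts(frame_dst_mac, own_mac, unicast_addrs, assigned_groups=("ff02::1",)):
    """Would the NIC pass this frame up the stack, or discard it in hardware?"""
    dst = frame_dst_mac.lower().replace("-", ":")
    return dst == own_mac.lower() or dst in nic_accept_list(unicast_addrs, assigned_groups)


if __name__ == "__main__":
    pc2 = ["2001:db8:cafe:1::200", "fe80::1111:2222:3333:4444"]
    for u in pc2:
        sn = solicited_node(u)
        print(u, "->", sn, "->", multicast_mac(str(sn)))
    print("PC2 NIC filter:", sorted(nic_accept_list(pc2)))
```

A host that has not joined ff02::2 never programs 33:33:00:00:00:02, which is why the RS on slide 25 is dropped by every other host's NIC rather than by its IPv6 stack; a router does join that group and so accepts it.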
42
42 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Ethernet Broadcast IPv4/IPv6 Multicast IGMP/MLD Snooping Ethernet Broadcast Destination MAC Address: Broadcast Data must be passed to upper layer for processing. IPv4 or IPv6 Multicast IP multicast packets can be filtered by the switch, only sending packets to members of that group IPv4 - IGMP (Internet Group Management Protocol) IPv6 - MLD (Multicast Listener Discovery) However, Solicited Node Multicasts are forwarded out all ports because of the potentially huge forwarding tables needed to to store these addresses. (For now.) But wait….
43
43 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ARP Requests: Layer 2 broadcasts: Ethernet broadcasts are sent to all devices. Flood the entire broadcast domain (subnet/VLAN). Ethernet NIC must process the frame. Any filtering is done by a higher layer protocol such as ARP. Solicited Node Multicasts: Layer 2 and Layer 3 multicasts: Although solicited node multicasts are forwarded out all ports by the switch, …. Layer 2 multicast allows frames to be filtered by the NIC and not have send data to an upper layer protocol for inspection. Target IPv4 Address
44
44 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from the: Solicited node multicast (global unicast address) Solicited node multicast (link-local address) Any assigned multicast address such as All-IPv6-Devices. Unicast AddressesSolicited Node MulticastEthernet MAC Ethernet NICN/A 00-1B-24-04-A2-1E Global Unicast2001:DB8:CAFE:1::200FF02::1:FF00:20033-33-FF-00-02-00 Link-localFE80::1111:2222:3333:4444FF02::1:FF33:444433-33-FF-33-44-44 Multicast (All-IPv6-Devices) FF02::1N/A33-33-00-00-00-01 PC2 Processes the following IPv6 and Ethernet MAC Addresses * Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.
45
45 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada ipv6 unicast-routing 2001:DB8:CAFE:1::100/64 PC1 R1 PC2 2001:0DB8:CAFE:0001::/64 2001:DB8:CAFE:1::200/64 FF02::1:FF00:200 (Solicited Node Multicast) MAC Address 00-21-9B-D9-C6-44 MAC Address 00-1B-24-04-A2-1E PC1> ping 2001:DB8:CAFE:1::200 Neighbor Cache Neighbor Solicitation 3 3 Neighbor Advertisement 4 4 1 1 2 2 5 5 ICMPv6: Neighbor Solicitation/Advertisement IPv6 Header Ethernet
46
46 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Neighbor Solicitation from PC1 (ARP Request) Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:ff:00:02:00 Internet Protocol Version 6 0110.... = Version: 6.... 0000 0000.................... = Traffic class: 0x00000000............ 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 32 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: 2001:db8:cafe:1::100 Destination: ff02::1:ff00:200 Internet Control Message Protocol v6 Type: 135 (Neighbor solicitation) Code: 0 Checksum: 0xbbab [correct] Reserved: 0 (Should always be zero) Target: 2001:db8:cafe:1::200 ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: 00:21:9b:d9:c6:44 Global unicast address of PC1 Solicited-node multicast address of PC2 Neighbor Solicitation message Target IPv6 address, needing MAC address (if two devices have the same solicited node address, this resolves the isse) Next header is an ICMPv6 header MAC address of the sender, PC1 Mapped multicast address for PC2 * For Target’s Neighbor Cache
47
47 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Neighbor Advertisement from PC2 (ARP Reply) Ethernet II, Src: 00:1b:24:04:a2:1e, Dst: 00:21:9b:d9:c6:44 Internet Protocol Version 6 0110.... = Version: 6.... 0000 0000.................... = Traffic class: 0x00000000............ 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 32 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: 2001:db8:cafe:1::200 Destination: 2001:db8:cafe:1::100 Internet Control Message Protocol v6 Type: 136 (Neighbor advertisement) Code: 0 Checksum: 0x1b4d [correct] Flags: 0x60000000 Target: 2001:db8:cafe:1::200 ICMPv6 Option (Target link-layer address) Type: Target link-layer address (2) Length: 8 Link-layer address: 00:1b:24:04:a2:1e Next header is an ICMPv6 header Unicast MAC address of PC2 Global unicast address of PC2 Global unicast address of PC1 Neighbor Advertisement message MAC address of the sender, PC2 IPv6 address of the sender, PC2 * From previous Neighbor Solicitation
48
48 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada R1# show ipv6 interface fastethernet 0/0 FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FE75:C3E0 Global unicast address(es): 2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF75:C3E0 All-IPv6 devices on this link All-IPv6 routers on this link: IPv6 routing enabled Solicited-node multicast address Global Unicast Member of these Multicast Groups FF02 – “2” means link-local scope Solicited-node multicast address link-local
49
49 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada PC2 Global Unicast - 2001:DB8:CAFE:1::200 Link-local - FE80::1111:2222:3333:4444 Hopefully no Neighbor Advertisement Hopefully no Neighbor Advertisement Neighbor Solicitation Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link. A device will send a Neighbor Solicitation for its own unicast address (static or dynamic). After a period of time, if a NA is not received, then the address is deemed unique. Once required, RFC was updated to where it is only recommended - /64 Interface ID!
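The captures on slides 25, 27 and 28 (RS and RA), 46 and 47 (NS and NA) and the DAD solicitation on slide 49 can be rebuilt and checked offline. The following Python is an added example, not material from the presentation: it builds the four ND messages from the fields the slides show, computes the RFC 4443 checksum over the IPv6 pseudo-header, and parses the messages back, including the M/O flags of slide 29, the NA flags, and the option types Wireshark decoded. The addresses and MACs are those on the slides; the prefix lifetimes, the option ordering and the function names are assumptions. Built from the fields on slide 25, the RS checksum comes out as 0x3277, the value Wireshark marked [correct], and the RA built from slide 28 is 64 bytes, matching its Payload length.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}


def icmpv6_checksum(src, dst, msg):
    """RFC 4443: one's-complement sum over the IPv6 pseudo-header (source, destination,
    upper-layer length, three zero bytes, next header 58) followed by the ICMPv6 message."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6]) + msg)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _finish(src, dst, body):
    """Fill in the checksum field (bytes 2-3) of a message built with a zero checksum."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def lladdr_option(opt_type, mac):
    # Option length is in 8-octet units: 2 header bytes + 6-byte MAC = 1 unit (8 bytes).
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))


def build_rs(src, mac):
    return _finish(src, "ff02::2", bytes([133, 0, 0, 0, 0, 0, 0, 0]) + lladdr_option(1, mac))


def build_ra(src, mac, prefix, mtu=1500, cur_hop_limit=64, m=False, o=False, lifetime=1800):
    flags = (0x80 if m else 0) | (0x40 if o else 0)          # M and O are the top two bits
    net = ipaddress.IPv6Network(prefix)
    body = (bytes([134, 0, 0, 0, cur_hop_limit, flags]) + struct.pack("!HII", lifetime, 0, 0)
            + lladdr_option(1, mac)
            + bytes([5, 1, 0, 0]) + struct.pack("!I", mtu)                       # MTU option
            + bytes([3, 4, net.prefixlen, 0xC0])                                  # Prefix Info, L+A set
            + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)  # assumed lifetimes
    return _finish(src, "ff02::1", body)


def build_ns(src, target, mac=None):
    """NS for address resolution (src = own address, with option) or DAD (src = ::, no option).
    Returns (destination, packet); the destination is the target's solicited-node group."""
    t = ipaddress.IPv6Address(target)
    dst = ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | (int(t) & 0xFFFFFF))
    body = bytes([135, 0, 0, 0, 0, 0, 0, 0]) + t.packed
    if mac:
        body += lladdr_option(1, mac)
    return str(dst), _finish(src, str(dst), body)


def build_na(src, dst, target, mac, solicited=True, override=True, router=False):
    flags = (0x80 if router else 0) | (0x40 if solicited else 0) | (0x20 if override else 0)
    body = bytes([136, 0, 0, 0, flags, 0, 0, 0]) + ipaddress.IPv6Address(target).packed
    return _finish(src, dst, body + lladdr_option(2, mac))


def parse_options(data):
    opts = {}
    while data:
        if len(data) < 2 or data[1] == 0 or data[1] * 8 > len(data):
            raise ValueError("malformed ND option; RFC 4861 says discard the packet")
        t, ln, body = data[0], data[1] * 8, data[2:data[1] * 8]
        if t in (1, 2):
            opts["src_lladdr" if t == 1 else "tgt_lladdr"] = ":".join("%02x" % b for b in body[:6])
        elif t == 3:
            opts["prefix"] = "%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0])
            opts["onlink"], opts["autonomous"] = bool(body[1] & 0x80), bool(body[1] & 0x40)
        elif t == 5:
            opts["mtu"] = struct.unpack("!I", body[2:6])[0]
        data = data[ln:]
    return opts


def parse_nd(src, dst, pkt):
    """Decode an ND message the way the slides' Wireshark views do, and verify the checksum."""
    msg_type, code, csum = pkt[0], pkt[1], struct.unpack("!H", pkt[2:4])[0]
    out = {"type": msg_type, "name": ND_TYPES.get(msg_type, "other"), "code": code,
           "checksum": csum,
           "checksum_ok": icmpv6_checksum(src, dst, pkt[:2] + b"\x00\x00" + pkt[4:]) == csum}
    if msg_type == 133:
        out.update(parse_options(pkt[8:]))
    elif msg_type == 134:
        out["cur_hop_limit"], out["M"], out["O"] = pkt[4], bool(pkt[5] & 0x80), bool(pkt[5] & 0x40)
        out["router_lifetime"] = struct.unpack("!H", pkt[6:8])[0]
        out.update(parse_options(pkt[16:]))
    elif msg_type in (135, 136):
        out["target"] = str(ipaddress.IPv6Address(pkt[8:24]))
        if msg_type == 136:
            out["R"], out["S"], out["O"] = bool(pkt[4] & 0x80), bool(pkt[4] & 0x40), bool(pkt[4] & 0x20)
        out.update(parse_options(pkt[24:]))
    return out


if __name__ == "__main__":
    rs = build_rs("fe80::50a5:8a35:a5bb:66e1", "00:21:9b:d9:c6:44")
    print(parse_nd("fe80::50a5:8a35:a5bb:66e1", "ff02::2", rs))   # checksum 0x3277 as on slide 25
```

The checksum covers the IPv6 source and destination, which is why a parser needs both: the same ICMPv6 bytes replayed from a different address fail verification. The DAD case shows the one ND message sent from the unspecified address, which carries no source link-layer option.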
50
50 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada IPv6 multicast renames Internet Group Management Protocol (IGMP) to Multicast Listener Discovery Protocol (MLD). MLD version 1 is similar to IGMP version 2 MLD version 2 is similar to IGMP version 3 MLD snooping is used to prevent Ethernet switches from flooding multicast frames out of all switch-ports, which would be similar to a broadcast. With MLD multicast addresses are only sent on the ports that lead to stations that have subscribed to receive that traffic Note: Solicited node multicasts which are sent out all switch ports. By default, unknown unicast and multicast traffic are flooded to all Layer 2 ports in a VLAN. Switch(config)# ipv6 mld snooping
51
51 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Neighbor Cache – Maps IPv6 addresses with Ethernet MAC addresses Similar to ARP Cache for IPv4 5 States (2 noticeable and 3 transitory): Reachable: Packets have recently been received providing confirmation that this device is reachable. Stale: A certain time period has elapsed since a packet has been received from this address. Transitory States: INCOMPLETE, DELAY, PROBE PC1 Neighbor Cache IPv6 Address MAC Address 2001:DB8:ACAD:1::10 0021.9bd9.c644 Neighbor Cache IPv6 Address MAC Address 2001:DB8:ACAD:1::10 0021.9bd9.c644 IPv6 - 2001:DB8:ACAD:1::10 MAC - 0021.9bd9.c644 Neighbor Advertisement
52
52 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada R1# show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface FE80::50A5:8A35:A5BB:66E1 16 0021.9bd9.c644 STALE Fa0/0 2001:DB8:ACAD:1::10 16 0021.9bd9.c644 STALE Fa0/0 R1# ping 2001:db8:aaaa:1::100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:AAAA:1::100, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms R1# show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface FE80::50A5:8A35:A5BB:66E1 16 0021.9bd9.c644 STALE Fa0/0 2001:DB8:ACAD:1::10 0 0021.9bd9.c644 REACH Fa0/0 R1# Windows: netsh interface ipv6 show neighbor Linux/MAC: ip neighbor show
53
53 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada No Entry Exists Incomplete Reachable Stale – no action required (Requires resolution again) Delay (Resolution pending) Probe (Reresolution in progress) Neighbor Solicitation (NS) sent NA received Reachable Time exceeded (timeout) Or Unsolicited NA received Packet sent Packet returned 5 sec NS sent and NA received 3 NS sent with no NA returned Neighbor Solicitation (NS) = ARP Request Neighbor Advertisement (NA) = ARP Reply 3 NS sent with no NA returned Neighbor Cache (“ARP Cache”)
54
54 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Overview of IPv6 Security Features Learning from IPv4
55
55 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Much has been learned from IPv4 Similar features available for IPv6 Other features specific to IPv6 Overview of features similar to CCNP Details and more information… Somewhat dated
56
“I’ll wait until I start running IPv6 on my network Windows Vista or later, Mac OSX, Linux already running IPv6 Potential man-in-the-middle or DoS attack R1 RA Rogue RA RS IPv4 IPv6 IPv4 IPv6 IPv4 IPv6 I need an IPv6 prefix Here is an IPv6 prefix and gateway
57
57 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada IPv6 Router Advertisement (RA) guard blocks unwanted or rogue RA guard messages. A switch port in host mode blocks all Router Advertisement and router redirect messages R1 RA Switch(config)# ipv6 nd raguard policy HOST device-role host Switch(config-nd-raguard)# device-role host Switch(config)# ipv6 nd raguard policy ROUTER Switch(config-nd-raguard)# device-role router Switch(config)# ipv6 nd raguard attach-policy HOST vlan 100 Switch(config)# interface FastEthernet0/0 Switch(config-if)# ipv6 nd raguard attach-policy ROUTER Fa0/0 RS VLAN 100
58
58 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada DHCPv6 guard blocks DHCP REPLY and ADVERTISEMENT messages that originate from unauthorized DHCPv6 servers and relay agents. Various phases, so check latest Cisco documentation. R1 REPLY Fa0/0 Rogue DHCPv6 Server DHCPv6 Server SOLICIT
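The decisions RA Guard and DHCPv6 Guard make on slides 56 through 58, written out as a port-role filter. This is an added example of the policy logic, not Cisco's implementation and not code from the presentation: frames are represented by the fields a switch would already have parsed, port roles map ports to host, router or dhcp-server, and the sample traffic is constructed. Beyond the slides, the filter also drops any ND message whose hop limit is not 255, since RFC 4861 requires ND messages to be link-local and a lower hop limit proves the packet crossed a router; that check is an addition for the example.

```python
from dataclasses import dataclass
from typing import Optional

ICMPV6, UDP = 58, 17
ND_TYPES = range(133, 138)          # RS, RA, NS, NA, Redirect
RA, REDIRECT = 134, 137
DHCPV6_SERVER_PORT = 547
# RFC 3315 message types that only a server or relay should originate
DHCPV6_SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}


@dataclass
class Packet:
    """Fields a switch would already have parsed from an ingress frame (constructed)."""
    port: str
    src_mac: str
    next_header: int
    hop_limit: int = 255
    icmp_type: Optional[int] = None
    udp_sport: Optional[int] = None
    dhcp_msg_type: Optional[int] = None


def first_hop_guard(pkt, port_roles):
    """Return (allow, reason). port_roles maps a switch port to 'host', 'router' or
    'dhcp-server'; an unlisted port is treated as a host port, the safe default."""
    role = port_roles.get(pkt.port, "host")
    if pkt.next_header == ICMPV6 and pkt.icmp_type in ND_TYPES:
        if pkt.hop_limit != 255:        # RFC 4861: ND never legitimately crosses a router
            return False, "ND message with hop limit %d (was forwarded)" % pkt.hop_limit
        if pkt.icmp_type in (RA, REDIRECT) and role != "router":
            return False, "RA guard: ICMPv6 type %d from %s port %s" % (pkt.icmp_type, role, pkt.port)
    if (pkt.next_header == UDP and pkt.udp_sport == DHCPV6_SERVER_PORT
            and pkt.dhcp_msg_type in DHCPV6_SERVER_MSGS and role != "dhcp-server"):
        return False, "DHCPv6 guard: %s from %s port %s" % (
            DHCPV6_SERVER_MSGS[pkt.dhcp_msg_type], role, pkt.port)
    return True, "allowed"


def filter_frames(frames, port_roles):
    """Apply the guard to a batch; each result is (port, src_mac, allow, reason)."""
    return [(p.port, p.src_mac) + first_hop_guard(p, port_roles) for p in frames]


# Constructed sample: Fa0/1 faces R1, Fa0/2 faces the real DHCPv6 server, all else is access.
PORT_ROLES = {"Fa0/1": "router", "Fa0/2": "dhcp-server"}
SAMPLE_FRAMES = [
    Packet("Fa0/1", "00:03:6b:e9:d4:80", ICMPV6, icmp_type=RA),                     # R1's RA
    Packet("Fa0/5", "de:ad:be:ef:00:01", ICMPV6, icmp_type=RA),                     # rogue RA
    Packet("Fa0/5", "de:ad:be:ef:00:01", ICMPV6, icmp_type=133),                    # RS from a host: fine
    Packet("Fa0/7", "de:ad:be:ef:00:02", UDP, 64, udp_sport=547, dhcp_msg_type=7),   # rogue REPLY
    Packet("Fa0/2", "00:1c:58:aa:bb:cc", UDP, 64, udp_sport=547, dhcp_msg_type=2),   # real ADVERTISE
    Packet("Fa0/1", "00:03:6b:e9:d4:80", ICMPV6, 64, icmp_type=RA),                 # RA that crossed a router
]

if __name__ == "__main__":
    for port, mac, allow, reason in filter_frames(SAMPLE_FRAMES, PORT_ROLES):
        print(port, mac, "ALLOW" if allow else "DROP", reason)
```

The asymmetry is the point: RS (133) and SOLICIT from a host port are always fine, only the messages that configure other hosts (RA, Redirect, ADVERTISE, REPLY) are tied to a trusted port. Note that the guard is a switch feature; a host on the same hub or wireless cell as the victim is not covered, which is where RA Guard's limits begin.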
59
59 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada 2001:db8::/64 2001:db8::1 2001:db8::2 2001:db8::3 NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 Aggressive scanning of potentially billions and billions of bogus Neighbor Solicitation messages can cause router and switch CPU/memory failures. Can cause a local router DoS attack. I will send, billions of packets to your network forcing you to send out and cache billions of Neighbor Solicitation messages.
60
60 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Built-in rate limiter with options to tune it Since 15.1(3)T: ipv6 nd cache interface-limit Priority given to refresh existing entries vs. discovering new ones (RFC 6583) Other related features can be used such as Destination Guard Use a /127 on point-to-point links (RFC 6164) Reserve a /64 for easier management (/48 gives you 65,536 subnets!) Internet edge/presence: Ingress ACL permitting traffic to specific IPv6 addresses only (within your stateful DHCPv6 range)
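The state machine from slide 53 and the exhaustion scenario from slides 59 and 60 share one data structure, so both are shown in a single added example that is not from the presentation: a toy Neighbor Cache with the RFC 4861 states and transitions, plus an optional entry limit in the spirit of ipv6 nd cache interface-limit and the RFC 6583 advice to favour refreshing existing neighbors over learning new ones. The scan in simulate_scan is constructed; the limit value, the timer model (one call per expiry, no real clock) and the names are assumptions.

```python
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"
MAX_SOLICIT = 3   # RFC 4861 MAX_MULTICAST_SOLICIT and MAX_UNICAST_SOLICIT both default to 3


class NeighborCache:
    """Toy Neighbor Cache: the NUD states and transitions from slide 53, plus an optional
    entry limit that refuses new INCOMPLETE entries but still refreshes existing ones."""

    def __init__(self, limit=None):
        self.entries = {}    # ipv6 address -> {"state", "mac", "probes"}
        self.limit = limit   # None = unbounded, the exhaustion-prone default
        self.ns_log = []     # ("multicast" | "unicast", target) for every NS we would send

    def state(self, ip):
        entry = self.entries.get(ip)
        return entry["state"] if entry else None

    def send_packet(self, ip):
        """A packet is about to be forwarded to ip (the IPv6 equivalent of an ARP lookup)."""
        entry = self.entries.get(ip)
        if entry is None:
            if self.limit is not None and len(self.entries) >= self.limit:
                return "DROP: cache full, not creating an INCOMPLETE entry"
            self.entries[ip] = {"state": INCOMPLETE, "mac": None, "probes": 1}
            self.ns_log.append(("multicast", ip))      # NS to the solicited-node group
            return "queued: multicast NS sent"
        if entry["state"] == STALE:
            entry["state"] = DELAY                      # use cached MAC, start the 5 s timer
            return "sent: entry now DELAY"
        return "sent: entry %s" % entry["state"]

    def receive_na(self, ip, mac, solicited=True):
        """NA for ip: a solicited NA (S=1) proves reachability, an unsolicited one does not."""
        entry = self.entries.get(ip)
        if entry is None:
            return None                                 # RFC 4861 7.2.5: no entry, ignore
        entry["mac"] = mac
        entry["state"] = REACHABLE if solicited else STALE
        entry["probes"] = 0
        return entry["state"]

    def timer(self, ip):
        """The timer for ip expired: ReachableTime, the DELAY timer or a retransmit timer."""
        entry = self.entries[ip]
        if entry["state"] == REACHABLE:
            entry["state"] = STALE                      # ReachableTime exceeded
        elif entry["state"] == DELAY:
            entry["state"] = PROBE                      # 5 s passed with no confirmation
            entry["probes"] = 1
            self.ns_log.append(("unicast", ip))
        elif entry["state"] in (INCOMPLETE, PROBE):
            if entry["probes"] >= MAX_SOLICIT:
                del self.entries[ip]                    # 3 NS sent with no NA: give up
                return None
            entry["probes"] += 1
            self.ns_log.append(("multicast" if entry["state"] == INCOMPLETE else "unicast", ip))
        return self.state(ip)


def simulate_scan(limit, n_targets, prefix="2001:db8::"):
    """Constructed scenario from slide 59: an attacker sends packets to n_targets unused
    addresses in the router's /64 while one real neighbor (prefix + 1) keeps working."""
    cache = NeighborCache(limit=limit)
    legit = prefix + "1"
    cache.send_packet(legit)
    cache.receive_na(legit, "00:21:9b:d9:c6:44")
    dropped = 0
    for i in range(n_targets):
        if cache.send_packet("%s%x" % (prefix, 0x1000 + i)).startswith("DROP"):
            dropped += 1
    cache.timer(legit)          # ReachableTime expires: REACHABLE -> STALE
    cache.send_packet(legit)    # traffic resumes: STALE -> DELAY, no new entry needed
    return {"entries": len(cache.entries), "dropped": dropped, "legit_state": cache.state(legit)}


if __name__ == "__main__":
    print(simulate_scan(limit=None, n_targets=1000))   # every bogus target gets an entry
    print(simulate_scan(limit=100, n_targets=1000))    # bounded: 900+ drops, neighbor still fine
```

With the limit in place the attacker still fills the cache with INCOMPLETE entries up to the cap, so the limit bounds memory rather than stopping the scan; the rate limiter and Destination Guard on slide 60 address the CPU side, and an ingress ACL that only admits known destination addresses removes the bogus targets before they reach ND at all.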
61
61 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Reserve an entire /64 for each point-to-point link, but only use two of the addresses Makes your addressing plan easier. Configure each interface as a /127: “even and even+1” combination /127 gives you two addresses – IPv6 lets you use the all 0’s and all 1’s addresses! Recommend that you don’t use the first two addresses ::0 and ::1 so not to confuse the first address with the network address (both are “::”) R1 R2 2001:DB8:CAFE:F001::/127 R2(config)# interface serial 0/0/0 R2(config-if)# ipv6 add 2001:db8:cafe:f001::1/127 R1(config)# interface serial 0/0/0 R1(config-if)# ipv6 add 2001:db8:cafe:f001::/127 R1(config)# interface serial 0/0/0 R1(config-if)# ipv6 add 2001:db8:cafe:f001::a/127 R2(config)# interface serial 0/0/0 R2(config-if)# ipv6 add 2001:db8:cafe:f001::b/127 2001:DB8:CAFE:F001::/64 Reserved
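The /127 plan above as an added example (not from the presentation): carve even/even+1 pairs out of a reserved /64 while skipping the ::0/::1 pair, and validate a configured pair the way a config linter would. The reserved block and addresses are the slide's; the function names and the validation rules beyond what the slide states (both ends in the same /127, both ends inside the reserved /64) are assumptions.

```python
import ipaddress


def p2p_pair(addr):
    """The two addresses of the /127 containing addr: the even one and even+1."""
    even = ipaddress.IPv6Interface(addr + "/127").network.network_address
    return str(even), str(even + 1)


def plan_p2p_links(reserved_64, count):
    """Carve count /127 pairs out of a /64 reserved for point-to-point links. The first /127
    (::0 and ::1) is skipped so the first address is never confused with the subnet prefix."""
    net = ipaddress.IPv6Network(reserved_64)
    if net.prefixlen != 64:
        raise ValueError("reserve a /64 per point-to-point link, got /%d" % net.prefixlen)
    base = int(net.network_address)
    pairs = []
    for i in range(1, count + 1):               # i = 0 would be ::/127
        even = ipaddress.IPv6Address(base + 2 * i)
        pairs.append(("%s/127" % even, "%s/127" % (even + 1)))
    return pairs


def check_p2p_config(a, b, reserved_64=None):
    """Validate the two ends of one link as configured on R1 and R2. Returns (ok, reason)."""
    ia, ib = ipaddress.IPv6Interface(a), ipaddress.IPv6Interface(b)
    if ia.network.prefixlen != 127 or ib.network.prefixlen != 127:
        return False, "both ends must be configured as /127"
    if ia.network != ib.network:
        return False, "ends fall in different /127s: %s vs %s" % (ia.network, ib.network)
    if ia.ip == ib.ip:
        return False, "both ends use the same address"
    if int(ia.network.network_address) & 0xFFFFFFFFFFFFFFFF == 0:
        return False, "uses ::0/::1, the first /127 of the /64; pick the next pair"
    if reserved_64 and not ia.network.subnet_of(ipaddress.IPv6Network(reserved_64)):
        return False, "link is outside the reserved %s" % reserved_64
    return True, "ok"


if __name__ == "__main__":
    print(plan_p2p_links("2001:db8:cafe:f001::/64", 3))
    print(check_p2p_config("2001:db8:cafe:f001::a/127", "2001:db8:cafe:f001::b/127",
                           "2001:db8:cafe:f001::/64"))
```

Why this matters for slide 59: a /64 on a point-to-point link gives a remote attacker 2^64 - 2 addresses that resolve to nothing and each cost the router an NS and a cache entry; a /127 leaves exactly one other address on the link, so there is nothing to scan.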
62
62 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada The IPv6 Snooping and FHS feature provides security and scalability by bundling several Layer 2 IPv6 first-hop security (FHS) features, including: IPv6 neighbor discovery inspection IPv6 device tracking IPv6 address glean IPv6 binding table recovery Secure Neighbor Discovery (SeND) is a protocol that enhances NDP with three additional capabilities: Address ownership proof – Based upon Cryptographically Generated Addresses (CGAs) Message protection Router authorization Note: But not in Windows Vista, 2008 and 7, Mac OS/X, iOS, Android - Crypto means slower… Other GOOD NEWS: Private VLAN works with IPv6 Port security works with IPv6 IEEE 801.X works with IPv6
63
63 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Discard route – Discarding any packets received by the router to a destination not covered by a more specific interface prefix. Others routes for customers and ISPs: http://www.team- cymru.org/ReadingRoom/Templates/IPv6Routers/xsp-recommendations.html
64
64 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Getting IPv6: PA versus PI Address Space Using IPv6: Happy Eyeballs ICMPv6 Dynamic Address Allocation RS and RA Message details Ethernet Multicast Addresses for IPv6 Address Resolution Comparison with ARP Solicited Node Multicast NS and NA Message details Neighbor Cache details Securing IPv6 RA Guard DHCPv6 Guard Neighbor Cache Exhaustion Mitigation /127 for point-to-point addresses Other stuff for IPv6 security
65
65 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Rick Graziani - graziani@cabrillo.edugraziani@cabrillo.edu PowerPoints for CCNA, CCNP, IPv6 www.cabrillo.edu/~rgraziani Username = cisco Password = perlman Shameless plug! Quality time with my two nieces…