[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Jim Small jim.small at cdw.com
Fri Aug 24 04:10:02 CEST 2012


Hi Dennis,

> > <snip> That said, in the space I work in Cisco and Microsoft have done
> > IMHO a pretty good job addressing the issues.
> 
> I respectfully disagree about Cisco (MS too, but not knowledgeable enough
> to comment on Microsoft).  Recently-purchased Cisco Access-layer switches
> (3560) do NOT support RA guard.  Unless it has been implemented in past 6
> mos, it was only the chassis type switches (6500 & 4500) supporting RA
> guard.

You're right - that sucks.  You can do Port ACLs as shown here:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html


> The very latest code for the nexus 7K still does not support dhcpv6 relay.
>  From what I read, dhcpv6 is still solidifying, so perhaps understandable.

I didn't realize that - that also sucks.  I will make a point of harping on this.


>  The lack of RA guard on the mid-range switches is really disappointing.
>  Here, students in the dorms don't need to jack into a 6500 to get to
> facebook/youtube/gmail (and we don't have the budget for it), but it would
> be nice to prevent them from mis-configuring something and advertising
> themselves as the router.
> 
> On Thu, Aug 23, 2012 at 2:28 PM, Fernando Gont
> <fgont at si6networks.com>wrote:
> 
> > On 08/23/2012 12:42 PM, Owen DeLong wrote:
> >
> > > The reality, however, is that snooping doesn't solve the problem, it
> > > just tells you that it is happening.
> >
> > ?? -- It blocks it.
> >
> So, as I understand it DAI (Dynamic Arp Inspection) provides the blocking
> of arp-spoofing MIM attacks; dhcp snooping does the tracking and does block
> dhcp replies from non-allowed ports.  Hmmm, so as I think about it, RA
> Guard will prevent a node from advertising itself as a router, in the same
> way that DHCP Snooping prevents an unauthorized node from answering dhcp
> requests.  Will RA Guard stop a malicious end-point from spoofing the
> actual router's mac addr or ipv6 addr?

There are more components for IPv6.  The closest equivalent to DAI is NDP inspection.  There is also DHCPv6 Snooping.  For an overview check out these references:
http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/aag_c45-707354.pdf


> Started out thinking I knew something, now am confused ;-(.
> 
> Or perhaps the Neighbor Discovery process itself prevents that?  Or do we
> need to do something like DAI, DNDI?  Most of the MIM tools (I am thinking
> Cain and Abel & ettercap) send out gratuitous arps.  Is this kind of thing
> possible with IPV6 Neighbor Discovery?

All the IPv4 equivalents are needed.  Some additional inspections are also brought to bear.  If you use all the first hop security features the level of security is actually better than IPv4.  That said, as you pointed out this isn't available on all platforms.  And realistically not many people will use these features.  They're great features, but a lot of protocols and applications mis-behave and trying to tweak security protocols to allow poorly behaved protocols and applications is often a losing battle...

--Jim
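The two mitigations discussed above (a port ACL as a fallback on access switches without RA Guard, and the full first-hop security set of RA Guard, DHCPv6 Guard and ND inspection where the platform has it) as one added IOS-style configuration example. This is not from the post or from Cisco's whitepaper; the policy and ACL names (NO-ROGUE-RA, HOST-PORT, CLIENT-PORT, ROUTER-PORT, DORM-SNOOP) and interface numbers are hypothetical, and which commands exist depends on platform and release, which is exactly the thread's complaint.

```cisco
! Added example, not from the post or Cisco documentation. Names such as
! NO-ROGUE-RA, HOST-PORT, CLIENT-PORT, ROUTER-PORT and DORM-SNOOP are
! hypothetical; command availability varies by platform and release.
!
! --- Option A: port ACL for access switches that lack RA Guard ---
! Drop what a host should never send toward the switch: Router
! Advertisements (ICMPv6 type 134), ICMPv6 Redirects, and DHCPv6
! server-to-client messages (UDP src 547 -> dst 546). Everything else is
! permitted so normal Neighbor Discovery (RS, NS, NA) keeps working.
ipv6 access-list NO-ROGUE-RA
 sequence 10 deny icmp any any router-advertisement
 sequence 20 deny icmp any any redirect
 sequence 30 deny udp any eq 547 any eq 546
 sequence 100 permit ipv6 any any
!
interface GigabitEthernet0/1
 description dorm host port (no RA Guard on this platform)
 switchport mode access
 ipv6 traffic-filter NO-ROGUE-RA in
!
! --- Option B: first-hop security policies where supported ---
! RA Guard: a port in device-role host drops inbound RAs outright.
ipv6 nd raguard policy HOST-PORT
 device-role host
!
! Only the uplink to the real router may source RAs.
ipv6 nd raguard policy ROUTER-PORT
 device-role router
!
! DHCPv6 Guard: the IPv6 analogue of DHCP snooping; a client-role port
! drops DHCPv6 server messages (Advertise/Reply/Reconfigure).
ipv6 dhcp guard policy CLIENT-PORT
 device-role client
!
! ND inspection / snooping: the IPv6 analogue of DAI. The switch learns
! address-to-port bindings from NDP and DHCPv6 and, at security-level
! guard, drops NS/NA that claim an address already bound to another
! port. That is the spoofed-router-address case asked about above.
ipv6 snooping policy DORM-SNOOP
 security-level guard
 tracking enable
!
interface GigabitEthernet0/2
 description dorm host port
 switchport mode access
 ipv6 nd raguard attach-policy HOST-PORT
 ipv6 dhcp guard attach-policy CLIENT-PORT
 ipv6 snooping attach-policy DORM-SNOOP
!
interface GigabitEthernet0/48
 description uplink to router
 ipv6 nd raguard attach-policy ROUTER-PORT
```

One caveat a practitioner should keep in mind with Option A, and with early RA Guard implementations: a rogue RA carrying extension headers, or fragmented so that the ICMPv6 header is not in the first fragment, can get past a filter that only inspects the first header chain it sees (the evasion work published by Fernando Gont, who posts in this thread; RFC 6980 later forbade fragmented Neighbor Discovery messages for that reason). The ACL is a stopgap for the 3560-class switches Dennis describes, not a substitute for a binding-table-based inspection where it is available.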
