By Craig Mills, HP Networking
I think at this point we have all moved beyond the “why do we need IPv6?” to more a question of “how do I do this right?.” One of the major concerns with IPv6 isn’t so much performance but security. When a new protocol is deployed there are bound to be new security issues that aren’t addressed by existing solutions.
When the words IPv6 and security are used together I get visions of firewalls, IPS/IDS appliances and gateways. All of these are a very significant part of any security solution but they are generally leveraged against external threats. IPv6 does introduce some new external security issues, mainly tunnels of all sorts. The threats are fairly similar to IPv4. However the local network security for IPv6 has some new twists. IPv6 has some of the same issues as IPv4 such as DHCP snooping and has added some new ones—namely Neighbor Discovery attacks.
IPv6 uses ICMP messages for distribution of information on and about the local network. The assignment of IPv6 addresses uses ICMP, as does assignment of default routers, and the discovery of the Ethernet address of your neighbor. These ICMP messages replace Address Resolution Protocol (ARP) on IPv4 networks, as well as provide for StateLess Address Auto-Configuration (SLAAC).
What you need to know now about IPv6 subnet security
- DHCP snooping. While DHCP plays a reduced roll in IPv6 networks, many host attributes are configured via SLAAC, it does still pose a security risk. The same IPv4 solutions will work for IPv6 networks namely, DHCP snooping.
- RA–guard. Router Advertisements (RA) are sent out periodically by IPv6 routers, and also in response to Router Solicitation messages. The RA ICMP message can have several pieces of information for the configuration of a new host; address of the network (first part of the hosts IPv6 address), the Default router’s address, DNS servers, etc. If a host is allowed to send out RA messages on the local network then all of the hosts could change their DNS or default router to the malicious sender of the RAs. This is a new man-in-the-middle attack just for IPv6. RAs use a specific ICMP message type and can be blocked by a network device with sufficient knowledge of IPv6. What this means is that a local switch which is not able to filter ICMP type 134 (RA) from being forwarded only from router ports will leave the hosts on that subnet vulnerable.
- ND snooping. This is a mechanism to ensure that the IPv6 address used on the local network as the source for a packet corresponds to the Ethernet address used as the source. This ensures that malicious neighbor Discovery messages will not inject erroneous entries into neighbor tables. These tables can be used to determine if future ND packets are valid or malicious.
- SEND. A few network equipment vendors support Secure Neighbor Discovery. However the administrative overhead associated with deploying SEND, along with the lack of OS support from both Microsoft and Apple means that a real world SEND solution will be unavailable for the foreseeable future.
Dig deeper on IPv6 deployment
The deployment of IPv6 on a local network does create additional feature requirements to ensure a secure environment for all hosts. Without the widespread adoption of SEND in hosts OS’s some security can be gained by implementing both snooping and IPv6 filters for invalid ND and RA packets. These security features are currently the best solution to providing a secure IPv6 local network.
Here are some useful sources for more information:
>> HP Networking ND Detection
>> HP Networking DHCPv6 Snooping
>> RFC: Neighbor Discovery for IP version 6 (IPv6)
>> Experience HP's entire portfolio of enterprise business products, solutions and services by attending HP Discover Las Vegas June 6-10.
