IPv6 Routing Security
IPv6 has a number of new routing protocols, capabilities, issues and safeguards.
Neighbor Discovery Protocol
NDP is new and integral to IPv6, see RFC 4861. It defines five main ICMPv6
packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation,
Neighbor Advertisement, and Redirect (Inverse Neighbor Discovery is a separate
extension, see RFC 3122). NDP provides:
- Router discovery: hosts can locate routers on attached links.
- Prefix discovery: hosts can discover prefixes on-link for attached links.
- Parameter discovery: hosts can find link parameters (e.g. MTU).
- Address autoconfiguration: stateless configuration of network interfaces.
- Address resolution: mapping between IP and link-layer addresses.
- Next-hop determination: hosts find next-hop routers for a destination.
- Neighbor unreachability detection (NUD).
- Duplicate address detection (DAD).
- Redirect: router can inform a node about better first-hop routers.
- Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) assignment via router advertisement (RA) options.
NDP has weaknesses – if spoofed, it can redirect to a non-existent router,
redirect traffic to wrong hosts, allow denial of service from attackers
on-link, advertise non-existent routers, advertise but not route, deprecate
prefixes, block autoconfiguration by spoofing DAD responses, or spoof
'neighbour unreachable' responses. RFC 4861 advises the use of Secure Neighbor
Discovery (SEND).
Secure Neighbor Discovery
Secure Neighbor Discovery secures NDP. It is fairly complex so is most useful
in high-value networks, see RFC 3971. SEND works in a similar way to SSL –
certificates are held and verified via a trust anchor. It adds NDP messages to
handle certificate checks. SEND uses CGA (cryptographically generated
addresses) to secure endpoints.
Cryptographically Generated Addresses
CGA was developed for SEND, see RFC 3972. For IPv6 addresses, the interface
identifier is generated by computing a cryptographic one-way hash function from
public key and auxiliary parameters. CGAs are not certified, so attackers can
create new CGAs from any subnet prefix and public key, but they can't forge a
CGA created by someone else. Protection works without a certification authority
or any security infrastructure – it only needs an address and an algorithm, so
it is also useful as a privacy tool.
Neighbor Discovery Flood
ND Flood is denial of service from off-link attackers, which is not addressed
by SEND. ND Flood fills routers with incomplete ND entries. It is similar to
SYN floods but worse, because a single IPv6 subnet has an enormous number of
possible host addresses. Attackers do not send the ND packets themselves; they
trigger them by sending to non-existent addresses – the connection attempts are
real, but malicious. Solutions to ND Flood: block access to inappropriate
subnets, use smaller subnets on router links. Mitigation requires firewall and
router awareness, rate limiting, fast flushing of incomplete entries, etc.
Ultimately the problem needs to be addressed by vendors.
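A toy router neighbor cache applying two of the mitigations listed above, a cap on INCOMPLETE entries and fast expiry of them, so a flood of packets to unused addresses cannot push out resolved neighbors. This is an added illustration, not code from the page or any router vendor; the cap, timeout and flood traffic are constructed values.

```python
from collections import OrderedDict

class NeighborCache:
    def __init__(self, max_incomplete: int = 128, incomplete_ttl: float = 1.0):
        self.reachable = {}                 # addr -> link-layer address (resolved)
        self.incomplete = OrderedDict()     # addr -> time the NS was sent (unresolved)
        self.max_incomplete = max_incomplete
        self.incomplete_ttl = incomplete_ttl
        self.dropped = 0

    def flush_expired(self, now: float) -> None:
        # Fast flushing: discard INCOMPLETE entries whose solicitation has timed out.
        for addr, sent in list(self.incomplete.items()):
            if now - sent >= self.incomplete_ttl:
                del self.incomplete[addr]

    def forward(self, dst: str, now: float) -> str:
        # Called for each packet the router must deliver on-link.
        if dst in self.reachable:
            return "forwarded"
        self.flush_expired(now)
        if dst in self.incomplete:
            return "queued"                 # resolution already in progress
        if len(self.incomplete) >= self.max_incomplete:
            self.dropped += 1
            return "dropped"                # rate limit: no new solicitation sent
        self.incomplete[dst] = now          # send NS, create an INCOMPLETE entry
        return "soliciting"

    def neighbor_advertisement(self, addr: str, lladdr: str) -> None:
        # The target answered: move it from INCOMPLETE to REACHABLE.
        self.incomplete.pop(addr, None)
        self.reachable[addr] = lladdr

def simulate_flood(n_targets: int = 10000, cap: int = 128) -> NeighborCache:
    # Constructed scenario: one real host resolves, then a flood of packets arrives
    # for n_targets unused addresses in the same subnet, one every millisecond.
    cache = NeighborCache(max_incomplete=cap)
    cache.forward("2001:db8::10", 0.0)
    cache.neighbor_advertisement("2001:db8::10", "02:00:00:00:00:10")
    for i in range(n_targets):
        cache.forward(f"2001:db8::{i + 0x1000:x}", 0.001 * i)
    return cache
```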
Router Advertisements
Rogue router advertisements may arise from unauthorised routers, or spoofed RA
from other hosts. They are not necessarily malicious – they are sometimes
unintentional or a result of misconfiguration. Communication is interrupted
because hosts have incorrect information about where to route packets. The
problem is usually local to a subnet – WANs are unlikely to be relying on RA.
Host-level filters help, as they accept RA only from known routers, but that
requires filters on all hosts.
RA-Guard
RA-Guard is a lighter-weight protocol than SEND, but it understands and
complements SEND. RA-Guard sits in switches between routers and hosts, and acts
as an 'authorisation proxy'. RA-Guard drops bad RAs before they reach hosts,
and only needs certificates on routers and switches, not all hosts. Stateless
RA-Guard uses static information configured into the switch. Stateful RA-Guard
collects information about acceptable RAs.
DHCPv6 Servers
Rogue DHCPv6 servers are unauthorised devices providing fake IP addresses,
default gateways, or DNS servers. They may be the result of unintentional
misconfiguration, or installed to sniff traffic, redirect it to virus servers,
perform man-in-the-middle attacks, etc.
DHCPv6-Shield
Similar in concept to RA-Guard, DHCPv6-Shield is a layer-2 device that filters
DHCPv6 messages. If the messages are not received on a specified configured
port they are discarded.
BGPSEC
BGPSEC (Border Gateway Protocol Security) is an extension to BGP to improve
security for routing information exchange. Resource Public Key Infrastructure
(RPKI) certificates bind the cryptographic keys used to verify digital
signatures to Autonomous System (AS) numbers and IP address prefixes. RPKI also
specifies a Route Origination Authorisation (ROA), which determines if a route
came from an AS authorised to originate it. BGPSEC also adds a BGPSEC router
certificate to verify the validity of the AS Path in update messages. BGPSEC can
be negotiated separately for IPv6 and IPv4.
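The ROA check described above, worked through as route origin validation in the style of RFC 6811. This is an added example, not code from the page or from any RPKI validator; the ROAs and announcements are constructed sample data using documentation prefixes and private-use AS numbers, and it covers only origin validation, not the BGPSEC AS Path check.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the resource holder authorises, e.g. "2001:db8::/32"
    max_length: int  # longest prefix length the AS may announce within it
    asn: int         # AS number authorised to originate

# Constructed sample ROAs (not real RPKI objects).
SAMPLE_ROAS = (
    ROA("2001:db8::/32", 48, 64496),
    ROA("192.0.2.0/24", 24, 64496),
)

def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced prefix and origin AS.

    A ROA 'covers' the route when the route prefix lies within the ROA prefix.
    A covering ROA 'matches' when the origin AS equals the ROA's AS and the route
    is no longer than max_length. One match is enough for 'valid'; covered with
    no match is 'invalid'; no covering ROA at all is 'not-found'.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if origin_asn == roa.asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"
```

A more-specific announcement beyond max_length is rejected even from the authorised AS, which is what stops a hijacker from winning longest-prefix match with a stolen origin.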