Regional Cisco Networking Academy Conference 2014
Giving you the knowledge and confidence to teach IPv6
Getting and using IPv6
ICMPv6: A Closer Look
Securing IPv6
Rick Graziani, CS/CIS Instructor, Cabrillo College

Who am I?
• Rick Graziani - graziani@cabrillo.edu
• CS/CIS instructor at Cabrillo College, Santa Cruz, California
• Cisco Networking Academy instructor since 1997
• Run native IPv6 at Cabrillo College and home
• Curriculum Development Team for Cisco Networking Academy
• When not working, hopefully I’m surfing.
“I understand IPv4, but how does it work for IPv6?”
[Roadmap diagram: the topics mapped onto the CCNA and CCNP (ROUTE, SWITCH, TSHOOT) curricula: IPv6 basics, routing IPv6, ICMPv6 ND, address allocation (DHCP), address resolution (ARP), solicited node multicast, mitigating attacks]

Topics
• Securing IPv6
  • RA Guard
  • DHCPv6 Guard
  • Neighbor Cache Exhaustion Mitigation
  • /127 for point-to-point addresses
  • Other stuff for IPv6 security
• Tomorrow: Flavors of DHCPv6
  • SLAAC – IPv6 Addressing without DHCPv6
  • Stateless DHCPv6 – I have my address but need some other stuff
  • Stateful DHCPv6 – Just like DHCPv4 (only different)
  • DHCPv6-PD (Prefix Delegation) – IPv6 Prefix for the “home”
• Getting and Using IPv6:
  • Getting IPv6: PA versus PI Address Space
  • Using IPv6: Happy Eyeballs
• ICMPv6
  • Dynamic Address Allocation
    • RS and RA Message details
    • Ethernet Multicast Addresses for IPv6
  • Address Resolution
    • Comparison with ARP
    • Solicited Node Multicast
    • NS and NA Message details
    • Neighbor Cache details
Global Routing Prefixes
[Diagram: an IPv6 address split into Global Routing Prefix | Subnet ID | Interface ID, with the typical prefix lengths at each boundary]
• /23 – RIR*
• /32 – ISP prefix*
• /48 – site prefix*
• /56 – possible home site prefix
• /64 – subnet prefix (Comcast is giving me a /64 at home)
* This is a minimum allocation. The prefix-length may be less if it can be justified.

PA versus PI Address Space
https://www.arin.net/fees/fee_schedule.html
• Provider Aggregatable (PA) Address Space – Address space that is typically assigned by an ISP to a customer.
  • Change provider, must get new address space
  • Customer must do prefix renumbering (Helpful IETF RFCs)
• Provider Independent (PI) Address Space – Address space that is assigned by the RIR.
  • Remains assigned to the customer regardless of provider
  • No prefix renumbering needed if you change providers
[Diagram: Global Routing Prefix (/32) | Subnets (/48) | Interface ID]

PA versus PI Address Space
• Provider Aggregatable (PA) Address Space (/48)
  • PA if you are single homed
• Provider Independent (PI) Address Space (/32)
  • Great for organizations who want to multihome to different ISPs
  • Check with the upstream ISP whether they will route it or not
  • Especially when the PI prefix is not local in the region (ARIN, APNIC, …) – can have asymmetric routing issues
• ftp://ftp.ripe.net/ripe/docs/ripe-127.txt
• http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html
[Diagram: a multihomed site (CPE running an IGP) connected by BGP or static routes to ISP-A in the US and ISP-B in Europe]
RFC6555 Happy Eyeballs: Success with Dual-Stack Hosts
• The dual-stack code may get two addresses back from DNS, one IPv4 and one IPv6…
• Which one does it use?
• In order to use applications over IPv6, it is necessary that users enjoy nearly identical performance as compared to IPv4.

RFC6555 Happy Eyeballs: Success with Dual-Stack Hosts
[Sequence diagram: the host resolves both records, then connects]
• Query AAAA record for www.facebook.com
• Query A record for www.facebook.com
• Connect to 2a03:2880:f016:401:face:b00c:01:1 (IPv6)
• Connect to 31.13.77.65 (IPv4)
• GET HTTP/1.1 to www.facebook.com over whichever connection is used

Happy Eyeballs in a nutshell
• In reality it depends on how the OS and application wants to handle it.
[Timeline: User enters “www.example.com”; attempt IPv6 lookup and connect; 300 ms later, attempt IPv4 lookup and connect; first come, first served: retrieve and display over whichever connection succeeds first]
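The race on the timeline above, written out in Python as an added example; it is not code from the talk or from any operating system's resolver. DNS answers and connect timings are constructed stand-ins (no network is touched), the 300 ms head start is the slide's figure (RFC 6555 itself suggests 150 to 250 ms), and the overall timeout is an assumed value that a real client also needs so that two dead paths do not hang the application.

```python
import asyncio

# Constructed stand-ins: DNS answers (AAAA and A) and how long each "connect" takes.
FAKE_DNS = {"www.example.com": {"AAAA": "2001:db8::1", "A": "192.0.2.1"}}
HEALTHY = {"2001:db8::1": 0.05, "192.0.2.1": 0.02}     # both paths fine: IPv6 should win
BROKEN_V6 = {"2001:db8::1": None, "192.0.2.1": 0.02}   # None: the IPv6 path never connects
SLOW_V6 = {"2001:db8::1": 0.50, "192.0.2.1": 0.02}     # IPv6 works but loses the race
DEAD = {"2001:db8::1": None, "192.0.2.1": None}

HEAD_START = 0.3   # the slide's 300 ms; RFC 6555 recommends 150-250 ms


async def fake_connect(addr, delays):
    """Pretend to TCP-connect: sleep for the configured delay, or hang until cancelled."""
    delay = delays[addr]
    if delay is None:
        await asyncio.Event().wait()       # never set: models a black-holed path
    await asyncio.sleep(delay)
    return addr


async def happy_eyeballs(host, delays, dns=FAKE_DNS, head_start=HEAD_START, timeout=1.0):
    """Start IPv6 first; if it has not connected within head_start, start IPv4 too and keep
    whichever succeeds first. The loser is cancelled so no half-open connection is leaked."""
    v6 = asyncio.create_task(fake_connect(dns[host]["AAAA"], delays))
    done, _ = await asyncio.wait({v6}, timeout=head_start)
    if v6 in done and v6.exception() is None:
        return v6.result()                 # IPv6 won inside its head start
    v4 = asyncio.create_task(fake_connect(dns[host]["A"], delays))
    pending, winner = {v6, v4}, None
    while pending and winner is None:
        done, pending = await asyncio.wait(pending, timeout=timeout,
                                           return_when=asyncio.FIRST_COMPLETED)
        if not done:                       # overall timeout: nothing connected at all
            break
        for task in done:
            if task.exception() is None:
                winner = task.result()
    for task in pending:
        task.cancel()
    await asyncio.gather(*pending, return_exceptions=True)
    if winner is None:
        raise ConnectionError(host)
    return winner


def connect(host, delays=HEALTHY, timeout=1.0):
    """Synchronous wrapper: the address that won the race, or None if neither connected."""
    try:
        return asyncio.run(happy_eyeballs(host, delays, timeout=timeout))
    except ConnectionError:
        return None


if __name__ == "__main__":
    for name, delays in (("healthy", HEALTHY), ("broken v6", BROKEN_V6), ("slow v6", SLOW_V6)):
        print(name, "->", connect("www.example.com", delays))
```

With both paths healthy the IPv6 address wins without the user ever noticing the IPv4 fallback; with IPv6 black-holed the page still loads after only the head-start delay instead of the full TCP connect timeout, which is the whole point of the technique.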
Internet Control Message Protocol (ICMPv6)
• IPv6 Next Header value: 58 decimal or 3A hexadecimal
• Described in RFC 4443
• Much more robust than ICMP for IPv4
• Contains new functionality and improvements.
• More than just “messaging” but “how IPv6 conducts business”.
• General message similar to ICMP for IPv4
• Also uses Type and Code fields like in ICMPv4.
[Encapsulation: IPv6 Header (Next Header = 58) | ICMPv6 Header | ICMPv6 Message Body]

Neighbor Discovery Protocol Uses ICMPv6
• ICMPv6 informational messages used by Neighbor Discovery (RFC 4861):
• Router Solicitation Message and Router Advertisement Message (router-device messaging)
  • Used with dynamic configuration of IPv6 addresses
  • Uses assigned multicast addresses
• Neighbor Solicitation Message and Neighbor Advertisement Message (device-device messaging)
  • Used with neighbor discovery (IPv4 ARP)
  • Uses solicited node multicast address and assigned multicast
• Redirect Message (Similar to ICMPv4)

IPv6 Multicast and Neighbor Discovery
[Diagram: IPv6 addressing is Unicast, Multicast or Anycast. Multicast splits into Assigned (FF00::/8) and Solicited Node (FF02::1:FF00:0000/104). Router Solicitation and Router Advertisement (dynamically obtaining an IPv6 address) use assigned multicast; Neighbor Solicitation (address resolution, the IPv6 equivalent of ARP) uses solicited node multicast.]

IPv4 Dynamic Addresses
[Diagram: with IPv4, dynamic addresses come from a DHCP server]

With IPv6 it begins with the Router Advertisement
• The Router Advertisement (RA) tells hosts how they will receive IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.
[Diagram: the host sends an ICMPv6 Router Solicitation to all IPv6 routers (“I need IPv6 address information”); the router answers with an ICMPv6 Router Advertisement to all IPv6 devices (“Let me tell you how to do this…”); a DHCPv6 server may also be present on the link]

A Router Must Be Enabled as an “IPv6 Router”
Router Advertisement/Solicitation Messages
• Part of ICMPv6 (Internet Control Message Protocol for IPv6)
• Router Advertisements are sent by an “IPv6 router” – ipv6 unicast-routing command
  • Forwards IPv6 Packets
  • Can be enabled for IPv6 static and dynamic routing
  • Sends ICMPv6 Router Advertisements
• Note: Routers can be configured with IPv6 addresses without being an IPv6 router
R1(config)# ipv6 unicast-routing

SLAAC (Stateless Address Autoconfiguration)
R1(config)# ipv6 unicast-routing
• Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 server does not maintain state of addresses
• Option 3: Stateful Address Configuration – Address received from DHCPv6 server
The RA tells the host which option to use:
• Option 1: SLAAC (Default on Cisco routers) – “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
• Option 2: SLAAC + Stateless DHCPv6 for DNS address – “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.”
• Option 3: All addressing except default gateway – DHCPv6 – “I can’t help you. Ask a DHCPv6 server for all your information.” (The default gateway still comes from the RA; DHCPv6 has no option for it.)

Router Advertisement – Option 1 SLAAC
Link 2001:DB8:CAFE:1::/64, router R1
1. ICMPv6 RS message – To: FF02::2 (All IPv6 Routers), From: FE80::50A5:8A35:A5BB:66E1 (PC1’s link-local address)
2. ICMPv6 RA message – To: FF02::1 (All IPv6 devices), From: FE80::1 (R1’s link-local address), Prefix: 2001:DB8:CAFE:1::, Prefix-length: /64
Router Solicitation (RS) from PC1
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:00:00:00:02
Internet Protocol Version 6
  0110 .... = Version: 6
  [Traffic class and Flowlabel not shown]
  Payload length: 16
  Next header: ICMPv6 (0x3a)
  Hop limit: 255
  Source: fe80::50a5:8a35:a5bb:66e1
  Destination: ff02::2
Internet Control Message Protocol v6
  Type: 133 (Router solicitation)
  Code: 0
  Checksum: 0x3277 [correct]
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:21:9b:d9:c6:44
Notes:
• Dst 33:33:00:00:00:02 – Ethernet multicast MAC address, maps to “all IPv6 routers”
• Next header 0x3a – an ICMPv6 header follows
• Hop limit 255 – every Neighbor Discovery message (RS, RA, NS, NA, Redirect) must be sent with hop limit 255, and receivers discard any that arrive with a lower value. Since a router decrements the hop limit, a value of 255 proves the message originated on this link (RFC 4861).
• Source – link-local address of PC1
• Destination ff02::2 – all-IPv6-routers multicast address
• Type 133 – Router Solicitation message
• Link-layer address option – MAC address of PC1; the RA is nevertheless sent to the all-IPv6-devices multicast address

R1(config)# ipv6 unicast-routing
R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2          (All-routers multicast group)
    FF02::1:FF00:1
  MTU is 1500 bytes
  <output omitted for brevity>
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
Router Advertisement (RA) from Router R1 – some fields omitted
Ethernet II, Src: 00:03:6b:e9:d4:80, Dst: 33:33:00:00:00:01
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
  .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 64
  Next header: ICMPv6 (0x3a)
  Hop limit: 255
  Source: fe80::1
  Destination: ff02::1
Internet Control Message Protocol v6
  Type: 134 (Router advertisement)
  Code: 0
  Cur hop limit: 64
  Flags: 0x00
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:03:6b:e9:d4:80
  ICMPv6 Option (MTU)
    Type: MTU (5)
    Length: 8
    MTU: 1500
  ICMPv6 Option (Prefix information)
    Type: Prefix information (3)
    Length: 32
    Prefix Length: 64
    Prefix: 2001:db8:cafe:1::
Notes:
• Dst 33:33:00:00:00:01 – Ethernet multicast MAC address, maps to “All-IPv6 devices”
• Next header 0x3a – an ICMPv6 header follows
• Source fe80::1 – link-local address of R1. Added to the Default Router List; this is the address hosts will use as their default gateway
• Destination ff02::1 – all-IPv6 devices multicast
• Cur hop limit 64 – recommended Hop Limit value for hosts
• Flags 0x00 – M and O flags indicate that no information is available via DHCPv6
• Source link-layer address – Router R1’s MAC address
• MTU – MTU of the link
• Prefix Length – prefix-length (/64) to be used for autoconfiguration
• Prefix – prefix of this network to be used for autoconfiguration

M and O Flags
Internet Control Message Protocol v6
  Type: 134 (Router advertisement)
  Code: 0
  Cur hop limit: 64
  Flags: 0x00
  <output omitted for brevity>
• M Flag: Managed Address Configuration flag
  • Tells the host whether to get its addresses from a stateful DHCPv6 server (M = 1) or to rely on the configuration information in this Router Advertisement (M = 0, SLAAC by default). Whether the host also forms a SLAAC address from the advertised prefix is governed separately by the A (autonomous) flag in the Prefix Information option.
• O Flag: Other Configuration flag
  • When SLAAC is being used (using the RA), it tells the host whether more information (like DNS) is available from a stateless DHCPv6 server.
Router Advertisement message: M and O flags both 0, no additional information from a DHCPv6 server.
Mapping IPv6 Multicast Address to an Ethernet MAC Address
[Frame layout: Ethernet Header (D-MAC) | IPv6 Header (D-IPv6) | Data | FCS]
• 48-bit MAC addresses in the range from 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast.
• Low-order 32 bits of the IPv6 multicast address are mapped to the low-order 32 bits of the MAC address.
• Remember, source addresses are always unicast.
• RFC 7042 historical note: It was the custom during IPv6 design to use “3” for unknown or example values, and 3333 Coyote Hill Road, Palo Alto, California, is the address of PARC (Palo Alto Research Center, formerly “Xerox PARC”). Ethernet was initially developed at Xerox PARC.
Example (RS):
• Destination IPv6 address, All IPv6 Routers multicast: FF02:0000:0000:0000:0000:0000:0000:0002
• Corresponding destination MAC address: 33:33:00:00:00:02

Ethernet MAC Addresses in RS and RA Messages
Link 2001:DB8:CAFE:1::/64, router R1
1. RS – Ethernet Dst: 33:33:00:00:00:02, Src: 00:21:9b:d9:c6:44; IPv6 To: FF02::2 (All IPv6 Routers), From: FE80::50A5:8A35:A5BB:66E1 (link-local address); ICMPv6 RS message
2. RA – Ethernet Dst: 33:33:00:00:00:01, Src: 00:03:6b:e9:d4:80; IPv6 To: FF02::1 (All IPv6 devices), From: FE80::1 (link-local address); ICMPv6 RA message
“But how does this help anything?” “Because I will filter on multicast MAC addresses!”

PC Processes the following IPv6 and Ethernet MAC Addresses
• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from:
  • Any assigned multicast address such as All-IPv6-Devices.
  • Any solicited node multicasts… what?
• A host NIC would not accept frames looking for an IPv6 router using the Destination MAC address 33:33:00:00:00:02
* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.
ICMPv6: Neighbor Discovery and Address Resolution (ARP in IPv4)
Address Resolution: IP to MAC Mapping
IP to data link (MAC) address mapping:
• IPv4 addresses use ARP
  1. PC1 → ARP Request (broadcast): “Know IPv4, what is the MAC?”
  2. PC2 → ARP Reply: “My IPv4! Here is the MAC.”
  3. PC1 stores the mapping in its ARP Cache
• IPv6 addresses use ICMPv6 Neighbor Discovery messages
  1. PC1 → Neighbor Solicitation: “Know IPv6, what is the MAC?”
  2. PC2 → Neighbor Advertisement: “My IPv6! Here is the MAC.”
  3. PC1 stores the mapping in its Neighbor Cache

Address Resolution: IP to MAC Mapping
• IPv4: ARP over Ethernet
  • Ethernet | ARP Request/Reply
  • ARP Request is an Ethernet broadcast
• IPv6: ICMPv6 over IPv6 over Ethernet
  • Ethernet | IPv6 Header | ICMPv6 Neighbor Solicitation/Advertisement
  • Neighbor Solicitation is sent to a multicast address: the target’s Solicited Node Multicast

Solicited Node Multicast
What is a solicited node multicast address?
• A layer 3 multicast address with link-local scope “FF02” (within the subnet/VLAN).
• There is a solicited node multicast address for every IPv6 unicast (or anycast) address, including:
  • Global Unicast Address (GUA)
  • Link-local Address
• Used in Neighbor Solicitation messages during:
  • Address Resolution (ARP for IPv4)
  • Duplicate Address Detection (DAD)

Solicited Node Multicast
How is it created?
• There is a direct relationship between the unicast/anycast address and its solicited node multicast address.
• The solicited node multicast address is formed by:
  • Prefix FF02:0:0:0:0:1:FF00::/104 (FF02::1:FFxx:xxxx)
  • Appending the low-order 24 bits of the address (unicast or anycast)
• Like other multicast addresses, solicited node multicast addresses are also mapped to an Ethernet MAC address. (next)

Solicited Node Multicast Example
PC2’s Global Unicast Address (Global Routing Prefix | Subnet ID | Interface ID): 2001:0DB8:CAFE:0001:0000:0000:0000:0200
• Copy the low-order 24 bits (00:0200) of the 128-bit address
PC2’s IPv6 Solicited-Node Multicast Address (104-bit prefix + 24 copied bits): FF02:0000:0000:0000:0000:0001:FF00:0200
• Ability to filter at the NIC
Solicited-node multicast address mapped to Ethernet destination MAC address:
• Low-order 32 bits of the IPv6 multicast address (FF-00-02-00) mapped to the low-order 32 bits of the MAC address, after 33-33
Summary:
• PC2’s IPv6 global unicast address: 2001:DB8:CAFE:1::200
• PC2’s IPv6 solicited-node multicast address: FF02::1:FF00:200
• PC2’s mapped Ethernet multicast address: 33-33-FF-00-02-00
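Both mappings, solicited-node address from a unicast address and Ethernet MAC from any IPv6 multicast address, worked in Python as an added example (this is not code from the talk). It also reproduces the filter set a host NIC ends up programming for its addresses; nic_filter_set is an assumed helper name, and the addresses are the ones used on these slides.

```python
import ipaddress

# FF02::1:FF00:0/104: the first 104 bits of every solicited-node multicast address.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr):
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the unicast/anycast address."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        raise ValueError(f"{a} is multicast; solicited-node groups exist only for unicast/anycast")
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(a) & 0xFFFFFF))


def multicast_mac(addr):
    """33-33 followed by the low-order 32 bits of any IPv6 multicast address (RFC 2464 / RFC 7042)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{a} is not a multicast address")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def nic_filter_set(unicast_addrs, is_router=False):
    """Multicast MACs the NIC must accept for these addresses: all-nodes, all-routers if the
    box routes, plus one solicited-node group per unicast address (mirrors the 'PC2 processes' slide)."""
    macs = {multicast_mac("ff02::1")}
    if is_router:
        macs.add(multicast_mac("ff02::2"))
    for u in unicast_addrs:
        macs.add(multicast_mac(solicited_node_multicast(u)))
    return macs


def same_solicited_node_group(addr_a, addr_b):
    """True when two addresses collide on the low-order 24 bits and therefore share a group and a MAC."""
    return solicited_node_multicast(addr_a) == solicited_node_multicast(addr_b)


if __name__ == "__main__":
    gua = "2001:db8:cafe:1::200"
    sn = solicited_node_multicast(gua)
    print(gua, "->", sn, "->", multicast_mac(sn))
    print(nic_filter_set([gua, "fe80::1111:2222:3333:4444"]))
```

The collision check is there because the mapping is lossy by design: 2001:DB8:CAFE:1:AAAA::200 and 2001:DB8:CAFE:1:BBBB::200 land in the same group and the same MAC, so the NIC accepts the frame for both and only the Target field inside the Neighbor Solicitation tells the two hosts apart.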
Solicited node multicast addresses may not be unique
• Although rare, solicited node multicast addresses may not be unique.
• Possible to have multiple devices with the same solicited node multicast address (and same Ethernet multicast) if the low-order 24 bits match
• High-order 40 bits of the Interface ID may differ.
• But that is ok... Upper layer protocols like ICMPv6 contain the target address (coming)
Example: 2001:0DB8:CAFE:0001:AAAA:0000:0000:0200 and 2001:0DB8:CAFE:0001:BBBB:0000:0000:0200 share the low-order 24 bits (00:0200), so both map to the same solicited node multicast address and the same Ethernet multicast MAC.

• So, why are solicited node multicasts better than broadcasts?
• Multicasts can be mapped to MAC addresses and Ethernet NICs (hardware or drivers) can filter these frames.
• Why is that a good thing?

Advantages of Multicast
Ethernet Broadcast
• Destination MAC Address: Broadcast
• Data must be passed to the upper layer for processing.
IPv4 or IPv6 Multicast
• IP multicast packets can be filtered by the switch (IGMP/MLD snooping), only sending packets to members of that group
  • IPv4 - IGMP (Internet Group Management Protocol)
  • IPv6 - MLD (Multicast Listener Discovery)
• However, Solicited Node Multicasts are forwarded out all ports because of the potentially huge forwarding tables needed to store these addresses. (For now.) But wait….

Solicited Node Multicasts are mapped to Ethernet!
ARP Requests: Layer 2 broadcasts:
• Ethernet broadcasts are sent to all devices.
• Flood the entire broadcast domain (subnet/VLAN).
• Ethernet NIC must process the frame.
• Any filtering is done by a higher layer protocol such as ARP (on the Target IPv4 Address).
Solicited Node Multicasts: Layer 2 and Layer 3 multicasts:
• Although solicited node multicasts are forwarded out all ports by the switch, ….
• Layer 2 multicast allows frames to be filtered by the NIC without having to send the data to an upper layer protocol for inspection.

PC2 Processes the following IPv6 and Ethernet MAC Addresses
• Besides its own MAC address, the Ethernet NIC will accept multicast addresses created from the:
  • Solicited node multicast (global unicast address)
  • Solicited node multicast (link-local address)
  • Any assigned multicast address such as All-IPv6-Devices.
* Ethernet MAC addresses such as broadcasts and those associated with other protocols are not shown.

Back to Address Resolution (ARP in IPv4)
Link 2001:0DB8:CAFE:0001::/64, router R1 (ipv6 unicast-routing)
PC1: 2001:DB8:CAFE:1::100/64, MAC 00-21-9B-D9-C6-44
PC2: 2001:DB8:CAFE:1::200/64, MAC 00-1B-24-04-A2-1E, solicited node multicast FF02::1:FF00:200
1. PC1> ping 2001:DB8:CAFE:1::200
2. PC1 checks its Neighbor Cache: empty until step 5
3. PC1 sends a Neighbor Solicitation (Ethernet | IPv6 Header | ICMPv6 Neighbor Solicitation)
4. PC2 answers with a Neighbor Advertisement (Ethernet | IPv6 Header | ICMPv6 Neighbor Advertisement)
5. PC1 adds PC2’s IPv6-to-MAC mapping to its Neighbor Cache
Neighbor Solicitation from PC1 (ARP Request)
Ethernet II, Src: 00:21:9b:d9:c6:44, Dst: 33:33:ff:00:02:00
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
  .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 32
  Next header: ICMPv6 (0x3a)
  Hop limit: 255
  Source: 2001:db8:cafe:1::100
  Destination: ff02::1:ff00:200
Internet Control Message Protocol v6
  Type: 135 (Neighbor solicitation)
  Code: 0
  Checksum: 0xbbab [correct]
  Reserved: 0 (Should always be zero)
  Target: 2001:db8:cafe:1::200
  ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: 00:21:9b:d9:c6:44
Notes:
• Dst 33:33:ff:00:02:00 – mapped multicast MAC address for PC2’s solicited-node group
• Next header 0x3a – an ICMPv6 header follows
• Hop limit 255 – a receiver discards any NS/NA whose hop limit is not 255, so the message is known to have originated on this link (RFC 4861)
• Source – global unicast address of PC1
• Destination ff02::1:ff00:200 – solicited-node multicast address of PC2
• Type 135 – Neighbor Solicitation message
• Target – the IPv6 address whose MAC address is needed. If two devices share the same solicited node address, this field resolves the issue: only the device that owns the target address answers
• Source link-layer address option – MAC address of the sender, PC1; the target stores it in its own Neighbor Cache*
* For the target’s Neighbor Cache

Neighbor Advertisement from PC2 (ARP Reply)
Ethernet II, Src: 00:1b:24:04:a2:1e, Dst: 00:21:9b:d9:c6:44
Internet Protocol Version 6
  0110 .... = Version: 6
  .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
  .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
  Payload length: 32
  Next header: ICMPv6 (0x3a)
  Hop limit: 255
  Source: 2001:db8:cafe:1::200
  Destination: 2001:db8:cafe:1::100
Internet Control Message Protocol v6
  Type: 136 (Neighbor advertisement)
  Code: 0
  Checksum: 0x1b4d [correct]
  Flags: 0x60000000
  Target: 2001:db8:cafe:1::200
  ICMPv6 Option (Target link-layer address)
    Type: Target link-layer address (2)
    Length: 8
    Link-layer address: 00:1b:24:04:a2:1e
Notes:
• Dst 00:21:9b:d9:c6:44 – unicast MAC address of PC1, learned from the Neighbor Solicitation*
• Src 00:1b:24:04:a2:1e – unicast MAC address of PC2
• Next header 0x3a – an ICMPv6 header follows
• Source – global unicast address of PC2
• Destination – global unicast address of PC1
• Type 136 – Neighbor Advertisement message
• Flags 0x60000000 – S (solicited) and O (override) set, R (router) clear: a reply to an NS from a non-router that may overwrite an existing cache entry
• Target – IPv6 address of the sender, PC2
• Target link-layer address option – MAC address of the sender, PC2
* From the previous Neighbor Solicitation
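The NS/NA exchange captured above, built and then validated in Python as an added example; it is not code from the talk. Addresses and MACs are PC1’s and PC2’s from the capture; build_ns, build_na, parse_nd and is_valid_nd are assumed names; the checksum is recomputed rather than copied from the capture. parse_nd applies the receiver checks RFC 4861 section 7.1 requires (hop limit 255, correct checksum, code 0, minimum length, unicast target, well-formed options), which is what lets a host ignore an NS or NA that did not originate on its own link or that has been tampered with.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_HOP_LIMIT = 255                 # RFC 4861: ND messages are sent with hop limit 255 and never forwarded
NS_TYPE, NA_TYPE = 135, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header) plus the ICMPv6 message.
    Over a message that already carries its checksum the result is 0 when it is valid."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(message), ICMPV6) + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries: ones' complement addition
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lladdr_option(opt_type, mac):
    """Link-layer address option: type, length in 8-octet units (1 for Ethernet), 6-byte MAC."""
    return struct.pack("!BB", opt_type, 1) + bytes.fromhex(mac.replace(":", ""))


def finish(src, dst, body):
    """Fill in the checksum (bytes 2-3 of the ICMPv6 header) and return (src, dst, message)."""
    csum = icmpv6_checksum(src, dst, body)
    return src, dst, body[:2] + struct.pack("!H", csum) + body[4:]


def build_ns(src, target, src_mac):
    """Neighbor Solicitation (the ARP request): sent to the target's solicited-node multicast group."""
    src, target = ipaddress.IPv6Address(src), ipaddress.IPv6Address(target)
    dst = ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(target) & 0xFFFFFF))
    body = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + target.packed + lladdr_option(OPT_SRC_LLADDR, src_mac)
    return finish(src, dst, body)


def build_na(src, dst, target, target_mac, router=False, solicited=True, override=True):
    """Neighbor Advertisement (the ARP reply), unicast back to the solicitor with the R/S/O flags."""
    src, dst, target = map(ipaddress.IPv6Address, (src, dst, target))
    flags = (router << 31) | (solicited << 30) | (override << 29)
    body = struct.pack("!BBHI", NA_TYPE, 0, 0, flags) + target.packed + lladdr_option(OPT_TGT_LLADDR, target_mac)
    return finish(src, dst, body)


def parse_nd(src, dst, hop_limit, message):
    """Validate and decode an NS/NA the way a receiver must (RFC 4861 7.1); raises ValueError on anything off."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if hop_limit != ND_HOP_LIMIT:
        raise ValueError("hop limit %d != 255: forwarded by a router or forged off-link" % hop_limit)
    if len(message) < 24:
        raise ValueError("ND message shorter than 24 bytes")
    if icmpv6_checksum(src, dst, message) != 0:
        raise ValueError("bad ICMPv6 checksum")
    msg_type, code, _, flags = struct.unpack("!BBHI", message[:8])
    if msg_type not in (NS_TYPE, NA_TYPE) or code != 0:
        raise ValueError("not an NS/NA with code 0")
    target = ipaddress.IPv6Address(message[8:24])
    if target.is_multicast:
        raise ValueError("target must be unicast or anycast")
    options, pos = {}, 24
    while pos < len(message):
        opt_type, opt_len = message[pos], message[pos + 1]
        if opt_len == 0 or pos + 8 * opt_len > len(message):   # zero-length or truncated option
            raise ValueError("malformed ND option")
        if opt_type in (OPT_SRC_LLADDR, OPT_TGT_LLADDR):
            options[opt_type] = message[pos + 2:pos + 8].hex(":")
        pos += 8 * opt_len
    return {"type": msg_type, "target": str(target), "flags": flags, "options": options,
            "router": bool(flags >> 31 & 1), "solicited": bool(flags >> 30 & 1),
            "override": bool(flags >> 29 & 1)}


def is_valid_nd(src, dst, hop_limit, message):
    """True if parse_nd accepts the message, False if any receiver check rejects it."""
    try:
        parse_nd(src, dst, hop_limit, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    s, d, ns = build_ns("2001:db8:cafe:1::100", "2001:db8:cafe:1::200", "00:21:9b:d9:c6:44")
    print("NS ->", d, parse_nd(s, d, 255, ns))
    s, d, na = build_na("2001:db8:cafe:1::200", "2001:db8:cafe:1::100",
                        "2001:db8:cafe:1::200", "00:1b:24:04:a2:1e")
    print("NA ->", d, parse_nd(s, d, 255, na))
```

The hop-limit test is the cheap one worth remembering: it costs nothing, it is mandatory in the RFC, and it is why an off-link attacker cannot inject NS/NA (or RA) into a segment through a router. It does nothing against an attacker who is already on the link, which is the case the RA Guard and neighbor-cache topics in the outline address.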
Multicast Groups of a Router
R1# show ipv6 interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FE75:C3E0
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF75:C3E0
  <output omitted for brevity>
Member of these Multicast Groups:
• FF02::1 – All-IPv6 devices on this link
• FF02::2 – All-IPv6 routers on this link: IPv6 routing enabled
• FF02::1:FF00:1 – Solicited-node multicast address for the global unicast address
• FF02::1:FF75:C3E0 – Solicited-node multicast address for the link-local address
• FF02 – “2” means link-local scope

Duplicate Address Detection (DAD)
PC2: Global Unicast 2001:DB8:CAFE:1::200, Link-local FE80::1111:2222:3333:4444
[Diagram: PC2 sends a Neighbor Solicitation for its own address and hopefully receives no Neighbor Advertisement]
• Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link.
• A device will send a Neighbor Solicitation for its own unicast address (static or dynamic).
• After a period of time, if a NA is not received, then the address is deemed unique.
• Once required, the RFC was updated so that it is only recommended – /64 Interface ID!

Neighbor Cache (IPv4 ARP Cache)
• Neighbor Cache – Maps IPv6 addresses to Ethernet MAC addresses
• Similar to ARP Cache for IPv4
• 5 States (2 noticeable and 3 transitory):
  • Reachable: Packets have recently been received providing confirmation that this device is reachable.
  • Stale: A certain time period has elapsed since a packet has been received from this address.
  • Transitory States: INCOMPLETE, DELAY, PROBE
[Diagram: PC1 (IPv6 2001:DB8:ACAD:1::10, MAC 0021.9bd9.c644) sends a Neighbor Advertisement; the receiver’s Neighbor Cache now holds the entry 2001:DB8:ACAD:1::10 → 0021.9bd9.c644]

Neighbor Cache
Windows: netsh interface ipv6 show neighbor
Linux: ip neighbor show (macOS has no ip command; use ndp -an)
R1# show ipv6 neighbors
IPv6 Address                               Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                   16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10                         16 0021.9bd9.c644  STALE Fa0/0
R1# ping 2001:db8:aaaa:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AAAA:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1# show ipv6 neighbors
IPv6 Address                               Age Link-layer Addr State Interface
FE80::50A5:8A35:A5BB:66E1                   16 0021.9bd9.c644  STALE Fa0/0
2001:DB8:ACAD:1::10                          0 0021.9bd9.c644  REACH Fa0/0
R1#