Tag Archives: 5.2c

5.2.c Implement and troubleshoot IPv6 first hop security

5.2.c [i] RA guard

The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue router advertisement (RA) messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped. You can use the show ipv6 snooping command to get details of both RA guard and ND inspection features.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5347-5353). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2s/ip6-ra-guard.html
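To make the validation step concrete, here is an added Python model (not code from the book or from Cisco IOS) of the decision an RA Guard port makes for one received RA: a host-role port drops every RA, while a router-role port parses the ICMPv6 RA body and compares hop limit, M flag, router preference and advertised prefixes against the policy. The policy attribute names and the RA builder are this model's assumptions; the frame layout follows RFC 4861/4191.

```python
import ipaddress, struct
from dataclasses import dataclass, field
RA_TYPE, OPT_PREFIX_INFO = 134, 3                        # ICMPv6 RA; Prefix Information option
RANK = {"low": 0, "medium": 1, "high": 2}
PRF_BITS = {0b11: "low", 0b00: "medium", 0b01: "high"}    # RFC 4191 router preference field

@dataclass
class RaGuardPolicy:
    """Knobs of an RA Guard policy; attribute names are this model's, not IOS syntax."""
    device_role: str = "host"                  # host: every RA dropped; router: RA validated
    hop_limit_minimum: int = 0
    managed_config_flag: "bool | None" = None  # None = flag not checked
    router_preference_maximum: str = "high"
    allowed_prefixes: list = field(default_factory=list)   # CIDR strings

def build_ra(hop_limit, flags, prefixes):
    """Constructed ICMPv6 RA body (checksum left 0) for the demo; not a captured frame."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop_limit, flags, 1800, 0, 0)
    return hdr + b"".join(struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, p.prefixlen, 0xC0,
                                      2592000, 604800, 0) + p.network_address.packed
                          for p in map(ipaddress.IPv6Network, prefixes))

def parse_ra(icmp):
    """Extract the fields RA Guard compares with its policy (packet already classified as RA)."""
    _typ, _code, _csum, hop, flags = struct.unpack_from("!BBHBB", icmp, 0)
    prefixes, off = [], 16
    while off + 2 <= len(icmp):                # walk TLV options; length is in 8-byte units
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO:
            prefixes.append(ipaddress.IPv6Network((icmp[off + 16:off + 32], icmp[off + 2])))
        off += olen
    return hop, bool(flags & 0x80), PRF_BITS.get((flags >> 3) & 3, "medium"), prefixes

def ra_guard(policy, icmp):
    """Return (forwarded, reason) for one RA arriving on a port that carries this policy."""
    if policy.device_role == "host":
        return False, "RA on host-role port"
    hop, managed, pref, prefixes = parse_ra(icmp)
    if hop < policy.hop_limit_minimum:
        return False, f"hop limit {hop} below minimum {policy.hop_limit_minimum}"
    if policy.managed_config_flag is not None and managed != policy.managed_config_flag:
        return False, "managed-config-flag mismatch"
    if RANK[pref] > RANK[policy.router_preference_maximum]:
        return False, f"router preference {pref} above maximum"
    allowed = [ipaddress.IPv6Network(a) for a in policy.allowed_prefixes]
    bad = [str(p) for p in prefixes if not any(p.subnet_of(a) for a in allowed)]
    return (False, f"prefix not permitted: {bad}") if bad else (True, "RA validated, forwarded")
```

The first failing check wins, which mirrors the all-or-nothing outcome described above: an RA is either fully validated and forwarded or dropped.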


5.2.c Implement and troubleshoot IPv6 first hop security

5.2.c [ii] DHCP guard

The DHCPv6 Guard feature blocks reply and advertisement messages that come from unauthorized DHCP servers and relay agents. Packets are classified into one of the three DHCP type messages. All client messages are always switched regardless of device role. DHCP server messages are only processed further if the device role is set to server. Further processing of server messages includes DHCP server advertisements (for source validation and server preference) and DHCP server replies (for permitted prefixes).

If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5357-5362). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2s/ip6-dhcpv6-guard.html#topichead2
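The classification and role logic described above, as an added Python model that is not code from the book or from Cisco IOS: messages are sorted by their DHCPv6 message-type byte (RFC 8415 values), client-direction traffic is always switched, and server-direction traffic is only processed on a server-role port, where ADVERTISE gets source and preference validation and REPLY gets a permitted-prefix check. The keyword arguments stand in for the policy's server access-list, reply prefix-list and preference bounds; their names, and the grouping of relay messages by direction, are this model's assumptions.

```python
import ipaddress

# DHCPv6 message types (RFC 8415). The guard classifies each packet by this byte; relay
# messages are grouped with the direction they travel (assumption of this model).
CLIENT_MSGS = {1: "SOLICIT", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW", 6: "REBIND",
               8: "RELEASE", 9: "DECLINE", 11: "INFORMATION-REQUEST", 12: "RELAY-FORW"}
SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}

def dhcpv6_guard(role, msg_type, src_ip=None, preference=0, prefixes=(),
                 server_acl=(), permitted_prefixes=(), pref_min=0, pref_max=255):
    """Return (switched, reason) for one DHCPv6 message on a port whose guard policy has
    device-role `role` ('client' or 'server'). Keyword knobs model the policy's server
    access-list, reply prefix-list and preference min/max; names are this model's."""
    name = CLIENT_MSGS.get(msg_type) or SERVER_MSGS.get(msg_type)
    if name is None:
        return False, f"unknown DHCPv6 message type {msg_type}"
    if msg_type in CLIENT_MSGS:            # client-direction traffic: always switched
        return True, f"{name} switched (client direction)"
    if role != "server":                   # server traffic on a client-role port: rogue server
        return False, f"{name} dropped: port device-role is {role}"
    if msg_type == 2:                      # ADVERTISE: source validation and server preference
        if server_acl and not any(ipaddress.IPv6Address(src_ip) in ipaddress.IPv6Network(n)
                                  for n in server_acl):
            return False, f"ADVERTISE from {src_ip} not permitted by server access-list"
        if not pref_min <= preference <= pref_max:
            return False, f"server preference {preference} outside {pref_min}..{pref_max}"
    if msg_type == 7:                      # REPLY: every assigned prefix must be permitted
        allowed = [ipaddress.IPv6Network(a) for a in permitted_prefixes]
        bad = [p for p in prefixes
               if not any(ipaddress.IPv6Network(p).subnet_of(a) for a in allowed)]
        if bad:
            return False, f"REPLY assigns prefix(es) outside permitted list: {bad}"
    return True, f"{name} switched (validated server message)"
```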

5.2.c Implement and troubleshoot IPv6 first hop security

5.2.c [iii] Binding table

A database table of IPv6 neighbors connected to the device is created from information sources such as NDP snooping. This database, or binding table, is used by various IPv6 guard features to validate the link-layer address (LLA), the IPv4 or IPv6 address, and the prefix binding of the neighbors to prevent spoofing and redirect attacks.

The IPv6 first-hop security binding table recovery mechanism enables the binding table to recover in the event of a device reboot. The recovery mechanism will block any data traffic sourced from an unknown source, that is, a source not already specified in the binding table and previously learnt via NDP or Dynamic Host Configuration Protocol (DHCP) gleaning. The IPv6 First-Hop Security Binding Table Recovery Mechanism feature recovers the missing binding table entries when the resolution for a destination address fails in the destination guard. Upon a failure, a binding table entry is recovered by querying the DHCP server or the destination host depending on the configuration.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5369-5374). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2s/ip6-fhs-bind-table.html


5.2.c Implement and troubleshoot IPv6 first hop security

5.2.c [iv] Device tracking

The IPv6 Device Tracking feature provides IPv6 host liveness tracking so that a neighbor table can be immediately updated when an IPv6 host disappears. The feature tracks the liveness of the neighbors connected through the Layer 2 device on a regular basis in order to revoke network access privileges as they become inactive.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5378-5380). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-dev-track.html

5.2.c Implement and troubleshoot IPv6 first hop security

5.2.c [v] ND inspection/snooping

IPv6 Neighbor Discovery (ND) inspection learns and secures bindings for stateless auto-configuration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not have valid bindings are dropped. A neighbor discovery message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5384-5389). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html
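The binding table, ND inspection and device tracking sections above describe one shared data structure, so here is one added Python model (not code from the book or from Cisco IOS) that ties them together: ND snooping learns (VLAN, IPv6) to (MAC, port) bindings from DAD NS and NA messages, ND inspection drops an NS/NA whose IPv6-to-MAC mapping contradicts a verifiable binding, the data-plane check blocks sources missing from the table, and device tracking probes stale neighbors and revokes the bindings of hosts that no longer answer. The lifetime, entry states, trusted-port bypass and method names are this model's simplifications.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    port: str
    state: str           # INCOMPLETE: seen only in a DAD NS; REACHABLE: confirmed by an NA
    last_seen: float

class BindingTable:
    """(vlan, IPv6 address) -> Binding, learned by ND snooping. Lifetime, states and the
    trusted-port bypass are this model's simplifications, not IOS internals."""
    def __init__(self, reachable_lifetime=300, trusted_ports=()):
        self.entries = {}
        self.lifetime = reachable_lifetime
        self.trusted = set(trusted_ports)

    def inspect_nd(self, vlan, msg_type, target, mac, port, now):
        """ND inspection: True if the NS/NA is forwarded, False if it is dropped."""
        if port in self.trusted:              # trusted ports (e.g. uplinks) bypass inspection
            return True
        key = (vlan, ipaddress.IPv6Address(target))
        cur = self.entries.get(key)
        if cur and (cur.mac != mac or cur.port != port):
            return False                      # verifiable binding disagrees: spoofed mapping
        if msg_type == "NS":                  # DAD NS: address tentative, binding provisional
            self.entries.setdefault(key, Binding(mac, port, "INCOMPLETE", now))
        elif msg_type == "NA":
            self.entries[key] = Binding(mac, port, "REACHABLE", now)
        else:
            raise ValueError("only NS and NA are modelled")
        return True

    def check_source(self, vlan, src_ip, mac, port):
        """Data-plane check: a source not present in the binding table is blocked."""
        cur = self.entries.get((vlan, ipaddress.IPv6Address(src_ip)))
        return cur is not None and cur.mac == mac and cur.port == port

    def track(self, now, probe):
        """Device tracking: probe stale neighbors; drop those that no longer answer."""
        for key, b in list(self.entries.items()):
            if now - b.last_seen > self.lifetime:
                if probe(str(key[1]), b.mac):
                    b.last_seen = now
                else:
                    del self.entries[key]     # host gone: revoke its binding and access
        return len(self.entries)
```

`probe` stands in for the unicast NS the switch would send to confirm liveness; passing a callable keeps the model offline.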