Running IPv6 on a large L2 network

Fri Sep 5 13:12:33 CEST 2008

[I sent a reply yesterday that hasn't arrived yet. The moderator can
just delete it. I apologize for any duplicates.]

Jeroen Massar <jeroen at unfix.org> writes:

> Göran Weinholt wrote:
>> What I'd like is to prevent (or detect and rectify) things like
>> neighbor table poisoning and advertisements of bad routes. Something
>> like a list of all the ways IPv6 can be abused on an L2 network would
>> be very helpful.
>
> A *lot* of issues, mostly concerning RA and other ICMP messages though.
>
> One advantage for you though: a /64 is virtually unlimited address
> space. As you mention abuse though, you will want to install a tool like
>  NDPmon to at least record MAC<->IPv6 address relations, especially with
> RFC3041 in mind. You will also want to lock down ports based on MAC and
> other nasty tricks. Then again, you didn't specify how nasty the
> environment is; When I hear L2 and "security" though and "protection
> against X" I always think of 802.1x so that you at least authenticate
> the baddies and can track them easily based on something else than what
> they provide you. Of course you have at least a port number hopefully.

It's a student dorm network, so there is bound to be some people that
will try something just to see what will happen. In the future it's
not unlikely that viruses will try various mischief. I do have their
switch port number, but I still need to detect the mischief. 802.1x is
not very useful for our network.

>> As an example: if someone sets up radvd and announces the 2000::/3
>> prefix, all hosts on the LAN will have an on-link route for 2000::/3
>> (at least this is what happens in Linux).
>
> That is because Linux is broken then, it should only accept an RA'd
> prefix which is a /64. (I wonder how it would construct a full IP
> address from a /3 + 64bits of EUI-64 anyway...)

I forgot to write that I sent a /64 along with the /3 prefix. Linux
generates an address and route for the /64, but also adds a route for
the /3. Windows Vista also adds an on-link route for the /3.

>> This route is more specific than the default route
>
> Even if somebody simply sets up an RA'd block that would give a nice
> default route already, depending then on the host it will pick yours or
> another.

Yeah, but since I have a MAC<->port mapping I can just disconnect the
user that sent the RA. Neighbor unreachability detection will then
hopefully keep traffic to the real router working.

In the scenario I posted it doesn't matter if I disconnect the user
that sent the RA, the network will still be broken for other hosts
because of the bogus on-link route. To remove the route I might send
my own RA with the announced prefixes and a very low lifetime, but the
lowest lifetime allowed according to RFC4862 is two hours (ironically
changed recently to address a possible DoS...)

So right now if someone performs this attack here at the dorm, all I
can do is tell students to either remove the route manually or reboot
if they want IPv6 to work again. I guess this is similar to the
problems with rogue DHCP servers, but router advertisements affect
everyone at once so there is no time to disconnect the rouge radvd
before the damage is done.

> [..]
>> This still leaves the on-link route for the announced prefix. Is there
>> any way that I can tell hosts to throw away that route before it
>> expires?
>
> Needs to be configured on a per-host basis unfortunately unless you can
> do the filtering in the middle of your network.
>
> IP was meant for routing, not for switching...

I will keep my eye out for switches with IPv6 support then, especially
routing switches.

> Microsoft has a nice list though:
> http://technet.microsoft.com/en-us/library/bb726956.aspx

The audience for that page seems to be enterprises and maybe not
dorms, so not too interesting for us unfortunately.

Regards,

-- 
Network Administrator,
Chalmers Studentbostäder