Running IPv6 on a large L2 network

Göran Weinholt weinholt at csbnet.se
Thu Sep 4 16:47:39 CEST 2008


Hello IPv6 operators,

I'm wondering if anyone here has advice for how to manage IPv6 abuse
on a large L2 network. For IPv4 our HP ProCurve switches support IP
lockdown, ARP-protect etc which prevents most of the nastiness for
IPv4. The switches do not have similar functions for IPv6.

What I'd like is to prevent (or detect and rectify) things like
neighbor table poisoning and advertisements of bad routes. Something
like a list of all the ways IPv6 can be abused on an L2 network would
be very helpful.

As an example: if someone sets up radvd and announces the 2000::/3
prefix, all hosts on the LAN will have an on-link route for 2000::/3
(at least this is what happens in Linux). This route is more specific
than the default route, so now all traffic will go on-link. The
attacker can then answer neighbor solicitations for all addresses, and
forward the traffic to the real router (i.e. do a MITM attack).

Even if I disable the attacker's network connection, the route will
still be there on the hosts so a confederate can perform the actual
MITM attack. Even if I can find and disconnect the confederate, IPv6
will still be broken for all hosts until the 2000::/3 route expires.

But the more common IPv6 problem on our network is that someone
configures their Windows machine to "share" a network connection, and
Windows then helpfully starts announcing a 6to4 prefix. I wrote this
program to stop innocent hosts from using those addresses (written in
one day, probably only works on Linux, requires python-pcapy):

 http://staff.csbnet.se/~weinholt/tools/ipknuff

This still leaves the on-link route for the announced prefix. Is there
any way that I can tell hosts to throw away that route before it
expires?

Regards,

-- 
Göran Weinholt <weinholt at csbnet.se>
Network Administrator, 
Chalmers Studentbostäder



More information about the ipv6-ops mailing list