Running IPv6 on a large L2 network
Jeroen Massar
jeroen at unfix.org
Thu Sep 4 16:58:47 CEST 2008
Göran Weinholt wrote:
> Hello IPv6 operators,
>
> I'm wondering if anyone here has advice for how to manage IPv6 abuse
> on a large L2 network. For IPv4 our HP ProCurve switches support IP
> lockdown, ARP-protect etc which prevents most of the nastiness for
> IPv4. The switches do not have similar functions for IPv6.
>
> What I'd like is to prevent (or detect and rectify) things like
> neighbor table poisoning and advertisements of bad routes. Something
> like a list of all the ways IPv6 can be abused on an L2 network would
> be very helpful.
A *lot* of issues, mostly concerning RA and other ICMP messages though.
One advantage for you though: a /64 is virtually unlimited address
space. As you mention abuse though, you will want to install a tool like
NDPmon to at least record MAC<->IPv6 address relations, especially with
RFC3041 in mind. You will also want to lock down ports based on MAC and
other nasty tricks. Then again, you didn't specify how nasty the
environment is; When I hear L2 and "security" though and "protection
against X" I always think of 802.1x so that you at least authenticate
the baddies and can track them easily based on something else than what
they provide you. Of course you have at least a port number hopefully.
> As an example: if someone sets up radvd and announces the 2000::/3
> prefix, all hosts on the LAN will have an on-link route for 2000::/3
> (at least this is what happens in Linux).
That is because Linux is broken then, it should only accept an RA'd
prefix which is a /64. (I wonder how it would construct a full IP
address from a /3 + 64bits of EUI-64 anyway...)
> This route is more specific than the default route
Even if somebody simply sets up an RA'd block that would give a nice
default route already, depending then on the host it will pick yours or
another.
[..]
> This still leaves the on-link route for the announced prefix. Is there
> any way that I can tell hosts to throw away that route before it
> expires?
Needs to be configured on a per-host basis unfortunately unless you can
do the filtering in the middle of your network.
IP was meant for routing, not for switching...
Microsoft has a nice list though:
http://technet.microsoft.com/en-us/library/bb726956.aspx
Greets,
Jeroen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20080904/aeedddf8/attachment.sig>
More information about the ipv6-ops
mailing list