IPv6 Routing Security

IPv6 has a number of new routing, protocols, capabilities, issues and safeguards.

Neighbor Discovery Protocol

NDP is new and integral to IPv6, see RFC 4861. It defines five main ICMPv6 packet types to do inverse neighbor discovery: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect, see RFC 3122. NDP provides:
  • Router discovery: hosts can locate routers on attached links.
  • Prefix discovery: hosts can discover prefixes on-link for attached links.
  • Parameter discovery: hosts can find link parameters (e.g. MTU).
  • Address autoconfiguration: stateless configuration of network interfaces.
  • Address resolution: mapping between IP and link-layer addresses.
  • Next-hop determination: hosts find next-hop routers for a destination.
  • Neighbor unreachability detection (NUD).
  • Duplicate address detection (DAD).
  • Redirect: router can inform a node about better first-hop routers.
  • Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) assignment via router advertisement (RA) options.
NDP has weaknesses – if spoofed, it can redirect to a non-existent router, redirect traffic to wrong hosts, allow denial of service from attackers on-link, advertise non-existent routers, advertise but not route, deprecate prefixes, block autoconfiguration by spoofing DAD responses, or spoof 'neighbour unreachable' responses. RFC 4861 advises the use of Secure Neighbor Discovery (SEND).

Secure Neighbor Discovery
Secure Neighbor Discovery secures NDP. It is fairly complex so is most useful in high-value networks, see RFC 3971. SEND works in a similar way to SSL – certificates are held and verified via a trust anchor. It adds NDP messages to handle certificate checks. SEND uses CGA (cryptographically generated addresses) to secure endpoints.

Cryptographically Generated Addresses
CGA was developed for SEND, see RFC 3972. For IPv6 addresses, the interface identifier is generated by computing a cryptographic one-way hash function from public key and auxiliary parameters. CGAs are not certified, so attackers can create new CGAs from any subnet prefix and public key, but they can't forge a CGA created by someone else. Protection works without a certification authority or any security infrastructure – it only need an address and an algorithm, so is also useful as a privacy tool.

Neighbor Discovery Flood
ND Flood is denial of service from off-link attackers, which is not addressed by SEND. ND Flood fills routers with incomplete ND entries. It is similar to SYN floods but worse, because in IPv6 one subnet has so many possible hosts. Attackers do not send the ND packets themselves, they trigger them by sending to non-existent addresses – the connection attempts are real, but malicious. Solutions to ND Flood: block access to inappropriate subnets, use smaller subnets on router links. It requires firewall and router awareness, rate limiting, fast flushing of incomplete entries, etc. The issue needs vendors to address the problem.

Router Advertisements
Rogue router advertisements may arise from unauthorised routers, or spoofed RA from other hosts. They are not necessarily malicious – they are sometimes unintentional or a result of misconfiguration. Communication is interrupted because hosts have incorrect information about where to route packets. The problem is usually local to a subnet – WANs are unlikely to be relying on RA. Host-level filters help, as they accept RA only from known routers, but that requires filters on all hosts.

RA-Guard is a lighter-weight protocol than SEND, but it understands and complements SEND. RA-Guard sits in switches between routers and hosts, and acts as an 'authorisation proxy'. RA-Guard drops bad RAs before they reach hosts, and only needs certificates on routers and switches, not all hosts. Stateless RA-Guard uses static information configured into switch. Stateful RA-Guard collects information about acceptable RAs.

DHCPv6 Servers
Rogue DHCPv6 servers are unauthorised devices providing fake IP addresses, default gateways, or DNS servers. They may be the result of unintentional misconfiguration, or installed to sniff traffic, redirect it to virus servers, perform man-in-the-middle attacks, etc.

Similar in concept to RA-Guard, DHCPv6-Shield is a layer-2 device that filters DHCPv6 messages. If the messages are not received on a specified configured port they are discarded.

BGPSEC (Border Gateway Protocol Security) is an extension to BGP to improve security for routing information exchange. Resource Public Key Infrastructure (RPKI) certificates provide a binding between cryptographic keys to verify digital signatures and Autonomous System (AS) numbers & IP address prefixes. RPKI also specifies a Route Origination Authorisation (ROA), which determines if a route came from an AS authorised to originate it. BGPSEC also adds a BGPSEC router certificate to verify the validity of the AS Path in update messages. BGPSEC can be negotiated separately for IPv6 and IPv4.