IPv6 First Hop Security

Szummer Mihály
Simonyi Károly Szakkollégium



The first IPv6 RFC has been around for more than 12 years, but IPv6 has only begun to spread widely in the last 1-2 years. As a result, IPv6 first hop security features have appeared (such as RA (Router Advertisement) Guard, IPv6 Source and Destination Guard, IPv6 Snooping and DHCPv6 Guard), modelled on the already existing L2 IPv4 features (DAI, IPSG, DHCP Snooping).

With the help of IPv6 Snooping we can monitor NDP and DHCPv6 packets and, based on these, build a binding database of IP-MAC-interface-VLAN entries. Using this database, IPv6 Source/Destination Guard and NDP Inspection can filter malicious or incorrect IPv6 and ICMPv6 packets. With RA Guard and DHCPv6 Guard we can define policies (e.g. on the source, the advertised prefix, etc.) and filter the corresponding RA and DHCPv6 messages based on them.

The features mentioned above help us mitigate various MITM (Man-in-the-middle) attacks, reduce the possibility of IP address spoofing and network scanning, and finally avoid network outages caused by misconfigured network equipment.
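The following is an added toy model (not code from the presentation or from any switch vendor) of the mechanism described above: a binding table learned by snooping NA/DHCPv6 events, an IPv6 Source Guard that drops packets whose source address, MAC or port disagree with that table, and an RA Guard policy that only accepts RAs on router-role ports advertising a permitted prefix. Interface names, MAC addresses and the 2001:db8:10::/48 prefix are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class FirstHopSecurity:
    """Toy model of the FHS feature set: the binding table IPv6 Snooping
    learns from NDP/DHCPv6, plus the Source Guard and RA Guard that use it."""
    bindings: dict = field(default_factory=dict)          # (vlan, ip) -> (mac, iface)
    router_ports: set = field(default_factory=set)        # RA Guard device-role "router"
    allowed_prefixes: list = field(default_factory=list)  # RA Guard permitted prefixes

    def snoop(self, ev):
        """Learn an IP-MAC-interface-VLAN binding from an NA or DHCPv6 Reply.
        A later claim for the same address from another MAC/port is rejected."""
        key = (ev["vlan"], IPv6Address(ev["ip"]))
        new = (ev["mac"].lower(), ev["iface"])
        if key in self.bindings and self.bindings[key] != new:
            return False
        self.bindings[key] = new
        return True

    def source_guard(self, pkt):
        """IPv6 Source Guard: forward only if src, MAC and port match a binding."""
        b = self.bindings.get((pkt["vlan"], IPv6Address(pkt["src"])))
        return b == (pkt["mac"].lower(), pkt["iface"])

    def ra_guard(self, ra):
        """RA Guard: accept an RA only on a router-role port with a permitted prefix."""
        if ra["iface"] not in self.router_ports:
            return False
        return any(IPv6Network(ra["prefix"]).subnet_of(p) for p in self.allowed_prefixes)


def demo():
    """Constructed events on VLAN 10: two hosts learned, then six guard decisions."""
    fhs = FirstHopSecurity(router_ports={"Gi1/0/24"},
                           allowed_prefixes=[IPv6Network("2001:db8:10::/48")])
    fhs.snoop({"vlan": 10, "ip": "2001:db8:10::a", "mac": "AA:BB:CC:00:00:01", "iface": "Gi1/0/1"})
    fhs.snoop({"vlan": 10, "ip": "2001:db8:10::b", "mac": "aa:bb:cc:00:00:02", "iface": "Gi1/0/2"})
    return {
        "legit": fhs.source_guard({"vlan": 10, "src": "2001:db8:10::a", "mac": "aa:bb:cc:00:00:01", "iface": "Gi1/0/1"}),
        "spoof": fhs.source_guard({"vlan": 10, "src": "2001:db8:10::a", "mac": "aa:bb:cc:00:00:02", "iface": "Gi1/0/2"}),
        "steal": fhs.snoop({"vlan": 10, "ip": "2001:db8:10::a", "mac": "aa:bb:cc:00:00:02", "iface": "Gi1/0/2"}),
        "rogue_ra": fhs.ra_guard({"iface": "Gi1/0/2", "prefix": "2001:db8:10::/64"}),
        "good_ra": fhs.ra_guard({"iface": "Gi1/0/24", "prefix": "2001:db8:10:1::/64"}),
        "bad_prefix": fhs.ra_guard({"iface": "Gi1/0/24", "prefix": "2001:db8:99::/64"}),
    }
```

Only the "legit" packet and the "good_ra" advertisement pass; the spoofed source, the attempt to re-bind an address already learned elsewhere, the RA from a host port and the RA with a foreign prefix are all dropped.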

In my presentation I would like to briefly summarize the L2 IPv4 security features and then, building on and comparing with these, present the new IPv6 FHS features both in theory and in practice on the SUP7L-E and 2960S platforms.