Securing and Optimizing IPv6 Gateways

One piece of deploying IPv6 that doesn't seem to get much press is how to optimize and secure the local gateway. This is a conversation that's been had about IPv4 ad nauseam but rarely even talked about with v6. We know that in v4 that we should turn of proxy-arp and turn of ip redirects, some people even deploy unicast reverse path forwarding but do these commands still have an equivalent in the IPv6 world?

One of the first and easiest commands to get out of the way is that since IPv6 does away with ARP entirely, we can't possible have a concept of proxy ARP!

Disabling IP redirects in IPv4 is standard practice. IPv6 does indeed have redirect packets and we need to turn these off just like we needed to do it for IPv4. IP redirects could impact the security of your local subnet. Luckily, the command is extremely similar to the IPv4 command.

Next, using unicast reverse path forwarding (uRPF) we can help prevent your network from sourcing spoofed DDOS packets or at the very least prevent unfortunate routing loops. This command is very similar to the IPv4 one as well. I've covered this topic more in depth in a different article.

Those commands are useful for helping to secure the local gateway but the following commands will help you scale your subnets up in the number of end devices while keeping the unnecessary all-hosts multicast traffic to a minimum.

First up is to turn on gleaning on the gateway. By default, Cisco devices ignore unsolicited neighbor advertisements. Gleaning will change that behavior and add addresses to the IPv6 neighbors table from any ND NA packet it receives.

Secondly, by default, a Cisco device will respond to a router solicitation packet with a packet to the all-hosts multicast address. This may not seem like a big deal until you have a couple of hundred devices or several thousand devices on a segment that are constantly receiving unnecessary router advertisements. This command turns those responses into unicast packets directly to the address that sent the solicitation packet.

These unicast responses are very important when you're discussing wireless segments where constant unsolicited router advertisements can prevent wireless devices from fully falling asleep when connected to wireless and can negatively impact their battery life. Better yet, if you're running Cisco Wireless Controllers, you can disable non-unicast responses in the controller.