Using RA Guard to block man-in-the-middle attacks in IPv6

Securing the local segment is both one of the toughest parts of networking to get right and also one of the most vulnerable portions of the network. Get it wrong and all of your users’ traffic could be sniffed by a malicious device. IPv6 client address configuration moves away from how DHCPv4 works but still carries the same vulnerabilities as before.

Before we go further, you must understand how the IPv6 autoconfiguration process works. An IPv6 client can initiate the process in one of two ways: either by receiving a periodic ICMPv6 Neighbor Discovery Router Advertisement (RA) packet, or by sending an ICMPv6 Neighbor Discovery Router Solicitation packet, which the router answers with the aforementioned ND RA packet. The router advertisement packet contains several fields, but the two key pieces of information we are worried about are the Source Address and the Prefix Information. A misconfigured device could advertise its own link-local address as the source address to perform a man-in-the-middle attack, or incorrect prefix information to perform a denial-of-service attack. This attack is effective against networks running SLAAC and DHCPv6 alike, because both rely on the ICMP ND RA packet to advertise the default gateway for a particular LAN segment.

To combat this vulnerability, Cisco has implemented a feature called RA Guard. Put simply, RA Guard is configured on switches to block router advertisements received on untrusted ports. It is used much like DHCP Snooping in IPv4 deployments. Implementing RA Guard means creating a policy and then applying it inbound on an interface.

To deploy RA Guard, first create an RA Guard policy globally, where you set the device role.

ipv6 nd raguard policy RAGUARD_ROUTER
  trusted-port
  device-role router

The next step in deployment is to attach this policy to the uplink interface.

interface tengigabitethernet1/0/1
  ipv6 nd raguard attach-policy RAGUARD_ROUTER

On access ports, create a host RA Guard policy and attach it to the interfaces with the interface range command.

ipv6 nd raguard policy RAGUARD_HOST
  device-role host
!
interface range gigabitethernet1/0/1-48
  ipv6 nd raguard attach-policy RAGUARD_HOST

Use the "show ipv6 nd raguard policy" command to verify that the policies are applied correctly.
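As an added example (not from this post and not Cisco code), the following Python script mimics the decision a host-role RA Guard port makes: it parses a Router Advertisement's Prefix Information options and reports any RA whose source is not a trusted router or whose prefix does not belong to the segment. The trusted router address (fe80::1), the allowed prefix (2001:db8::/32) and the RA that build_ra assembles are all constructed sample values.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type for an RA (RFC 4861)
OPT_PREFIX_INFORMATION = 3          # ND option type carrying the on-link prefix

def parse_ra(payload: bytes):
    """Return (router_lifetime, [IPv6Network, ...]) from a raw ICMPv6 RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, off = [], 16                      # options start after the 16-byte header
    while off + 2 <= len(payload):
        opt_type, size = payload[off], payload[off + 1] * 8   # length is in 8-byte units
        if size == 0 or off + size > len(payload):
            raise ValueError("malformed ND option")            # RFC 4861 says discard
        if opt_type == OPT_PREFIX_INFORMATION and size == 32:
            plen = payload[off + 2]
            net = ipaddress.IPv6Network((payload[off + 16:off + 32], plen), strict=False)
            prefixes.append(net)
        off += size
    return router_lifetime, prefixes

def check_ra(src, payload, trusted_routers, allowed_prefixes):
    """Decide as a host-role RA Guard port would: a list of drop reasons, [] if OK."""
    src = ipaddress.IPv6Address(src)
    trusted = {ipaddress.IPv6Address(r) for r in trusted_routers}
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    _, prefixes = parse_ra(payload)
    reasons = []
    if not src.is_link_local:                   # RFC 4861: RA source must be link-local
        reasons.append(f"RA source {src} is not link-local")
    if src not in trusted:
        reasons.append(f"RA from untrusted router {src}")
    for p in prefixes:
        if not any(p.subnet_of(a) for a in allowed):
            reasons.append(f"unexpected prefix {p}")
    return reasons

def build_ra(prefix: str, plen: int, router_lifetime: int = 1800) -> bytes:
    """Assemble a minimal RA with one Prefix Information option (constructed sample)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)    # checksum left 0: never sent on the wire
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, 0xC0,
                      2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    return hdr + pio

if __name__ == "__main__":
    # Constructed sample: fe80::1 is the legitimate router, 2001:db8::/32 the site's space
    for src, pfx in [("fe80::1", "2001:db8:1::"), ("fe80::beef", "2001:db8:1::"),
                     ("fe80::1", "fd00::")]:
        print(src, pfx, check_ra(src, build_ra(pfx, 64), ["fe80::1"], ["2001:db8::/32"]))
```

The switch feature works on the same two fields the post names above; the script only shows the logic, it does not see real traffic.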

And of course, if you have any other questions regarding the specifics of this feature, refer to Cisco’s documentation on RA Guard.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
