
Network World

Eric Vyncke

Mitigating Rogue RA with Port ACL

A rogue RA is a misconfigured device or a malicious user sending wrong Router Advertisements

By Eric Vyncke on Thu, 06/18/09 - 9:40am.

The most common security issue that I have found in IPv6 networks is the rogue RA.

A rogue RA is a wrong Router Advertisement sent to all attached hosts, either by a misconfigured device or by a malicious user. Those hosts then use the information contained in the rogue RA to autoconfigure themselves, so they end up with a wrong prefix or a wrong default gateway. The attack therefore leads either to denial of service (wrong prefix) or to traffic interception (wrong gateway); in essence, it is very similar to a rogue DHCP server in IPv4.

While Cisco is developing a complete solution to this problem (notably with Secure Neighbor Discovery, available since early 2009), a simple trick also works on platforms that support port ACLs (PACL). A PACL is an ACL applied on the physical port rather than on the 'interface vlan'.

The configuration below is such a PACL to prevent both the rogue RA and the rogue DHCPv6 attacks.

Quote:

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 remark Permit everything else (including neighbor solicitation/advertisement)
 permit ipv6 any any
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Note: another way to mitigate this attack is to raise the router preference of the official router with the command below. This only helps when the rogue RA is sent with the default (medium) or low preference; it does not help against a rogue RA that also carries the high preference.

Quote:

ipv6 nd router-preference high

About IPv6 Security
Eric Vyncke works as a Distinguished Consulting Engineer for Cisco. Eric wrote the security section of Networks: Internet, Telephony, Multimedia: Convergences and Complementarities (Springler Verlag, 2003), and has a Master Degree in Computer Science Engineering from the University of Liège. Eric has also co-authored several books on LAN security including his latest, IPv6 Security. IPv6 Security has been selected as the Cisco Subnet June book giveaway. Entry forms for the monthly book giveaway can be found on the Cisco Subnet home page. Read a chapter excerpt of IPv6 Security hosted exclusively by Cisco Subnet.