Mitigating Rogue RA with Port ACL

A rogue RA is a misconfigured device or a malicious user sending wrong Router Advertisements

The most common security issue I have found in IPv6 networks is the rogue RA. A [b]rogue RA[/b] is a misconfigured device or a malicious user sending wrong Router Advertisements to all attached hosts. Those hosts then use the information contained in the rogue RA to autoconfigure themselves, of course with a wrong prefix or wrong gateway. The result is either denial of service (wrong prefix) or traffic interception (wrong gateway, since hosts install the link-local source address of the RA as their default router); in essence, this is very similar to the rogue DHCP server in IPv4. While Cisco is developing a complete solution to this problem (notably with Secure Neighbor Discovery, available since early 2009), a simple trick can also do it on platforms supporting port ACLs (PACL). A PACL is an ACL applied on the physical port rather than on the 'interface vlan'. The configuration below is such a PACL, preventing both the rogue RA and the rogue DHCPv6 server attacks: it drops inbound DHCPv6 server-to-client traffic (UDP source port 547 to destination port 546) and inbound ICMPv6 Router Advertisements (type 134), and permits everything else.

[quote]
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
[/quote]

Two points to keep in mind: the ACL is applied inbound, so it belongs only on the ports facing hosts, never on the uplink or on the port of the legitimate router, otherwise the genuine RAs would be dropped as well; and the final explicit permit is what keeps Neighbor Solicitation and Neighbor Advertisement (ICMPv6 types 135 and 136) flowing. IOS IPv6 ACLs only add their implicit permits for nd-ns and nd-na when the list ends with the implicit deny, so if you later close the list with an explicit deny, add those two permits yourself or neighbor discovery on the port will break.

Note: another way to mitigate this attack is to increase the priority of the official router with the command:

[quote]
ipv6 nd router-preference high
[/quote]

This only helps against a misconfigured device advertising with the default (medium) preference: a malicious user can set the high preference bits in the rogue RA just as easily, and router preference has no effect on the wrong-prefix case since hosts still autoconfigure every advertised prefix. The PACL is therefore the more robust option.
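To make the attack concrete, here is an added example that is not part of the original article: a small decoder of the kind a rogue-RA monitor (in the spirit of rafixd or NDPMon) runs on captured Router Advertisements. It parses the RA fields that matter for this attack, the link-local source address that hosts install as their default gateway, the router lifetime, the RFC 4191 router preference bits that the `ipv6 nd router-preference high` command sets, and the Prefix Information options, and flags any RA whose source or prefix is not on an allow-list. The two packets, the allow-list and every address in it (fe80::1, fe80::bad, the 2001:db8 prefixes) are constructed for this demonstration; the ICMPv6 checksum is left at zero and is not verified, since that needs the IPv6 pseudo-header.

```python
"""Decode ICMPv6 Router Advertisements (RFC 4861) and flag rogue ones.

Added example, not from the article. Sample packets and the allow-list
below are constructed for the demonstration.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # ND option type: Prefix Information
# RFC 4191 router preference, carried in bits 3-4 of the RA flags byte.
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}
PREF_BITS = {name: bits for bits, name in PREF_NAMES.items()}


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address      # the "gateway" a host would install
    router_lifetime: int            # 0 means "do not use me as default router"
    preference: str
    prefixes: list = field(default_factory=list)   # IPv6Network objects


def build_ra(router_lifetime, preference, prefixes):
    """Construct the ICMPv6 payload of an RA (constructed test data; the
    checksum field is left at zero because the decoder does not verify it)."""
    flags = PREF_BITS[preference] << 3
    # type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer  (16 bytes, RFC 4861 section 4.2)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Prefix Information option (32 bytes): type, len=4, prefix length,
        # L|A flags, valid lifetime, preferred lifetime, reserved, prefix.
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt


def parse_ra(src, icmp):
    """Decode one RA. Malformed packets raise ValueError, which is what
    RFC 4861 requires a receiver to do with them (silently discard)."""
    if len(icmp) < 16:
        raise ValueError("truncated RA header")
    typ, code, _cksum, _hop, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(ipaddress.IPv6Address(src), lifetime,
                             PREF_NAMES[(flags >> 3) & 0b11])
    off = 16
    while off < len(icmp):                      # walk the TLV options
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8                    # option length is in units of 8 bytes
        if end > len(icmp):
            raise ValueError("option overruns packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = icmp[off + 2]
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra.prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off = end
    return ra


def rogue_reasons(ra, legit_routers, legit_prefixes):
    """Return why this RA is rogue (empty list for a legitimate one)."""
    reasons = []
    # An RA with lifetime 0 does not offer itself as default router, so only
    # a positive lifetime from an unknown source is the "wrong gateway" case.
    if ra.router_lifetime > 0 and str(ra.src) not in legit_routers:
        reasons.append(f"default router {ra.src} not in allow-list (wrong gateway)")
    for p in ra.prefixes:
        if str(p) not in legit_prefixes:
            reasons.append(f"prefix {p} not in allow-list (wrong prefix)")
    return reasons


# Constructed allow-list and samples: the real router, and a rogue host that
# advertises itself as a high-preference default router with a bogus prefix.
LEGIT_ROUTERS = {"fe80::1"}
LEGIT_PREFIXES = {"2001:db8:1::/64"}
GOOD_RA = ("fe80::1", build_ra(1800, "medium", ["2001:db8:1::/64"]))
ROGUE_RA = ("fe80::bad", build_ra(1800, "high", ["2001:db8:ffff::/64"]))


def check(sample):
    src, pkt = sample
    ra = parse_ra(src, pkt)
    return ra, rogue_reasons(ra, LEGIT_ROUTERS, LEGIT_PREFIXES)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_RA), ("rogue", ROGUE_RA)):
        ra, reasons = check(sample)
        print(name, ra.preference, [str(p) for p in ra.prefixes], reasons or "ok")
```

The rogue sample deliberately sets the preference to high: the decoder reports it as such, which is exactly why raising the legitimate router's preference cannot defeat a deliberate attacker, while the port ACL drops the packet before any host parses it.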


Copyright © 2009 IDG Communications, Inc.