IPv6 Type 0 Routing Headers


Contents

Introduction
Malicious Use of Type 0 Routing Headers
IPv6 Header Formats
      IPv6 Header
      IPv6 Extension Header: Routing Header
      IPv6 Type 0 Routing Header
Countermeasures for IPv6 Type 0 Routing Headers
      Disabling Processing of Type 0 Routing Header Packets
      Filtering Routing Header Packets Using Access Lists
      Filtering Type 0 Routing Header Packets Using Access Lists
      Control Plane Policing
      Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding
      Cisco ASA, PIX, and Firewall Services Module Firewalls
Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers
      Filtering Routing Header Packets Using Access Lists
      Filtering Type 0 Routing Header Packets Using Access Lists
      Control Plane Policing
      Spoofing Protection Using IPv6 Unicast RPF
      Cisco ASA, PIX, and FWSM Firewalls
References




Introduction

The protocol specification for Internet Protocol version 6 (IPv6) was originally defined in RFC 1883 and then obsoleted by RFC 2460. These RFCs also define IPv6 extension headers, which carry optional Internet-layer information in separate headers placed between the IPv6 header and the upper-layer header of a packet. This document focuses on the Type 0 Routing header, which an IPv6 source uses to list one or more intermediate nodes to be "visited" on the way to the packet's final destination; it is similar in function to the IPv4 (RFC 791) Loose Source and Record Route options. A Routing header is identified by a Next Header (NH) value of 43 in the immediately preceding header. Because of the attacks described in the next section, the Type 0 Routing header was later deprecated by RFC 5095, which requires IPv6 nodes to stop processing it; the countermeasures below remain relevant for devices whose software predates that change. This document advises how to disable the processing of IPv6 packets with a Type 0 Routing header on devices running Cisco IOS Software and how to filter such packets using Cisco IOS Software or Cisco IOS XR Software.

Malicious Use of Type 0 Routing Headers

Attackers can use IPv6 Type 0 Routing headers to bypass packet filters (IPv6 access-list policies) and to subvert anycast addressing and routing: the Destination Address of the packet on the wire names only the first intermediate node, so a filter that examines the destination address sees a permitted host, and that node then forwards the packet to the real target listed in the header. These headers can also be used for reflected denial of service (DoS), spoofing, double spoofing, and amplification. In the amplification (ping-pong) case the address list names the same two routers alternately, so a single packet crosses the link between them once for every listed address; because Hdr Ext Len allows up to 127 addresses, a modest stream of such packets can saturate the link and load both routers' CPUs with Routing header processing.

IPv6 Header Formats

IPv6 Header

The following diagram provides the format of the IPv6 header. The field descriptions from RFC 2460 are below it.

[IPv6 header format diagram]

Field                Description
Version              4-bit Internet Protocol version number = 6.
Traffic Class        8-bit traffic class field.
Flow Label           20-bit flow label.
Payload Length       16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.)
Next Header          8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hop Limit            8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
Source Address       128-bit address of the originator of the packet.
Destination Address  128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).

IPv6 Extension Header: Routing Header

The following diagram provides the format of the IPv6 extension header Routing header. The field descriptions from RFC 2460 are below it.

[IPv6 Routing header format diagram]

Field               Description
Next Header         8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len         8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets.
Routing Type        8-bit identifier of a particular Routing header variant.
Segments Left       8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
type-specific data  Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long.

IPv6 Type 0 Routing Header

The following diagram provides the format of the IPv6 Type 0 Routing header. The field descriptions from RFC 2460 are below it.

[IPv6 Type 0 Routing header format diagram]

Field          Description
Next Header    8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len    8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets. For the Type 0 Routing header, Hdr Ext Len is equal to two times the number of addresses in the header.
Routing Type   0.
Segments Left  8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
Reserved       32-bit reserved field. Initialized to zero for transmission; ignored on reception.
Address[1..n]  Vector of 128-bit addresses, numbered 1 to n.
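The following Python script is an added example and is not part of this Cisco document. It parses the IPv6 header and Routing header formats just described, replays the RFC 2460 section 4.4 forwarding algorithm to show the ping-pong amplification described under "Malicious Use of Type 0 Routing Headers", and models the difference between the routing and routing-type access-list keywords used in the countermeasures below. The packets it builds are constructed test input using RFC 3849 documentation addresses, and the keyword model reflects the match semantics stated on this page, not Cisco's implementation.

```python
"""Walk an IPv6 extension-header chain, extract the Routing header and replay
RFC 2460 section 4.4 forwarding of a Type 0 Routing header (RH0).

Added example for this page, not Cisco code.  Packets are constructed in-line
(RFC 3849 documentation addresses); the ACL keyword model is an assumption
drawn from the match semantics described on the page.
"""
import ipaddress
import struct

NH_ROUTING = 43
NH_ICMPV6 = 58
# Extension headers whose first two octets are Next Header and Hdr Ext Len;
# that is all the chain walk needs (Fragment, AH and ESP are laid out differently).
CHAINED_EXT = {0, 43, 60}  # Hop-by-Hop Options, Routing, Destination Options


def build_packet(src, dst, addrs, rtype=0, segments_left=None, payload=b""):
    """IPv6 header + one Routing header + payload as raw bytes (constructed input)."""
    packed = [ipaddress.IPv6Address(a).packed for a in addrs]
    if segments_left is None:
        segments_left = len(packed)
    # Hdr Ext Len = 2 * number of addresses (8-octet units, first 8 octets excluded)
    rh = struct.pack("!BBBBI", NH_ICMPV6, 2 * len(packed), rtype, segments_left, 0)
    rh += b"".join(packed)
    ip6 = struct.pack("!IHBB", 6 << 28, len(rh) + len(payload), NH_ROUTING, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + rh + payload


def find_routing_header(pkt):
    """Return (routing_type, segments_left, [addresses]) or None if no Routing header.
    Raises ValueError when a length field does not fit the packet: a filter must
    drop such packets rather than trust the lengths."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in CHAINED_EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        hdr_len = 8 * (ext_len + 1)
        if off + hdr_len > len(pkt):
            raise ValueError("Hdr Ext Len runs past the end of the packet")
        if nh == NH_ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            if rtype != 0:
                return rtype, seg_left, []
            if ext_len % 2:  # RFC 2460: an odd Hdr Ext Len in RH0 is malformed
                raise ValueError("RH0 with odd Hdr Ext Len")
            data = pkt[off + 8:off + hdr_len]
            addrs = [str(ipaddress.IPv6Address(data[i:i + 16]))
                     for i in range(0, len(data), 16)]
            return rtype, seg_left, addrs
        nh, off = next_nh, off + hdr_len
    return None


def ace_matches(pkt, keyword):
    """Model of the IOS keywords: 'routing' hits every Routing header type (0-255);
    'routing-type N' hits only type N, so MIPv6's Type 2 passes 'routing-type 0'."""
    rh = find_routing_header(pkt)
    if rh is None:
        return False
    if keyword == "routing":
        return True
    name, value = keyword.split()
    return name == "routing-type" and rh[0] == int(value)


def simulate_rh0_path(pkt):
    """Replay RFC 2460 section 4.4: each listed node swaps the Destination Address
    with Address[n - Segments Left + 1] and decrements Segments Left.
    Returns the nodes the packet is delivered to, in order."""
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    path = [dst]
    rh = find_routing_header(pkt)
    if rh is None or rh[0] != 0:
        return path
    _, seg_left, addrs = rh
    n = len(addrs)
    if seg_left > n:  # RFC 2460: ICMP Parameter Problem, packet discarded
        raise ValueError("Segments Left exceeds the number of addresses")
    while seg_left > 0:
        i = n - seg_left  # 0-based index of Address[n - Segments Left + 1]
        addrs[i], dst = dst, addrs[i]
        seg_left -= 1
        path.append(dst)
    return path


def link_crossings(path, a, b):
    """Number of consecutive hops in path that traverse the a<->b link."""
    pair = {str(ipaddress.IPv6Address(a)), str(ipaddress.IPv6Address(b))}
    return sum(1 for x, y in zip(path, path[1:]) if {x, y} == pair)


if __name__ == "__main__":
    A, B, FINAL = "2001:db8::a", "2001:db8::b", "2001:db8::ff"
    # Attacker lists the same two routers alternately: one packet crosses A-B 20 times.
    pkt = build_packet("2001:db8:bad::1", A, [B, A] * 10 + [FINAL])
    path = simulate_rh0_path(pkt)
    print(len(path), "nodes visited,", link_crossings(path, A, B), "A<->B crossings")
    print("routing ->", ace_matches(pkt, "routing"), "| routing-type 0 ->", ace_matches(pkt, "routing-type 0"))
    mip6 = build_packet("2001:db8::c", "2001:db8::d", ["2001:db8::e"], rtype=2)
    print("MIPv6 RH2 hit by routing-type 0 ->", ace_matches(mip6, "routing-type 0"))
```

The length checks in find_routing_header matter as much as the type check: a device that believes a Hdr Ext Len larger than the packet reads past the buffer, which is why the page's countermeasures drop the packet before the Routing header is processed.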

Countermeasures for IPv6 Type 0 Routing Headers

Disabling Processing of Type 0 Routing Header Packets

Cisco IOS Software provides the ability to disable the processing of IPv6 packets with Type 0 Routing headers. Starting with Cisco IOS Software releases 12.2(15)T and 12.0(32)S, administrators can configure the no ipv6 source-route command from global configuration mode to prevent hosts from performing source routing through IPv6-enabled IOS devices. Prior to these Cisco IOS Software releases, the processing of IPv6 Type 0 Routing headers was always enabled and could not be disabled.

Note: When the no ipv6 source-route command is configured and the IOS device receives a packet with a Type 0 Routing header present, the IOS device drops the packet and sends an IPv6 Internet Control Message Protocol (ICMP) "destination unreachable" message back to the source and logs an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter IPv6 Routing headers starting with Cisco IOS Software releases 12.2(13)T, 12.0(23)S, and Cisco IOS XR Software release 2.0 using the IPv6 access list routing keyword. However, filtering for IPv6 Routing headers will filter on all IPv6 Routing header types (0 through 255). If Mobile IPv6 (MIPv6) is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended. Additional filtering for explicit IPv6 Type 0 Routing headers will be shown below.

The following example access control list (ACL) policy shows how to filter and deny all unauthorized IPv6 Routing header Type 0 through 255 packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device or IPv6 link-local addresses and then deny all other unauthorized IPv6 Routing header type packets sent to the IPv6 prefix assigned to infrastructure devices.

Note: Cisco IOS Software releases prior to 12.4(2)T and Cisco IOS XR Software releases through 3.4.2 cannot filter on specific IPv6 Routing header type values using IPv6 ACLs; these releases can filter only on the presence of a Routing header in the IPv6 header chain. Cisco IOS Software release 12.4(2)T added the routing-type keyword, which matches on a specific IPv6 Routing header type value.

Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies will disrupt or break its operation, because the routing keyword also matches the Type 2 Routing header that MIPv6 uses. On Cisco IOS Software releases that support the routing-type keyword, filter Type 0 only as described in the next section; on releases that support only the routing keyword, no workaround exists for MIPv6.

Cisco IOS Software

!-- If device is running Cisco IOS Software release prior to 12.4(2)T
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing
!
!-- Deny all other IPv6 Routing header (Type 0 through 255) traffic sent
!-- to the IPv6 prefix used in the configuration of network
!-- infrastructure devices.
 deny ipv6 any 2001:DB8::/32 routing
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-ALL-RH-TYPES in
!

Cisco IOS XR Software

!-- If device is running Cisco IOS XR Software release 2.0 through 3.4.2
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing
!
!-- Deny all other IPv6 Routing header (Type 0 through 255) traffic sent
!-- to the IPv6 prefix used in the configuration of network
!-- infrastructure devices.
 deny ipv6 any 2001:DB8::/32 routing
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet 0/0/0/1
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 access-group DENY-IPv6-ALL-RH-TYPES ingress
!

Note: When filtering with an interface access list, Cisco IOS Software and Cisco IOS XR Software will elicit the transmission of an ICMP "destination unreachable" message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Filtering Type 0 Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter on specific IPv6 Routing header types (0 through 255) starting with Cisco IOS release 12.4(2)T using the IPv6 access list routing-type rh-type-value keyword. Explicitly filtering for IPv6 Type 0 Routing headers allows for access lists to deny packets with an IPv6 Type 0 Routing header without impacting the operations of other IPv6 services that use IPv6 Routing headers (for example, MIPv6 uses Type 2 Routing headers). Cisco IOS XR Software does not have the ability to filter on specific IPv6 Routing header types as of release 3.4.2. See "Filtering Routing Header Packets Using Access Lists" for information about filtering IPv6 Routing header packets on Cisco IOS XR Software.

The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 Type 0 Routing header packets sent to any IPv6 interface (configured, link-local) on an IPv6-enabled IOS device and how to filter and deny such packets transiting through the IPv6-enabled IOS device:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to any IPv6 address configured on interfaces of the IPv6-enabled
!-- device (management, loopback, access links, and network/user segments),
!-- IPv6 link-local addresses, or for IPv6 packets transiting through the
!-- IPv6-enabled router that are targeting other IPv6-enabled devices
!-- within the network infrastructure.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
 deny ipv6 any any routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!

The following example ACL policy shows how to filter and deny unauthorized IPv6 Type 0 Routing header packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device and specific IPv6 link-local addresses and then deny all other unauthorized IPv6 Type 0 Routing header packets sent to the IPv6 prefix assigned to infrastructure devices:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to IPv6 addresses configured on interfaces of the IPv6-enabled device
!-- (management, loopback, access links, and network/user segments) or
!-- IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0
!
!-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6
!-- prefix used in the configuration of network infrastructure devices.
 deny ipv6 any 2001:DB8::/32 routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!

Note: When filtering with an interface access list, Cisco IOS Software will elicit the transmission of an ICMP "destination unreachable" message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Control Plane Policing

Administrators can use Control Plane Policing (CoPP) to block untrusted IPv6 Type 0 Routing header packets to an IPv6-enabled device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to a specific network. This example assumes that IPv6 packets sent to the IPv6 addresses configured on an IPv6-enabled device are to be fully restricted from receiving any IPv6 Type 0 Routing header packets.

Note: In the following example, the routing-type 0 IPv6 access list keyword matches only packets with an IPv6 Type 0 Routing header present. It is possible to use the routing IPv6 access list keyword instead to match all IPv6 Routing header types (0 through 255); however, doing so may impact current operations or future deployments of MIPv6. If MIPv6 is in use or may be deployed in the future, using the routing keyword is not recommended.

!-- Permit all IPv6 Type 0 Routing header packets sent to any IPv6 address
!-- configured on interfaces of the affected device (management, loopback,
!-- access links, and network/user segments) or IPv6 link-local addresses.
!-- This traffic will be policed by the CoPP feature.
!
ipv6 access-list DROP-IPv6-RH0
 permit ipv6 any any routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations for traffic that
!-- is authorized to be sent to infrastructure devices on the management
!-- and control planes.
!
!-- Create a class map where the defined IPv6 access-list that permits all
!-- IPv6 Type 0 Routing header packets will be applied. This class map will
!-- be applied to a policy map used to police traffic via the CoPP feature.
!
class-map match-all drop-IPv6-RH0-class
 match access-group name DROP-IPv6-RH0
!
!-- Create a policy map where the defined class map will be applied. This
!-- policy map will be applied to the control plane of the IPv6-enabled
!-- device for traffic to be policed by the CoPP feature.
!
policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC
 class drop-IPv6-RH0-class
  drop
!
!-- Apply the defined policy map to the control plane of the device for
!-- traffic sent to the management and control planes to be policed by the
!-- CoPP feature.
!
control-plane
 service-policy input DROP-UNAUTHORIZED-INFRA-TRAFFIC
!

In the preceding CoPP example, the access control list entry (ACE) that matches packets with an IPv6 Type 0 Routing header using the permit action causes the policy map drop function to discard those packets, whereas packets that match the deny action (not shown) are not affected by the policy map drop function.

Note that in Cisco IOS Software releases 12.2S and 12.0S the policy map syntax is different: the class has no drop action, so the same effect is obtained with a police statement whose conform and exceed actions are both drop, as shown below.

Note: Cisco IOS Software 12.2S and 12.0S currently allow only the ability to filter on all IPv6 Routing header types (0 through 255) using the routing keyword for IPv6 extended access lists, which is why the class in this example is named for all Routing header types rather than for Type 0. If this capability is used and MIPv6 is deployed at a later time, MIPv6 will not function properly because its traffic will be dropped by the CoPP policy.

!
policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC
  class drop-IPv6-RH-class
    police 32000 1500 1500 conform-action drop exceed-action drop
!

Additional information about the configuration and use of the CoPP feature is at Control Plane Policing Implementation Best Practices and Control Plane Policing for Cisco IOS Release 12.2S.

Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding

Protection against spoofing is available through the proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) for IPv6. Unicast RPF for IPv6 can detect and drop (discard) IPv6 packets that lack a verifiable IPv6 source address. Administrators should not rely on Unicast RPF for IPv6 to provide 100 percent protection: spoofed packets may still enter the network through a Unicast RPF-enabled interface if there is a return route to the packet's IPv6 source address, or if they are permitted by a Unicast RPF access list. Additional information about Unicast RPF for IPv6 is available at Unicast RPF for IPv6 on the Cisco 12000 Series. Configuration information for ipv6 verify unicast reverse-path and ipv6 verify unicast source reachable-via [rx|any] (where rx = Unicast RPF strict mode and any = Unicast RPF loose mode) is available in the Cisco IOS IPv6 Command Reference. Anti-spoofing ACLs coupled with Unicast RPF for IPv6 provide an added layer of threat mitigation against spoofed packets that carry a Type 0 Routing header. The Unicast RPF for IPv6 feature requires Cisco Express Forwarding.

!-- Enable Unicast RPF for IPv6 on IPv6-enabled interfaces. !
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 verify unicast reverse-path
    -or-
 ipv6 verify unicast source reachable-via [rx|any]
 ipv6 flow ingress
!
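The following Python model is an added example, not Cisco code. It shows how the strict (reachable-via rx) and loose (reachable-via any) checks decide whether a source address is verifiable against a constructed FIB, including the caveat above that loose mode accepts any source for which some route exists. Its treatment of the default route (ignored unless allow-default is configured) and of discard routes (a source whose route points to Null0 fails both modes) follows documented Cisco behaviour but is an assumption of this model, not a description of the forwarding code.

```python
"""Model of how Unicast RPF for IPv6 decides whether a packet's source address is
verifiable, in strict (reachable-via rx) and loose (reachable-via any) mode.

Added example, not Cisco's implementation.  The FIB is constructed; the handling
of the default route and of Null0 routes is an assumption of this model.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface).  egress None is a Null0 route.
FIB = [
    ("2001:db8:1::/48", "GigabitEthernet0/0"),
    ("2001:db8:2::/48", "GigabitEthernet0/1"),
    ("2001:db8:bad::/48", None),        # discard route for a known bogon range
    ("::/0", "GigabitEthernet0/1"),     # default route toward the upstream
]


def lookup(src):
    """Longest-prefix match against FIB; returns (network, egress) or None."""
    addr = ipaddress.IPv6Address(src)
    best = None
    for prefix, egress in FIB:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def urpf_passes(src, ingress, mode="rx", allow_default=False):
    """True if Unicast RPF would forward a packet with this source arriving on
    ingress, False if it would drop it.  mode 'rx' = strict, 'any' = loose."""
    route = lookup(src)
    if route is None:
        return False                    # no return route at all
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False                    # default route does not verify a source
    if egress is None:
        return False                    # Null0 route: drop in both modes
    if mode == "any":
        return True                     # loose: any real route is enough
    return egress == ingress            # strict: best route must point back out the ingress interface


if __name__ == "__main__":
    # A spoofed source from the Gi0/0 customer range arriving from the upstream on Gi0/1
    for mode in ("rx", "any"):
        print(mode, "->", urpf_passes("2001:db8:1::5", "GigabitEthernet0/1", mode))
```

The second print line is the caveat from the paragraph above in code: with loose mode the spoofed source passes because a route to it exists somewhere, which is why the page pairs Unicast RPF with explicit anti-spoofing ACLs.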

Cisco ASA, PIX, and Firewall Services Module Firewalls

The Cisco ASA 5500 Series Adaptive Security Appliance (ASA), the Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers will not process and will drop IPv6 Type 0 Routing header packets by default. These firewall products do not have the ability to filter on IPv6 Routing headers or explicit IPv6 Routing header types; however, IPv6 access lists can be used to explicitly deny unauthorized or permit authorized IPv6 traffic based on source and destination IPv6 addresses, the source and destination port numbers, and the protocol number for the traffic administrators want to filter.

The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 packets sent to specific IPv6-enabled hosts that are behind the firewall, and permits only authorized BGP traffic on TCP port 179 from trusted hosts used for BGP peering over IPv6:

Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.

!-- Deny all unauthorized IPv6 traffic to specific IPv6 devices that are
!-- behind the firewall.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:1:0:1111
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:2:0:2222
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:3:0:3333
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:4:0:4444
!
!-- Permit authorized IPv6 packets for traffic between IPv6 BGP peers on
!-- TCP port 179.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:f00d host 2001:DB8::0:f:0:ffff eq bgp
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:ffff host 2001:DB8::0:f:0:f00d eq bgp
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to the outside interface in the ingress direction.
access-group DENY-IPv6-ALL-RH-TYPES in interface outside
!

Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets that are being filtered with any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:

ios-router#show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
IPv6 access list DENY-IPv6-ALL-RH-TYPES
    deny ipv6 any host 2001:DB8::0:1:0:1111 routing sequence 10
    deny ipv6 any host 2001:DB8::0:2:0:2222 routing (17 matches) sequence 20
    deny ipv6 any host 2001:DB8::0:3:0:3333 routing sequence 30
    deny ipv6 any host 2001:DB8::0:4:0:4444 routing sequence 40
    deny ipv6 any host FE80::218:74FF:FEB5:A41B routing sequence 50
    deny ipv6 any host FE80::218:74FF:FEB5:A41A routing sequence 60
    deny ipv6 any host FE80::218:74FF:FEB5:A419 routing sequence 70
    deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (29 matches) sequence 80
    deny ipv6 any host 2001:DB8::0:F:0:F00D routing (77 matches) sequence 90
    deny ipv6 any 2001:DB8::/32 routing (137 matches) sequence 100
    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 29 on ACE sequence ID 80, 77 on ACE sequence ID 90, and 137 on ACE sequence ID 100.

Cisco IOS XR Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show access-lists ipv6 command to identify the number of IPv6 packets that are being filtered in hardware or software for any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0 (packets denied in hardware) and show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES (packets denied in software) follows:

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (69 hw matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (17 hw matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (54 hw matches)
 100 deny ipv6 any 2001:DB8::/32 routing (185 hw matches)
 --             ACL Policy Truncated               --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security   --
 -- policies and configurations.                   --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 69 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in hardware, 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in hardware, 54 IPv6 Routing Header (Type 0 through 255) packets on ACE sequence ID 90 in hardware, and 185 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in hardware.

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (3 matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (2 matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (5 matches)
 100 deny ipv6 any 2001:DB8::/32 routing (3 matches)
 --             ACL Policy Truncated               --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security   --
 -- policies and configurations.                   --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in software, 2 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in software, 5 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 90 in software, and 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in software.

Filtering Type 0 Routing Header Packets Using Access Lists

After the IPv6 access list is applied to an interface in the ingress direction, the show ipv6 access-list command can be used to identify the number of IPv6 Type 0 Routing header packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-TYPE0-RH follows:

ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH
IPv6 access list DENY-IPv6-TYPE0-RH
    deny ipv6 any any routing-type 0 (156 matches) sequence 10
    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, the access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 156 IPv6 Type 0 Routing header packets on ACE sequence ID 10.

ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH
IPv6 access list DENY-IPv6-TYPE0-RH
    deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0 (9 matches) sequence 10
    deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0 sequence 20
    deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0 sequence 30
    deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0 (127 matches) sequence 40
    deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0 sequence 50
    deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0 sequence 60
    deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0 sequence 70
    deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0 sequence 80
    deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0 sequence 90
    deny ipv6 any 2001:DB8::/32 routing-type 0 (173 matches) sequence 100
    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 9 IPv6 Type 0 Routing header packets on ACE sequence ID 10, 127 IPv6 Type 0 Routing header packets on ACE sequence ID 40, and 173 IPv6 Type 0 Routing header packets on ACE sequence ID 100.
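When an ingress access list such as DENY-IPv6-TYPE0-RH is in place, the counters above are usually polled repeatedly, and what matters is which ACEs are accumulating hits and how fast. The following Python script is an added example, not Cisco code and not part of this document's configuration: it parses IOS show ipv6 access-list output in the format shown above, reports the Type 0 Routing header denies per ACE sequence number, and computes the increase between two polls. The embedded sample output is constructed from the format above with hypothetical counters, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format of the "show ipv6 access-list" output
# above; the counters are hypothetical.
IOS_ACL_OUTPUT = """\
ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH
IPv6 access list DENY-IPv6-TYPE0-RH
    deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0 (9 matches) sequence 10
    deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0 sequence 20
    deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0 (127 matches) sequence 40
    deny ipv6 any 2001:DB8::/32 routing-type 0 (173 matches) sequence 100
    permit ipv6 any any (5021 matches) sequence 110
ios-router#
"""

# One ACE per line: action, rule text, an optional "(N matches)" counter and
# the sequence number. IOS prints "(1 match)" for a single hit, hence "matches?".
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?"
    r"\s+sequence\s+(?P<seq>\d+)\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int  # ACEs that never matched carry no counter: treated as 0


def parse_ios_ipv6_acl(text: str) -> List[Ace]:
    """Extract the ACEs from one IOS 'show ipv6 access-list' output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(int(m["seq"]), m["action"], m["rule"].strip(),
                            int(m["matches"] or 0)))
    return aces


def rh0_denies(aces: List[Ace]) -> Dict[int, int]:
    """Sequence -> matches for deny ACEs that match routing-type 0 packets."""
    return {a.seq: a.matches for a in aces
            if a.action == "deny" and "routing-type 0" in a.rule}


def rh0_delta(before: List[Ace], after: List[Ace]) -> Dict[int, int]:
    """New routing-type 0 denies per ACE between two polls of the counters.

    A counter that went backwards (cleared with 'clear ipv6 access-list'
    or by a reload) is reported as its current value rather than a negative.
    """
    old = rh0_denies(before)
    new = rh0_denies(after)
    return {seq: (n - old[seq]) if seq in old and n >= old[seq] else n
            for seq, n in new.items()}


if __name__ == "__main__":
    aces = parse_ios_ipv6_acl(IOS_ACL_OUTPUT)
    for seq, hits in rh0_denies(aces).items():
        print(f"sequence {seq}: {hits} Type 0 Routing header packets denied")
```

The delta between polls is the figure worth alerting on: a Type 0 Routing header ACE whose counter keeps climbing on a network where RH0 traffic has no legitimate use deserves the investigation the text recommends, whereas a large but static counter may be the residue of an old event.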

Control Plane Policing

With Control Plane Policing (CoPP), after the policy map is applied to the control plane, administrators can use the show policy-map control-plane and show ipv6 access-list commands to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine whether they are being used maliciously.

Example output for show policy-map control-plane and show ipv6 access-list DROP-IPv6-RH0 follows:

ios-router#show policy-map control-plane
 Control Plane
  Service-policy input: DROP-UNAUTHORIZED-INFRA-TRAFFIC
    Class-map: drop-IPv6-RH0-class (match-all)
      41 packets, 14846 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: access-group name DROP-IPv6-RH0
      drop
    Class-map: class-default (match-any)
      1804 packets, 144288 bytes
      5 minute offered rate 4000 bps, drop rate 0 bps
      Match: any
ios-router#
ios-router#show ipv6 access-list DROP-IPv6-RH0
IPv6 access list DROP-IPv6-RH0
    permit ipv6 any any routing-type 0 (41 matches) sequence 10
ios-router#

In the preceding example, the CoPP policy dropped 41 (total) IPv6 packets with a Type 0 Routing header by using the access control list DROP-IPv6-RH0, which is associated with CoPP.
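The CoPP output above is organised per class map, and the operator needs two things from it: which classes are configured to drop, and which access list each class matches on so that its counters can be compared with show ipv6 access-list. The following Python script is an added example, not Cisco code: it parses show policy-map control-plane output in the format shown above into per-class records and extracts both pieces of information. The sample output is constructed with hypothetical counters, and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format of the "show policy-map control-plane"
# output above; the counters are hypothetical.
COPP_OUTPUT = """\
ios-router#show policy-map control-plane
 Control Plane
  Service-policy input: DROP-UNAUTHORIZED-INFRA-TRAFFIC
    Class-map: drop-IPv6-RH0-class (match-all)
      41 packets, 14846 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: access-group name DROP-IPv6-RH0
      drop
    Class-map: class-default (match-any)
      1804 packets, 144288 bytes
      5 minute offered rate 4000 bps, drop rate 0 bps
      Match: any
ios-router#
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(?P<name>\S+)\s+\((?P<kind>match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(?P<packets>\d+) packets, (?P<bytes>\d+) bytes")
RATE_RE = re.compile(r"offered rate (?P<offered>\d+) bps, drop rate (?P<drop>\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(?P<crit>.+?)\s*$")


@dataclass
class CoppClass:
    name: str
    packets: int = 0
    bytes: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    match: List[str] = field(default_factory=list)
    drop_action: bool = False  # True when the class action line is "drop"


def parse_copp(text: str) -> List[CoppClass]:
    """Walk the output once, attaching each counter line to the current class."""
    classes: List[CoppClass] = []
    cur: Optional[CoppClass] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = CoppClass(m["name"])
            classes.append(cur)
            continue
        if cur is None:
            continue
        if (m := COUNT_RE.match(line)):
            cur.packets, cur.bytes = int(m["packets"]), int(m["bytes"])
        elif (m := RATE_RE.search(line)):
            cur.offered_bps, cur.drop_bps = int(m["offered"]), int(m["drop"])
        elif (m := MATCH_RE.match(line)):
            cur.match.append(m["crit"])
        elif line.strip() == "drop":
            cur.drop_action = True
    return classes


def copp_drops(classes: List[CoppClass]) -> Dict[str, int]:
    """Packets counted by classes whose action is drop: class name -> packets."""
    return {c.name: c.packets for c in classes if c.drop_action}


def acl_for_class(cls: CoppClass) -> Optional[str]:
    """Name of the access list a class matches on, so its counters can be
    compared with 'show ipv6 access-list <name>'."""
    for crit in cls.match:
        m = re.match(r"access-group name (\S+)", crit)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for cls in parse_copp(COPP_OUTPUT):
        if cls.drop_action:
            print(f"{cls.name}: {cls.packets} packets dropped "
                  f"(ACL {acl_for_class(cls)}, {cls.drop_bps} bps)")
```

In the sample the drop class counts 41 packets and the referenced access list DROP-IPv6-RH0 shows 41 matches, which is the cross-check an operator wants: when the two disagree, the class is matching on more than that one ACL or the counters were cleared at different times.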

Spoofing Protection Using IPv6 Unicast RPF

With Unicast RPF for IPv6 properly deployed and configured throughout the network infrastructure, administrators can use the show ipv6 interface, show cef drop, show cef interface type slot/port internal, and show ipv6 traffic commands to identify the number of IPv6 packets that Unicast RPF for IPv6 has dropped.

Note: The show command | begin regexp and show command | include regexp command modifiers are used in the following examples to minimize the amount of output that administrators need to parse to view the desired information. Additional information about command modifiers is available in the show command sections of the Cisco IOS Configuration Fundamentals Command Reference.

Note: show cef interface type slot/port internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.

ios-router#
ios-router#show ipv6 interface GigabitEthernet 0/0 | begin Unicast RPF
  Unicast RPF
    Process Switching:
      0 verification drops
      0 suppressed verification drops
    CEF Switching:
      12 verification drops
      0 suppressed verification drops
  Inbound access list infrastructure-acl-policy
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
ios-router#
ios-router#show cef drop
IPv6 CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj
RP            51           0           0          12           0
ios-router#
ios-router#show cef interface GigabitEthernet 0/0 internal | begin IPv6 unicast RPF
  IPv6 unicast RPF: acl=None, drop=12, sdrop=0
  IPv6: enabled 1 unreachable TRUE redirect TRUE mtu 1500 flags 0x0
        Switching mode is CEF
        Input features: Ingress-Netflow RPF ACL
        Output features: Post-Ingress-Netflow Egress-Netflow
        Inbound access list: infrastructure-acl-policy
ios-router#
ios-router#show ipv6 traffic | inc RPF
         12 unicast RPF drop, 0 suppressed RPF drop
ios-router#

In the preceding examples, Unicast RPF for IPv6 has dropped 12 IPv6 packets received on interface GigabitEthernet0/0 because the source address of those packets could not be verified against the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB).
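Three of the commands above report the same Unicast RPF verification drops in three different formats, and an operator scripting the check wants them reconciled: the per-interface CEF counter from show ipv6 interface should equal the drop= value from show cef interface ... internal, and no single interface can exceed the router-wide counter from show ipv6 traffic. The following Python script is an added example, not Cisco code: it extracts each counter from sample output constructed in the formats shown above (hypothetical values) and flags a mismatch. The function names are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed samples in the format of the three commands above that report
# Unicast RPF verification drops; the counters are hypothetical.
SHOW_IPV6_INTERFACE = """\
  Unicast RPF
    Process Switching:
      0 verification drops
      0 suppressed verification drops
    CEF Switching:
      12 verification drops
      0 suppressed verification drops
  Inbound access list infrastructure-acl-policy
"""
SHOW_CEF_INTERFACE = "  IPv6 unicast RPF: acl=None, drop=12, sdrop=0\n"
SHOW_IPV6_TRAFFIC = "         12 unicast RPF drop, 0 suppressed RPF drop\n"


def rpf_drops_by_path(text: str) -> Dict[str, int]:
    """'show ipv6 interface' block: verification drops per switching path."""
    drops, path = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("Switching:"):
            path = s[:-1]
        elif path and re.fullmatch(r"\d+ verification drops", s):
            # "N suppressed verification drops" does not match and is skipped
            drops[path] = int(s.split()[0])
    return drops


def rpf_drops_cef_internal(text: str) -> Optional[int]:
    """'show cef interface ... internal': per-interface CEF RPF drop counter."""
    m = re.search(r"IPv6 unicast RPF: acl=\S+, drop=(\d+), sdrop=(\d+)", text)
    return int(m.group(1)) if m else None


def rpf_drops_global(text: str) -> Optional[int]:
    """'show ipv6 traffic': router-wide RPF drop counter."""
    m = re.search(r"(\d+) unicast RPF drop, (\d+) suppressed RPF drop", text)
    return int(m.group(1)) if m else None


def rpf_summary(intf_out: str, cef_intf_out: str, traffic_out: str) -> Dict[str, object]:
    """Reconcile the three views of the same counter for one interface."""
    by_path = rpf_drops_by_path(intf_out)
    cef_internal = rpf_drops_cef_internal(cef_intf_out)
    total = rpf_drops_global(traffic_out)
    interface_total = sum(by_path.values())
    return {
        "by_path": by_path,
        "interface_drops": interface_total,
        "cef_internal_drops": cef_internal,
        "global_drops": total,
        # The per-interface CEF counter is reported by two commands and must
        # agree; the interface total cannot exceed the router-wide counter.
        "consistent": (by_path.get("CEF Switching") == cef_internal
                       and (total is None or interface_total <= total)),
    }


if __name__ == "__main__":
    summary = rpf_summary(SHOW_IPV6_INTERFACE, SHOW_CEF_INTERFACE, SHOW_IPV6_TRAFFIC)
    print(f"RPF drops on interface: {summary['interface_drops']}, "
          f"router-wide: {summary['global_drops']}, consistent: {summary['consistent']}")
```

On a router with several Unicast RPF interfaces the router-wide counter is the sum over all of them, so the per-interface figures are the ones to trend when deciding which ingress point is receiving spoofed sources.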

Cisco ASA, PIX, and FWSM Firewalls

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:

firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to
   specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host
   2001:db8::f:0:ffff eq bgp (hitcnt=11)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host
   2001:db8::f:0:f00d eq bgp (hitcnt=9)
firewall#

In the preceding example, access list DENY-IPv6-ALL-RH-TYPES denied a total of 124 unauthorized IPv6 packets on line 2, line 4, and line 5 for hosts behind the IPv6-enabled firewall, and permitted a total of 20 authorized IPv6 packets on line 6 and line 7 from known trusted hosts for BGP on TCP port 179. IPv6 access list DENY-IPv6-ALL-RH-TYPES is applied in the ingress direction on interface outside.
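The firewall format differs from the IOS one in two ways that trip up naive scripts: each entry is prefixed with the ACL name and a line number, and long entries (the remark on line 1 and the BGP permits on lines 6 and 7) wrap onto an indented continuation line, so the hitcnt does not sit on the line that begins the entry. The following Python script is an added example, not Cisco code: it rejoins wrapped entries, skips remarks, and totals hits per action, reproducing the 124 denied and 20 permitted packets counted above. The sample output is constructed from the format above with hypothetical counters, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the ASA "show ipv6 access-list" format shown above;
# long entries wrap onto a second, indented line. Counters are hypothetical.
ASA_ACL_OUTPUT = """\
firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to
   specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host
   2001:db8::f:0:ffff eq bgp (hitcnt=11)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host
   2001:db8::f:0:f00d eq bgp (hitcnt=9)
firewall#
"""

# The "; 6 elements" summary line has no " line N" and is ignored by this pattern.
ENTRY_RE = re.compile(r"^ipv6 access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*)$")
HIT_RE = re.compile(r"\(hitcnt=(\d+)\)")


@dataclass
class AsaEntry:
    acl: str
    line: int
    action: str
    rule: str
    hitcnt: int


def unwrap(text: str) -> List[str]:
    """Join wrapped entries: a line starting with whitespace continues the
    previous entry."""
    entries: List[str] = []
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries


def parse_asa_ipv6_acl(text: str) -> List[AsaEntry]:
    """Return the permit/deny entries with their hit counters; remarks are skipped."""
    rows = []
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        body = m["body"]
        action = body.split()[0]
        if action == "remark":
            continue
        h = HIT_RE.search(body)
        rows.append(AsaEntry(m["acl"], int(m["line"]), action,
                             HIT_RE.sub("", body).strip(),
                             int(h.group(1)) if h else 0))
    return rows


def hit_totals(rows: List[AsaEntry]) -> Dict[str, int]:
    """Sum of hit counters per action, e.g. {'deny': 124, 'permit': 20}."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r.action] = totals.get(r.action, 0) + r.hitcnt
    return totals


def lines_with_hits(rows: List[AsaEntry], action: str = "deny") -> List[int]:
    """ACL line numbers of the given action that have counted at least one packet."""
    return [r.line for r in rows if r.action == action and r.hitcnt > 0]


if __name__ == "__main__":
    rows = parse_asa_ipv6_acl(ASA_ACL_OUTPUT)
    print("hit totals:", hit_totals(rows))
    print("deny lines with hits:", lines_with_hits(rows))
```

Line 3, with hitcnt=0, is reported by the parser but not by lines_with_hits, which mirrors the investigation the text calls for: only the entries that are actually catching traffic (lines 2, 4 and 5 here) need a look at who is sending it.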

References

RFC 1883 Internet Protocol, Version 6 (IPv6) Specification (obsoleted)
http://tools.ietf.org/html/rfc1883

RFC 2460 Internet Protocol, Version 6 (IPv6) Specification (current)
http://tools.ietf.org/html/rfc2460

IPv6 Routing Headers Security, presented at CanSecWest 2007 by Philippe Biondi and Arnaud Ebalard
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

The IPv6 Type 0 Routing Header Issue
http://www.natisbad.org/

Scapy (Philippe Biondi) and Scapy6 (IPv6 extension for Scapy, Guillaume Valadon and Arnaud Ebalard)
http://www.secdev.org/projects/scapy/ and http://www.natisbad.org/scapy/

IPv6 Ping Pong, May 2007, by Geoff Huston
http://www.potaroo.net/ispcol/2007-05/6pong.txt or http://ispcolumn.isoc.org/2007-05/6pong.txt

Experts Scramble to Quash IPv6 Flaw, 2007-05-09 (May 9, 2007), by Robert Lemos, SecurityFocus
http://www.securityfocus.com/news/11463

IPv6 Protocol Type 0 Route Header Denial of Service Vulnerability
http://www.securityfocus.com/bid/23615/

Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-jabley-ipv6-rh0-is-evil-00

Security of IPv6 Routing Header and Home Address Option
http://tools.ietf.org/html/draft-savola-ipv6-rh-ha-security-00

Note About Routing Header Processing on IPv6 Hosts
http://tools.ietf.org/html/draft-savola-ipv6-rh-hosts-00

IPv6 Type 0 Routing Header Processing
http://tools.ietf.org/html/draft-savola-ipv6-rtheader-00

Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-ietf-ipv6-deprecate-rh0-00

Firewalling Considerations for IPv6
http://tools.ietf.org/html/draft-savola-v6ops-firewalling-00

Detecting Loops in the IPv6 Routing Header Type 0
http://tools.ietf.org/html/draft-manral-ipv6-detecting-loops-rh-00

IPv6 Transition/Co-existence Security Considerations
http://tools.ietf.org/html/draft-ietf-v6ops-security-overview-00

IPv6 Home Page on Cisco.com
http://www.cisco.com/go/ipv6

IPv6 Extension Headers Review and Considerations
http://www.cisco.com/en/US/tech/tk872/technologies_white_paper0900aecd8054d37d.shtml

Cisco IOS IPv6 Command Reference
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book.html

Cisco IOS IPv6 Configuration Library
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/ip6-config_lib.html

Unicast RPF for IPv6 on the Cisco 12000 Series
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00803e9789.html

 


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

