IPv6 Type 0 Routing Headers

Introduction

The protocol specification for Internet Protocol version 6 (IPv6) was originally defined in RFC 1883 and then obsoleted by RFC 2460. These RFCs also define IPv6 extension headers that contain optional Internet-layer information encoded in separate headers. These headers may be inserted between the IPv6 header and the upper-layer header in an IPv6 packet. This document will focus on the IPv6 extension header Type 0 Routing header, which is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination. The IPv6 Type 0 Routing header is similar in function to the IPv4 (RFC 791) Loose Source and Record Route IP options. The IPv6 Routing header is identified by a Next Header (NH) value of 43 in the immediately preceding header. This document will advise how to disable the processing of IPv6 packets with a Type 0 Routing header on devices that are running Cisco IOS Software and how to filter such packets using Cisco IOS Software or Cisco IOS XR Software.

Malicious Use of Type 0 Routing Headers

Attackers can maliciously use IPv6 Type 0 Routing headers to bypass packet filters (IPv6 access-list policies) or anycast addressing and routing. These headers can also be used to perform reflected denial of service (DoS) attacks, spoofing, double spoofing, and amplification attacks (ping-pong attacks that can cause link saturation and potential performance issues through added CPU processing).

IPv6 Header Formats

IPv6 Header

The following diagram provides the format of the IPv6 header. The field descriptions from RFC 2460 are below it.

IPv6 header format diagram

 

Field Description
Version 4-bit Internet Protocol version number = 6.
Traffic Class 8-bit traffic class field.
Flow Label 20-bit flow label.
Payload Length 16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.)
Next Header 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hop Limit 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
Source Address 128-bit address of the originator of the packet.
Destination Address 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).

 

IPv6 Extension Header: Routing Header

The following diagram provides the format of the IPv6 extension header Routing header. The field descriptions from RFC 2460 are below it.

IPv6 header format diagram

Field Description
Next Header 8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len 8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets.
Routing Type 8-bit identifier of a particular Routing header variant.
Segments Left8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
type-specific data Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long.

 

IPv6 Type 0 Routing Header

The following diagram provides the format of the IPv6 Type 0 Routing header. The field descriptions from RFC 2460 are below it.

IPv6 header format diagram

Field Description
Next Header 8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len 8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets. For the Type 0 Routing header, Hdr Ext Len is equal to two times the number of addresses in the header.
Routing Type 0.
Segments Left 8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
Reserved 32-bit reserved field. Initialized to zero for transmission; ignored on reception.
Address[1..n] Vector of 128-bit addresses, numbered 1 to n.

 

Countermeasures for IPv6 Type 0 Routing Headers

Disabling Processing of Type 0 Routing Header Packets

Cisco IOS Software provides the ability to disable the processing of IPv6 packets with Type 0 Routing headers. Starting with Cisco IOS Software releases 12.2(15)T and 12.0(32)S, administrators can enable the no ipv6 source-route command from global configuration mode to prevent hosts from performing source routing using IPv6-enabled IOS devices. Prior to these Cisco IOS Software releases, the processing of IPv6 Type 0 Routing headers was enabled.

Note: When the no ipv6 source-route command is configured and the IOS device receives a packet with a Type 0 Routing header present, the IOS device drops the packet and sends an IPv6 Internet Control Message Protocol (ICMP) "destination unreachable" message back to the source and logs an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter IPv6 Routing headers starting with Cisco IOS Software releases 12.2(13)T, 12.0(23)S, and Cisco IOS XR Software release 2.0 using the IPv6 access list routing keyword. However, filtering for IPv6 Routing headers will filter on all IPv6 Routing header types (0 through 255). If Mobile IPv6 (MIPv6) is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended. Additional filtering for explicit IPv6 Type 0 Routing headers will be shown below.

The following example access control list (ACL) policy shows how to filter and deny all unauthorized IPv6 Routing header Type 0 through 255 packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device or IPv6 link-local addresses and then deny all other unauthorized IPv6 Routing header type packets sent to the IPv6 prefix assigned to infrastructure devices.

Note: Cisco IOS Software releases prior to 12.4(2)T and Cisco IOS XR Software releases prior to 3.4.2 do not have the ability to filter on specific IPv6 Routing header type values using IPv6 ACLs. IOS releases prior to 12.4(2)T can filter only IPv6 packets with the presence of a Routing header in the IPv6 header chain. In Cisco IOS Software release 12.4(2)T, a new keyword of routing-type added the ability to filter on the presence of specific IPv6 Routing header type values.

caution Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.

Cisco IOS Software

!-- If device is running Cisco IOS Software release prior to 12.4(2)T
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
  deny ipv6 any host 2001:DB8::0:1:0:1111 routing
  deny ipv6 any host 2001:DB8::0:2:0:2222 routing
  deny ipv6 any host 2001:DB8::0:3:0:3333 routing
  deny ipv6 any host 2001:DB8::0:4:0:4444 routing
  deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
  deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
  deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
  !
  !-- The following IPv6 addresses are configured on loopback interfaces
  !-- for management and BGP peering using /128 prefixes.
  deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
  deny ipv6 any host 2001:DB8::0:F:0:F00D routing
  !
  !-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6
  !-- prefix used in the configuration of network infrastructure devices.
  deny ipv6 any 2001:DB8::/32 routing
  !
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-ALL-RH-TYPES in
!

Cisco IOS XR Software

!-- If device is running Cisco IOS XR Software release 2.0 through 3.4.2
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
  deny ipv6 any host 2001:DB8::0:1:0:1111 routing
  deny ipv6 any host 2001:DB8::0:2:0:2222 routing
  deny ipv6 any host 2001:DB8::0:3:0:3333 routing
  deny ipv6 any host 2001:DB8::0:4:0:4444 routing
  deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
  deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
  deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
  !
  !-- The following IPv6 addresses are configured on loopback interfaces
  !-- for management and BGP peering using /128 prefixes.
  deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
  deny ipv6 any host 2001:DB8::0:F:0:F00D routing
  !
  !-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6
  !-- prefix used in the configuration of network infrastructure devices.
  deny ipv6 any 2001:DB8::/32 routing
  !
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet 0/0/0/1
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 access-group DENY-IPv6-ALL-RH-TYPES ingress
!

Note: When filtering with an interface access list, Cisco IOS Software and Cisco IOS XR Software will elicit the transmission of an ICMP "destination unreachable" message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Filtering Type 0 Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter on specific IPv6 Routing header types (0 through 255) starting with Cisco IOS release 12.4(2)T using the IPv6 access list routing-type rh-type-value keyword. Explicitly filtering for IPv6 Type 0 Routing headers allows for access lists to deny packets with an IPv6 Type 0 Routing header without impacting the operations of other IPv6 services that use IPv6 Routing headers (for example, MIPv6 uses Type 2 Routing headers). Cisco IOS XR Software does not have the ability to filter on specific IPv6 Routing header types as of release 3.4.2. See "Filtering Routing Header Packets Using Access Lists" for information about filtering IPv6 Routing header packets on Cisco IOS XR Software.

The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 Type 0 Routing header packets sent to any IPv6 interface (configured, link-local) on an IPv6-enabled IOS device and how to filter and deny such packets transiting through the IPv6-enabled IOS device:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to any IPv6 address configured on interfaces of the IPv6-enabled
!-- device (management, loopback, access links, and network/user segments),
!-- IPv6 link-local addresses, or for IPv6 packets transiting through the
!-- IPv6-enabled router that are targeting other IPv6-enabled devices
!-- within the network infrastructure.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
  deny ipv6 any any routing-type 0
  !
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!

The following example ACL policy shows how to filter and deny unauthorized IPv6 Type 0 Routing header packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device and specific IPv6 link-local addresses and then deny all other unauthorized IPv6 Type 0 Routing header packets sent to the IPv6 prefix assigned to infrastructure devices:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to IPv6 addresses configured on interfaces of the IPv6-enabled device
!-- (management, loopback, access links, and network/user segments) or
!-- or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
  deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0
  deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0
  deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0
  deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0
  deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0
  deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0
  deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0
  !
  !-- The following IPv6 addresses are configured on loopback interfaces
  !-- for management and BGP peering using /128 prefixes.
  deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0
  deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0
  !
  !-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6
  !-- prefix used in the configuration of network infrastructure devices.
  deny ipv6 any 2001:DB8::/32 routing-type 0
  !
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!

Note: When filtering with an interface access list, Cisco IOS Software will elicit the transmission of an ICMP "destination unreachable" message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Control Plane Policing

Administrators can use Control Plane Policing (CoPP) to block untrusted IPv6 Type 0 Routing header packets to an IPv6-enabled device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to a specific network. This example assumes that IPv6 packets sent to the IPv6 addresses configured on an IPv6-enabled device are to be fully restricted from receiving any IPv6 Type 0 Routing header packets.

Note: In the following example, the routing-type IPv6 access lists keyword will match only packets with an IPv6 Type 0 Routing header present. It is possible to use the routing IPv6 access list keyword to match all IPv6 Routing header types (0 through 255). However, doing so may impact current operations or future deployments of MIPv6. If MIPv6 is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended.

!-- Permit all IPv6 Type 0 Routing header packets sent to any IPv6 address
!-- configured on interfaces of the affected device (management, loopback, 
!-- access links, and network/user segments) or IPv6 link-local addresses.
!-- This traffic will be policed by the CoPP feature.
!
ipv6 access-list DROP-IPv6-RH0
  permit ipv6 any any routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations for traffic that
!-- is authorized to be sent to infrastructure devices on the management
!-- and control planes.
!
!-- Create a class map where the defined IPv6 access-list that permits all
!-- IPv6 Type 0 Routing header packets will be applied. This class map will
!-- be applied to a policy map used to police traffic via the CoPP feature.
!
class-map match-all drop-IPv6-RH0-class
  match access-group name DROP-IPv6-RH0
!
!-- Create a policy map where the defined class map will be applied. This
!-- policy map will be applied to the control plane of the IPv6-enabled
!-- device for traffic to be policed by the CoPP feature.
!
policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC
  class drop-IPv6-RH0-class
    drop
!
!-- Apply the defined policy map to the control plane of the device for
!-- traffic sent to the management and control planes to be policed by the
!-- CoPP feature.
!
control-plane
  service-policy input DROP-UNAUTHORIZED-INFRA-TRAFFIC
!

In the preceding CoPP example, the access control list entry (ACE) that matches packets with an IPv6 Type 0 Routing header using the permit action causes the policy map drop function to discard those packets, whereas packets that match the deny action (not shown) are not affected by the policy map drop function.

Note that in Cisco IOS Software releases 12.2S and 12.0S, the policy map syntax is different.

Note: Cisco IOS Software 12.2S and 12.0S currently allow only the ability to filter on all IPv6 Routing header types (0 through 255) using the routing keyword for IPv6 extended access lists. If this capability is used and MIPv6 is deployed at a later time, MIPv6 will not function properly because it will be dropped by the CoPP policy.

!
policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC
  class drop-IPv6-RH-class
    police 32000 1500 1500 conform-action drop exceed-action drop
!

Additional information about the configuration and use of the CoPP feature is at Deploying Control Plane Policing and Control Plane Policing for Cisco IOS Release 12.2S.

Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding

Protection mechanisms for spoofing exist through the proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) for IPv6. Unicast RPF for IPv6 can detect and drop (discard) IPv6 packets that lack a verifiable IPv6 source addresses. Administrators should not rely on Unicast RPF for IPv6 to provide 100 percent protection because spoofed packets may still enter the network through a Unicast RPF-enabled interface for which there is a return route to the IPv6 source address within the packet or may be allowed by Unicast RPF access lists. Additional information about Unicast RPF for IPv6 is available at Unicast RPF for IPv6 on the Cisco 12000 Series. Configuration information for ipv6 verify unicast reverse-path and ipv6 verify unicast source reachable-via [rx|any] (where rx = Unicast RPF strict mode and any = Unicast RPF loose mode) is available at Cisco IOS 12.3 IPv6 Command Reference. ACLs that prevent spoofing coupled with Unicast RPF for IPv6 provide an added layer of threat mitigation against spoofed packets with a Type 0 Routing header present. The Unicast RPF for IPv6 feature requires Cisco Express Forwarding.

!-- Enable Unicast RPF for IPv6 on IPv6-enabled interfaces.
!
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 verify unicast reverse-path
    -or-
 ipv6 verify unicast source reachable-via [rx|any]
 ipv6 flow ingress
!

Cisco ASA, PIX, and Firewall Services Module Firewalls

The Cisco ASA 5500 Series Adaptive Security Appliance (ASA), the Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers will not process and will drop IPv6 Type 0 Routing header packets by default. These firewall products do not have the ability to filter on IPv6 Routing headers or explicit IPv6 Routing header types; however, IPv6 access lists can be used to explicitly deny unauthorized or permit authorized IPv6 traffic based on source and destination IPv6 addresses, the source and destination port numbers, and the protocol number for the traffic administrators want to filter.

The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 packets sent to specific IPv6-enabled hosts that are behind the firewall, and permits only authorized BGP traffic on TCP port 179 from trusted hosts used for BGP peering over IPv6:

caution Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.

!-- Deny all unauthorized IPv6 traffic to specific IPv6 devices that are
!-- behind the firewall.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES remark -- Deny IPv6 traffic sent to
   specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:1:0:1111
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:2:0:2222
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:3:0:3333
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:4:0:4444
!
!-- Permit authorized IPv6 packets for traffic between IPv6 BGP peers on
!-- TCP port 179.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:f00d
   host 2001:DB8::0:f:0:ffff eq bgp
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:ffff
   host 2001:DB8::0:f:0:f00d eq bgp
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to the outside interface in the ingress direction.
access-group DENY-IPv6-ALL-RH-TYPES in interface outside
!

Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets that are being filtered with any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:

ios-router#show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
IPv6 access list DENY-IPv6-ALL-RH-TYPES
    deny ipv6 any host 2001:DB8::0:1:0:1111 routing sequence 10
    deny ipv6 any host 2001:DB8::0:2:0:2222 routing (17 matches) sequence 20
    deny ipv6 any host 2001:DB8::0:3:0:3333 routing sequence 30
    deny ipv6 any host 2001:DB8::0:4:0:4444 routing sequence 40
    deny ipv6 any host FE80::218:74FF:FEB5:A41B routing sequence 50
    deny ipv6 any host FE80::218:74FF:FEB5:A41A routing sequence 60
    deny ipv6 any host FE80::218:74FF:FEB5:A419 routing sequence 70
    deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (29 matches) sequence 80
    deny ipv6 any host 2001:DB8::0:F:0:F00D routing (77 matches) sequence 90
    deny ipv6 any 2001:DB8::/32 routing (137 matches) sequence 100

    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 29 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80, 77 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 90, and 137 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID100.

Cisco IOS XR Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show access-lists ipv6 command to identify the number of IPv6 packets that are being filtered in hardware or software for any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show access-list ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0 (packets denied in hardware) and show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES (packets denied in software) follows:

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (69 hw matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (17 hw matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (54 hw matches)
 100 deny ipv6 any 2001:DB8::/32 routing (185 hw matches)

 --             ACL Policy Truncated               --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security   --
 -- policies and configurations.                   --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 69 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in hardware, 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in hardware, 54 IPv6 Routing Header (Type 0 through 255) packets on ACE sequence ID 90 in hardware, and 185 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in hardware.

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (3 matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (2 matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (5 matches)
 100 deny ipv6 any 2001:DB8::/32 routing (3 matches)

 --             ACL Policy Truncated               --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security   --
 -- policies and configurations.                   --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in software, 2 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in software, 5 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 90 in software, and 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in software.

Filtering Type 0 Routing Header Packets Using Access Lists

After the IPv6 access list is applied to an interface in the ingress direction, the show ipv6 access-list command can be used to identify the number of IPv6 Type 0 Routing header packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-TYPE0-RH follows :

ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH
IPv6 access list DENY-IPv6-TYPE0-RH
    deny ipv6 any any routing-type 0 (156 matches) sequence 10

    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, the access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 156 IPv6 Type 0 Routing header packets on ACE sequence ID 10.

ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH
IPv6 access list DENY-IPv6-TYPE0-RH
    deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0 (9 matches) sequence 10
    deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0 sequence 20
    deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0 sequence 30
    deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0 (127 matches) sequence 40
    deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0 sequence 50
    deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0 sequence 60
    deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0 sequence 70
    deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0 sequence 80
    deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0 sequence 90
    deny ipv6 any 2001:DB8::/32 routing-type 0 (173 matches) sequence 100

    --             ACL Policy Truncated               --
    -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
    -- traffic in accordance with existing security   --
    -- policies and configurations.                   --
ios-router#

In the preceding example, access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 9 IPv6 Type 0 Routing header packets on ACE sequence ID 10, 127 IPv6 Type 0 Routing header packets on ACE sequence ID 40, and 173 IPv6 Type 0 Routing header packets on ACE sequence ID 100.

Control Plane Policing

With Control Plane Policing (CoPP), after the policy map is applied to the control plane, administrators can use the show policy-map control-plane and show ipv6 access-list commands to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine whether they are being used maliciously.

Example output for show policy-map control-plane and show ipv6 access-list DROP-IPv6-RH0 follows:

ios-router#show policy-map control-plane
 Control Plane

  Service-policy input: DROP-UNAUTHORIZED-INFRA-TRAFFIC

    Class-map: drop-IPv6-RH0-class (match-all)
      41 packets, 14846 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: access-group name DROP-IPv6-RH0
      drop

    Class-map: class-default (match-any)
      1804 packets, 144288 bytes
      5 minute offered rate 4000 bps, drop rate 0 bps
      Match: any
ios-router#
ios-router#show ipv6 access-list DROP-IPv6-RH0
IPv6 access list DROP-IPv6-RH0
    permit ipv6 any any routing-type 0 (41 matches) sequence 10
ios-router#

In the preceding example, the CoPP policy dropped 41 (total) IPv6 packets with a Type 0 Routing header by using the access control list DROP-IPv6-RH0, which is associated with CoPP.

Spoofing Protection Using IPv6 Unicast RPF

With Unicast RPF for IPv6 properly deployed and configured throughout the network infrastructure, administrators can use the show ipv6 interface, show cef drop, show cef interface type slot/port internal, and show ipv6 traffic commands to identify the number of IPv6 packets that Unicast RPF for IPv6 has dropped.

Note: The show command | begin regexp and show command | include regexp command modifiers are used in the following examples to minimize the amount of output that administrators need to parse to view the desired information. Additional information about command modifiers is available in the "show command" sections of the Cisco IOS Configuration Fundamentals Command Reference.

Note: show cef interface type slot/port internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.

ios-router#
ios-router#show ipv6 interface GigabitEthernet 0/0 | begin Unicast RPF
  Unicast RPF
    Process Switching:
      0 verification drops
      0 suppressed verification drops
    CEF Switching:
      12 verification drops
      0 suppressed verification drops
  Inbound access list infrastructure-acl-policy
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
ios-router#
ios-router#show cef drop
IPv6 CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj
RP            51           0           0          12           0
ios-router#
ios-router#show cef interface GigabitEthernet 0/0 internal | begin IPv6 unicast RPF
  IPv6 unicast RPF: acl=None, drop=12, sdrop=0
  IPv6: enabled 1 unreachable TRUE redirect TRUE mtu 1500 flags 0x0
        Switching mode is CEF
        Input features: Ingress-Netflow RPF ACL
        Output features: Post-Ingress-Netflow Egress-Netflow
        Inbound access list: infrastructure-acl-policy
ios-router#
ios-router#show ipv6 traffic | inc RPF
         12 unicast RPF drop, 0 suppressed RPF drop
ios-router#

In the preceding examples, Unicast RPF for IPv6 has dropped 12 IPv6 packets received on interface GigabitEthernet0/0 due to the inability to verify the source address of the IPv6 packets within the Cisco Express Forwarding Forwarding Information Base.

Cisco ASA, PIX, and FWSM Firewalls

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:

firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to
   specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host
   2001:db8::f:0:ffff eq bgp (hitcnt=11)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host
   2001:db8::f:0:f00d eq bgp (hitcnt=9)
firewall#

In the preceding example, access list DENY-IPv6-ALL-RH-TYPES denied a total of 124 unauthorized IPv6 packets on line 2, line 4, and line 5 for hosts behind the IPv6-enabled firewall, and permitted a total of 20 authorized IPv6 packets on line 6 and line 7 from known trusted hosts for BGP on TCP port 179. IPv6 access list DENY-IPv6-ALL-RH-TYPES is applied in the ingress direction on interface outside.

References

RFC 1883 Internet Protocol, Version 6 (IPv6) Specification (obsoleted)
http://tools.ietf.org/html/rfc1883

RFC 2460 Internet Protocol, Version 6 (IPv6) Specification (current)
http://tools.ietf.org/html/rfc2460

IPv6 Routing Headers Security, presented at CanSecWest/core07 by Philippe Biondi and Arnaud Ebalard
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

The IPv6 Type 0 Routing Header Issue
http://www.natisbad.org/

Scapy (Philippe Biondi) and Scapy6 (IPv6 extension for Scapy, Guillaume Valadon and Arnaud Ebalard)
Scapy and Scapy6 (IPv6 extension for Scapy)

IPv6 Ping Pong, May 2007, by Geoff Huston
http://www.potaroo.net/ispcol/2007-05/6pong.txt or http://ispcolumn.isoc.org/2007-05/6pong.txt

Experts Scramble to Quash IPv6 Flaw, 2007-05-09 (May 9, 2007), by Robert Lemos, SecurityFocus
http://www.securityfocus.com/news/11463

Five Security Flaws in IPv6
http://www.darkreading.com/document.asp?doc_id=123506

IPv6 Protocol Type 0 Route Header Denial of Service Vulnerability
http://www.securityfocus.com/bid/23615/

Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-jabley-ipv6-rh0-is-evil-00

Security of IPv6 Routing Header and Home Address Option
http://tools.ietf.org/html/draft-savola-ipv6-rh-ha-security-00

Note About Routing Header Processing on IPv6 Hosts
http://tools.ietf.org/html/draft-savola-ipv6-rh-hosts-00

IPv6 Type 0 Routing Header Processing
http://tools.ietf.org/html/draft-savola-ipv6-rtheader-00

Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-ietf-ipv6-deprecate-rh0-00

Firewalling Considerations for IPv6
http://tools.ietf.org/html/draft-savola-v6ops-firewalling-00

Detecting Loops in the IPv6 Routing Header Type 0
http://tools.ietf.org/html/draft-manral-ipv6-detecting-loops-rh-00

IPv6 Transition/Co-existence Security Considerations
http://tools.ietf.org/html/draft-ietf-v6ops-security-overview-00

IPv6 Home Page on Cisco.com
http://www.cisco.com/go/ipv6

IPv6 Extension Headers Review and Considerations
http://www.cisco.com/en/US/tech/tk872/technologies_white_paper0900aecd8054d37d.shtml

Cisco IOS IPv6 Command Reference
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_book09186a00801d661a.html

Cisco IOS IPv6 Configuration Library
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_book09186a00801d65f9.html

Unicast RPF for IPv6 on the Cisco 12000 Series
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00803e9789.html


This document is part of the Cisco Security Intelligence Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top

Cisco Security Intelligence Operations