Introduction

The protocol specification for Internet Protocol version 6 (IPv6) was originally defined in RFC 1883 and then obsoleted by RFC 2460. These RFCs also define IPv6 extension headers, which carry optional Internet-layer information encoded in separate headers. These headers may be inserted between the IPv6 header and the upper-layer header in an IPv6 packet. This document focuses on the IPv6 extension header Type 0 Routing header, which an IPv6 source uses to list one or more intermediate nodes to be "visited" on the way to a packet's destination. The IPv6 Type 0 Routing header is similar in function to the IPv4 (RFC 791) Loose Source and Record Route IP options. The IPv6 Routing header is identified by a Next Header (NH) value of 43 in the immediately preceding header. This document advises how to disable the processing of IPv6 packets with a Type 0 Routing header on devices that run Cisco IOS Software and how to filter such packets using Cisco IOS Software or Cisco IOS XR Software.

Malicious Use of Type 0 Routing Headers

Attackers can use IPv6 Type 0 Routing headers to bypass packet filters (IPv6 access-list policies) or anycast addressing and routing. These headers can also be used to perform reflected denial of service (DoS) attacks, spoofing, double spoofing, and amplification attacks (ping-pong attacks that can cause link saturation and potential performance issues through added CPU processing).

IPv6 Header Formats

IPv6 Header

The following diagram provides the format of the IPv6 header. The field descriptions from RFC 2460 are below it.
IPv6 Extension Header: Routing Header

The following diagram provides the format of the IPv6 extension header Routing header. The field descriptions from RFC 2460 are below it.
IPv6 Type 0 Routing Header

The following diagram provides the format of the IPv6 Type 0 Routing header. The field descriptions from RFC 2460 are below it.
Countermeasures for IPv6 Type 0 Routing Headers

Disabling Processing of Type 0 Routing Header Packets

Cisco IOS Software provides the ability to disable the processing of IPv6 packets with Type 0 Routing headers. Starting with Cisco IOS Software releases 12.2(15)T and 12.0(32)S, administrators can enter the no ipv6 source-route command in global configuration mode to prevent hosts from performing source routing through IPv6-enabled IOS devices. Prior to these Cisco IOS Software releases, the processing of IPv6 Type 0 Routing headers was enabled and the command was not available.

Note: When the no ipv6 source-route command is configured and the IOS device receives a packet with a Type 0 Routing header present, the IOS device drops the packet, sends an IPv6 Internet Control Message Protocol (ICMP) "destination unreachable" message back to the source, and logs an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter IPv6 Routing headers starting with Cisco IOS Software releases 12.2(13)T and 12.0(23)S, and Cisco IOS XR Software starting with release 2.0, using the IPv6 access list routing keyword. However, filtering on the routing keyword matches all IPv6 Routing header types (0 through 255). If Mobile IPv6 (MIPv6) is in use or may be deployed in the future, using the IPv6 access list routing keyword is not recommended.
Additional filtering for explicit IPv6 Type 0 Routing headers is shown later in this document. The following example access control list (ACL) policy shows how to filter and deny all unauthorized IPv6 Routing header Type 0 through 255 packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device or to IPv6 link-local addresses, and then deny all other unauthorized IPv6 Routing header packets sent to the IPv6 prefix assigned to infrastructure devices.

Note: Cisco IOS Software releases prior to 12.4(2)T and Cisco IOS XR Software releases prior to 3.4.2 do not have the ability to filter on specific IPv6 Routing header type values using IPv6 ACLs. IOS releases prior to 12.4(2)T can filter only on the presence of a Routing header in the IPv6 header chain. In Cisco IOS Software release 12.4(2)T, the new routing-type keyword added the ability to filter on specific IPv6 Routing header type values.
Cisco IOS Software

!-- If device is running Cisco IOS Software release prior to 12.4(2)T
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing
!
!-- Deny all other IPv6 Routing header (Type 0 through 255) traffic sent
!-- to the IPv6 prefix used in the configuration of network infrastructure
!-- devices.
 deny ipv6 any 2001:DB8::/32 routing
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-ALL-RH-TYPES in
!

Cisco IOS XR Software

!-- If device is running Cisco IOS XR Software release 2.0 through 3.4.2
!-- Deny all IPv6 extension header Routing header Type 0 through 255
!-- packets sent to IPv6 addresses configured on interfaces of the IPv6-
!-- enabled device (management, loopback, access links, and network/user
!-- segments) or IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing
!
!-- Deny all other IPv6 Routing header (Type 0 through 255) traffic sent
!-- to the IPv6 prefix used in the configuration of network infrastructure
!-- devices.
 deny ipv6 any 2001:DB8::/32 routing
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet 0/0/0/1
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 access-group DENY-IPv6-ALL-RH-TYPES ingress
!

Note: When filtering with an interface access list, Cisco IOS Software and Cisco IOS XR Software send an ICMP "destination unreachable" message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.
Filtering Type 0 Routing Header Packets Using Access Lists

Cisco IOS Software provides the ability to filter on specific IPv6 Routing header types (0 through 255) starting with Cisco IOS release 12.4(2)T using the IPv6 access list routing-type rh-type-value keyword. Explicitly filtering for IPv6 Type 0 Routing headers allows access lists to deny packets with an IPv6 Type 0 Routing header without impacting the operation of other IPv6 services that use IPv6 Routing headers (for example, MIPv6 uses Type 2 Routing headers). Cisco IOS XR Software does not have the ability to filter on specific IPv6 Routing header types as of release 3.4.2. See "Filtering Routing Header Packets Using Access Lists" for information about filtering IPv6 Routing header packets on Cisco IOS XR Software.

The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 Type 0 Routing header packets sent to any IPv6 interface (configured or link-local) on an IPv6-enabled IOS device and how to filter and deny such packets transiting through the IPv6-enabled IOS device:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to any IPv6 address configured on interfaces of the IPv6-enabled
!-- device (management, loopback, access links, and network/user segments),
!-- IPv6 link-local addresses, or for IPv6 packets transiting through the
!-- IPv6-enabled router that are targeting other IPv6-enabled devices
!-- within the network infrastructure.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
 deny ipv6 any any routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!
The following example ACL policy shows how to filter and deny unauthorized IPv6 Type 0 Routing header packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device and to specific IPv6 link-local addresses, and then deny all other unauthorized IPv6 Type 0 Routing header packets sent to the IPv6 prefix assigned to infrastructure devices:

!-- If device is running Cisco IOS Software release 12.4(2)T or later
!-- Deny all IPv6 extension header Type 0 Routing header packets sent
!-- to IPv6 addresses configured on interfaces of the IPv6-enabled device
!-- (management, loopback, access links, and network/user segments) or
!-- IPv6 link-local addresses.
!
ipv6 access-list DENY-IPv6-TYPE0-RH
 deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0
 deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0
 deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0
 deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0
 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0
!
!-- The following IPv6 addresses are configured on loopback interfaces
!-- for management and BGP peering using /128 prefixes.
 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0
 deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0
!
!-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6
!-- prefix used in the configuration of network infrastructure devices.
 deny ipv6 any 2001:DB8::/32 routing-type 0
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to interface(s) in the ingress direction.
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::0:1:0:1111/96
 ipv6 enable
 ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
!
Note: When filtering with an interface access list, Cisco IOS Software sends an ICMP "destination unreachable" message back to the source of the filtered traffic and logs an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval interval-in-ms [bucketsize] command from global configuration mode.

Control Plane Policing

Administrators can use Control Plane Policing (CoPP) to block untrusted IPv6 Type 0 Routing header packets sent to an IPv6-enabled device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes, minimizing the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to a specific network. This example assumes that the IPv6 addresses configured on an IPv6-enabled device are to be fully restricted from receiving any IPv6 Type 0 Routing header packets.

Note: In the following example, the routing-type IPv6 access list keyword matches only packets with an IPv6 Type 0 Routing header present. It is possible to use the routing IPv6 access list keyword to match all IPv6 Routing header types (0 through 255). However, doing so may impact current operations or future deployments of MIPv6.
If MIPv6 is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended.
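To make the two access-list keywords concrete, the following Python is an added example (not from the Cisco document and not a Cisco tool): it walks the IPv6 header chain laid out in RFC 2460, reports every Routing header it finds, decodes the address list of a Type 0 header, and then models what the routing keyword and the routing-type 0 keyword described above would match. A Type 2 Routing header, as used by MIPv6, matches routing but not routing-type 0, which is the reason the document steers MIPv6 deployments toward routing-type. The packet builders, the ICMPv6 stub, and the sample addresses (taken from the document's 2001:DB8:: examples) are constructed for this illustration; the header layouts follow RFC 2460 sections 3 and 4.4.

```python
import struct
from ipaddress import IPv6Address

# Next Header values from RFC 2460 (43 is the Routing header named in the document).
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS = 0, 43, 44, 60
NH_TCP, NH_ICMPV6 = 6, 58


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    # Constructed helper: fixed 40-byte IPv6 header (version 6, zero traffic
    # class and flow label, payload length, next header, hop limit, src, dst).
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def build_routing_header(next_header, routing_type, addresses, segments_left):
    # Constructed helper: generic Routing header (RFC 2460 section 4.4).
    # Hdr Ext Len counts 8-octet units after the first 8 octets; the 32-bit
    # word after Segments Left is reserved (zero) for Type 0 and Type 2.
    body = b"".join(IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBBBI", next_header, len(body) // 8, routing_type,
                       segments_left, 0) + body


def parse_ipv6(packet):
    """Walk the IPv6 header chain and report every Routing header found.
    For Type 0 the listed intermediate addresses are decoded as well."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, nh, _hop, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) < 40 + payload_len:
        raise ValueError("payload shorter than Payload Length")
    info = {"src": str(IPv6Address(src)), "dst": str(IPv6Address(dst)),
            "routing_headers": [], "upper_layer": None}
    offset = 40
    while nh in (NH_HOP_BY_HOP, NH_DEST_OPTS, NH_ROUTING):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        next_nh, hdr_ext_len = packet[offset], packet[offset + 1]
        length = (hdr_ext_len + 1) * 8
        if nh == NH_ROUTING:
            rh = {"type": packet[offset + 2], "segments_left": packet[offset + 3], "addresses": []}
            if rh["type"] == 0:
                data = packet[offset + 8:offset + length]
                rh["addresses"] = [str(IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
            info["routing_headers"].append(rh)
        nh, offset = next_nh, offset + length
    # A Fragment header (44) or any upper-layer protocol ends the walk; RFC 2460
    # orders the Routing header before the Fragment header, so none is missed.
    info["upper_layer"] = nh
    return info


def acl_matches(info, keyword, rh_type=None):
    # Model of the two IPv6 ACL keywords the document contrasts: 'routing'
    # matches any Routing header type (0 through 255); 'routing-type N' only N.
    if keyword == "routing":
        return bool(info["routing_headers"])
    if keyword == "routing-type":
        return any(rh["type"] == rh_type for rh in info["routing_headers"])
    raise ValueError("unknown keyword: " + keyword)


def classify(packet):
    info = parse_ipv6(packet)
    return {"routing": acl_matches(info, "routing"),
            "routing-type 0": acl_matches(info, "routing-type", 0)}


# Constructed sample packets; the destination and listed hops are the
# document's own 2001:DB8:: example addresses.
ICMP_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 echo request stub, no checksum
RH0_PACKET = build_ipv6("2001:db8:ffff::1", "2001:db8::1:0:1111", NH_ROUTING,
                        build_routing_header(NH_ICMPV6, 0, ["2001:db8::2:0:2222",
                                                            "2001:db8::3:0:3333"], 2) + ICMP_ECHO)
# Mobile IPv6 carries one home address in a Type 2 Routing header (RFC 3775).
RH2_PACKET = build_ipv6("2001:db8:ffff::1", "2001:db8::1:0:1111", NH_ROUTING,
                        build_routing_header(NH_TCP, 2, ["2001:db8:0:1::1"], 1) + b"\x00" * 20)
PLAIN_PACKET = build_ipv6("2001:db8:ffff::1", "2001:db8::1:0:1111", NH_TCP, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("RH0", RH0_PACKET), ("RH2", RH2_PACKET), ("plain", PLAIN_PACKET)]:
        print(name, parse_ipv6(pkt)["routing_headers"], classify(pkt))
```

Running the script shows the RH0 packet matching both keywords, the RH2 packet matching only routing, and the plain TCP packet matching neither; feeding parse_ipv6 the raw bytes of packets from a capture is enough to confirm which hosts an RH0 packet was asking the router to visit.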
In the preceding CoPP example, the access control list entry (ACE) that matches packets with an IPv6 Type 0 Routing header using the permit action causes the policy-map drop function to discard those packets, whereas packets that match an ACE with the deny action (not shown) are not subject to the policy-map drop function. Note that in Cisco IOS Software releases 12.2S and 12.0S, the policy-map syntax is different.

Note: Cisco IOS Software 12.2S and 12.0S currently allow filtering only on all IPv6 Routing header types (0 through 255) using the routing keyword for IPv6 extended access lists. If this capability is used and MIPv6 is deployed at a later time, MIPv6 will not function properly because its packets will be dropped by the CoPP policy.
Additional information about the configuration and use of the CoPP feature is available in Deploying Control Plane Policing and Control Plane Policing for Cisco IOS Release 12.2S.

Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding

Protection against spoofing is available through the proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) for IPv6. Unicast RPF for IPv6 can detect and drop (discard) IPv6 packets that lack a verifiable IPv6 source address. Administrators should not rely on Unicast RPF for IPv6 to provide 100 percent protection, because spoofed packets may still enter the network through a Unicast RPF-enabled interface for which there is a return route to the IPv6 source address within the packet, or may be allowed by Unicast RPF access lists. Additional information about Unicast RPF for IPv6 is available at Unicast RPF for IPv6 on the Cisco 12000 Series. Configuration information for ipv6 verify unicast reverse-path and ipv6 verify unicast source reachable-via [rx|any] (where rx = Unicast RPF strict mode and any = Unicast RPF loose mode) is available in the Cisco IOS 12.3 IPv6 Command Reference. ACLs that prevent spoofing, coupled with Unicast RPF for IPv6, provide an added layer of threat mitigation against spoofed packets with a Type 0 Routing header present. The Unicast RPF for IPv6 feature requires Cisco Express Forwarding.
Cisco ASA, PIX, and Firewall Services Module Firewalls

The Cisco ASA 5500 Series Adaptive Security Appliance (ASA), the Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers do not process, and will drop, IPv6 Type 0 Routing header packets by default. These firewall products do not have the ability to filter on IPv6 Routing headers or on explicit IPv6 Routing header types; however, IPv6 access lists can be used to explicitly deny unauthorized or permit authorized IPv6 traffic based on the source and destination IPv6 addresses, the source and destination port numbers, and the protocol number of the traffic administrators want to filter. The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 packets sent to specific IPv6-enabled hosts behind the firewall, and permits only authorized BGP traffic on TCP port 179 from trusted hosts used for BGP peering over IPv6:
!-- Deny all unauthorized IPv6 traffic to specific IPv6 devices that are
!-- behind the firewall.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:1:0:1111
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:2:0:2222
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:3:0:3333
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:4:0:4444
!
!-- Permit authorized IPv6 packets for traffic between IPv6 BGP peers on
!-- TCP port 179.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:f00d host 2001:DB8::0:f:0:ffff eq bgp
ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:ffff host 2001:DB8::0:f:0:f00d eq bgp
!
!-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Apply IPv6 ACL to the outside interface in the ingress direction.
access-group DENY-IPv6-ALL-RH-TYPES in interface outside
!

Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers

Filtering Routing Header Packets Using Access Lists

Cisco IOS Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets being filtered with any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:
In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 29 on ACE sequence ID 80, 77 on ACE sequence ID 90, and 137 on ACE sequence ID 100.

Cisco IOS XR Software

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show access-lists ipv6 command to identify the number of IPv6 packets being filtered in hardware or software for any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0 (packets denied in hardware) and show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES (packets denied in software) follows:

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (69 hw matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (17 hw matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (54 hw matches)
 100 deny ipv6 any 2001:DB8::/32 routing (185 hw matches)
 -- ACL Policy Truncated --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security --
 -- policies and configurations. --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied in hardware 69 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 17 on ACE sequence ID 80, 54 on ACE sequence ID 90, and 185 on ACE sequence ID 100.

RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (3 matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (2 matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (5 matches)
 100 deny ipv6 any 2001:DB8::/32 routing (3 matches)
 -- ACL Policy Truncated --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security --
 -- policies and configurations. --
RP/0/0/CPU0:iosxr-router#

In the preceding example, the access list DENY-IPv6-ALL-RH-TYPES, which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied in software 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 2 on ACE sequence ID 80, 5 on ACE sequence ID 90, and 3 on ACE sequence ID 100.
Filtering Type 0 Routing Header Packets Using Access Lists

After the IPv6 access list is applied to an interface in the ingress direction, the show ipv6 access-list command can be used to identify the number of IPv6 Type 0 Routing header packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-TYPE0-RH follows:
In the preceding example, the access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 156 IPv6 Type 0 Routing header packets on ACE sequence ID 10.
In the preceding example, access list DENY-IPv6-TYPE0-RH, which is applied in the ingress direction on interface GigabitEthernet0/0, denied 9 IPv6 Type 0 Routing header packets on ACE sequence ID 10, 127 on ACE sequence ID 40, and 173 on ACE sequence ID 100.

Control Plane Policing

With Control Plane Policing (CoPP), after the policy map is applied to the control plane, administrators can use the show policy-map control-plane and show ipv6 access-list commands to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine whether they are being used maliciously. Example output for show policy-map control-plane and show ipv6 access-list DROP-IPv6-RH0 follows:
In the preceding example, the CoPP policy dropped 41 IPv6 packets (total) with a Type 0 Routing header by using the access control list DROP-IPv6-RH0, which is associated with CoPP.

Spoofing Protection Using IPv6 Unicast RPF

With Unicast RPF for IPv6 properly deployed and configured throughout the network infrastructure, administrators can use the show ipv6 interface, show cef drop, show cef interface type slot/port internal, and show ipv6 traffic commands to identify the number of IPv6 packets that Unicast RPF for IPv6 has dropped.

Note: The show command | begin regexp and show command | include regexp command modifiers are used in the following examples to minimize the amount of output that administrators need to parse to view the desired information. Additional information about command modifiers is available in the "show command" sections of the Cisco IOS Configuration Fundamentals Command Reference.

Note: show cef interface type slot/port internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.
In the preceding examples, Unicast RPF for IPv6 has dropped 12 IPv6 packets received on interface GigabitEthernet0/0 because the source address of the IPv6 packets could not be verified against the Cisco Express Forwarding Forwarding Information Base.

Cisco ASA, PIX, and FWSM Firewalls

After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:

firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host 2001:db8::f:0:ffff eq bgp (hitcnt=11)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host 2001:db8::f:0:f00d eq bgp (hitcnt=9)
firewall#

In the preceding example, access list DENY-IPv6-ALL-RH-TYPES denied a total of 124 unauthorized IPv6 packets on lines 2, 4, and 5 for hosts behind the IPv6-enabled firewall, and permitted a total of 20 authorized IPv6 packets on lines 6 and 7 from known trusted hosts for BGP on TCP port 179. IPv6 access list DENY-IPv6-ALL-RH-TYPES is applied in the ingress direction on interface outside.
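Reading the hit counters by eye, as the troubleshooting sections above do, does not scale to a fleet of devices, so here is an added Python example (not from the Cisco document and not a Cisco tool) that parses the Cisco IOS XR show access-lists ipv6 format and the ASA/PIX/FWSM show ipv6 access-list format shown in this section, and reports which deny entries have matched traffic and the denied and permitted totals. The sample outputs are copied from this document's own examples (the IOS XR software-counter sample is an excerpt of four lines); the regular expressions and the Ace record are this example's own assumptions about the line formats and are what to adjust for other platforms.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "seq action rule count hw")

# Cisco IOS XR 'show access-lists ipv6' entry: "<seq> deny|permit <rule> [(N [hw ]matches)]"
XR_ACE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
                    r"(?:\s+\((?P<count>\d+)\s+(?P<hw>hw\s+)?matches\))?\s*$")
# ASA/PIX/FWSM 'show ipv6 access-list' entry:
# "ipv6 access-list <name> line <n> deny|permit <rule> (hitcnt=N)"
ASA_ACE = re.compile(r"^\s*ipv6 access-list \S+ line (?P<seq>\d+) (?P<action>permit|deny) "
                     r"(?P<rule>.*?) \(hitcnt=(?P<count>\d+)\)\s*$")


def parse_acl_counters(text):
    """Return one Ace per permit/deny entry in the show output.
    Prompts, the ACL name line, remarks and '-- ... --' comment lines are
    skipped; an entry printed without a counter is reported with count 0."""
    entries = []
    for line in text.splitlines():
        m = XR_ACE.match(line) or ASA_ACE.match(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append(Ace(int(g["seq"]), g["action"], g["rule"].strip(),
                           int(g["count"] or 0), bool(g.get("hw"))))
    return entries


def denied_by_seq(entries):
    """Sequence IDs of deny entries that have matched traffic, with their counts."""
    return {e.seq: e.count for e in entries if e.action == "deny" and e.count > 0}


def totals(entries):
    """(denied, permitted) packet totals, the figures the document's prose quotes."""
    denied = sum(e.count for e in entries if e.action == "deny")
    permitted = sum(e.count for e in entries if e.action == "permit")
    return denied, permitted


# Sample outputs copied from the document's examples above.
XR_HARDWARE_OUTPUT = """
RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0
ipv6 access-list DENY-IPv6-ALL-RH-TYPES
 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (69 hw matches)
 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing
 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing
 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing
 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing
 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (17 hw matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (54 hw matches)
 100 deny ipv6 any 2001:DB8::/32 routing (185 hw matches)
 -- ACL Policy Truncated --
 -- Permit/deny all other IPv6 Layer 3 and Layer 4 --
 -- traffic in accordance with existing security --
 -- policies and configurations. --
RP/0/0/CPU0:iosxr-router#
"""
XR_SOFTWARE_EXCERPT = """
 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (3 matches)
 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (2 matches)
 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (5 matches)
 100 deny ipv6 any 2001:DB8::/32 routing (3 matches)
"""
ASA_OUTPUT = """
firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES
ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall --
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host 2001:db8::f:0:ffff eq bgp (hitcnt=11)
ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host 2001:db8::f:0:f00d eq bgp (hitcnt=9)
firewall#
"""

if __name__ == "__main__":
    for name, text in [("XR hardware", XR_HARDWARE_OUTPUT), ("XR software", XR_SOFTWARE_EXCERPT),
                       ("ASA", ASA_OUTPUT)]:
        entries = parse_acl_counters(text)
        print(name, denied_by_seq(entries), totals(entries))
```

Pointed at the outputs above, the script reproduces the document's figures (325 hardware-denied and 13 software-denied packets on the IOS XR router, 124 denied and 20 permitted on the firewall); polling the same commands on a schedule and alerting when denied_by_seq gains a sequence ID, or when a count jumps, is the practical follow-up to "filtered packets should be investigated".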
References

RFC 1883, Internet Protocol, Version 6 (IPv6) Specification (obsoleted)
RFC 2460, Internet Protocol, Version 6 (IPv6) Specification (current)
IPv6 Routing Headers Security, presented at CanSecWest/core07 by Philippe Biondi and Arnaud Ebalard
The IPv6 Type 0 Routing Header Issue
Scapy (Philippe Biondi) and Scapy6 (IPv6 extension for Scapy, Guillaume Valadon and Arnaud Ebalard)
IPv6 Ping Pong, May 2007, by Geoff Huston
Experts Scramble to Quash IPv6 Flaw, 2007-05-09 (May 9, 2007), by Robert Lemos, SecurityFocus
Five Security Flaws in IPv6
IPv6 Protocol Type 0 Route Header Denial of Service Vulnerability
Deprecation of Type 0 Routing Headers in IPv6
Security of IPv6 Routing Header and Home Address Option
Note About Routing Header Processing on IPv6 Hosts
IPv6 Type 0 Routing Header Processing
Deprecation of Type 0 Routing Headers in IPv6
Firewalling Considerations for IPv6
Detecting Loops in the IPv6 Routing Header Type 0
IPv6 Transition/Co-existence Security Considerations
IPv6 Home Page on Cisco.com
IPv6 Extension Headers Review and Considerations
Cisco IOS IPv6 Command Reference
Cisco IOS IPv6 Configuration Library
Unicast RPF for IPv6 on the Cisco 12000 Series

This document is part of the Cisco Security Center. This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
Caution: If MIPv6 is deployed within the infrastructure, the ACL policies that use the routing keyword may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.