When planning the LAN security needed to deploy IPv6, Router Advertisement (RA) is usually the first thing overlooked.
A solution to address the security concerns with IPv6 RA and rogue DHCPv6 is needed. On IPv4 networks we have the option of using DHCP snooping to stop unauthorized DHCP servers from handing out address information. With IPv6, any host can announce itself as a router (using RA) and cause the other hosts on the network to suddenly start using it as their router. This makes it possible for hosts to inadvertently disrupt network service (Vista) or even be used maliciously to perform a man-in-the-middle attack and intercept your traffic. Similarly, with DHCPv6 there is nothing stopping a host from trying to hand out stateful IPv6 address configuration.
Even worse, since modern hosts give priority to IPv6 traffic, it becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router on IPv4-only networks. So there are security concerns even for networks that do not run IPv6 at all.
It goes without saying that this needs to be addressed before IPv6 can be deployed on most campus and corporate networks where users manage their own PCs.
Cisco has introduced one solution, known as RA Guard. It’s a work in progress, but hopefully we will start seeing it offered on their LAN switch products.
There is still a lack of work on DHCPv6 snooping, which will also be necessary for LAN security.
These two technologies are critical to deployment of IPv6 to the edge for the corporate world. Hopefully switch vendors will address them sooner rather than later.
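As an added illustration (not from the original post), here is a small Python check a defender could run over captured frames: it parses an ICMPv6 Router Advertisement and flags any RA whose sender is not on an allow-list of known routers, which is the same policy RA Guard applies in the switch. The allow-list entry and the sample frames are constructed for the example; a real deployment would feed in frames from a capture and its own router inventory.

```python
import ipaddress
import struct

RA_TYPE = 134  # ICMPv6 Router Advertisement (RFC 4861)

# Constructed allow-list: (MAC, link-local address) pairs of the routers that are
# authorised to send RAs on this segment. Replace with your own inventory.
AUTHORIZED_ROUTERS = {("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455")}

def build_ra_frame(src_mac, src_ll, prefix, managed=False, hop_limit=255):
    """Constructed sample frame: Ethernet + IPv6 + ICMPv6 RA with one Prefix
    Information option. The ICMPv6 checksum is left at zero; this is test input
    for the parser, not a frame meant to be transmitted."""
    net = ipaddress.IPv6Network(prefix)
    flags = 0x80 if managed else 0x00  # M flag: tells hosts to use DHCPv6 for addresses
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    icmp += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)  # next header 58 = ICMPv6
    ip6 += ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp

def inspect_ra(frame, authorized=AUTHORIZED_ROUTERS):
    """Return None if the frame is not an RA, otherwise a verdict dict.
    An RA is 'rogue' when its (MAC, source address) pair is not on the allow-list;
    hop limit 255 and a link-local source are what RFC 4861 requires of a valid RA."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None
    icmp = frame[54:]
    if icmp[0] != RA_TYPE:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ipaddress.IPv6Address(frame[22:38])
    prefixes, pos = [], 16  # options start after the 16-byte RA header
    while pos + 8 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0:  # malformed option; stop rather than loop forever
            break
        if opt_type == 3 and opt_len == 32 and pos + 32 <= len(icmp):
            prefixes.append(f"{ipaddress.IPv6Address(icmp[pos + 16:pos + 32])}/{icmp[pos + 2]}")
        pos += opt_len
    return {
        "src_mac": src_mac,
        "src_ip": str(src_ip),
        "rogue": (src_mac, str(src_ip)) not in authorized,
        "rfc4861_ok": frame[21] == 255 and src_ip.is_link_local,
        "managed_dhcpv6": bool(icmp[5] & 0x80),  # an RA steering hosts to a DHCPv6 server
        "prefixes": prefixes,
    }
```

The `managed_dhcpv6` field matters because a rogue RA with the M flag set is also how hosts get pointed at a rogue DHCPv6 server, so the two problems the post raises surface in the same packet.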
There is an IETF problem statement that explains the issues described above in detail:
This site is published by Ray Soucy, 239 Forest Avenue, Orono, ME, 04473.
Copyright © 2009, by Ray Patrick Soucy.