Most firewalls support prefix assignment and default-gateway discovery through the ICMPv6 Router Advertisement (RA) messages.
The general concept is that the client solicits, or waits for, the periodic advertisements to learn the usable IPv6 prefix(es) and gateway information.
First off, the biggest security issue within an IPv6 network is the risk of an impostor spoofing the IPv6 gateway. On Cisco and most other routers you have the means to set the router preference so that, when two or more IPv6 gateways serve the same LAN, hosts know which one to prefer.
In most IOS versions it is configured with the following interface command on routers or L3 switches:
ipv6 nd router-preference { high | medium | low }
But on the commercial firewalls we don't have this option. Outside of an open-source firewall platform (pfSense, Linux, etc.), the router preference in the RA is left at the RFC 4191 default of "medium", so any RA that carries "high" outranks the firewall's.
(Figure: a Juniper SRX configuration with aggressive intervals)
So what this means:
- An impostor could hijack your IPv6 hosts' default gateway.
- An impostor who spoofs your firewall's link-local address could construct an RA and redirect all traffic to the hijacker.
- You are exposed to MITM attacks.
- An impostor could replay forged RAs and disrupt connectivity.
- An impostor could inject a spoofed RA with the router lifetime set to zero, which tells hosts to stop using that router as their default gateway.
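As an added example (not code from the original post), the Python script below parses the ICMPv6 Router Advertisement header and the two options that matter here, then audits a small set of RAs against a known-good gateway and flags exactly the abuses listed above: an RA from an unknown router, an RA that carries the firewall's link-local address but a different source link-layer address (link-local spoof), a "high" preference that outranks the firewall's default "medium", and a router lifetime of zero. The gateway link-local fe80::1, its MAC, the attacker's MAC and the prefix 2001:db8:1::/64 are assumed sample values, and the packets are constructed in the script rather than captured.

```python
"""Parse ICMPv6 Router Advertisements and flag rogue-RA patterns. Added example;
addresses, MACs and the prefix are assumed sample values, packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ND_ROUTER_ADVERT = 134   # ICMPv6 type for a Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1       # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
# Prf field (RFC 4191): 01 high, 00 medium, 11 low; 10 is reserved and treated as medium
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PRF_CODES = {"high": 0b01, "medium": 0b00, "low": 0b11}


@dataclass
class RouterAdvert:
    src: str                      # IPv6 source of the RA (should be the gateway's link-local)
    hop_limit: int
    preference: str
    router_lifetime: int          # seconds; 0 means "do not use me as a default router"
    prefixes: List[str] = field(default_factory=list)
    src_mac: Optional[str] = None


def build_ra(hop_limit: int = 64, preference: str = "medium", router_lifetime: int = 1800,
             prefixes: Tuple[Tuple[str, int], ...] = (), src_mac: Optional[str] = None) -> bytes:
    """Build the ICMPv6 payload of an RA. The checksum stays 0: it covers an IPv6
    pseudo-header that this example does not model."""
    flags = PRF_CODES[preference] << 3          # Prf occupies bits 3-4 of the flags byte
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                       router_lifetime, 0, 0)    # reachable time / retrans timer unspecified
    if src_mac:
        body += struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    for prefix, plen in prefixes:
        # L+A flags set, valid 30 days, preferred 7 days (RFC 4861 defaults)
        body += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, 0xC0,
                            2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    return body


def parse_ra(src: str, payload: bytes) -> RouterAdvert:
    """Decode the RA header and the two options the audit needs."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = RouterAdvert(src=src, hop_limit=hop, preference=PRF_NAMES[(flags >> 3) & 0x3],
                      router_lifetime=lifetime)
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: receiver must discard
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra.src_mac = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            ra.prefixes.append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        off += olen * 8
    return ra


def audit_ra(ra: RouterAdvert, trusted: Dict[str, str], expected_prefixes: Set[str]) -> List[str]:
    """Compare one RA with the known-good gateways (link-local -> MAC)."""
    findings = []
    if ra.src not in trusted:
        findings.append(f"RA from unknown router {ra.src}: rogue gateway")
    elif ra.src_mac and ra.src_mac != trusted[ra.src]:
        findings.append(f"RA from {ra.src} with MAC {ra.src_mac}, expected {trusted[ra.src]}: link-local spoof")
    if ra.router_lifetime == 0:
        findings.append(f"router lifetime 0 from {ra.src}: hosts will drop it as default gateway")
    if ra.preference == "high":
        findings.append(f"high router preference from {ra.src}: outranks the firewall's default 'medium'")
    for p in ra.prefixes:
        if p not in expected_prefixes:
            findings.append(f"unexpected prefix {p} from {ra.src}")
    return findings


# Assumed values for the example LAN: the firewall's link-local, its MAC and the one valid prefix.
TRUSTED_GATEWAYS = {"fe80::1": "00:11:22:33:44:55"}
LAN_PREFIXES = {"2001:db8:1::/64"}

# Constructed capture of (source address, ICMPv6 payload); not real traffic.
SAMPLE_CAPTURE = [
    ("fe80::1", build_ra(prefixes=(("2001:db8:1::", 64),), src_mac="00:11:22:33:44:55")),  # genuine firewall RA
    ("fe80::bad", build_ra(preference="high", prefixes=(("2001:db8:1::", 64),),
                           src_mac="de:ad:be:ef:00:01")),                                    # rogue router, wins on preference
    ("fe80::1", build_ra(router_lifetime=0, src_mac="de:ad:be:ef:00:01")),                  # attacker spoofing fe80::1, lifetime 0
]


def audit_capture(capture=SAMPLE_CAPTURE, trusted=TRUSTED_GATEWAYS, prefixes=LAN_PREFIXES):
    """Return {packet index: [findings]} for a list of (src, payload) tuples."""
    return {i: audit_ra(parse_ra(src, payload), trusted, prefixes) for i, (src, payload) in enumerate(capture)}


if __name__ == "__main__":
    for i, findings in audit_capture().items():
        print(f"packet {i}: {'clean' if not findings else '; '.join(findings)}")
```

Running it prints the first packet as clean and the other two with their findings. The same audit_ra check can be pointed at live RAs (for example the ICMPv6 payloads from a tcpdump capture filtered with `icmp6 and ip6[40] == 134`), which is a cheap way to see whether a rogue router is already on the segment before switch-level protection is in place.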
Okay, so the only way we can protect ourselves is to deploy IPv6 spoof protection (RA Guard, ND inspection and IPv6 snooping, collectively "first-hop security"), which is available on Cisco and Juniper L2/L3 switches. This protection drops spoofed RAs and ND messages arriving on untrusted ports.
e.g. ( sample Cisco 2960S configuration )
!
! RA Guard policy for host ports: device-role host (the default) drops every RA
! received on the port; the prefix-list match is an extra filter (deny-v6 is defined separately)
ipv6 nd raguard policy HOSTONLY-RA
 match ra prefix-list deny-v6
!
! ND inspection: one address per port, source MAC must match the ND option, drop unsecured messages
ipv6 nd inspection policy PROT-ND
 validate source-mac
 sec-level minimum 1
 limit address-count 1
 drop-unsecure
!
ipv6 nd inspection policy Trust
 trusted-port
!
ipv6 snooping policy PROTECT-ipv6-snooping
 limit address-count 1
 tracking enable
!
ipv6 snooping policy Trust
 trusted-port
!
! Global settings (these are not interface commands): device tracking and ICMPv6 error rate-limiting
ip device tracking
ipv6 icmp error-interval 80
!
! Untrusted access port facing a host
interface GigabitEthernet1/0/1
 ipv6 nd raguard attach-policy HOSTONLY-RA
 ipv6 nd inspection attach-policy PROT-ND
 ipv6 snooping attach-policy PROTECT-ipv6-snooping
!
! The Trust policies are attached the same way to the uplink that faces the firewall/router
The above will protect Layer 2 access ports from rogue and spoofed advertisements, but this might not be available on a low-end switch or on non-Cisco hardware (e.g. D-Link, HP, TRENDnet, etc.).
Keep in mind that router advertisements are crucial in an IPv6 network and expose you to a high degree of risk if tampered with.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \