<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ipv6 sourceguard and leasequeries in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ipv6-sourceguard-and-leasequeries/m-p/4503035#M1085102</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I have a problem with the recovery mechanism in IPv6 that uses DHCP leasequeries.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have been trying to implement IPv6 security measures in our network, the equivalent of DHCP snooping and ARP inspection on IPv4.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For this I try to use the SISF-based snooping implementation.&lt;/P&gt;&lt;P&gt;It has been a real hassle so far: documentation describing different implementations, devices reporting duplicate addresses because of the probes, etc.&lt;/P&gt;&lt;P&gt;I think I have an implementation now that is OK when it comes to raguard and dhcp-guard.&lt;/P&gt;&lt;P&gt;There does not seem to be a real equivalent of dynamic ARP inspection, so I am looking to implement ipv6 source-guard in order to provide a bit of security on the host level.&lt;/P&gt;&lt;P&gt;The idea is that we force the hosts to get an IP address through DHCP; that way they get into the device-tracking table, and there we can then implement that the host is allowed to send traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;IPv6 source guard seems to work OK, as long as your device sends a solicit, so it can properly snoop the data and set the info in the database.&lt;/P&gt;&lt;P&gt;But if you, e.g., disconnect your cable and reconnect, the entry will be deleted when you disconnect, and when you reconnect the host is sending DHCP CONFIRMs, not solicits.&lt;/P&gt;&lt;P&gt;The CONFIRM arguably does not contain the necessary info to update the database, so normally a recovery mechanism then joins in.&lt;/P&gt;&lt;P&gt;Now it's this recovery mechanism that doesn't seem to work when it should.&lt;/P&gt;&lt;P&gt;So as I understand it, when the host sends out traffic and the entry is not in the database, the switch will then send a leasequery out to the DHCP server in order to find out if the host has a DHCP entry.&lt;/P&gt;&lt;P&gt;For this the switch needs to have an IPv6 address; it only has an SVI in a mgmt VLAN, so in order to send the leasequery for a host in the user VLAN, the switch will send a leasequery via the management VLAN to the DHCP server.&lt;BR /&gt;(note: we have different DHCP servers per VRF, meaning we will have to list ALL the DHCP servers as we have all those VLANs on a switch?)&lt;/P&gt;&lt;P&gt;There is a nice debug option "debug ipv6 dhcp leasequery" so I can track them, and I can see that on some occasions the leasequeries are indeed being sent and the entry gets placed into the database.&lt;/P&gt;&lt;P&gt;(it's set as a PKT entry, not DH6, but that seems OK for source-guard)&lt;/P&gt;&lt;P&gt;The problem is that I cannot predict when the leasequeries are being sent.&lt;/P&gt;&lt;P&gt;If I plug in a PC it does not seem to work, e.g. disconnect and reconnect the cable.&lt;BR /&gt;Usually after about 30 minutes or so, the switch would suddenly start sending leasequeries.&lt;/P&gt;&lt;P&gt;If I reboot the switch, the leasequery sometimes seems to happen, sometimes not.&lt;/P&gt;&lt;P&gt;If I want to have this implemented it should always work straight away.&lt;BR /&gt;Am I doing something wrong? Do other people have the same problem?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The configuration used is:&lt;/P&gt;&lt;P&gt;ipv6 source-guard policy ipv6-sg-host&lt;BR /&gt;permit link-local&lt;BR /&gt;validate address&lt;BR /&gt;deny global-autoconf&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;device-tracking policy SOURCE_GUARD_HOST&lt;BR /&gt;data-glean recovery dhcp&lt;BR /&gt;no protocol udp&lt;BR /&gt;tracking disable&lt;BR /&gt;!&lt;BR /&gt;device-tracking policy SWITCH-TRUSTED&lt;BR /&gt;trusted-port&lt;BR /&gt;security-level glean&lt;BR /&gt;device-role switch&lt;BR /&gt;no protocol udp&lt;BR /&gt;tracking disable&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the user interface:&lt;/P&gt;&lt;P&gt;device-tracking attach-policy SOURCE_GUARD_HOST&lt;BR /&gt;ipv6 source-guard attach-policy ipv6-sg-host&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the uplink:&lt;/P&gt;&lt;P&gt;device-tracking attach-policy SWITCH-TRUSTED&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Mon, 15 Nov 2021 16:48:40 GMT</pubDate>
    <dc:creator>tom.vanhout</dc:creator>
    <dc:date>2021-11-15T16:48:40Z</dc:date>
    <item>
      <title>ipv6 sourceguard and leasequeries</title>
      <link>https://community.cisco.com/t5/network-security/ipv6-sourceguard-and-leasequeries/m-p/4503035#M1085102</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I have a problem with the recovery mechanism in IPv6 that uses DHCP leasequeries.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have been trying to implement IPv6 security measures in our network, the equivalent of DHCP snooping and ARP inspection on IPv4.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For this I try to use the SISF-based snooping implementation.&lt;/P&gt;&lt;P&gt;It has been a real hassle so far: documentation describing different implementations, devices reporting duplicate addresses because of the probes, etc.&lt;/P&gt;&lt;P&gt;I think I have an implementation now that is OK when it comes to raguard and dhcp-guard.&lt;/P&gt;&lt;P&gt;There does not seem to be a real equivalent of dynamic ARP inspection, so I am looking to implement ipv6 source-guard in order to provide a bit of security on the host level.&lt;/P&gt;&lt;P&gt;The idea is that we force the hosts to get an IP address through DHCP; that way they get into the device-tracking table, and there we can then implement that the host is allowed to send traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;IPv6 source guard seems to work OK, as long as your device sends a solicit, so it can properly snoop the data and set the info in the database.&lt;/P&gt;&lt;P&gt;But if you, e.g., disconnect your cable and reconnect, the entry will be deleted when you disconnect, and when you reconnect the host is sending DHCP CONFIRMs, not solicits.&lt;/P&gt;&lt;P&gt;The CONFIRM arguably does not contain the necessary info to update the database, so normally a recovery mechanism then joins in.&lt;/P&gt;&lt;P&gt;Now it's this recovery mechanism that doesn't seem to work when it should.&lt;/P&gt;&lt;P&gt;So as I understand it, when the host sends out traffic and the entry is not in the database, the switch will then send a leasequery out to the DHCP server in order to find out if the host has a DHCP entry.&lt;/P&gt;&lt;P&gt;For this the switch needs to have an IPv6 address; it only has an SVI in a mgmt VLAN, so in order to send the leasequery for a host in the user VLAN, the switch will send a leasequery via the management VLAN to the DHCP server.&lt;BR /&gt;(note: we have different DHCP servers per VRF, meaning we will have to list ALL the DHCP servers as we have all those VLANs on a switch?)&lt;/P&gt;&lt;P&gt;There is a nice debug option "debug ipv6 dhcp leasequery" so I can track them, and I can see that on some occasions the leasequeries are indeed being sent and the entry gets placed into the database.&lt;/P&gt;&lt;P&gt;(it's set as a PKT entry, not DH6, but that seems OK for source-guard)&lt;/P&gt;&lt;P&gt;The problem is that I cannot predict when the leasequeries are being sent.&lt;/P&gt;&lt;P&gt;If I plug in a PC it does not seem to work, e.g. disconnect and reconnect the cable.&lt;BR /&gt;Usually after about 30 minutes or so, the switch would suddenly start sending leasequeries.&lt;/P&gt;&lt;P&gt;If I reboot the switch, the leasequery sometimes seems to happen, sometimes not.&lt;/P&gt;&lt;P&gt;If I want to have this implemented it should always work straight away.&lt;BR /&gt;Am I doing something wrong? Do other people have the same problem?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The configuration used is:&lt;/P&gt;&lt;P&gt;ipv6 source-guard policy ipv6-sg-host&lt;BR /&gt;permit link-local&lt;BR /&gt;validate address&lt;BR /&gt;deny global-autoconf&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;device-tracking policy SOURCE_GUARD_HOST&lt;BR /&gt;data-glean recovery dhcp&lt;BR /&gt;no protocol udp&lt;BR /&gt;tracking disable&lt;BR /&gt;!&lt;BR /&gt;device-tracking policy SWITCH-TRUSTED&lt;BR /&gt;trusted-port&lt;BR /&gt;security-level glean&lt;BR /&gt;device-role switch&lt;BR /&gt;no protocol udp&lt;BR /&gt;tracking disable&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the user interface:&lt;/P&gt;&lt;P&gt;device-tracking attach-policy SOURCE_GUARD_HOST&lt;BR /&gt;ipv6 source-guard attach-policy ipv6-sg-host&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the uplink:&lt;/P&gt;&lt;P&gt;device-tracking attach-policy SWITCH-TRUSTED&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 15 Nov 2021 16:48:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipv6-sourceguard-and-leasequeries/m-p/4503035#M1085102</guid>
      <dc:creator>tom.vanhout</dc:creator>
      <dc:date>2021-11-15T16:48:40Z</dc:date>
    </item>
  </channel>
</rss>