Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4649
Views
10
Helpful
6
Replies

IPv6 HSRP and ND RA SUPPRESS

markhamilton
Beginner
Beginner

‎11-22-2013 11:14 AM - edited ‎03-01-2019 05:42 PM

I have two 7206 routers and 2 3560G switches in a mesh.  I use HSRP to move the gateways around if there are failures etc...  I have been using this with ipv4 for some time and it works well.  We can have any 2 of the devices fail and the network will automatically heal.

In comes ipv6.

I set up ipv6 hsrp and assigned a link local gateway as detailed in any number of documents.  When I brought up ipv6 on a host in the vlan I was testing, it it got the hsrp virtual ip for the gateway just fine and everything was peachy.  The server did set itself up with another global unicast address besides the one I set statically.  *shrug*  Didn't think it was a big deal since I still have 18 quintillion more to play with.

Here is where the issue comes in.

I decided that there were several ways I could think of to abuse the router announcements or use them as a security hole.  I know, some people just say to secure your network.  I actually have some security on the network.  There are no open ports on any switch that are on any sensitive vlan.  Also if anything is removed from a switch or added to a switch we are instantly notified.  Still I wanted to explore removing the posibility of using the auto configuration as an easy way onto a network to exploit it or the router announcements as a way to mess up the network.

To remove some of this I turned off router announcements on both routers.

ipv6 nd ra suppress

Now, when I restarted the network on the server I expected to see no gateways.  It did change but not the way I expected.  Now instead of having one gateway to the hsrp virtual address like I had previously I now had two gateways to the actual link local ip address on the interface of each router.  I could still define the correct gateway in the server and things still worked but I don't know why the other gateways show up.  Shouldn't the suppress stop all router announcements?

BTW, this is on a 12.4 ios so there is no "ipv6 nd ra suppress all" command but the "ipv6 nd ra suppress" is supposed to supress both auto announcements and solicited announcements.

I decided to see if it was something strange with hsrp so I took it all out for ipv6.  The behavior didn't change.  It seems that even with the supress the routers are still answering to a solicitation.  Reading around on the internet I have seen other with a similar issue.  They recommend this:

ipv6 nd prefix default 3600 3600 no-autoconfig

Theoretically this will allow the announcements but tell the servers that they should not auto config a default gateway.  This also failed to stop the gateways from showing up with or withou the "ipv6 nd ra suppress."  It seems it is almost impossible to stop a cisco router from telling everyone it is the a router and gateway to me.

I suppose this could be the implementation of the IPv6 stack in the server.  I am using a Centos 6 box to test with.  It is possible that the server is ignoring the fact that the A bit is not set in the slaac packet.

At this point, to avoid the remote possibility of someone plugging into the network and advertising a default route I will just make sure auto config is off on all of the servers.  If they never solicit a router or listen to router announcements they will not care if a rogue router appears.

Any other thoughts on this?  Am I worrying about something that is a non issue?

Thanks

Mark

Labels:
0 Helpful
6 Replies 6

Andrew Yourtchenko
Cisco Employee
Cisco Employee

‎11-22-2013 11:34 AM

'but the "ipv6 nd ra suppress" is supposed to supress both auto announcements and solicited announcements.'  <-- no. "nd ra suppress", since its inception was suppressing only the periodic announcements.

But, the problem is really not in the routers -  the fact that the servers are configured to listen to the RAs is the problem.

You prevent 7200s from sending RAs, someone comes into the network and accidentally plugs another router, now what ?

So you need to make the servers disregard the RAs.

On linux you'll need to do "sysctl -w net.ipv6.conf.all.accept_ra=0" somewhere during the startup.

On MacOS X it's "sysctl -w net.inet6.ip6.accept_rtadv=0"

(maybe someone will chime in for Windows)

0 Helpful

markhamilton
Beginner
Beginner
In response to Andrew Yourtchenko

‎11-22-2013 12:03 PM

Thank you for your quick reply.  I had kind of come to the same conclusion by the end of my rambling above.  I thought about digging into ra guard in the switches but I think that would just add more complexity to the network and apparently there are still ways of getting around it.

On a Centos box you need to do something like this:

In the ifcfg-eth0 file:

IPV6INIT=yes

IPV6_AUTOCONF=no

IPV6_DEFAULTGW=fe80::1

IPV6_DEFAULTDEV=eth0

IPV6ADDR=2001:DB8::21/64

One gotya I ran into early on was the need for this in the /etc/sysconfig/network file:

NETWORKING_IPV6=yes

IPV6FORWARDING=no

IPV6_AUTOTUNNEL=no

IPV6_AUTOCONF=no

The important and non intuitive one is the last one.  Without the "IPV6_AUTOCONF=no" at the network level the server will not set "sysctl -w net.ipv6.conf.all.accept_ra=0" as you stated ubove.  This will cause all of the interfaces to autoconfig even when autoconfig is turned off at the interface.

I don't have any mac servers at the moment.  I try very hard to keep windows off the network although we have some customers that use it so I suppose I will have to experiment with it.

I guess I will have to look into ipv6 rogue router detection tools when I start to roll ipv6 out to the wireless and public networks.


0 Helpful