IPv6 NDP Table Exhaustion Attack

901563ravi
Level 1

Hi,

Can anyone please explain the use of /64 when some IPv6 experts have predicted an IPv6 NDP table exhaustion attack with the use of /64 in your access layer?

So, is it best to use /120, or keep using /64 with some control plane policing mechanism to prevent NDP table exhaustion attacks?

Can you please share your thoughts?

Thanks

Ramu

6 Replies

fabios
Level 1

Hi Ramu,

Your question was a very interesting one at least to me. I had to dig into the standards and I loved what I found.

The best way to reply to you is the following, which is great:

http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

Hope you will find it entertaining.

Cheers

Fabio

Hi Fabio,

I read the presentation from Jeff S Wheeler and it is a very good presentation on NDP exhaustion attacks.

I am currently designing a test IPv6 network replicating our existing enterprise topology. So, as a best practice design dot point: should I use /120 at the access layer to prevent NDP exhaustion attacks from inside the company and use an interface policer on the Internet edge to prevent attacks from outside the company as an interim measure until vendors come up with some workaround, or should I completely ignore this security threat and follow the standards?

Thanks

Ramu

Ramu,

provided that, whatever suggestion anybody could provide, whoever has to live with the consequences is the one who implements it ... I would say the decision is yours.

My thoughts on this are:

- execute a risk assessment and evaluate the trustworthiness of your inside users: if they are not security savvy or are untrustworthy, I would roll out the safest possible network;

- establish a good security policy and acceptable usage policy and bind all users to it (approved by top-level management) so you can restrict usage to an acceptable (from a security standpoint) level and discipline abuses;

My recommendation is to go with the /64 if you can and use the /120 if you must. This is because things like autoconfiguration work if you keep the /64 (48-bit MAC and 16 bits in the middle).

You can defend at the perimeter by filtering any address not aimed at a server visible/accessible from outside, and you can confine them to a /120 from an access list point of view while still using a /64 on their subnet. Clients will access the Internet through CBAC or reflexive access lists so as to punch holes only when a connection is established from inside.

Even better, since IPsec is part of IPv6, remote enterprise users will be able to be part of the inside network even when remotely connected, without security degradation, and access servers that will not need to be made available from the outside.

I understand you are just putting together a test network, but if the aim is to get ready to deploy IPv6, try to establish policies first and configure/design afterward. I have seen way too many networks built by putting together equipment and then secured with an inadequate design. (I have long since left the wiring closet and I now deal with the policy-making bit.)

Cheers

Fabio
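To make the trade-off Fabio describes concrete, here is an added example (not code from the thread, not vendor code) that models three things in one place: how many addresses a router can be asked to resolve on a /64 versus a /120, how a neighbor cache with a cap on INCOMPLETE entries and a per-tick budget for new resolutions (a stand-in for control plane policing) bounds the damage regardless of prefix length, and Fabio's "keep the /64 on the wire but only permit a /120 window at the edge ACL" idea. The cache limits, the tick-based timeout and the 2001:db8::/32 documentation addresses are all constructed values, not any platform's defaults.

```python
"""Toy model of IPv6 neighbor-cache pressure under /64 vs /120 and of a
perimeter ACL window. Constructed example; no packets are sent."""
import ipaddress
from dataclasses import dataclass, field


def addressable_hosts(prefix: str) -> int:
    """How many addresses a router could be asked to resolve on this link."""
    return ipaddress.IPv6Network(prefix, strict=False).num_addresses


@dataclass
class NeighborCache:
    """Simplified router neighbor cache with two defensive limits
    (hypothetical values, not a vendor default):
    - max_incomplete: cap on entries still waiting for a Neighbor Advertisement
    - resolve_budget_per_tick: new resolutions allowed per tick, i.e. policing
      of Neighbor Solicitation generation on the control plane
    """
    max_incomplete: int
    resolve_budget_per_tick: int
    incomplete_ttl_ticks: int = 3
    reachable: set = field(default_factory=set)
    incomplete: dict = field(default_factory=dict)   # addr -> tick created
    dropped: int = 0
    budget_used: int = 0
    tick: int = 0

    def new_tick(self) -> None:
        """Advance time: reset the NS budget and expire stale INCOMPLETE entries."""
        self.tick += 1
        self.budget_used = 0
        for addr, created in list(self.incomplete.items()):
            if self.tick - created >= self.incomplete_ttl_ticks:
                del self.incomplete[addr]

    def packet_to(self, dst: str) -> str:
        """Decide what happens to a packet destined to dst on the attached link."""
        if dst in self.reachable:
            return "forwarded"
        if dst in self.incomplete:
            return "queued"            # resolution already in progress
        if (self.budget_used >= self.resolve_budget_per_tick
                or len(self.incomplete) >= self.max_incomplete):
            self.dropped += 1
            return "dropped"           # the limits protect cache memory and CPU
        self.budget_used += 1
        self.incomplete[dst] = self.tick
        return "resolving"

    def neighbor_answered(self, addr: str) -> None:
        """A real host replied: the entry becomes REACHABLE."""
        self.incomplete.pop(addr, None)
        self.reachable.add(addr)


def packets_to_unused_addresses(cache: NeighborCache, prefix: str, count: int) -> dict:
    """Within one tick, deliver one packet to each of `count` distinct addresses
    of `prefix` that no host owns, and tally the outcomes. A /120 only has 255
    such addresses besides the subnet-router anycast ::0, so count is capped."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    count = min(count, net.num_addresses - 1)
    tally = {"forwarded": 0, "queued": 0, "resolving": 0, "dropped": 0}
    cache.new_tick()
    for i in range(1, count + 1):
        tally[cache.packet_to(str(net[i]))] += 1
    return tally


def perimeter_acl_permits(dst: str, lan_prefix: str, permitted_window: str) -> bool:
    """Fabio's suggestion: the LAN keeps its /64 (so SLAAC still works) while the
    edge ACL only admits inbound traffic to a /120 window of it, so an outside
    sender can trigger resolution for at most 256 addresses on that link."""
    lan = ipaddress.IPv6Network(lan_prefix, strict=False)
    window = ipaddress.IPv6Network(permitted_window, strict=False)
    if not window.subnet_of(lan):
        raise ValueError("ACL window must lie inside the LAN prefix")
    return ipaddress.IPv6Address(dst) in window


if __name__ == "__main__":
    print("/64 addresses:", addressable_hosts("2001:db8:0:1::/64"))
    print("/120 addresses:", addressable_hosts("2001:db8:0:1::/120"))
    cache = NeighborCache(max_incomplete=100, resolve_budget_per_tick=50)
    print("/64 burst:", packets_to_unused_addresses(cache, "2001:db8:0:1::/64", 1000))
    cache = NeighborCache(max_incomplete=100, resolve_budget_per_tick=50)
    print("/120 burst:", packets_to_unused_addresses(cache, "2001:db8:0:1::/120", 1000))
    print("edge ACL admits ::10:", perimeter_acl_permits(
        "2001:db8:0:1::10", "2001:db8:0:1::/64", "2001:db8:0:1::/120"))
```

The point the model makes is the one in Fabio's reply: shrinking the prefix to /120 caps the number of addresses an unsolicited sender can ask about, but a bounded and rate-limited cache achieves the same protection on a /64 without giving up autoconfiguration, and the edge ACL window limits what outside senders can reach in the first place.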

Thanks Fabio for the reply. Things are a bit clearer on the panic I had with NDP. Yes, we have policies in place, but they are still immature on IPv6.

We have a test network where we are testing various IPv6 scenarios to develop a design/migration plan to have a dual stack network.

Thanks

Ramu

Glad I could be of help clearing your thoughts, and thanks for the 5 stars.

Fabio

Sent from Cisco Technical Support iPad App

Hi,

Probably worth noting to anyone reading these posts that things have moved on since this was posted, and the IPv6 standards have only recently been ratified with a number of alterations and changes in best practice over the years, including the fact that IPsec is no longer mandatory.

There are current best practice guides on a number of official websites such as RIPE.net, so I would advise using those for design standards and coming back to vendor configurations to close attack vectors.

Thanks

David
