Secure IPv6 Neighbor Discovery
SUMMARY The Secure Neighbor Discovery (SEND) Protocol for IPv6 prevents an attacker with access to the link from abusing the Neighbor Discovery Protocol (NDP) to trick hosts into sending the attacker traffic destined for someone else, the IPv6 counterpart of ARP poisoning.
Understanding Secure IPv6 Neighbor Discovery
One of the functions of the IPv6 Neighbor Discovery Protocol (NDP) is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses, a function performed in IPv4 by Address Resolution Protocol (ARP). Just as an attacker on an IPv4 segment can poison ARP caches, an attacker with access to an IPv6 broadcast segment can send forged NDP messages to trick hosts into sending the attacker traffic destined for someone else (neighbor cache poisoning). The Secure Neighbor Discovery (SEND) Protocol prevents this by letting receivers verify that NDP messages come from the owner of the claimed address.
Because these attacks require nothing more than access to the link, deploy SEND wherever you cannot prevent untrusted nodes from reaching the broadcast segment.
SEND uses RSA key pairs to produce cryptographically generated addresses (CGAs), as defined in RFC 3972. A CGA's interface identifier is derived from a hash of the node's public key and auxiliary parameters (the subnet prefix, a modifier, and a collision count). SEND messages carry those CGA parameters together with an RSA signature made with the matching private key, so a receiver can recompute the address from the public key and check that the sender of an NDP message actually owns the address it claims.
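The following is an added illustration of the CGA construction described above, not code from the page or from Junos: it generates an RFC 3972 address from a public key and then verifies it the way a SEND peer would. The public key bytes and the subnet prefix 2001:db8:1::/64 are constructed sample inputs (a real node uses its DER-encoded RSA SubjectPublicKeyInfo), and the starting modifier is fixed so the run is reproducible, where a real node picks it at random.

```python
"""Cryptographically Generated Addresses (RFC 3972) worked example."""
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; any byte string works
# for the arithmetic, a real node uses its RSA public key here.
SAMPLE_PUBKEY = bytes(range(256)) + b"rsa-spki-stand-in"
# Constructed sample subnet prefix, the leftmost 64 bits of 2001:db8:1::/64.
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]


def hash1(modifier, prefix, collision_count, pubkey, ext=b""):
    """Hash1: SHA-1 over modifier | prefix | collision count | key | ext, leftmost 64 bits."""
    data = modifier + prefix + bytes([collision_count]) + pubkey + ext
    return hashlib.sha1(data).digest()[:8]


def hash2(modifier, pubkey, ext=b""):
    """Hash2: SHA-1 over modifier | nine zero octets | key | ext, leftmost 112 bits."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]


def hash2_meets_sec(h2, sec):
    """The leftmost 16*Sec bits of Hash2 must be zero (Sec = 0 imposes no condition)."""
    return h2[: 2 * sec] == b"\x00" * (2 * sec)


def generate_cga(prefix, pubkey, sec, modifier, collision_count=0, ext=b""):
    """RFC 3972 section 4. Returns (address, parameters); the parameters are what a
    SEND node places in its CGA option so that peers can verify the address."""
    if not 0 <= sec <= 7 or len(modifier) != 16 or len(prefix) != 8:
        raise ValueError("bad CGA inputs")
    # Hash extension: step the modifier until Hash2 has 16*Sec leading zero bits.
    # This is the work factor that makes brute-forcing a matching key expensive.
    m = int.from_bytes(modifier, "big")
    while not hash2_meets_sec(hash2(m.to_bytes(16, "big"), pubkey, ext), sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey, ext))
    # Write Sec into the three leftmost bits and clear the u and g bits (bits 6 and 7).
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    address = ipaddress.IPv6Address(prefix + bytes(iid))
    params = {"modifier": modifier, "prefix": prefix, "collision_count": collision_count,
              "pubkey": pubkey, "ext": ext}
    return address, params


def verify_cga(address, params):
    """RFC 3972 section 5: does this address belong to the public key in params?"""
    packed = ipaddress.IPv6Address(address).packed
    cc = params["collision_count"]
    if cc not in (0, 1, 2):
        return False
    if params["prefix"] != packed[:8]:
        return False
    expected = hash1(params["modifier"], params["prefix"], cc, params["pubkey"], params["ext"])
    iid = packed[8:]
    # Compare Hash1 with the interface identifier, ignoring Sec and the u/g bits.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    sec = iid[0] >> 5
    return hash2_meets_sec(hash2(params["modifier"], params["pubkey"], params["ext"]), sec)


if __name__ == "__main__":
    addr, params = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBKEY, sec=1, modifier=bytes(16))
    print(addr, verify_cga(addr, params))
    # A link-local address from the trace log later on the page was not generated
    # from this key, so a SEND peer rejects it.
    print(verify_cga("fe80::2a0:a514:0:14c", params))
```

Sec=1 requires the first 16 bits of Hash2 to be zero, so generation loops over roughly 65,000 modifiers before it finds one; verification costs only two hashes. That asymmetry is the point of the hash extension: an attacker who wants to claim an existing CGA must find a key whose Hash1 collides with the 59 usable bits of the interface identifier and whose Hash2 also satisfies the Sec condition.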
Example: Configuring Secure IPv6 Neighbor Discovery
This example shows how to configure IPv6 Secure Neighbor Discovery (SEND).
Requirements
This example has the following requirements:
Junos OS Release 9.3 or later
IPv6 deployed in your network
If you have not already done so, you must generate or install an RSA key pair.
To generate a new RSA key pair, enter the following command:
user@host> request security pki generate-key-pair type rsa certificate-id certificate-id-name size size
Overview
To configure SEND, include the following statements:
protocols {
    neighbor-discovery {
        onlink-subnet-only;
        secure {
            security-level {
                (default | secure-messages-only);
            }
            cryptographic-address {
                key-length number;
                key-pair pathname;
            }
            timestamp {
                clock-drift number;
                known-peer-window seconds;
                new-peer-window seconds;
            }
            traceoptions {
                file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
                flag flag;
                no-remote-trace;
            }
        }
    }
}
Specify default to send and receive both secured and unsecured Neighbor Discovery Protocol (NDP) packets. To configure SEND to accept secured NDP messages only and to drop unsecured ones, specify secure-messages-only.
If you use secure-messages-only, every node on the segment must be configured with SEND, because unsecured NDP messages from nodes that lack it are dropped and those nodes lose connectivity. secure-messages-only is the recommended setting; use default only when a small subset of devices needs the added protection and the rest of the segment cannot run SEND.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set protocols neighbor-discovery secure security-level secure-messages-only
set protocols neighbor-discovery secure cryptographic-address key-length 1024
set protocols neighbor-discovery secure cryptographic-address key-pair /var/etc/rsa_key
set protocols neighbor-discovery secure timestamp
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a secure IPv6 neighbor discovery:
Configure the security level.
[edit protocols neighbor-discovery secure]
user@host# set security-level secure-messages-only
(Optional) Specify the RSA key length used for the cryptographic address.
The default key length is 1024 bits. A 1024-bit RSA key is below current guidance for new deployments, so use a longer key where your platform and all SEND peers on the segment support it.
[edit protocols neighbor-discovery secure]
user@host# set cryptographic-address key-length 1024
(Optional) Specify the path of the file that holds the RSA public-private key pair generated for the cryptographic address.
The default path is /var/etc/rsa_key.
[edit protocols neighbor-discovery secure]
user@host# set cryptographic-address key-pair /var/etc/rsa_key
(Optional) Enable the timestamp option so that captured solicitation and redirect messages cannot be replayed later. The clock-drift, known-peer-window, and new-peer-window values listed in the Overview tune how much clock skew a peer's timestamp may have before its message is rejected.
[edit protocols neighbor-discovery secure]
user@host# set timestamp
Results
From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show protocols
neighbor-discovery {
    secure {
        security-level {
            secure-messages-only;
        }
        cryptographic-address {
            key-length 1024;
            key-pair /var/etc/rsa_key;
        }
        timestamp;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Checking the IPv6 Neighbor Cache
Purpose
Display information about the IPv6 neighbors.
Action
From operational mode, enter the show ipv6 neighbors command.
Meaning
In IPv6, the Address Resolution Protocol (ARP) has been replaced by NDP. The IPv4 command show arp is replaced by the IPv6 command show ipv6 neighbors. The key pieces of information displayed by this command are the IP address, the MAC (link layer) address, and the interface.
Tracing Neighbor Discovery Events
Purpose
Perform additional validation by tracing SEND.
Action
Configure trace operations.
[edit protocols neighbor-discovery secure]
user@host# set traceoptions file send-log
user@host# set traceoptions flag all
Run the show log command.
user@host> show log send-log
Apr 11 06:21:26 proto: outgoing pkt on idx 68 does not have CGA (fe80::2a0:a514:0:14c), dropping pkt
Apr 11 06:26:44 proto: sendd_msg_handler: recv outgoing 96 bytes on idx 70 with offset 40
Apr 11 06:26:44 dbg: sendd_proto_handler: Modifier (16) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 11 06:26:44 cga: snd_is_lcl_cga: BEFORE overriding cc, cc:0, ws->col:0
Apr 11 06:26:44 proto: outgoing pkt on idx 70 does not have CGA (fe80::2a0:a514:0:24c), dropping pkt
Apr 11 06:26:47 proto: sendd_msg_handler: recv outgoing 96 bytes on idx 68 with offset 40
Apr 11 06:26:47 dbg: sendd_proto_handler: Modifier (16) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Meaning
The output shows outgoing NDP packets being dropped because their source addresses (the link-local addresses fe80::2a0:a514:0:14c on interface index 68 and fe80::2a0:a514:0:24c on interface index 70) are not cryptographically generated. With secure-messages-only, the node will not send unsecured NDP from a non-CGA source, so lines like these identify interfaces that are not yet using a CGA and cannot complete neighbor discovery until they do.
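As an added example that is not part of the original page, the following script turns a sendd trace file into the list of interfaces and source addresses whose outgoing NDP was dropped for lacking a CGA, which is the check an operator wants after enabling secure-messages-only. The sample log text is constructed from the trace lines shown above; the regular expression assumes the message format of those lines.

```python
"""Summarise 'does not have CGA' drops from a sendd trace (added example)."""
import re
from collections import Counter

# Constructed sample input, copied from the trace lines shown above.
SAMPLE_LOG = """\
Apr 11 06:21:26 proto: outgoing pkt on idx 68 does not have CGA (fe80::2a0:a514:0:14c), dropping pkt
Apr 11 06:26:44 proto: sendd_msg_handler: recv outgoing 96 bytes on idx 70 with offset 40
Apr 11 06:26:44 dbg: sendd_proto_handler: Modifier (16) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 11 06:26:44 proto: outgoing pkt on idx 70 does not have CGA (fe80::2a0:a514:0:24c), dropping pkt
Apr 11 06:26:47 proto: sendd_msg_handler: recv outgoing 96 bytes on idx 68 with offset 40
"""

# Assumed message format, taken from the trace lines on the page.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) proto: outgoing pkt on idx (?P<idx>\d+) "
    r"does not have CGA \((?P<addr>[0-9A-Fa-f:]+)\), dropping pkt$"
)


def non_cga_drops(log_text):
    """Return {(interface index, source address): drop count} for outgoing NDP
    packets that sendd dropped because the source address is not a CGA."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            counts[(int(m["idx"]), m["addr"].lower())] += 1
    return dict(counts)


def report(log_text):
    """Human-readable summary, one line per affected interface/address."""
    return [f"idx {idx}: {addr} is not a CGA ({n} outgoing packet(s) dropped)"
            for (idx, addr), n in sorted(non_cga_drops(log_text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Any interface listed by the report is one where secure-messages-only has cut off neighbor discovery; the fix is to give that interface a CGA (or, on a mixed segment, fall back to security-level default) rather than to ignore the trace.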