IPv6 security – IPv6 First Hop Security – Binding Table – part three.
Similar to IPv4, where we can build a binding table of all connected hosts, for IPv6 we can enable the IPv6 Binding Table. The table is populated by ND, by the DHCP registration process, or by static entries.
      Gi1/0/1       Gi1/0/2
/----\        -----        /----\
| R4 |-------| sw1 |-------| R5 |
\----/        -----        \----/
                |\
                | Gi1/0/3
              /----\
              | R6 |
              \----/
I enable IPv6 on the routers and apply an ND policy on SW1 with the port role set to ‘router’.
R4:
R4#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::223:4FF:FE8E:5E08
No Virtual link-local address(es):
Global unicast address(es):
2001:10:10:10::4, subnet is 2001:10:10:10::/64
Joined group address(es):
FF02::1
FF02::1:FF00:4
FF02::1:FF8E:5E08
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
R4#
R5:
R5#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21C:58FF:FE9E:2B00
No Virtual link-local address(es):
Global unicast address(es):
2001:10:10:10::5, subnet is 2001:10:10:10::/64
Joined group address(es):
FF02::1
FF02::1:FF00:5
FF02::1:FF9E:2B00
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
R5#
R6:
R6#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21C:58FF:FEF4:AEE0
No Virtual link-local address(es):
Global unicast address(es):
2001:10:10:10::6, subnet is 2001:10:10:10::/64
Joined group address(es):
FF02::1
FF02::1:FF00:6
FF02::1:FFF4:AEE0
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
R6#
Let’s ping all routers and check their neighbor tables:
R4#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2001:10:10:10::5 0 001c.589e.2b00 REACH Fa0/0
2001:10:10:10::6 0 001c.58f4.aee0 REACH Fa0/0
FE80::21C:58FF:FEF4:AEE0 0 001c.58f4.aee0 REACH Fa0/0
FE80::21C:58FF:FE9E:2B00 0 001c.589e.2b00 REACH Fa0/0
R5#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2001:10:10:10::4 3 0023.048e.5e08 STALE Fa0/0
2001:10:10:10::6 0 001c.58f4.aee0 REACH Fa0/0
FE80::223:4FF:FE8E:5E08 3 0023.048e.5e08 STALE Fa0/0
R6#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2001:10:10:10::5 0 001c.589e.2b00 STALE Fa0/0
2001:10:10:10::4 4 0023.048e.5e08 STALE Fa0/0
FE80::223:4FF:FE8E:5E08 4 0023.048e.5e08 STALE Fa0/0
FE80::21C:58FF:FE9E:2B00 0 001c.589e.2b00 STALE Fa0/0
Let’s check the binding table on SW1:
SW1#sh ipv6 neighbors binding vlanid 20
vlanDB has 6 entries for vlan 20, 6 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 120s REACHABLE 194 s
ND FE80::21C:58FF:FEF4:AEE0 001C.58F4.AEE0 Gi1/0/3 20 0011 127s REACHABLE 180 s
ND FE80::21C:58FF:FE9E:2B00 001C.589E.2B00 Gi1/0/2 20 0011 120s REACHABLE 188 s
ND 2001:10:10:10::6 001C.58F4.AEE0 Gi1/0/3 20 0011 142s REACHABLE 158 s
ND 2001:10:10:10::5 001C.589E.2B00 Gi1/0/2 20 0011 135s REACHABLE 171 s
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 130s REACHABLE 179 s
SW1#
SW1#sh ipv6 neighbors binding vlanid 20 details
vlanDB has 6 entries for vlan 20, 6 dynamic
Binding table configuration:
----------------------------
max/box : 2
max/vlan : no limit
max/port : 2
max/mac : no limit
Binding table current counters:
------------------------------
dynamic : 6
local : 0
total : 6
Binding table counters by state:
----------------------------------
STALE : 6
total : 6
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left Filter Policy (feature)
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 8mn STALE 90311 s no ROUTER-POLICY (NDP inspection)
ND FE80::21C:58FF:FEF4:AEE0 001C.58F4.AEE0 Gi1/0/3 20 0011 5mn STALE 89229 s no ROUTER-POLICY (NDP inspection)
ND FE80::21C:58FF:FE9E:2B00 001C.589E.2B00 Gi1/0/2 20 0011 5mn STALE 86953 s no ROUTER-POLICY (NDP inspection)
ND 2001:10:10:10::6 001C.58F4.AEE0 Gi1/0/3 20 0011 5mn STALE 88042 s no ROUTER-POLICY (NDP inspection)
ND 2001:10:10:10::5 001C.589E.2B00 Gi1/0/2 20 0011 5mn STALE 88554 s no ROUTER-POLICY (NDP inspection)
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 9mn STALE 86353 s no ROUTER-POLICY (NDP inspection)
SW1#
Now I change/add IP addresses on R4:
SW1#sh ipv6 neighbors binding interface gig1/0/1
portDB has 2 entries for interface Gi1/0/1, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 10mn STALE 90194 s
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 11mn STALE 86236 s
SW1#
We see that we are able to add a new IP address and the binding table is updated:
SW1#
Mar 30 02:25:53.281: %SISF-6-ENTRY_CREATED: Entry created A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:53.281: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:54.279: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1#
SW1#sh ipv6 neighbors binding interface gig1/0/1
portDB has 3 entries for interface Gi1/0/1, 3 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 13mn STALE 90053 s
ND 2001:20:20:20::4 0023.048E.5E08 Gi1/0/1 20 0011 20s REACHABLE 288 s
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 13mn STALE 86095 s
SW1#
Mar 30 02:26:39.225: %SISF-6-ENTRY_CREATED: Entry created A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:39.225: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:40.232: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1#
SW1#
SW1#sh ipv6 neighbors binding interface gig1/0/1
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 13mn STALE 90014 s
ND 2001:30:30:30::4 0023.048E.5E08 Gi1/0/1 20 0011 14s REACHABLE 290 s
ND 2001:20:20:20::4 0023.048E.5E08 Gi1/0/1 20 0011 60s REACHABLE 249 s
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 14mn STALE 86055 s
SW1#
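To watch this condition programmatically, here is an added Python example (not from the original post) that parses the show ipv6 neighbors binding output above, decodes the prlvl flags using the legend the switch prints, and flags interfaces whose dynamic entry count exceeds the printed per-port limit. The sample text is copied from the Gi1/0/1 output above; the function names are my own.

```python
import re
from collections import Counter
# Preflevel flag bits, as listed in the switch's own "Preflevel flags" legend.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match", 0x0002: "Orig trunk", 0x0004: "Orig access",
    0x0008: "Orig trusted trunk", 0x0010: "Orig trusted access", 0x0020: "DHCP assigned",
    0x0040: "Cga authenticated", 0x0080: "Cert authenticated", 0x0100: "Statically assigned",
}
# One binding-table row: code, IPv6 address, MAC, interface, vlan, prlvl, age, state, ...
ENTRY_RE = re.compile(
    r"^(?P<code>L|S|ND|DH|PKT|API)\s+(?P<addr>[0-9A-Fa-f:]+)\s+(?P<mac>[0-9A-Fa-f.]+)\s+"
    r"(?P<intf>\S+)\s+(?P<vlan>\d+)\s+(?P<prlvl>[0-9A-Fa-f]{4})\s+\S+\s+(?P<state>\w+)"
)
# The "portDB has N entries ... (limit L)" header line.
LIMIT_RE = re.compile(r"has (?P<n>\d+) entries .*?\(limit (?P<limit>\d+)\)")
# Sample input: the Gi1/0/1 output shown above (copied from the post).
SAMPLE_OUTPUT = """\
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0011 13mn STALE 90014 s
ND 2001:30:30:30::4 0023.048E.5E08 Gi1/0/1 20 0011 14s REACHABLE 290 s
ND 2001:20:20:20::4 0023.048E.5E08 Gi1/0/1 20 0011 60s REACHABLE 249 s
ND 2001:10:10:10::4 0023.048E.5E08 Gi1/0/1 20 0011 14mn STALE 86055 s
"""

def decode_prlvl(hexflags):
    """Expand a 4-digit hex prlvl value into the flag names it carries."""
    value = int(hexflags, 16)
    return [name for bit, name in PRLVL_FLAGS.items() if value & bit]

def parse_binding_table(text):
    """Return one dict per binding-table row, with vlan as int and prlvl decoded."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["vlan"] = int(entry["vlan"])
            entry["flags"] = decode_prlvl(entry["prlvl"])
            entries.append(entry)
    return entries

def audit(text):
    """Flag interfaces whose dynamic (non-static) entry count exceeds the printed limit."""
    m = LIMIT_RE.search(text)
    limit = int(m.group("limit")) if m else None
    dynamic_per_intf = Counter(e["intf"] for e in parse_binding_table(text) if e["code"] != "S")
    return [f"{intf}: {n} dynamic entries exceed limit {limit}"
            for intf, n in dynamic_per_intf.items() if limit is not None and n > limit]
```

Running audit(SAMPLE_OUTPUT) on the output above reports Gi1/0/1 with 4 dynamic entries against a limit of 2, which is exactly the state the trusted router-role port leaves the table in.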
Now, I remove the ND policy from Gig1/0/1 and enable ND inspection on the interface:
SW1#sh run int gig1/0/1
Building configuration...
Current configuration : 140 bytes
!
interface GigabitEthernet1/0/1
switchport access vlan 20
switchport mode access
ipv6 nd inspection vlan 20
ipv6 snooping vlan 20
end
SW1#
Let’s create static bindings:
SW1#
!
ipv6 neighbor binding reachable-lifetime 50
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2 vlan-limit 2
ipv6 neighbor binding vlan 20 FE80::223:4FF:FE8E:5E08 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor binding vlan 20 2001:10:10:10::20 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor tracking
!
and check whether the static entries appear:
SW1#sh ipv6 neighbors binding
Binding Table has 6 entries, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
S FE80::223:4FF:FE8E:5E08 0023.048E.5E08 Gi1/0/1 20 0100 15s REACHABLE 36 s
ND FE80::21C:58FF:FEF4:AEE0 001C.58F4.AEE0 Gi1/0/3 20 0011 47s REACHABLE 4 s try 0
ND FE80::21C:58FF:FE9E:2B00 001C.589E.2B00 Gi1/0/2 20 0011 43mn STALE 88731 s
S 2001:10:10:10::20 0023.048E.5E08 Gi1/0/1 20 0100 32s REACHABLE 19 s try 0
ND 2001:10:10:10::6 001C.58F4.AEE0 Gi1/0/3 20 0011 1s REACHABLE 50 s try 0
ND 2001:10:10:10::5 001C.589E.2B00 Gi1/0/2 20 0011 43mn STALE 86340 s
Let’s try to add a new IP:
R4(config-if)#ipv6 address 2001:10:10:10::14/64
And check what happens when we ping R6:
SW1#
Mar 30 03:03:16.059: SISF[CLA]: Packet for:
Mar 30 03:03:16.059: SISF[CLA]: Protocol number: 58 value 136
Mar 30 03:03:16.059: SISF[CLA]: feature NDP inspection
Mar 30 03:03:16.059: SISF[CLA]: feature Snooping
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0 NDP inspection priority 160
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1 Snooping priority 128
Mar 30 03:03:16.067: SISF[MEM]: Owner is this process
Mar 30 03:03:16.067: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:16.067: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:16.067: SISF[CLA]: Packet for:
Mar 30 03:03:16.067: SISF[CLA]: Protocol number: 58 value 136
Mar 30 03:03:16.067: SISF[CLA]: feature NDP inspection
Mar 30 03:03:16.067: SISF[CLA]: feature Snooping
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0 NDP inspection priority 160
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1 Snooping priority 128
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Parse msg ND_NEIGHBOR_ADVERT. len 8
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Found 1 options
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 0 pid 0
Mar 30 03:03:16.067: SISF[POL]: Vlan 20ac check(smac,lla): MATCH for 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source and LLA match
Mar 30 03:03:16.067: matches vlan list on policy dSISF[PRS]: Gi1/0/1 vlan 20 No RSA option
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 preference level set 5
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 (unsecure)NA without CGA option
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 Unsecure message from untrusted port
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDP Inspection setting sec level to INSPECT
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:16.067: SISF[BT ]: Max dynamic entries 2 reached
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0efault
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDPI rcv: ND_NEIGHBOR_ADVERT on Gi1/0/1
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 src 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 dst 2001:10:10:10::6
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 Target: 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source-m
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP: ND_NEIGHBOR_ADVERT src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:16.067: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:16.067: SISF[MEM]: 6930E18 semaphore system unlocked
…
Mar 30 03:03:17.166: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP: ND_NEIGHBOR_ADVERT src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:17.166: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:17.166: SISF[MEM]: 6930E18 semaphore system unlocked
…
Mar 30 03:03:19.431: SISF[CLA]: Packet for:
Mar 30 03:03:19.431: SISF[CLA]: Protocol number: 58 value 136
Mar 30 03:03:19.431: SISF[CLA]: feature NDP inspection
Mar 30 03:03:19.431: SISF[CLA]: feature Snooping
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0 NDP inspection priority 160
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1 Snooping priority 128
Mar 30 03:03:19.456: SISF[MEM]: Owner is this process
Mar 30 03:03:19.456: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:19.456: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:19.456: SISF[CLA]: Packet for:
Mar 30 03:03:19.456:
Mar 30 03:03:41.569: %SYS-3-MSGLOST: 51 messages lost because of queue overflow
Mar 30 03:03:19.456: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP: ND_NEIGHBOR_ADVERT src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:19.456: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:19.456: SISF[MEM]: 6930E18 semaphore system unlocked
Mar 30 03:03:42.575: %SYS-3-MSGLOST: 202 messages lost because of queue overflowSISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:20.396: SISF[BT ]: Max dynamic entries 2 reached
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0
Mar 30 03:03:20.396: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP: ND_NEIGHBOR_ADVERT src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:20.396: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:20.396: SISF[MEM]: 6930E18 semaphore system unlocked
Mar 30 03:03:44.589: %SYS-3-MSGLOST: 494 messages lost because of queue overflow
Mar 30 03:03:21.369: SISF[MEM]: Unlocking, count is now 1
Mar 30 03:03:21.369: SISF[MEM]: 6930E18 semaphore system unlocked
Mar 30 03:03:21.369: SISF[SWI]: SVI is Vlan20
As we can see, the ping is blocked because the address limit has been exceeded.
SW1#show ipv6 snooping counters interface gigabitEthernet1/0/1
Received messages on Gi1/0/1:
Protocol Protocol message
NDP NS[14] NA[51]
DHCPv6
Bridged messages from Gi1/0/1:
Protocol Protocol message
NDP NS[19] NA[3]
DHCPv6
Dropped messages on Gi1/0/1:
Feature Protocol Msg [Total dropped]
NDP inspection NDP NS [5]
reason: Address limit per box reached [5]
NA [32]
reason: Address limit per box reached [32]
Snooping NDP NS [3]
reason: Address limit per box reached [3]
NA [3]
reason: Address limit per box reached [3]
SW1#