[afripv6-discuss] What have you done for IPv6 lately, since the 1st of January, 2013?

Andrew Alston alston.networks at gmail.com
Mon Feb 18 10:27:35 SAST 2013


Hi Nishal,


> could you contextualise your situation please?  would this be a university
> campus/dormitory/corporate use case/... ?
> do you tie these to one user/vlan via radius;  presumably not one device
> per /64?
> could you explain what the "issues associated with RA" are - particularly,
> anything that isn't necessarily solved by tools like RA-Guard?

This particular client is a university network, with approx. 20 thousand
network ports, hundreds of APs and various other equipment.

The static /64 idea we're exploring is actually based on PVLANs.
Basically:

Behind the distribution layers sit the edge switches; every port on the edge
switch is in a separate VLAN, which is trunked back to the distribution that
the edge switch sits behind.  The distribution layer then combines these into
aggregation VLANs for the purpose of things like v4 DHCP requests and for
providing v4 next-hop gateways.  On the v6 level, however, each private VLAN
has its own statically assigned /64 on the distribution (we script this).
Further to this, each port runs in isolation mode at the edge unless
specifically configured in community mode.  What this means is that edge
switches are forced to communicate via the distribution layer, and there is
no port -> port communication on the edge (so we have port isolation).  At
the same time, we have the option of configuring community-based ports at
the distribution layer, where several PVLANs are combined as a community, so
while there is still edge isolation, those ports will be able to communicate
with each other via switching at the distribution level.

More about PVLANs can be read here:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/private-vlans-ex-series.html

With regard to the RA issues, many edge switches do not support things like
RA-Guard (particularly if they are fairly unintelligent devices that simply
support VLAN creation etc.).  As a result, unless you have port isolation
enabled on those switches, it becomes possible for one device to flood RA
announcements onto the shared switching segment on an edge switch, which
will be picked up and interpreted by anything listening for RAs.  This
creates fairly serious denial-of-service possibilities on the switch.  See:
http://seclists.org/fulldisclosure/2011/Apr/86 (one example).

I also quote from RFC 6105 (IPv6 RA-Guard RFC):

   RA-Guard applies to an environment where all messages between IPv6
   end-devices traverse the controlled L2 networking devices.  It does
   not apply to shared media, when devices can communicate directly
   without going through an RA-Guard-capable L2 networking device.

Meaning that where you have "dumb" edge switches with shared segments, you
are FORCED to take another alternative, hence the PVLANs.

>> Sadly, we've found that DHCPv6 hasn't been a terribly viable option
>> because of a wide range of clients and lack of support on the client side in
>> many devices, RA is still the more mature of the options in terms of end
>> point support, so, it's now about securing the RA.

> could you perhaps provide us with a list of devices where you've seen
> dhcp6 client support not work?  you could hopefully save others valuable
> operational time.

Certain CCTV cameras which aren't assigned static addresses, building
management devices which don't get static addresses, older Windows XP boxes
that DO have v6 enabled (it requires an additional client), etc.

>> We're also still investigating IPS options under IPv6, and this is
>> proving to be a MAJOR challenge.

>> Using a device from Palo Alto, we tapped the network firstly with v4,
>> using port mirroring, and we got some fairly interesting IPS data back out
>> of that.  However, mirroring the v6 traffic, while there was a couple of
>> hundred meg of traffic on the port, we were not getting ANY IPS hits.
>> This either means that by some miracle there was nothing the device was
>> seeing that was nasty (yeah, right), or the device simply wasn't able to see
>> the v6 properly.  We're raising that one with the vendor at the moment to
>> see if we can figure it out.  Any advice though from the community about
>> v6 IPS devices that can act as network taps would be hugely appreciated.
>> (We're looking for IPS devices that can handle 10gig+ of traffic per
>> device).

> my, admittedly poor, google-fu returns hits for freebsd+10gb+pfsense.

pfSense is more a firewall than an IPS device (unless you include Snort),
and furthermore, being an entirely software-based system, it does not scale
terribly well to these speeds.  We are still hoping, however, that the issues
we are seeing on the PA network tap are merely a configuration issue; we've
asked the question and await a reply.

Thanks 

Andrew
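As an added illustration of the RA problem discussed in the message above (example code written for this page, not from Andrew, Nishal or the afripv6-discuss list): a minimal ICMPv6 Router Advertisement parser and the kind of per-port check an RA-Guard-capable device enforces: RAs only from trusted ports, only for prefixes the site actually owns, and a rate ceiling per port. The RA packets are constructed inline (checksum left at zero, nothing is put on the wire), and the port names, the 2001:db8:1::/48 site prefix, the 2001:db8:dead::/48 rogue prefixes and the 5-RAs-per-10-seconds threshold are all assumptions chosen for the demonstration. The flood in `demo()` mirrors the pattern in the Full Disclosure post cited above: every RA carries a fresh /64, so each listener that accepts RAs keeps adding addresses and routes.

```python
"""Minimal ICMPv6 Router Advertisement parser plus an RA-Guard-style port policy.

Added example, not code from the original post.  Packets are built inline
(checksum left at zero, nothing is sent); "port" stands in for the edge port /
private VLAN an RA arrived on, which is what a guard keys its decisions on.
"""
import ipaddress
import struct
from collections import defaultdict, deque

ICMPV6_RA = 134                       # Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3                   # Prefix Information option type
RA_HDR = struct.Struct("!BBHBBHII")   # type, code, cksum, hop limit, M/O flags, router lifetime, reachable, retrans
PIO = struct.Struct("!BBBBIII16s")    # type, len, prefix len, L/A flags, valid, preferred, reserved, prefix


def build_ra(prefixes, router_lifetime=1800, valid=2592000, preferred=604800):
    """Constructed RA payload with one on-link/autonomous PIO per prefix (test input only)."""
    payload = RA_HDR.pack(ICMPV6_RA, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        payload += PIO.pack(OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            valid, preferred, 0, net.network_address.packed)
    return payload


def parse_ra(payload):
    """Return the RA's flags, router lifetime and advertised prefixes.

    Raises ValueError for what a receiver must discard under RFC 4861:
    truncated header, zero-length option, option running past the packet.
    """
    if len(payload) < RA_HDR.size or payload[0] != ICMPV6_RA or payload[1] != 0:
        raise ValueError("not a well-formed RA")
    _, _, _, _, flags, router_lifetime, _, _ = RA_HDR.unpack_from(payload, 0)
    prefixes, off = [], RA_HDR.size
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")
        end = off + olen * 8              # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option overruns packet")
        if otype == OPT_PREFIX_INFO:
            if olen != 4:
                raise ValueError("bad Prefix Information option length")
            _, _, plen, pflags, valid, pref, _, raw = PIO.unpack_from(payload, off)
            if plen > 128:
                raise ValueError("bad prefix length")
            prefixes.append({"prefix": ipaddress.IPv6Network((raw, plen), strict=False),
                             "onlink": bool(pflags & 0x80),
                             "autonomous": bool(pflags & 0x40),
                             "valid": valid, "preferred": pref})
        off = end                         # unknown options are skipped, not rejected
    return {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "router_lifetime": router_lifetime, "prefixes": prefixes}


class RaGuardPolicy:
    """Per-port RA policy: which ports may send RAs, which prefixes they may
    announce, and how many RAs per window before a port counts as flooding."""

    def __init__(self, trusted_ports, allowed_prefixes, max_ras=5, window=10.0):
        self.trusted = set(trusted_ports)
        self.allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
        self.max_ras, self.window = max_ras, window
        self.recent = defaultdict(deque)  # port -> timestamps of RAs inside the window

    def check(self, port, payload, ts):
        """Return [] if the RA is acceptable on this port, else a list of violations."""
        try:
            ra = parse_ra(payload)
        except ValueError as exc:
            return [f"malformed: {exc}"]
        problems = []
        if port not in self.trusted:
            problems.append("ra-from-untrusted-port")
        for p in ra["prefixes"]:
            if not any(p["prefix"].subnet_of(a) for a in self.allowed):
                problems.append(f"unexpected-prefix {p['prefix']}")
        q = self.recent[port]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_ras:
            problems.append(f"ra-flood {len(q)} RAs within {self.window}s")
        return problems


def demo():
    """One legitimate RA on the uplink, then a constructed 50-RA flood from an
    edge port, each RA carrying a fresh /64 (the pattern RA-flooding tools use)."""
    policy = RaGuardPolicy(trusted_ports={"uplink"}, allowed_prefixes=["2001:db8:1::/48"])
    legit = policy.check("uplink", build_ra(["2001:db8:1:2::/64"]), ts=0.0)
    flood = [policy.check("ge-0/0/7", build_ra([f"2001:db8:dead:{i:x}::/64"]), ts=0.02 * i)
             for i in range(50)]
    return legit, flood


if __name__ == "__main__":
    legit, flood = demo()
    print("uplink:", legit or "ok")
    print("ge-0/0/7 first RA:", flood[0])
    print("ge-0/0/7 last RA: ", flood[-1])
```

The point this makes concrete is the RFC 6105 caveat quoted in the message: `check()` needs to know which port a frame came in on, and an unmanaged edge switch with a shared segment never presents that vantage point to anything, so the first device able to apply such a policy (the distribution layer) only sees the traffic after the victims on the shared segment have already processed it. Giving every edge port its own private VLAN makes the distribution switch the first hop for every RA, which is what restores the precondition.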