IPv6 and ICMPv6 Security
Layer 2 was designed with a plug-and-play approach: connect a switch and it simply works. This ease often causes people to forget about securing the switched infrastructure. Compromising a network at layer 2 can affect traffic at all layers above it. Once layer 2 is compromised, it is easier to launch man-in-the-middle attacks against secure upper-layer protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH).
When discussing IPv6, why concern ourselves with layer 2 security? IPv6 is IP and operates at layer 3, right? 🙂
IPv6 has to discover other adjacent IPv6 nodes over layer 2. It uses the Neighbor Discovery Protocol (NDP) to discover IPv6 neighbors, and NDP operates over ICMPv6, not directly over Ethernet, unlike the Address Resolution Protocol (ARP) for IPv4. ICMPv6 offers functions equivalent to IPv4 ARP but also additional functions such as SEND (Secure Neighbor Discovery) and MLD (Multicast Listener Discovery). If you expand layer 2 so that adjacent IPv6 hosts connect via layer 2 switches rather than layer 3 routers, you will face IPv6 layer 2 first-hop security problems.
Of course, you could configure the network “properly” and use layer 2 only where it should be used, for adjacent node discovery. The first hop could then be a layer 3 switch, which removes the IPv6 layer 2 vulnerabilities. For example, the layer 3 switch does not listen to RA messages and can also provide uRPF (unicast Reverse Path Forwarding) to verify the source of IPv6 packets, mitigating IPv6 spoofing.
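As an added illustration (not code from the original article), the Python sketch below shows the uRPF check such a layer 3 first hop performs: the source address of an arriving packet is looked up in the forwarding table, and in strict mode the packet is accepted only if the best route back to that source points out of the interface the packet arrived on. Loose mode only requires that some route to the source exists. The forwarding table, prefixes and interface names are constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed forwarding table for a layer 3 first-hop switch: (prefix, interface the
# route points out of). Prefixes and interface names are hypothetical.
ROUTES = [
    (ipaddress.ip_network("2001:db8:10::/64"), "Vlan10"),   # hosts on VLAN 10
    (ipaddress.ip_network("2001:db8:20::/64"), "Vlan20"),   # hosts on VLAN 20
    (ipaddress.ip_network("2001:db8::/32"), "Uplink1"),     # rest of the site
    (ipaddress.ip_network("::/0"), "Uplink1"),              # default route
]

def lookup(addr: str, routes=ROUTES) -> Optional[Tuple[ipaddress.IPv6Network, str]]:
    """Longest-prefix match: return (prefix, interface) of the best route to addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_strict(src: str, ingress: str, routes=ROUTES) -> bool:
    """Strict mode: the best route back to the source must exit via the interface the
    packet arrived on. A VLAN 20 host claiming a VLAN 10 source fails this test."""
    route = lookup(src, routes)
    return route is not None and route[1] == ingress

def urpf_loose(src: str, routes=ROUTES, allow_default: bool = False) -> bool:
    """Loose mode: any route to the source is enough, regardless of interface. The
    default route is ignored unless allow_default is set, otherwise everything matches."""
    route = lookup(src, routes)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    return True

if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface)
    for src, ingress in [("2001:db8:10::42", "Vlan10"),   # legitimate VLAN 10 host
                         ("2001:db8:10::42", "Vlan20"),   # VLAN 20 host spoofing a VLAN 10 source
                         ("2001:db8:99::1", "Vlan10")]:   # site address arriving on a host VLAN
        print(src, ingress, "strict:", urpf_strict(src, ingress), "loose:", urpf_loose(src))
```

Strict mode is what a first-hop switch with a single route to each host VLAN can safely run; loose mode is the usual choice where asymmetric routing would otherwise cause false drops.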
ICMP and ICMPv6
Initially, the Internet Control Message Protocol (ICMP) was introduced to aid network troubleshooting by providing tools to verify end-to-end reachability. ICMP also reports errors back to hosts. Unfortunately, due to its nature and lack of built-in security, it quickly became a target for many attacks; for example, ICMP echo requests are used by attackers for network reconnaissance. ICMP's lack of inherent security opened it up to a number of vulnerabilities, which resulted in security teams blocking all ICMP message types, with adverse effects on useful ICMP features such as Path MTU Discovery.
ICMP for IPv4 and ICMPv6 are completely different. Unlike ICMP for IPv4, ICMPv6 is an integral part of IPv6 communication and has features that are required for IPv6 to operate. For this reason it is not possible to simply block ICMPv6 and all its message types. ICMPv6 is a legitimate part of IPv6; you need to select which message types you can filter.
ICMPv6 and Hop Count
The majority of ICMPv6 messages have their hop count set to 255, with the exception of PMTU and ICMPv6 error messages. Any device that receives such an ICMPv6 message with a hop count less than 255 should drop the packet, as it could have been crafted by an illegitimate source. By default, ICMPv6 messages with a hop count of 255 are dropped at layer 3 boundaries rather than forwarded on, using the same hop count mechanism that provides loop prevention.
This default behavior can cause security concerns. For example, if a firewall receives an ICMPv6 packet with a hop count of 1, by default it decrements the hop count and sends back an ICMPv6 Time Exceeded message. If the firewall follows this default behavior, an attacker could overwhelm it with packets carrying a Time-To-Live (TTL) of 1, a potential DoS attack against the firewall device.
Try to harden devices by rate limiting ICMPv6 error messages. This prevents a DoS attack in which an attacker sends a barrage of malformed packets, each requiring an ICMPv6 error message in reply. Use the command ipv6 icmp error-interval to rate limit the error return rate.
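To make the rate limiting concrete, here is an added Python model (not from the original article or any vendor's code) of the behaviour the command above configures. On Cisco IOS the syntax is ipv6 icmp error-interval <milliseconds> [bucketsize], with defaults of 100 ms and a bucket of 10; modelling those two parameters as a token bucket, one token per interval up to the bucket size, is our assumption. The burst of hop-count-1 packets is constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Icmpv6ErrorLimiter:
    """Token bucket for ICMPv6 error generation, modelled (our assumption) on the two
    parameters of ipv6 icmp error-interval <milliseconds> [bucketsize]: one token is
    added every interval_ms, the bucket holds at most bucket_size tokens, and every
    error message sent consumes one token. IOS defaults are 100 ms and 10."""
    interval_ms: int = 100
    bucket_size: int = 10
    tokens: int = field(init=False, default=0)
    last_refill_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.bucket_size      # start with a full bucket

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            earned = elapsed // self.interval_ms
            self.tokens = min(self.bucket_size, self.tokens + earned)
            # advance by whole intervals only, so fractional time is not lost
            self.last_refill_ms += earned * self.interval_ms

    def may_send_error(self, now_ms: int) -> bool:
        """True if an ICMPv6 error (e.g. Time Exceeded) may be sent at now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False

def simulate(limiter: Icmpv6ErrorLimiter, arrivals_ms: List[int]) -> Tuple[int, int]:
    """Feed packets that would each trigger an error (hop count 1 arriving at a firewall)
    and count how many errors are sent versus suppressed by the limiter."""
    sent = suppressed = 0
    for t in arrivals_ms:
        if limiter.may_send_error(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed

if __name__ == "__main__":
    lim = Icmpv6ErrorLimiter()
    # Constructed burst: 50 hop-count-1 packets land in the same millisecond
    print("burst at t=0:", simulate(lim, [0] * 50))                      # (10, 40)
    # One second later the bucket has refilled; the 11th packet is suppressed again
    print("burst at t=1000:", simulate(lim, [1000] * 10 + [1050]))       # (10, 1)
```

The point of the model is the shape of the outcome: a flood only ever costs the device bucket_size error replies per refill window, while a legitimate sender that triggers one error per interval is never suppressed.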
Prevent ICMPv6 Address Spoofing
It is best practice to check the source and destination address of an ICMPv6 packet. For example, with MLD (Multicast Listener Discovery) the source should always be a link-local address. If this is not the case, the packet has likely originated from an illegitimate source and should be dropped. You may also block any ICMPv6 source address that has not been assigned by the IANA. However, this is a manual process, and the ACL must be adjusted whenever IANA makes changes to the list.
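The following added Python example (not from the original article) puts the hop count rule from the previous section and the source address rule for MLD from this section into one filter over a raw IPv6 packet. It applies the hop-count-255 check to the Neighbor Discovery message types, where RFC 4861 requires it, leaves ICMPv6 error and Packet Too Big (PMTU) messages alone as the text says, and additionally requires a link-local source for Router Advertisements (also RFC 4861). The packet builder, sample addresses and type sets are constructed for the demonstration; checksums are left at zero.

```python
import ipaddress
import struct
from typing import Dict, Tuple

ICMPV6 = 58                              # IPv6 Next Header value for ICMPv6
ERROR_TYPES = {1, 2, 3, 4}               # Dest Unreachable, Packet Too Big (PMTU), Time Exceeded, Parameter Problem
NDP_TYPES = {133, 134, 135, 136, 137}    # RS, RA, NS, NA, Redirect: RFC 4861 requires hop limit 255
ROUTER_ADVERTISEMENT = 134
MLD_TYPES = {130, 131, 132, 143}         # MLD Query, Report, Done, MLDv2 Report: source must be link-local
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def build_packet(src: str, dst: str, icmp_type: int, hop_limit: int) -> bytes:
    """Constructed IPv6 header + minimal ICMPv6 header for testing; checksum left at zero."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4               # type, code, checksum, reserved
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)   # version 6, TC 0, flow label 0
    ipv6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ipv6 + icmp

def parse(pkt: bytes) -> Dict[str, object]:
    """Pull the fields the checks need out of the fixed 40-byte IPv6 header."""
    if len(pkt) < 41:
        raise ValueError("truncated packet")
    ver_tc_flow, _payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "type": pkt[40] if next_header == ICMPV6 else None,   # ICMPv6 type is the first payload byte
    }

def check_icmpv6(pkt: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for one packet according to the rules in the article."""
    f = parse(pkt)
    if f["next_header"] != ICMPV6:
        return True, "not ICMPv6; outside this filter"
    t, hl, src = f["type"], f["hop_limit"], f["src"]
    if t in ERROR_TYPES:
        return True, "error/PMTU message; these are routed, so the hop limit is not constrained"
    if t in NDP_TYPES and hl != 255:
        return False, f"NDP type {t} with hop limit {hl}: crossed a router or was crafted"
    if t == ROUTER_ADVERTISEMENT and src not in LINK_LOCAL:
        return False, f"RA from non-link-local source {src}"
    if t in MLD_TYPES and src not in LINK_LOCAL:
        return False, f"MLD type {t} from non-link-local source {src}"
    return True, "passes hop limit and source address checks"

if __name__ == "__main__":
    # Constructed packets: (label, src, dst, ICMPv6 type, hop limit)
    samples = [
        ("NS from local host",        "fe80::1",     "ff02::1:ff00:1", 135, 255),
        ("NS with decremented hops",  "fe80::1",     "ff02::1:ff00:1", 135, 64),
        ("RA from global source",     "2001:db8::1", "ff02::1",        134, 255),
        ("MLD report, global source", "2001:db8::5", "ff02::16",       131, 1),
        ("MLD report, link-local",    "fe80::5",     "ff02::16",       131, 1),
        ("Time Exceeded from router", "2001:db8::1", "2001:db8::9",    3,   60),
    ]
    for label, src, dst, t, hl in samples:
        ok, why = check_icmpv6(build_packet(src, dst, t, hl))
        print(f"{'ACCEPT' if ok else 'DROP  '} {label}: {why}")
```

Note that MLD is sent with a hop limit of 1, so the 255 rule is deliberately not applied to it; the article's rule for MLD is the link-local source, which is what the filter enforces. The same structure extends to the IANA allocation check mentioned above by adding a list of permitted source prefixes in front of the type-specific rules.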