Securing the Access Layer (IOS Advantage Webinar)


Different techniques can be used to secure the access layer, from establishing a perimeter and blocking known attack vectors to enhancing your ability to monitor rogue activity on your network. By implementing the right combination of features, you can greatly enhance your ability to provide secure network access.

Transcript of Securing the Access Layer (IOS Advantage Webinar)

Page 1: Securing the Access Layer (IOS Advantage Webinar)

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1

Cisco IOS Advantage Webinars Securing the Access Layer

Jason Frazier / Andrew Yourtchenko / Ralph Schmieder

We’ll get started a few minutes past the top of the hour.

Note: you may not hear any audio until we get started.

Page 2: Securing the Access Layer (IOS Advantage Webinar)


Speakers

Jason Frazier

Ralph Schmieder

Andrew Yourtchenko

Panelists

Shelly Cadora

Ken Hook

Eric Vyncke

Page 3: Securing the Access Layer (IOS Advantage Webinar)


• Submit questions in Q&A panel and send to “All Panelists”

Avoid CHAT window for better access to panelists

• For Webex audio, select COMMUNICATE > Join Audio Broadcast

• For Webex call back, click ALLOW Phone button at the bottom of Participants side panel

• Where can I get the presentation?

https://communities.cisco.com/docs/DOC-29149

Or send email to: [email protected]

• Please fill in Survey at end of event

• Join us on June 6 for our next IOS Advantage Webinar:

Deploying Application Visibility and Control Policies

Page 4: Securing the Access Layer (IOS Advantage Webinar)


Risk and Exposure

• Exposed to end users, the access layer is inherently vulnerable

Infrastructure Protection

• Security at the network edge protects the network infrastructure

Network Intelligence

• Key data can only be gathered at the access layer

Page 5: Securing the Access Layer (IOS Advantage Webinar)


Enforce:

• Establish perimeter

• Block known attack vectors

• Apply best practices

Monitor:

• Make L2 and L3 flows centrally visible

• Collect detailed telemetry of endpoints

Page 6: Securing the Access Layer (IOS Advantage Webinar)


Intro

Establish the Perimeter

Monitor

IPv6 Refresher

SeND

Distributed vs. Centralized

IPv6 Vulnerabilities and Attack Vectors

Enforce

Conclusion


Page 8: Securing the Access Layer (IOS Advantage Webinar)


IEEE 802.1X Is Like a Port Firewall

• No access for unknown users

• Customizable access for authenticated users and devices

Page 9: Securing the Access Layer (IOS Advantage Webinar)


802.1X host modes

• Single Host (802.1X): Only one MAC address is allowed. A 2nd MAC address (e.g., a second endpoint behind a hub) causes a security violation. Authorization: dACL.

• Multi-Host: The 1st MAC address is authenticated. A 2nd endpoint behind the same port piggybacks on the 1st MAC address's authentication and bypasses authentication ("authenticated piggyback"). Authorization: VLAN*.

• Multi-Domain Auth (MDA): Each domain (Voice or Data) authenticates one MAC address. A 2nd MAC address on either domain causes a security violation. Authorization: VLAN, dACL.

• Multi-Authentication: The Voice domain authenticates one MAC address; the Data domain authenticates multiple MAC addresses. dACL or a single VLAN assignment for all devices is supported. Authorization: dACL, VLAN*.
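The four host modes above differ only in how the port treats a second MAC address. The following simulation is an added example (not Cisco code) that encodes those rules so the piggyback exposure of multi-host mode can be compared with the other modes; the mode names, domain names and result strings are this example's own choices.

```python
"""Simulation of the 802.1X port host modes described on the slide (added example)."""
from dataclasses import dataclass, field

SINGLE_HOST = "single-host"    # one MAC on the port, regardless of domain
MULTI_HOST = "multi-host"      # first MAC authenticates, later MACs ride along
MULTI_DOMAIN = "multi-domain"  # MDA: one MAC in the voice domain, one in data
MULTI_AUTH = "multi-auth"      # one voice MAC, any number of authenticated data MACs


@dataclass
class Port:
    mode: str
    # authenticated MACs per domain ("data" / "voice")
    authenticated: dict = field(default_factory=lambda: {"data": set(), "voice": set()})
    violations: list = field(default_factory=list)

    def admit(self, mac: str, domain: str, auth_ok: bool) -> str:
        """Decide what the port does with traffic from `mac` in `domain`.

        auth_ok says whether this MAC would pass 802.1X/MAB if challenged.
        Returns "AUTHENTICATED", "PIGGYBACK" (admitted without its own
        authentication, multi-host only), "VIOLATION" or "DENIED".
        """
        mac = mac.lower()
        known = self.authenticated[domain]
        if mac in known:
            return "AUTHENTICATED"
        port_in_use = any(self.authenticated.values())
        if self.mode == SINGLE_HOST:
            if port_in_use:                     # 2nd MAC address -> security violation
                self.violations.append(mac)
                return "VIOLATION"
            return self._authenticate(mac, domain, auth_ok)
        if self.mode == MULTI_HOST:
            if port_in_use:                     # 2nd endpoint bypasses authentication
                return "PIGGYBACK"
            return self._authenticate(mac, domain, auth_ok)
        if self.mode == MULTI_DOMAIN:
            if known:                           # 2nd MAC in the same domain -> violation
                self.violations.append(mac)
                return "VIOLATION"
            return self._authenticate(mac, domain, auth_ok)
        if self.mode == MULTI_AUTH:
            if domain == "voice" and known:     # voice domain still limited to one MAC
                self.violations.append(mac)
                return "VIOLATION"
            return self._authenticate(mac, domain, auth_ok)   # every data MAC on its own
        raise ValueError(f"unknown host mode {self.mode!r}")

    def _authenticate(self, mac: str, domain: str, auth_ok: bool) -> str:
        if not auth_ok:
            return "DENIED"
        self.authenticated[domain].add(mac)
        return "AUTHENTICATED"


def piggyback_exposure(mode: str) -> bool:
    """True if, once one device has authenticated, a second device that would
    fail authentication still gets network access in this host mode."""
    port = Port(mode)
    port.admit("00:11:22:33:44:01", "data", auth_ok=True)    # constructed MACs
    return port.admit("00:11:22:33:44:02", "data", auth_ok=False) == "PIGGYBACK"


if __name__ == "__main__":
    for mode in (SINGLE_HOST, MULTI_HOST, MULTI_DOMAIN, MULTI_AUTH):
        print(f"{mode:13s} exposed to piggyback: {piggyback_exposure(mode)}")
```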

Page 10: Securing the Access Layer (IOS Advantage Webinar)


Known Attack Vectors:

• Spoofing and MITM

• Bypassing NAC Requirements

Sophisticated, commercial Tools available (Example: Pwn Plug Elite)

How to address this?

Page 11: Securing the Access Layer (IOS Advantage Webinar)


MACsec

• Even with physical access, rogue users cannot monitor or spoof encrypted traffic

• MACsec on the uplink and on the downlink

Page 12: Securing the Access Layer (IOS Advantage Webinar)


Network Edge Authentication Topology (NEAT)

• Extend trust into physically unsecured locations (e.g., conference rooms, cubicles, etc.)

• Prevent unauthorized network extensions

• Secure access control for shared media access

• Industry first

[Figure: ISE and corporate resources behind a chain of switches; secure / insecure perimeter demarcation]

Page 13: Securing the Access Layer (IOS Advantage Webinar)


Not all networks are alike –

Cisco offers a solution that suits your needs!

Page 14: Securing the Access Layer (IOS Advantage Webinar)


Solution

• Securing the perimeter is part of TrustSec

• This includes Policy Server and proven designs which span across multiple technologies

Deployment Models

• Pick what is best suited for your environment

• Adapt the solution to changing security requirements

Feature Rich Implementation

• Successful implementation in Real World Networks goes way beyond basic authentication

• Address all networked devices, known and unknown

• BYOD as part of the solution

Guidelines available

• TrustSec Design & Implementation Guide (DIG, www.cisco.com/go/trustsec)

• Whitepapers, Data Sheets and Presentations (www.cisco.com/go/ibns)


Page 16: Securing the Access Layer (IOS Advantage Webinar)


• Can I identify network attacks before they impact productivity?

• Can I prevent loss of data and employee productivity in case of attacks?

• Can I protect the company’s brand and reputation?

Page 17: Securing the Access Layer (IOS Advantage Webinar)


Know your network

• Know the applications running in your network

• Know what devices are accessing what resources

• Perform capacity planning

From the wiring closet

• All flows available with greatest detail

• Locate the source precisely: get MAC address and access port information associated with the flow

• Location awareness: map ports to location

Flow analysis, and more

• Correlate flow, port and MAC

• Mapping user identity to the flows is the next step

• External software to analyze, correlate and alarm

• Anomaly detection and reporting

Page 18: Securing the Access Layer (IOS Advantage Webinar)


Visibility with Smart Logging

[Figure: attack and countermeasure at the access switch; Smart Logging/Telemetry exported via NetFlow v9 to a NetFlow Collector]

• Is the access layer under attack?

• What is the nature of the attack?

• Are my countermeasures working?

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10745/product_bulletin_c25-658743_ps6406_Products_Bulletin.html


Page 20: Securing the Access Layer (IOS Advantage Webinar)


Visibility With IOS Sensor

• Correlate CDP, LLDP, DHCP, MAC OUI, RADIUS, NetFlow data and location

• Centralized profiling and analysis at ISE

[Figure: endpoints (employee with bad credential, employee, guest, managed assets, rogue) identified via 802.1X; the switch's CDP, LLDP, DHCP, NetFlow and RADIUS data feed ISE]

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html


Page 22: Securing the Access Layer (IOS Advantage Webinar)


‘Monitor Mode’

What

• Authenticate without authorizing

• 802.1X / MAB reveal who / what

• Everyone still gets full access

Why

• Leverage existing information

• Prepare for access control

• The “easy button” for 802.1X

RADIUS Authentication & Accounting Logs (at ISE)

• Username, MAC address, IP address, switch, port, usage statistics: all in one place!

• Passed/failed 802.1X attempts: valid / invalid 802.1X-capable endpoints

• Passed/failed MAB attempts: valid / unknown MACs


Page 24: Securing the Access Layer (IOS Advantage Webinar)


Operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.

• It encompasses:

• Address configuration parameters

• Address initialization

• Address resolution

• Default gateway discovery

• Local network configuration

• Neighbor reachability tracking

Page 25: Securing the Access Layer (IOS Advantage Webinar)


NDP (ARP replacement in IPv6)

• Discover other hosts & routers on local network

• Incorporates many features from older link-layer protocols

• Makes extensive use of IPv6 multicast addresses

• Operates using ICMPv6

NDP is also the protocol used to learn information:

• About other hosts

  • Address Resolution*

  • Duplicate Addresses

  • Neighbor Unreachable

  • Next Hop

• About routers

  • Discovery

  • Network Prefix

  • Network Parameters

  • Autoconfiguration

* Like we used to do with ARP

Page 26: Securing the Access Layer (IOS Advantage Webinar)


Primary ICMPv6 NDP Messages

• Neighbor solicitation (NS)

• Neighbor advertisements (NA)

• Router solicitation (RS)

• Router advertisements (RA)

• Neighbor Unreachability Detection (NUD)

• Duplicate Address Detection (DAD)

• Redirects

• IPv6 Stateless Address Auto Configuration (SLAAC)

All can be used as attack vectors! Defined in RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)” and RFC 4862 (“IPv6 Stateless Address Autoconfiguration”)

Page 27: Securing the Access Layer (IOS Advantage Webinar)


End-nodes exposed to many threats

• Address configuration parameters: Trickery on configuration parameters

• Address initialization: Denial of address insertion

• Address resolution: Address stealing

• Default gateway discovery: Rogue routers

• Local network configuration: Trickery on configuration parameters

• Neighbor reachability tracking: Trickery on neighbor status

Malicious nodes can hide on the link

• To disrupt link-operations

• To poison neighbor caches

• To attack on-link or off-link victims

• To hijack key roles such as routers or DHCP servers

Malicious nodes can sit anywhere in the network

• To launch DoS attacks on last-router and exploit link-operations security caveats

Page 28: Securing the Access Layer (IOS Advantage Webinar)


Threats are very much topology dependent: what is specific to IPv6 from topology standpoint?

• More addresses!

• More end-nodes allowed on the link (up to 2^64!)

• Bigger neighbor cache on end-nodes and on default-router

• May lead to some dramatic topology evolution

• Creates new opportunities for DoS attacks

Threats are also dependent on the protocols in use: what is different?

• More distributed and more autonomous operations

• Nodes discover automatically their default router

• Nodes auto-configure their addresses

• Nodes defend themselves (SeND)

• Distributed address assignment creates more challenges for address security

Page 29: Securing the Access Layer (IOS Advantage Webinar)


Legacy IPv4 link model is very much DHCP-centric: the DHCP server announces link parameters, announces the default router and assigns addresses.

IPv6 link model is essentially distributed, with DHCP playing a minor role: nodes self-assign their addresses.


Page 31: Securing the Access Layer (IOS Advantage Webinar)


Distributed Security ≡ Secure Neighbor Discovery

WHAT SEND PROVIDES

• Each node on the link takes care of its own security

• Verifies router legitimacy

• Verifies address ownership

WHAT SEND DOES NOT PROVIDE

• It does not verify other key role legitimacy (DHCP server, NTP, etc.)

• It only applies to link operations

• It does not provide end-to-end security

• It does not guarantee authorization (≠ 802.1X)

Page 32: Securing the Access Layer (IOS Advantage Webinar)


[Figure: the ND message is SIGNed by the sender and VERIFIED by the receiver; the receiver computes the address from Prefix + Interface-id and compares it with the message's source address (“Address Src = My address!”)]

Page 33: Securing the Access Layer (IOS Advantage Webinar)


[Figure: SeND router authorization. Router R obtains a router certificate CR from Certificate Authority CA0 (certificate C0) through a router certificate request. The host sends a Certificate Path Solicit (CPS): “I trust CA0, who are you?” The router answers with a Certificate Path Advertise (CPA): “I am R, this is my certificate CR”. Step 6: the host verifies CR against CA0. Step 7: on the Router Advertisement from R, the host starts using R as default gateway.]

Page 34: Securing the Access Layer (IOS Advantage Webinar)


A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside.

To benefit fully from SeND, nodes must be:

• Provisioned with CA certificate(s)

• Time synchronized / have access to the NTP server

• Have access to a CRL or OCSP server

[Figure: CA, router and host pairs inside and outside the administrative boundary]

Page 35: Securing the Access Layer (IOS Advantage Webinar)


• Due to transition realities and lack of pervasive support for SeND:

At best there will be a mix of CGA, Router Auth. and “old” ND support

More likely, a small number of SeND capable nodes lost in the middle of many non-capable.

• This has almost no value because it is a two-player game: nodes with no SeND / CGA support can’t verify SeND / CGA credentials!

Page 36: Securing the Access Layer (IOS Advantage Webinar)


Move to a different deployment model?


Page 38: Securing the Access Layer (IOS Advantage Webinar)


[Figure legend: host, router, time server, web server, DHCP server/relay; trusted end-nodes, un-trusted end-nodes, attacker]

• Distributed: security verified between any pair of nodes

• Centralized: security verified between each node and the central switch

Page 39: Securing the Access Layer (IOS Advantage Webinar)


Distributed model

• Advantages

– No central administration, no central operation

– No bottleneck, no single point of failure

– Intrinsic part of the link operations

– Not tied to the L2 infrastructure

– Load distribution

• Disadvantages

– Heavy provisioning of end-nodes

– Only provisioned end-nodes are protected

– Tied to node capability

– Bootstrapping issue

– Complexity spread all over the domain

[Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure, Internet]

Page 40: Securing the Access Layer (IOS Advantage Webinar)


Centralized model

• Advantages

– Central administration, central operation

– Complexity and provisioning limited to first hop

– All nodes protected

– Transitioning much easier

• Disadvantages

– Applicable only to certain topologies

– Requires first hop to learn about end-nodes

– First hop can be a bottleneck and single point of failure

[Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure]

Page 41: Securing the Access Layer (IOS Advantage Webinar)


WHAT IS IT?

• Takes care of all nodes' security, primarily from a link-operations standpoint

• Leverages information gleaned by snooping link-operations

• Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.

REQUIREMENTS

• Must be “in the centre” or part of the security perimeter

• Requires some provisioning

• Must be versatile (NDP, SeND, DHCP, MLD, etc.)

Page 42: Securing the Access Layer (IOS Advantage Webinar)


First Hop Security (FHS)

[Figure: FHS enforced at each access switch]


Page 44: Securing the Access Layer (IOS Advantage Webinar)


Router discovery

• Find default/first-hop routers

• Discover on-link prefixes => which destinations are neighbors

• Messages: Router Advertisements (RA), Router Solicitations (RS)

Exchange between host A and router B:

RS: ICMP Type = 133 (Router Solicitation)
  Src = UNSPEC (or host link-local address)
  Dst = All-routers multicast address (FF02::2)
  Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
  Src = Router link-local address
  Dst = All-nodes multicast address (FF02::1)
  Data = router lifetime, retrans timer, autoconfig flag
  Option = Prefix, lifetime

A then uses B as default gateway.

Page 45: Securing the Access Layer (IOS Advantage Webinar)


Rogue Router Advertisement

• Attacker tricks victim into accepting him as default router

• Based on rogue Router Advertisements

• The most frequent threat by non-malicious user

Messages seen by node A (attacker C, legitimate router B):

RA: Src = C’s link-local address; Dst = All-nodes; Data = router lifetime, autoconfig flag; Options = subnet prefix, SLLA

RA: Src = B’s link-local address; Dst = All-nodes; Data = router lifetime = 0

Result: node A sends its off-link traffic to C.

Page 46: Securing the Access Layer (IOS Advantage Webinar)


Stateless Address Autoconfiguration (SLAAC)

• Stateless, based on prefix information delivered in Router Advertisements

• Messages: Router Advertisements, Router Solicitations

RS: ICMP Type = 133 (Router Solicitation)
  Src = UNSPEC (or host link-local address)
  Dst = All-routers multicast address (FF02::2)
  Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
  Src = Router link-local address
  Dst = All-nodes multicast address (FF02::1)
  Data = router lifetime, retrans timer, autoconfig flag
  Options = Prefix X, Y, Z, lifetime

The host computes X::x, Y::y, Z::z, runs DAD on them (NS), then sources traffic with X::x, Y::y, Z::z.

Page 47: Securing the Access Layer (IOS Advantage Webinar)


Bogus on-link prefix

• Attacker spoofs Router Advertisement with false on-link prefix

• Victim generates IP address with this prefix

• Access router drops outgoing packets from victim (ingress filtering)

• Incoming packets can't reach victim

RA: Src = B’s link-local address; Dst = All-nodes; Options = prefix BAD, preferred lifetime
  => A computes BAD::A and runs DAD on it

RA: Src = B’s link-local address; Dst = All-nodes; Options = prefix X, preferred lifetime = 0
  => A deprecates X::A

Node A now sources off-link traffic to B with BAD::A, and B filters out BAD::A.

Page 48: Securing the Access Layer (IOS Advantage Webinar)


Address resolution

• Resolves IP address into MAC address

• Creates neighbor cache entry

• Messages: Neighbor Solicitation, Neighbor Advertisement

NS: ICMP type = 135 (Neighbor Solicitation)
  Src = A
  Dst = Solicited-node multicast address of B
  Data = B
  Option = link-layer address of A
  Query = what is B’s link-layer address?

NA: ICMP type = 136 (Neighbor Advertisement)
  Src = one of B’s interface addresses
  Dst = A
  Data = B
  Option = link-layer address of B

A and B can now exchange packets on this link.

Page 49: Securing the Access Layer (IOS Advantage Webinar)


Neighbor Advertisement spoofing

• Attacker can claim victim's IP address

NS from A: Dst = Solicited-node multicast address of B; Query = what is B’s link-layer address?

NA from C: Src = B or any of C’s interface addresses; Dst = A; Data = B; Option = link-layer address of C

Page 50: Securing the Access Layer (IOS Advantage Webinar)


Duplicate Address Detection (DAD)

• Verify address uniqueness

• Probe neighbors to verify nobody claims the address

• Messages: Neighbor Solicitation, Neighbor Advertisement

NS: ICMP type = 135 (Neighbor Solicitation)
  Src = UNSPEC = 0::0
  Dst = Solicited-node multicast address of A
  Data = A
  Query = Does anybody use A already?

No answer: node A can start using address A.

Page 51: Securing the Access Layer (IOS Advantage Webinar)


DAD denial of service

• Attacker answers any of the victim's DAD attempts

• Victim can't configure IP address and can't communicate

NS from A: Src = UNSPEC; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?

NA from C: Src = any of C’s interface addresses; Dst = A; Data = A; Option = link-layer address of C (“it’s mine!”)


Page 53: Securing the Access Layer (IOS Advantage Webinar)


IPv4 first-hop security: attack => countermeasure

• DHCP attack => DHCP Snooping

• ARP attack => Dynamic ARP Inspection

• IP spoof attack => IP Source Guard

• RA attack => RA Guard

• STP attack => BPDU Guard

• CPU attack => Control Plane Policing

(Threat classes: MiTM, DoS)

Page 54: Securing the Access Layer (IOS Advantage Webinar)


• For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf

Page 55: Securing the Access Layer (IOS Advantage Webinar)


IPv6 FHS

• IPv6 Binding Integrity Guard: integrity protection for the FHS binding table; protection against IPv6 address theft

• IPv6 RA Guard: protection against MiM attacks; protection against rogue or malicious Router Advertisements

• IPv6 DHCP Guard: protection against MiM & DoS attacks; rejects invalid DHCP Offers

• IPv6 Source Guard: validates source address or prefix; protects against source address spoofing

• IPv6 Destination Guard: validates destination address of IPv6 traffic reaching the link; protects against scanning or DoS attacks

Page 56: Securing the Access Layer (IOS Advantage Webinar)


• If IPv6 RA Guard is not available, an IPv6 ACL applied inbound on the access port blocks DHCPv6 server-to-client traffic and Router Advertisements from the host side:

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any

interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Page 57: Securing the Access Layer (IOS Advantage Webinar)


IPv6 RA Guard

[Figure: a Router Advertisement (“I am the default gateway”, option: prefix(es)) reaches the host only after the switch's verification succeeds and it bridges the RA]

• Switch selectively accepts or rejects RAs based on various criteria

• Can be ACL based (configuration-based), learning-based or challenge (SeND) based

• Hosts see only allowed RAs, and RAs with allowed content
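The configuration-based variant is simple enough to show end to end. The code below is an added example (not Cisco code or the switch's implementation): it parses the ICMPv6 part of a Router Advertisement (RFC 4861 format) and then applies a policy modelled on the slide's criteria, with the port's device-role standing in for "which ports may send RAs" and an allowed-prefix list standing in for the ACL; the role names, the lifetime bound and the sample packets are this example's own.

```python
"""Configuration-based RA Guard decision over a parsed Router Advertisement (added example)."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # ND option type: Prefix Information
RFC_MAX_LIFETIME = 9000  # largest Router Lifetime RFC 4861 allows


def parse_ra(payload: bytes) -> dict:
    """Parse the ICMPv6 body of a Router Advertisement into a dict.
    Raises ValueError on anything malformed; the guard treats that as a drop."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 RA header")
    icmp_type, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_RA:
        raise ValueError(f"not a Router Advertisement (type {icmp_type})")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "lifetime": lifetime, "prefixes": []}
    off = 16
    while off < len(payload):                      # walk the TLV options
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                           # RFC 4861: length 0 must be discarded
            raise ValueError("option with length 0")
        opt = payload[off:off + opt_len * 8]       # option length is in units of 8 octets
        if len(opt) != opt_len * 8:
            raise ValueError("truncated option body")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": prefix, "valid": valid,
                                   "preferred": preferred,
                                   "autonomous": bool(pflags & 0x40)})
        off += opt_len * 8
    return ra


def ra_guard(port_role: str, payload: bytes, allowed_prefixes,
             max_lifetime: int = RFC_MAX_LIFETIME) -> tuple:
    """Decide whether the switch bridges an RA received on a port.
    port_role is the hypothetical device-role of the ingress port ("router" or "host").
    Returns ("BRIDGE", reason) or ("DROP", reason)."""
    if port_role != "router":                      # RAs only from router-facing ports
        return "DROP", f"RA received on a port with device-role {port_role}"
    try:
        ra = parse_ra(payload)
    except ValueError as err:
        return "DROP", f"malformed RA: {err}"
    if ra["lifetime"] > max_lifetime:
        return "DROP", f"router lifetime {ra['lifetime']} exceeds policy"
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for p in ra["prefixes"]:                       # every advertised prefix must be allowed
        if p["prefix"] not in allowed:
            return "DROP", f"prefix {p['prefix']} not permitted on this link"
    return "BRIDGE", "RA matches policy"


def build_ra(lifetime: int, prefixes) -> bytes:
    """Constructed RA for testing (checksum left at 0; no real router behind it)."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    for pfx in prefixes:
        net = ipaddress.IPv6Network(pfx)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           0xC0, 2592000, 604800, 0)   # L+A flags, lifetimes, reserved
        msg += net.network_address.packed
    return msg


if __name__ == "__main__":
    policy = ["2001:db8:1::/64"]                   # constructed allowed prefix
    print(ra_guard("router", build_ra(1800, policy), policy))
    print(ra_guard("host", build_ra(1800, policy), policy))
    print(ra_guard("router", build_ra(1800, ["2001:db8:bad::/64"]), policy))
```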

Page 58: Securing the Access Layer (IOS Advantage Webinar)


• Extension header chain can be so large that it is fragmented!

• Finding the layer 4 information is not trivial in IPv6

Skip all known extension headers:

  until either a known layer 4 header is found => SUCCESS

  or an unknown extension header / layer 4 header is found... => FAILURE

  or the end of the extension headers is reached => FAILURE

Fragment 1: IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment

Fragment 2: IPv6 hdr | HopByHop | Fragment | ICMP | Data

(The layer 4 header is in the 2nd fragment.)
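The walk the slide describes, run over constructed packets, as an added example (not Cisco code): the classifier skips the extension headers it knows, stops with SUCCESS at a known layer-4 header, and reports FAILURE on an unknown header, on a chain that ends before a layer-4 header, and on a non-first fragment (whose layer-4 header travels in another fragment). The header numbers are the IANA assignments; the sample packets, addresses and the header-count bound are this example's own.

```python
"""IPv6 extension-header walk that locates the layer 4 header (added example)."""
import struct

IPV6_HDR_LEN = 40
HOPBYHOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60       # known extension headers
TCP, UDP, ICMPV6 = 6, 17, 58                                  # known layer 4 headers
KNOWN_EXT = {HOPBYHOP, ROUTING, FRAGMENT, DEST_OPTS}
KNOWN_L4 = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}
MAX_HEADERS = 8   # bound the walk so an absurd chain cannot stall the classifier


def find_l4(pkt: bytes) -> tuple:
    """Return (status, detail, offset): status is "SUCCESS" or "FAILURE",
    detail the layer 4 name or the failure reason, offset where the walk stopped."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "FAILURE", "not an IPv6 packet", 0
    nh, off = pkt[6], IPV6_HDR_LEN                 # Next Header field of the IPv6 header
    for _ in range(MAX_HEADERS):
        if nh in KNOWN_L4:
            if off + 4 > len(pkt):                 # the type is known but the header is not here
                return "FAILURE", "layer 4 header absent or truncated", off
            return "SUCCESS", KNOWN_L4[nh], off
        if nh not in KNOWN_EXT:
            return "FAILURE", f"unknown header {nh}", off
        if off + 8 > len(pkt):
            return "FAILURE", "end of extension headers", off
        if nh == FRAGMENT:                         # fixed 8 bytes: nh, reserved, offset/flags, id
            nh, _res, off_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            if off_flags >> 3:                     # non-zero fragment offset: not the first fragment,
                return "FAILURE", "layer 4 header is in another fragment", off
            continue
        # Hop-by-Hop, Routing, Destination: length in 8-octet units, not counting the first 8
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    return "FAILURE", "too many extension headers", off


# --- constructed packets (no real hosts) -------------------------------------------
def ipv6(next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header over payload, with constructed documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def ext(next_header: int, extra8: int = 0) -> bytes:
    """A Hop-by-Hop/Routing/Destination header whose Next Header is next_header,
    padded with zero options; extra8 adds 8-octet units to its length."""
    return bytes([next_header, extra8]) + b"\0" * (6 + extra8 * 8)


def frag(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    """Fragment header: 13-bit offset in 8-octet units, M flag in the low bit."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


PLAIN_UDP = ipv6(UDP, b"\0" * 8)
CHAIN_TCP = ipv6(HOPBYHOP, ext(DEST_OPTS) + ext(TCP, 1) + b"\0" * 20)
UNKNOWN = ipv6(HOPBYHOP, ext(253))                            # 253: experimental/testing
# First fragment like the slide: the chain continues past the Fragment header but the
# ICMPv6 header itself is not in this fragment.
FIRST_FRAG = ipv6(HOPBYHOP, ext(ROUTING) + ext(FRAGMENT) + frag(DEST_OPTS, 0, True) + ext(ICMPV6))
# Second fragment: bytes after the Fragment header are payload, not a header.
SECOND_FRAG = ipv6(HOPBYHOP, ext(FRAGMENT) + frag(DEST_OPTS, 37, False) + b"\x80\0" + b"\0" * 30)

if __name__ == "__main__":
    for name, p in [("plain udp", PLAIN_UDP), ("chain tcp", CHAIN_TCP), ("unknown", UNKNOWN),
                    ("first frag", FIRST_FRAG), ("second frag", SECOND_FRAG)]:
        print(f"{name:12s} -> {find_l4(p)}")
```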

Page 59: Securing the Access Layer (IOS Advantage Webinar)


Binding table

[Figure: the switch gleans addresses from the host's link traffic into the binding table and bridges a frame only if it is valid]

Address glean:

– Arbitrate collisions, check ownership

– Check against max allowed per box/vlan/port

– Record & report changes

Page 60: Securing the Access Layer (IOS Advantage Webinar)


Binding table lifecycle (hosts H1, H2, H3 on ports P1, P2, P3)

Before:

| IPv6 | MAC | VLAN | IF | STATE |
|---|---|---|---|---|
| A1 | MACH1 | 100 | P1 | STALE |
| A21 | MACH2 | 100 | P2 | REACH |
| A22 | MACH2 | 100 | P2 | REACH |
| A3 | MACH3 | 100 | P3 | STALE |

The switch probes the STALE entries: DAD NS [IP source=UNSPEC, target = A1] and DAD NS [IP source=UNSPEC, target = A3]. H1 answers with NA [target = A1, LLA=MACH1]; A3 gets no answer.

After:

| IPv6 | MAC | VLAN | IF | STATE |
|---|---|---|---|---|
| A1 | MACH1 | 100 | P1 | REACH |
| A21 | MACH2 | 100 | P2 | REACH |
| A22 | MACH2 | 100 | P2 | REACH |

– Keep track of device state

– Probe devices when becoming stale

– Remove inactive devices from the binding table

– Record binding creation/deletion/changes

Page 61: Securing the Access Layer (IOS Advantage Webinar)


Populating the binding table (hosts H1, H2, H3 on ports P1, P2, P3)

Sources gleaned by the switch:

– H1: NS [IP source=A1, LLA=MACH1]

– H2: DHCP REQUEST [XID, SMAC = MACH2] to the DHCP server, DHCP REPLY [XID, IPA21, IPA22] back; DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY between switch and DHCP server

– H3: data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target = A3]; NA [IP source=A1, LLA=MACH3] (A1 stays bound to MACH1)

Resulting binding table:

| IPv6 | MAC | VLAN | IF |
|---|---|---|---|
| A1 | MACH1 | 100 | P1 |
| A21 | MACH2 | 100 | P2 |
| A22 | MACH2 | 100 | P2 |
| A3 | MACH3 | 100 | P3 |

Page 62: Securing the Access Layer (IOS Advantage Webinar)


IPv6 Source Guard

Binding table:

| IPv6 | MAC | VLAN | IF |
|---|---|---|---|
| A1 | MACA1 | 100 | P1 |
| A21 | MACA21 | 100 | P2 |
| A22 | MACA22 | 100 | P2 |
| A3 | MACA3 | 100 | P3 |

Address glean (DAD NS [IP source=UNSPEC, target = A3]; NA [target = A1, LLA=MACA3]; DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY) keeps the table current.

– Allow traffic sourced with known IP/SMAC

– Deny traffic sourced with unknown IP/SMAC

P1: data, src = A1, SMAC = MACA1

P2: data, src = A21, SMAC = MACA21

P3: data, src = A3, SMAC = MACA3

Page 63: Securing the Access Layer (IOS Advantage Webinar)


IPv6 Destination Guard

• Mitigate prefix-scanning attacks and protect ND cache

• Useful at last-hop router and L3 distribution switch

• Drops packets for destinations without a binding entry

[Figure: scanning traffic from the Internet towards prefix P/64 (D1 ... Dn) reaches the L3 switch; for each packet the switch looks up the destination (e.g., D1) in the binding table and forwards only if a binding is found, so the neighbor cache is not consumed by unresolvable entries]
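Slides 59 to 63 describe one data structure used three ways: a binding table filled by address glean, then consulted by Source Guard and by Destination Guard. The model below is an added example (not Cisco code) that puts those pieces together: entries are gleaned from DAD NS, NA, data and DHCPv6 reply messages, collisions are arbitrated in favour of the existing owner, a per-port limit is enforced, entries age from REACH to STALE and are removed, and the two guards are simple lookups over the result. Addresses, MACs, port names, the message dicts and the limit value are constructed for the example.

```python
"""Toy first-hop binding table with Source Guard and Destination Guard checks (added example)."""
from dataclasses import dataclass

MAX_PER_PORT = 8   # the slide's "max allowed per port" check; value chosen for the example


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    state: str = "REACH"   # REACH while the host is seen, STALE after a timeout


class BindingTable:
    def __init__(self, max_per_port: int = MAX_PER_PORT):
        self.max_per_port = max_per_port
        self.entries = {}      # (ipv6, vlan) -> Binding
        self.log = []          # "record & report changes"

    def _count(self, port: str) -> int:
        return sum(1 for b in self.entries.values() if b.port == port)

    def glean(self, msg: dict) -> bool:
        """Learn from one snooped link message. Returns False if any pair was refused.
        Kinds: DAD_NS (target, smac), NA (target, lla), DATA (src, smac),
        DHCP_REPLY (addresses, mac). All kinds carry vlan and ingress port."""
        kind, vlan, port = msg["kind"], msg["vlan"], msg["port"]
        if kind == "DAD_NS":                       # IP source is UNSPEC, so bind to the frame's SMAC
            pairs = [(msg["target"], msg["smac"])]
        elif kind == "NA":
            pairs = [(msg["target"], msg["lla"])]
        elif kind == "DATA":
            pairs = [(msg["src"], msg["smac"])]
        elif kind == "DHCP_REPLY":                 # relayed reply: every leased address binds to the client MAC
            pairs = [(a, msg["mac"]) for a in msg["addresses"]]
        else:
            return False
        accepted = True
        for ip, mac in pairs:
            key = (ip.lower(), vlan)
            cur = self.entries.get(key)
            if cur and (cur.mac != mac or cur.port != port):
                # Collision: the address is already owned elsewhere; the owner keeps it.
                self.log.append(f"COLLISION {ip} claimed by {mac}/{port}, owned by {cur.mac}/{cur.port}")
                accepted = False
                continue
            if cur is None and self._count(port) >= self.max_per_port:
                self.log.append(f"LIMIT {port} full, refusing {ip}")
                accepted = False
                continue
            if cur is None:
                self.log.append(f"ADD {ip} {mac} vlan{vlan} {port}")
            self.entries[key] = Binding(mac, vlan, port, "REACH")   # (re)seen: back to REACH
        return accepted

    def age(self, ip: str, vlan: int) -> None:
        """Timer expiry: mark the binding STALE; the switch would now probe it with an NS."""
        b = self.entries.get((ip.lower(), vlan))
        if b:
            b.state = "STALE"

    def remove_inactive(self) -> int:
        """Drop bindings that stayed STALE (no NA came back to the probe). Returns the count."""
        dead = [k for k, b in self.entries.items() if b.state == "STALE"]
        for k in dead:
            self.log.append(f"DEL {k[0]} vlan{k[1]}")
            del self.entries[k]
        return len(dead)

    def source_guard(self, src: str, smac: str, vlan: int, port: str) -> bool:
        """IPv6 Source Guard: forward only if IP, SMAC and ingress port match a binding."""
        b = self.entries.get((src.lower(), vlan))
        return b is not None and b.mac == smac and b.port == port

    def destination_guard(self, dst: str, vlan: int) -> bool:
        """IPv6 Destination Guard: forward only to addresses that have a binding,
        so a /64 scan never triggers neighbor resolution for every probed address."""
        return (dst.lower(), vlan) in self.entries


if __name__ == "__main__":
    t = BindingTable(max_per_port=2)
    t.glean({"kind": "DAD_NS", "vlan": 100, "port": "P1", "target": "2001:db8::a1", "smac": "MACH1"})
    t.glean({"kind": "DHCP_REPLY", "vlan": 100, "port": "P2",
             "addresses": ["2001:db8::a21", "2001:db8::a22"], "mac": "MACH2"})
    t.glean({"kind": "NA", "vlan": 100, "port": "P3", "target": "2001:db8::a1", "lla": "MACH3"})
    print("\n".join(t.log))
    print("source guard P3 claiming A1:", t.source_guard("2001:db8::a1", "MACH3", 100, "P3"))
    print("destination guard unknown :", t.destination_guard("2001:db8::ffff", 100))
```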

Page 64: Securing the Access Layer (IOS Advantage Webinar)


DHCPv6 bindings learned through the relay

[Figure: the host sends a DHCP REQUEST; the switch forwards it to the DHCP server as DHCP REQUEST + Interface-ID option; the server's DHCP REPLY + Interface-ID option returns through the switch, which stores the binding before delivering the DHCP REPLY to the host]

Page 65: Securing the Access Layer (IOS Advantage Webinar)


• ~5,000 MAC addresses seen

• ~75% of MAC addresses dual-stack: had both IPv4 and IPv6

• Multi-subnet CAPWAP: need multicast routing; else no RA reaches the client, hence no IPv6

• Needed to tune the timers aggressively: 3 minutes

• iPad / iPhone create a new address every time they join the net; the limit of 8 addresses is not enough!

Page 66: Securing the Access Layer (IOS Advantage Webinar)


• IPv6 FHS

• IPv4 FHS

Page 67: Securing the Access Layer (IOS Advantage Webinar)


• Control Plane Policing (CoPP): Protect the Control Plane of a network device from DoS attacks

• STP toolkit (Root Guard, BPDU Guard). Safeguard the STP from misconfiguration and malicious attacks

• Best Practices about Infrastructure Security available

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


Page 70: Securing the Access Layer (IOS Advantage Webinar)


Enforce: Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, IPv6 RA Guard, IPv6 DHCP Guard, IPv6 Binding Integrity Guard, IPv6 Src/Dst Guard, MACsec

Monitor: Smart Logging, NetFlow, IOS Sensor

Enforce and Monitor: IEEE 802.1X, Monitor Mode


Page 72: Securing the Access Layer (IOS Advantage Webinar)

Thank you.

Page 73: Securing the Access Layer (IOS Advantage Webinar)


• Thank you!

• Please complete the post-event survey.

• Join us June 6 for our next webinar:

Deploying Application Visibility and Control Policies

To register, go to www.cisco.com/go/iosadvantage


Page 75: Securing the Access Layer (IOS Advantage Webinar)


Cisco IOS Software Platforms

| Feature | Catalyst 6500 | Catalyst 4000 | Catalyst 2K/3K | 2K IOS LAN Lite |
|---|---|---|---|---|
| IEEE 802.1X authentication | 12.1(13)SE | 12.2(40)SG | 12.2(25)SEA | 12.2(25)SEA |
| MAC Authentication Bypass | 12.2(33)SXH | 12.2(44)SG | 12.2(25)SEE | 12.2(37)EY |
| Local Web Authentication | 12.2(33)SXH | 12.2(40)SG | 12.2(35)SEE | No |
| Flexible authentication | 12.2(33)SXI | 12.2(50)SG | 12.2(50)SE | No |
| 802.1X with Open Access | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No |
| Multi-auth | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No |
| Multi-domain Auth (MDA) | 12.2(33)SXI | 12.2(44)SG | 12.2(35)SEE | No |
| NEAT | 12.2(33)SXJ | 12.2(54)SG | 12.2(52)SE | No |
| MACSec endpoint (downlink) encryption | No | Sup7E + 4748LC | 12.2(53)SE1 (3K-X) | No |
| MACSec uplink encryption | | | | |
| VLAN assignment | 12.1(13)E | 12.2(44)SG | 12.2(25)SEA | 12.2(37)EY |
| MDA with dynamic Voice VLAN assignment | No | 12.2(52)SG | 12.2(40)SE | No |
| Guest VLAN, Auth-Fail VLAN | 12.2(33)SXH | 12.2(40)SG | 12.2(25)SED | 12.2(37)EY |
| User Distribution | 12.2(33)SXI1 | 12.2(54)SG | 12.2(52)SE | No |
| Downloadable ACL | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No |
| RADIUS Change of Authorization | 12.2(33)SXI4 | 12.2(54)SG | 12.2(52)SE | No |
| Multiauth with VLAN assignment | ? | 15.0(2)SG | 12.2(55)SE | No |
| Wake-on-LAN (WoL) | 12.2(33)SXI | 12.2(40)SG | 12.2(25)SEC | No |
| Inactivity timer (MAB and 802.1x) | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | |
| CDP 2nd port disconnect | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No |
| Integration with DAI, IPSG, port security | 12.2(33)SXI | 12.2(40)SG | 12.2(25)SEA | 12.2(37)EY |
| MAC Move/MAC Replace | 12.2(33)SXI4 | 12.2(54)SG | 12.2(55)SE | No |
| Critical Data VLAN (IAB) | 12.2(33)SXH | 12.2(40)SG | 12.2(50)SE | No |
| Critical Voice VLAN | 12.2(33)SXJ1 | 15.0(2)SG | 15.0(1)SE | No |

Combine these features for easier deployments with “Monitor Mode”.

Most competitive switches lack these features that make 802.1X deployable. Make sure your customer includes them in RFP.

Page 76: Securing the Access Layer (IOS Advantage Webinar)


| Feature | 2K | 3K | 4K | 6K |
|---|---|---|---|---|
| DHCP Snooping | Y | Y | Y | Y |
| Dynamic ARP Inspection | Y | Y | Y | Y |
| IP Source Guard | Y | Y | Y | Y |
| BPDU Guard | Y | Y | Y | Y |
| RA Guard | 15.0(2)SE ‘Nile’, 2960S only | 15.0(2)SE ‘Nile’ (E and X) | 12.2(54)SG | 12.2(33)SXI4 |
| Control Plane Policing | N | N | Y | Y |

Page 77: Securing the Access Layer (IOS Advantage Webinar)


| Feature | 2K | 3K | 4K | 6K |
|---|---|---|---|---|
| Smart Logging | No | 12.2(58)SE | | |
| IOS Sensor | 15.0(1)SE* | 15.0(1)SE* | Oct 2011 | No |
| Netflow | No | With uplink module | Sup 7 | |
| Monitor Mode | 12.2(50)SG | 12.2(50)SG | 12.2(50)SE | 12.2(33)SXI |

*Full functionality requires ISE 1.1

Page 78: Securing the Access Layer (IOS Advantage Webinar)


What is specific with IPv6 in the layer-2 domain? More addresses!

• More end-nodes allowed on the link (up to 2^64!)

• More states (neighbor cache, etc.) on hosts routers and switches.

• May lead to some dramatic topology evolution.

• Creates new opportunities for DoS & MiM attacks

What else? Link-operations protocol(s): IPv6 = Neighbor Discovery

• More distributed and more autonomous operations

• Nodes discover automatically their default router.

• Nodes auto-configure their addresses

• Nodes can defend themselves (SeND)

Page 79: Securing the Access Layer (IOS Advantage Webinar)


• SeND is NOT a new protocol

• SeND is “just” an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.)

• Therefore ND+SeND remains a protocol operating on the link

• SeND is a distributed mitigation mechanism

• SeND does not provide any “end-to-end” security

• SeND specified in RFC3971 and RFC3972

Page 80: Securing the Access Layer (IOS Advantage Webinar)


• Very powerful: the RA Guard multicast group is built from the ports which have the RA Guard feature configured and a device-role of "router" or "monitor". Only switch ports belonging to the RA Guard multicast group will receive RS messages.

interface Ethernet0/0
 ipv6 nd router-preference high

switch(config)# ipv6 nd raguard limited-broadcast