From Perimeter Router Security Technical Implementation Guide Cisco
Part of IPv6 Router Advertisements must be suppressed.
Many of the known attacks on stateless autoconfiguration are defined in RFC 3756 and were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for the link-local attacks, but has since been found to have bootstrapping problems and to be very administratively intensive. Because an IP address is required before the IPSec security association can be set up, this creates the chicken-before-the-egg dilemma. Solutions are being developed (Secure Neighbor Discovery and Cryptographic Generated Addressing) to secure against these threats, but they are not available at the time of this writing.
Inspect the device configuration to validate IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc.), backdoor link, or an alternate gateway (AG). The configuration to suppress IPv6 router advertisements will look similar to the following on IOS devices:

    interface fa0/0
     ipv6 address 2001::0:0:1/64
     ipv6 nd ra suppress

Note: The suppression of IPv6 router advertisement is only applicable on IPv6-enabled interfaces. An IOS interface is enabled for IPv6 via the interface command ipv6 enable, which will automatically create the ipv6 link-local address, or the interface command ipv6 address. With the exception of Ethernet and FDDI, router advertisements are suppressed by default; hence, you will not see this command.
Configure the network device to enable router advertisement suppression on all external-facing interfaces that have IPv6 enabled.
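
The check above can be automated against a saved running-config. The following is an added example, not part of the STIG or of any Cisco tooling: the sample configuration is constructed, the function names are hypothetical, the list of external-facing interfaces must be supplied by the reviewer, and recognising Ethernet/FDDI media by interface-name prefix is an assumption.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ipv6 address 2001::0:0:1/64
 ipv6 nd ra suppress
!
interface FastEthernet0/1
 ipv6 enable
!
interface Serial0/0
 ipv6 address 2001:db8:2::1/64
!
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
!
"""

# Assumption: Ethernet and FDDI interfaces (router advertisements on by default)
# are recognised by name prefix; extend this for the platform under review.
RA_ON_BY_DEFAULT = re.compile(r"^(fa|gi|te|et|fd|\w*ethernet)", re.I)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip().lower())
        else:
            current = None  # "!" or any global command ends the stanza
    return interfaces

def ra_findings(config, external):
    """List external-facing, IPv6-enabled interfaces lacking RA suppression."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        # IPv6 is enabled by either "ipv6 enable" or "ipv6 address ...".
        ipv6_on = any(c == "ipv6 enable" or c.startswith("ipv6 address ") for c in cmds)
        suppressed = any(c.startswith("ipv6 nd ra suppress") for c in cmds)
        if name in external and ipv6_on and RA_ON_BY_DEFAULT.match(name) and not suppressed:
            findings.append(name)
    return findings

if __name__ == "__main__":
    external = {"FastEthernet0/0", "FastEthernet0/1", "Serial0/0", "GigabitEthernet0/2"}
    print(ra_findings(SAMPLE_CONFIG, external))
```

Serial0/0 is not reported because, per the note above, router advertisements are suppressed by default on interfaces other than Ethernet and FDDI; GigabitEthernet0/2 is not reported because it is not IPv6-enabled.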