
Some more Notes on RA Guard Evasion and “undetermined-transport”

I just had an interesting discussion with Jim Small (who gives the “IPv6 Attacks and Countermeasures” talk at the North American IPv6 Summit next week) about the feasibility of the “undetermined-transport” keyword in PACLs on Cisco 3560 switches (here running IOS 15.0(2)SE). Actually there’s some kind-of funny behavior with it on that platform (and there’s even some Cisco documentation stating it’s not supported). Let’s have a look, and start with a quick refresher.

Rogue router advertisements pose a significant security and network stability risk in IPv6 networks. That’s why there’s a security feature implemented on certain switches which is called “RA Guard” (see also here). Unfortunately (at least Cisco’s current implementation of) RA Guard can easily be circumvented, e.g. by using the following command from the THC IPV6 attack toolkit:

fake_router26 -E D eth0

This is a known problem (see Fernando‘s IETF draft on RA Guard implementation advice) and the common way of addressing this in Cisco space is by replacing RA Guard with a PACL containing “undetermined-transport” (as, for example, described/discussed here and here). Unfortunately, it seems that “undetermined-transport” is not supported on some 3560 platforms/images, and an attempt to bind an ACL containing it to a port gives a parsing error, like:


Switch>sh access-list
IPv6 access list Stop_RA_Attacks
deny icmp any any router-advertisement log-input sequence 10
deny ipv6 any any log-input undetermined-transport sequence 11
permit ipv6 any any sequence 20;

Switch(config)#int g0/3
Switch(config-if)# ipv6 traffic-filter Stop_RA_Attacks in
% This ACL contains following unsupported entries.
% Remove those entries and try again. deny ipv6 any any log-input undetermined-transport sequence 11
% This ACL can not be attached to the interface.
Switch(config-if)#
*Mar 1 00:59:05.298: %PARSE_RC-4-PRC_NON_COMPLIANCE: ` ipv6 traffic-filter Stop_RA_Attacks in'


However, if one adds the ACL entry containing “undetermined-transport” after binding the ACL to the port, it is accepted and, more importantly, it works like a charm (we tested this in several settings). This could look as follows:


Switch(config)#ipv6 access-list Stop_RA_Attacks
Switch(config-ipv6-acl)#no deny ipv6 any any log-input undetermined-transport $
Switch(config-ipv6-acl)#exi
Switch(config)#int g0/3
Switch(config-if)# ipv6 traffic-filter Stop_RA_Attacks in
Switch(config-if)#exi


and then


Switch(config)#ipv6 access-list Stop_RA_Attacks
Switch(config-ipv6-acl)#deny ipv6 any any log-input undetermined-transport sequence 11
Switch(config-ipv6-acl)#exi


Overall, the relevant parts of the config then look like:


Switch(config)#do sh run | b 0/3
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
ipv6 traffic-filter Stop_RA_Attacks in
Switch(config)#do sh access-list

IPv6 access list Stop_RA_Attacks
deny icmp any any router-advertisement log-input sequence 10
deny ipv6 any any log-input undetermined-transport sequence 11
permit ipv6 any any sequence 20
Switch(config)#


========

So, in short, PACLs with “undetermined-transport” currently provide much better protection against rogue RAs than “RA Guard” does. And they can be used on some platforms (at least on 3560s running 15.0(2)SE) if applied in the right order.
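To make the difference between the two approaches concrete, here is an added example that is not part of the original post and not Cisco code: a small Python model of the Stop_RA_Attacks PACL above. It walks the IPv6 extension header chain the way “undetermined-transport” has to, and contrasts it with a simplified RA Guard model (my assumption, not Cisco’s actual implementation) that only looks at a packet whose Next Header is directly ICMPv6. The sample packets are constructed inline (no valid checksums, only the header fields the classifier reads); the one with a Destination Options header in front of the RA stands in for the extension-header evasion discussed above, the fragmented ones for the case where the transport header is simply not present in the first fragment.

```python
"""Model of RA filtering with and without "undetermined-transport" (constructed example)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import List, Optional, Tuple

IPV6_HDR_LEN = 40
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_MOBILITY = 51, 60, 135
IPPROTO_NONE, IPPROTO_ICMPV6, IPPROTO_UDP = 59, 58, 17
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT,
               IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_MOBILITY}
ND_ROUTER_ADVERT = 134


@dataclass
class Verdict:
    transport: Optional[int]   # upper-layer protocol number, None if undetermined
    icmp_type: Optional[int]   # ICMPv6 type when the transport is ICMPv6
    chain: List[int]           # extension headers walked, in order
    note: str


def classify_ipv6(pkt: bytes) -> Verdict:
    """Walk the header chain. transport=None is what "undetermined-transport" matches:
    non-initial fragments and packets whose chain ends before the transport header.
    Treating "No Next Header" (59) as undetermined is an assumption of this model."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return Verdict(None, None, [], "not IPv6")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):                       # every extension header is >= 8 bytes
            return Verdict(None, None, chain, "chain truncated")
        if nh == IPPROTO_FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return Verdict(None, None, chain + [nh], "non-initial fragment")
            hlen = 8
        elif nh == IPPROTO_AH:
            hlen = (pkt[off + 1] + 2) * 4            # AH length is in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8            # other ext headers: 8-octet units minus 1
        chain.append(nh)
        nh, off = pkt[off], off + hlen
    if nh == IPPROTO_NONE or off >= len(pkt):
        return Verdict(None, None, chain, "no transport header in this packet")
    icmp_type = pkt[off] if nh == IPPROTO_ICMPV6 else None
    return Verdict(nh, icmp_type, chain, "ok")


def pacl_action(pkt: bytes) -> Tuple[str, int]:
    """Evaluate the Stop_RA_Attacks PACL from the post top to bottom."""
    v = classify_ipv6(pkt)
    if v.transport == IPPROTO_ICMPV6 and v.icmp_type == ND_ROUTER_ADVERT:
        return ("deny", 10)      # deny icmp any any router-advertisement
    if v.transport is None:
        return ("deny", 11)      # deny ipv6 any any undetermined-transport
    return ("permit", 20)        # permit ipv6 any any


def naive_ra_guard(pkt: bytes) -> bool:
    """Simplified RA Guard model (assumption): only an RA that directly follows the
    fixed IPv6 header is recognised; anything behind an extension header slips past."""
    return (len(pkt) > IPV6_HDR_LEN and pkt[6] == IPPROTO_ICMPV6
            and pkt[IPV6_HDR_LEN] == ND_ROUTER_ADVERT)


# --- constructed sample packets (header fields only, checksums left at zero) ---
SRC, DST = IPv6Address("fe80::1").packed, IPv6Address("ff02::1").packed


def ipv6(next_header: int, payload: bytes) -> bytes:
    # version 6, traffic class/flow label 0, payload length, next header, hop limit 255
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + SRC + DST + payload


def fragment(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


RA = bytes([ND_ROUTER_ADVERT, 0, 0, 0]) + bytes(12)             # type 134, code, csum, body
DSTOPTS_TO_ICMP = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # next=58, len 0, PadN(4)

SAMPLES = {
    "plain_ra": ipv6(IPPROTO_ICMPV6, RA),
    "ra_behind_dstopts": ipv6(IPPROTO_DSTOPTS, DSTOPTS_TO_ICMP + RA),
    # first fragment carrying only extension headers; the ICMPv6 header would follow later
    "first_frag_exts_only": ipv6(IPPROTO_FRAGMENT,
                                 fragment(IPPROTO_DSTOPTS, 0, True) + DSTOPTS_TO_ICMP),
    "second_frag": ipv6(IPPROTO_FRAGMENT, fragment(IPPROTO_ICMPV6, 2, False) + RA),
    "plain_udp": ipv6(IPPROTO_UDP, bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify_ipv6(pkt)
        print(f"{name:22} chain={v.chain} {v.note:35} "
              f"PACL={pacl_action(pkt)} naive_ra_guard={naive_ra_guard(pkt)}")
```

Running it shows the point of the post in one table: the naive check catches only the plain RA, while the PACL denies the RA behind the extension header through sequence 10 and the fragments through sequence 11 without ever needing to reassemble anything. The same walk also explains David’s observation in the comments: any legitimate traffic whose transport header is not in the first fragment hits sequence 11 as well, so the entry is deliberately coarse.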

Have a great weekend everybody

Enno

Comments

  1. Hi Enno,

    The expected behaviour should be the following on 15.0(2)SE: “undetermined-transport” should be supported on 3560s, but only on X and E series. The non X and E series do not support the “undetermined-transport” keyword, but should accept the ACL blindly (in case they are stacked with X and E).
    The non X and E series might never support “undetermined-transport” for hardware reasons.

    The output you provide seems to be different, and would indicate that the parser requires a specific order to apply the ACL. This is not good and we should get a bug filed if you are running an X/E series. If not, I’ll get pushed back by engineering.

    I don’t have a 3560 X or E available, so would you mind providing a “sh ver” from your switch so I can file a bug internally for this?

    Cheers,
    Alex

    1. Hi Alex,

      thanks for your feedback.
      Here’s the “sh ver”:

      Switch>sh ver | b Ports
      Switch Ports Model SW Version SW Image
      —— —– —– ———- ———-
      * 1 10 WS-C3560CG-8PC-S 15.0(2)SE C3560c405ex-UNIVERSALK9-M

      This one was/isn’t stacked with anything.

      best

      Enno

  2. Hi Enno,

    Did you ever have problems with the “deny ipv6 any any log-input undetermined-transport” statement dropping legitimate traffic? This is what I see on a 4500 platform.

    With Kind Regards,

    David
