05-15-2011 02:03 AM - edited 05-15-2011 02:41 AM
Securing IPv6 on A-series (Comware 5.2++)
I'd like to start a thread dealing with IPv6 problems and fixing them with the inbuilt capabilities of HP A-series switches based upon Comware 5.20 and up. It would be great if you could post your solutions as well.
----------------------------------------------------------------------------------------------------------------------------------------------------
- problem: faked router advertisement
- location: access port
- used tool: flood_router6 from http://www.thc.org/thc-ipv6/
- solution: blocking the unwanted traffic (RA Snooping)
acl ipv6 number 3900 name blocking-faked-ra
 rule 10 deny icmpv6 icmpv6-type router-advertisement
 rule 20 deny udp destination fe80::/64 destination-port eq 546 source-port eq 547
 quit
traffic behavior b_RA
 filter deny
 quit
traffic classifier c_RA
 if-match acl ipv6 3900
 quit
qos policy p_RA
 classifier c_RA behavior b_RA
 quit
interface GigabitEthernet 1/0/1
 qos apply policy p_RA inbound
 quit
06-01-2011 11:04 PM
Re: Securing IPv6 on A-series (Comware 5.2++)
Nice post! Looking forward to hearing other suggestions.
Paul
07-04-2011 02:10 AM - edited 07-04-2011 02:10 AM
Re: Securing IPv6 on A-series (Comware 5.2++)
Why not use 'nd detection'?
07-06-2011 02:21 AM
Re: Securing IPv6 on A-series (Comware 5.2++)
Yes, ND Attack Detection will cover this and other ND, RA, etc. issues. Works great. See:
br
Manuel
05-24-2012 10:35 AM
Re: Securing IPv6 on A-series (Comware 5.2++)
Does anyone know whether HP/H3C is working on an improved "ND attack detection/blocking mechanism", as this one needs a lot of improvement?
05-30-2012 03:23 AM
Re: Securing IPv6 on A-series (Comware 5.2++)
Which improvements do you want?
05-30-2012 08:03 AM - edited 05-30-2012 08:18 AM
Re: Securing IPv6 on A-series (Comware 5.2++)
Well,
reasons for improvement:
1. HP's “ipv6 nd detection” feature doesn't protect against IPv6 router advertisement flooding attacks (see below)
2. The “ACL and QoS Configuration Guide” says:
„Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first
fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the H3C ACL implementation:
• Filters all fragments by default, including non-first fragments.
• Allows for matching criteria modification, for example, filters non-first fragments only.”
=> RA flooding attacks based on fragmented packets aren't filtered by an activated packet-filter at all (see below)
3. Filtering fragmented IPv6 and ICMPv6 packets and/or specific routing headers isn't supported on HP's edge switches
used software tool
- THC-IPv6 (The Hackers Choice IPv6), toolkit for testing common IPv6 and ICMPv6 vulnerabilities
- http://thc.org/thc-ipv6/
- So let's play with it on a test subnet!
tested switching equipment
- HP 5500 EI (H3C S5500-EI, 3COM 4800G)
- Firmware release: A5500EI-CMW520-R2215
- http://h20000.www2.hp.com/bc/docs/support/SupportManual/c03330497/c03330497.pdf
- HP 5500 HI
- Firmware release: A5500HI-CMW520-R5101P01
- http://h20000.www2.hp.com/bc/docs/support/SupportManual/c03207368/c03207368.pdf
1. test case 1: “ipv6 nd detection” (5500 EI/5500 HI):
- Activate nd detection:
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]vlan 1
[H3C-vlan1]ipv6 nd detection enable
[H3C-vlan1]quit
[H3C]interface GigabitEthernet1/0/23
[H3C-GigabitEthernet1/0/23]ipv6 nd detection trust
[H3C-GigabitEthernet1/0/23]quit
- Put in laptop with http://thc.org/thc-ipv6/ in interface GigabitEthernet 1/0/1
- Put in laptop with e.g. Microsoft Windows XP/Vista/7/Server 2003/Server 2008 in interface GigabitEthernet 1/0/2 and open Task Manager
- Run “flood_router6 -HF eth0 FE80::DEAD/64” on laptop with THC-IPv6
- Result: CPU on Windows machines will be at 100%
2. test case 2: “IPv6 ACL” (5500 EI/5500 HI):
The following will not filter fragmented IPv6 packets:
acl ipv6 number 3109
 rule 10 deny icmpv6 icmpv6-type router-advertisement
interface gigabitethernet 1/0/4
 packet-filter ipv6 3109 inbound
- Just put in laptop with http://thc.org/thc-ipv6/ in interface GigabitEthernet 1/0/4
- Put in laptop with e.g. Microsoft Windows XP/Vista/7/Server 2003/Server 2008 in interface GigabitEthernet 1/0/2 and open Task Manager
- Run “flood_router6 -HF eth0 FE80::DEAD/64” on laptop with THC-IPv6
- Result: CPU on Windows machines will be at 100% again
3. Blocking fragmented IPv6 packets (and specific ICMPv6 types) on edge/access ports with packet-filter isn't supported on (some?) Comware-based edge switches:
acl ipv6 number 3201
 rule 10 deny ipv6 fragment
interface gigabitethernet 1/0/2
 packet-filter ipv6 3201 inbound
dis log rev gives:
"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3201 on interface GigabitEthernet1/0/2.Not supported."
acl ipv6 number 3200
 rule 10 deny icmpv6 fragment
interface gigabitethernet 1/0/1
 packet-filter ipv6 3200 inbound
dis log rev gives:
"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3200 on interface GigabitEthernet1/0/1.Not supported."
acl ipv6 number 3203
 rule 10 deny ipv6 routing
interface gigabitethernet 1/0/3
 packet-filter ipv6 3203 inbound
dis log rev gives:
"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3202 on interface GigabitEthernet1/0/3.Not supported."
=> Number 3 would help a lot, as "normal edge users" don't have any applications using fragmented IPv6 packets. The feature seems to be available on Comware? Why not just activate it?
12-31-2012 12:47 PM
Re: Securing IPv6 on A-series (Comware 5.2++)
It seems Cisco has some ideas for this problem:
- RA Throttler
- NDP Multicast Suppress
- Destination Guard
- Prefix Guard
- DAD Proxy
- Binding Table Recovery
- SVI support
What about HP?
07-29-2014 03:32 PM
Re: Securing IPv6 on A-series (Comware 5.2++)
It turns out that (at least for 5820 and 5120EI) one cannot filter fragments nor routing headers (such as RH0) in ACLs used by physical interfaces.
However, you can do this for ACLs used by software, that is, management interfaces such as SSH, SNMP etc. used by the switch/router itself.
This is also described in the following knowledge base article:
Also these models (5820 and 5120EI, but I guess this applies to many more) don't comply with RFC 5095 ("Deprecation of Type 0 Routing Headers in IPv6" http://www.ietf.org/rfc/rfc5095.txt), which otherwise would have been a workaround for not being able to filter RH0 on physical interfaces.
I have been in contact with HP regarding this (RFC 5095), so let's see how things will evolve (HP after all fixed the bypass of ACLs through extension headers by adding a new global named "ipv6 option drop enable").
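As an added example, not code from this thread or from HP: a small Python parser that walks the extension-header chain of a raw IPv6 packet and reports what an ACL match on the ICMPv6 type (the `icmpv6-type router-advertisement` rules earlier in the thread) can actually see, whether the packet is a first or non-first fragment, and whether it carries a type 0 routing header (the RH0 case in the last post). The sample packets are constructed inline for the test (checksums left zero), not captures; a non-first fragment carries no ICMPv6 header at all, which is why a type-based match cannot decide on it and only a fragment-aware filter can.

```python
import struct

ICMPV6, ROUTING, FRAGMENT = 58, 43, 44
EXT_HEADERS = {0, ROUTING, FRAGMENT, 60}   # hop-by-hop, routing, fragment, destination options
ROUTER_ADVERTISEMENT = 134

def classify(pkt: bytes) -> dict:
    """Walk the header chain of a raw IPv6 packet (no Ethernet header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40                      # Next Header field, end of the fixed header
    info = {"chain": [], "fragment": None, "rh0": False, "icmpv6_type": None}
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        info["chain"].append(nh)
        if nh == FRAGMENT:                    # fixed 8 bytes: nh, reserved, offset/M flag, id
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            info["fragment"] = "first" if frag_off == 0 else "non-first"
            nh, off = pkt[off], off + 8
        else:                                 # nh, hdr-ext-len in 8-octet units (first 8 excluded)
            if nh == ROUTING and pkt[off + 2] == 0:
                info["rh0"] = True            # deprecated type 0 routing header (RFC 5095)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    info["chain"].append(nh)
    # Only an unfragmented packet or a first fragment carries the ICMPv6 header.
    if nh == ICMPV6 and info["fragment"] != "non-first" and off < len(pkt):
        info["icmpv6_type"] = pkt[off]
    info["is_ra"] = info["icmpv6_type"] == ROUTER_ADVERTISEMENT
    return info

# Constructed sample packets (not captures); checksums are left zero.
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")        # fe80::1
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1

def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC + ALL_NODES + payload

RA = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)  # 16-byte RA header
FRAG_FIRST = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0x1234)  # offset 0, more fragments follow
FRAG_LATER = struct.pack("!BBHI", ICMPV6, 0, 0x0008, 0x1234)  # offset 8 octets, last fragment
RH0 = struct.pack("!BBBB", ICMPV6, 2, 0, 1) + bytes(4) + ALL_NODES  # routing type 0, 1 segment
SAMPLES = {
    "plain_ra": ipv6_packet(ICMPV6, RA),
    "frag_first_ra": ipv6_packet(FRAGMENT, FRAG_FIRST + RA),
    "frag_nonfirst": ipv6_packet(FRAGMENT, FRAG_LATER + bytes(8)),
    "rh0_ra": ipv6_packet(ROUTING, RH0 + RA),
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {classify(pkt)}")
```

Feeding real frames into `classify` (after stripping the Ethernet header) gives a quick count of how much of an RA flood arrives as non-first fragments or behind routing headers, which is the share a type-only ACL on the access port cannot classify.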