HPE Community
Comware Based
1752781 Members
6587 Online
108789 Solutions
New Discussion

Re: Securing IPv6 on A-series (Comware 5.2++)

 
snoms
Occasional Advisor

‎05-15-2011 02:03 AM - edited ‎05-15-2011 02:41 AM

‎05-15-2011 02:03 AM - edited ‎05-15-2011 02:41 AM

Securing IPv6 on A-series (Comware 5.2++)

I´d like to start a thread dealing with IPv6 problems and fixing them with inbuilt capabilites of HP A-series based upon Comware 5.20 and up. It would be great if you could post your solutions as well.

 

----------------------------------------------------------------------------------------------------------------------------------------------------

 

- problem: faked router advertisement

- location: access port

- used tool: flood_router6 from http://www.thc.org/thc-ipv6/

- solution: blocking the unwanted traffic (RA Snooping)

 

 

acl ipv6 number 3900 name blocking-faked-ra
rule 10 deny icmpv6 icmpv6-type router-advertisement
rule 20 deny udp destination fe80::/64 destination-port eq 546 source-port eq 547
quit
traffic behavior b_RA
filter deny
quit
traffic classifier c_RA
if-match acl ipv6 3900
quit
qos policy p_RA
classifier c_RA behavior b_RA
quit
interface GigabitEthernet 1/0/1
qos apply policy p_RA inbound
quit

 

 

 

8 REPLIES 8
paulgear
Esteemed Contributor

‎06-01-2011 11:04 PM

‎06-01-2011 11:04 PM

Re: Securing IPv6 on A-series (Comware 5.2++)

Nice post!  Looking forward to hearing other suggestions.

Regards,
Paul
0 Kudos
Davy Priem
Regular Advisor

‎07-04-2011 02:10 AM - edited ‎07-04-2011 02:10 AM

‎07-04-2011 02:10 AM - edited ‎07-04-2011 02:10 AM

Re: Securing IPv6 on A-series (Comware 5.2++)

Why not using 'nd detection'?

0 Kudos
manuel.bitzi
Trusted Contributor

‎07-06-2011 02:21 AM

‎07-06-2011 02:21 AM

Re: Securing IPv6 on A-series (Comware 5.2++)

Yes, ND Attack Detection will cover this and other ND, RA, etc issues. Works great. See:

 

http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S12500_Series_Switches/Configuration/Operation_Manual/H3C_S12500_CG-B1327P01-5W120/11/201012/704209_1285_0.htm

 

br

Manuel

H3CSE, MASE Network Infrastructure [2011], Switzerland
0 Kudos
MichaelM55
Trusted Contributor

‎05-24-2012 10:35 AM

‎05-24-2012 10:35 AM

Re: Securing IPv6 on A-series (Comware 5.2++)

Does anyone know whether HP/H3C is working on an improved "ND attack detection/blocking mechanism", as this one needs a lot of improvement?

0 Kudos
Davy Priem
Regular Advisor

‎05-30-2012 03:23 AM

‎05-30-2012 03:23 AM

Re: Securing IPv6 on A-series (Comware 5.2++)

Which improvements do you want?

0 Kudos
MichaelM55
Trusted Contributor

‎05-30-2012 08:03 AM - edited ‎05-30-2012 08:18 AM

‎05-30-2012 08:03 AM - edited ‎05-30-2012 08:18 AM

Re: Securing IPv6 on A-series (Comware 5.2++)

 

Well,

 

reasons for improvement:

 

1. HP´s “ipv6 nd detection” feature doesn´t protect against IPv6 router advertisement flooding attacks (see below)

 

2. “ACL and QoS Configuration Guide” says:

„Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first

fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoids the risks, the H3C ACL implementation:

  • • Filters all fragments by default, including non-first fragments.
  • • Allows for matching criteria modification, for example, filters non-first fragments only.”
    • RA flooding attacks based on fragmented packets aren´t filtered by activated packet-filter at all(see below)

=> RA flooding attacks based on fragmented packets aren´t filtered by activated packet-filter at all(see below)

 

3. filtering fragmented IPv6 and ICMPv6 packets and/or specific routing headers isn´t supported on HP´s edge switches

 

 

used software tool

  • THC-IPv6 (The Hackers Choice IPv6), toolkit for testing common IPv6 and ICMPv6 vulnerabilities

tested switching equipment

  1. HP 5500 EI (H3C S5500-EI, 3COM 4800G)
  1. HP 5500 HI

 

 

1.

test case 1: “ipv6 nd detection” (5500 EI/5500 HI):

  • Activate nd detection:

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C]vlan 1

[H3C-vlan1]ipv6 nd detection enable

[H3C-vlan1]quit

H3C]interface GigabitEthernet1/0/23

[H3C-GigabitEthernet1/0/23]ipv6 nd detection trust

[H3C-GigabitEthernet1/0/23]quit

  • Put in laptop with http://thc.org/thc-ipv6/ in interface GigabitEthernet 1/0/1
  • Put in laptop with e.g. Microsoft Windows XP/Vista/7/Server 2003/Server 2008 in interface GigabitEthernet 1/0/2 and open Task Manager
  • Run “flood_router6 -HF eth0 FE80::DEAD/64” on laptop with THC-IPv6
  • Result: CPU on Windows machines will be at 100%

 

2.

test case 2:  “IPv6 ACL” (5500 EI/5500 HI):

 

The following will not filter fragmented IPv6 packets:

 

 

acl ipv6 number 3109
rule 10 deny icmpv6 icmp6-type router-advertisement

interface gigabitethernet 1/0/4
 packet-filter ipv6 3109 inbound

 

 

 

  • Just put in laptop with http://thc.org/thc-ipv6/ in interface GigabitEthernet 1/0/4
  • Put in laptop with e.g. Microsoft Windows XP/Vista/7/Server 2003/Server 2008 in interface GigabitEthernet 1/0/2 and open Task Manager
  • Run “flood_router6 -HF eth0 FE80::DEAD/64” on laptop with THC-IPv6
  • Result: CPU on Windows machines will be at 100% again

 

 

3.

 

blocking fragmented IPv6 packets (and specific ICMPv6-types) on edge/access ports with packet-filter isn´t supported on (some?) Comware based edge switches:

 

 

acl ipv6 number 3201
 rule 10 deny ipv6 fragment

interface gigabitethernet 1/0/2
 packet-filter ipv6 3201 inbound


dis log rev
"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3201 on interface GigabitEthernet1/0/2.Not supported."

 

 

acl ipv6 number 3200
 rule 10 deny icmpv6 fragment

interface gigabitethernet 1/0/1
packet-filter ipv6 3200 inbound


dis log rev gives:

"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3200 on interface GigabitEthernet1/0/1.Not supported."

 

acl ipv6 number 3203
 rule 10 deny ipv6 routing

interface gigabitethernet 1/0/3
 packet-filter ipv6 3203 inbound


dis log rev gives:

"PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3202 on interface GigabitEthernet1/0/3.Not supported."

 

 

 => Number 3 would help a lot, as "normal edge users" don´t have any applications using fragmented IPv6 packets. The feature seems to be available on Comware? Why not just activating it?

0 Kudos
MichaelM55
Trusted Contributor

‎12-31-2012 12:47 PM

‎12-31-2012 12:47 PM

Re: Securing IPv6 on A-series (Comware 5.2++)

It seems Cisco has some ideas for this problem:


- RA Throttler
- NDP Multicast Suppress
- Destination Guard
- Prefix Guard
- DAD Proxy
- Binding Table Recovery
- SVI support

 

What about HP?

0 Kudos
Apachez-
Trusted Contributor

‎07-29-2014 03:32 PM

‎07-29-2014 03:32 PM

Re: Securing IPv6 on A-series (Comware 5.2++)

I turns out that (at least for 5820 and 5120EI) one cannot filter fragments nor routing headers (such as RH0) in ACLs used by physical interfaces.

 

However you can do this for ACLs used by software, that is mgmt-interfaces such as SSH, SNMP etc used by the switch/router itself.

 

This is also described in the following knowledge base article:

 

http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=4218345&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Dmmr_kc-0119764-5%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

 

Also these models (5820 and 5120EI but I guess this applies to many more) doesnt comply with RFC 5095 ("Deprecation of Type 0 Routing Headers in IPv6" http://www.ietf.org/rfc/rfc5095.txt) which otherwise would have been a workaround for not be able to filter RH0 on physical interfaces.

 

I have been in contact with HP regarding this (RFC5095) so lets see how things will evolve (HP after all fixed bypass of ACL through extension headers by adding a new global named "ipv6 option drop enable").

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.