Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Problem securing IPv6 Neighbor Discovery (ND) - Need advice

Started by gabinlm, September 25, 2024, 12:19:22 PM


gabinlm

Hello everyone,

I am currently working on setting up a network with full IPv6 support, but I am running into difficulties with securing the Neighbor Discovery (ND) protocol. I want to protect the network against attacks such as Neighbor Spoofing or other forms of address spoofing, but I am not sure that my configurations are optimal.

I have read about some methods, such as using SEND (Secure Neighbor Discovery), but the complexity of implementing it is a problem for me. Have you already used SEND or other approaches to secure ND in an IPv6 environment? What would be the best tools or configurations to strengthen security? I found a link on the solutions I applied in IPv4, which could be useful for the transition to IPv6 against ARP spoofing.

snarked

French isn't among my top languages, but as I understand your post, you are concerned about route spoofing. You should be able to trust that the ND packets themselves are authentic as they are required to be link-level, and thus the source address should always be within FE80::/10, the destination within FE80::/10 or FF02::/16 (FF02::1 or FF02::2 specified in the RFCs, except redirect), and a TTL of 255, which makes certain it is from a direct connection. ICMP packets can be IPSec wrapped if further security hardening is needed.

As for the content of the packet, you are correct in that if the neighbor is compromised, bad routes can be inserted.  However, if your system cannot trust its immediate neighbors, it should not accept data from them.  Does that satisfy your question?

gabinlm

Thank you for your detailed response! Your explanation about the trusted FE80::/10 range and the use of TTL 255 to ensure a direct connection makes sense. However, my concern is more about a potential attack vector where a malicious device on the same link might insert false Neighbor Advertisements, which could lead to man-in-the-middle attacks or routing issues.

I understand that IPSec can be a solution for securing ND packets, but in practice, it seems challenging to implement and maintain, especially in large networks. Have you had any experience using Secure Neighbor Discovery (SEND) as an alternative, or do you know of any other lightweight methods to prevent these types of attacks?

snarked

There really isn't any way to validate the content of the ND packet itself.  If one already knew where his neighbor(s) connect(s), one wouldn't need the ND packet to begin with (and would populate the local route table manually).

I have not used "SEND."  I don't know of any way to detect that a neighbor was hacked if the packets comprising the hack did not pass through my system or network.  Furthermore, a neighbor could be passing bad routes learnt from its other neighbor(s), so it/they might not be hacked at all.

I simply don't see how the data could be validated.  All one can validate is that a neighbor delivered the data.
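The two practical points made in this thread, the per-packet sanity checks from the first reply and the observation in the last reply that all a receiver can verify is who delivered the data, can be shown in code. The example below is added here and is not from the thread or from any of its participants. It applies the receipt rules RFC 4861 actually specifies (Hop Limit 255 on every ND message, ICMPv6 code 0, minimum body lengths, a link-local source only for Router Advertisements and Redirects, since a DAD solicitation comes from :: and NS/NA sources may be global addresses), and then layers a detection heuristic on top: it remembers which link-layer address each target address was advertised with and raises an alert when a later Neighbor Advertisement rebinds it. That alert does not prove the new advertisement is false, it only records that a neighbor delivered conflicting data, which is the sort of lightweight, SEND-free check asked for above. All packets are constructed inline for the demonstration, and the ICMPv6 checksum is left at zero and not verified (a simplification; a real receiver must check it). The names `validate_nd`, `NeighborWatch` and `build_na` are this example's own.

```python
"""Added example (not from the forum thread): apply the RFC 4861 receipt checks
to raw IPv6 Neighbor Discovery packets and flag Neighbor Advertisements that
rebind a known address to a different link-layer address.  All packets below
are constructed inline; the ICMPv6 checksum is left at zero and not verified."""
import ipaddress
import struct

RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137   # ND message types
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
MIN_LEN = {RS: 8, RA: 16, NS: 24, NA: 24, REDIRECT: 40}  # RFC 4861 minimum bodies


def parse_ipv6(pkt):
    """Split a raw IPv6 packet into (src, dst, next_header, hop_limit, payload)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    _vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, nh, hlim, pkt[40:40 + plen]


def validate_nd(pkt):
    """RFC 4861 receiver rules. Returns (ok, reason, icmp_type, icmp_body)."""
    src, dst, nh, hlim, body = parse_ipv6(pkt)
    if nh != 58 or len(body) < 4:
        return False, "not a usable ICMPv6 packet", None, body
    typ, code = body[0], body[1]
    if typ not in MIN_LEN:
        return False, "not an ND message", typ, body
    if hlim != 255:          # a forwarded packet can never arrive with 255
        return False, f"hop limit {hlim} != 255", typ, body
    if code != 0 or len(body) < MIN_LEN[typ]:
        return False, "bad ICMPv6 code or length", typ, body
    if typ in (RA, REDIRECT) and src not in LINK_LOCAL:
        return False, "RA/Redirect source not link-local", typ, body
    if typ == NS and src == ipaddress.IPv6Address("::") and dst not in SOLICITED_NODE:
        return False, "DAD solicitation not sent to solicited-node group", typ, body
    if typ == NA and dst.is_multicast and body[4] & 0x40:
        return False, "multicast NA with Solicited flag set", typ, body
    return True, "ok", typ, body


def na_target_and_lladdr(body):
    """Return (target address, target link-layer address or None) from an NA body."""
    target = ipaddress.IPv6Address(body[8:24])
    off = 24
    while off + 8 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0:                    # RFC 4861 4.6: zero-length option, discard
            break
        if otype == 2 and olen == 1:     # Target Link-Layer Address, 6-byte MAC
            return target, body[off + 2:off + 8].hex(":")
        off += olen * 8
    return target, None


class NeighborWatch:
    """Track IP -> MAC bindings seen in NAs and report rebinds (spoof candidates)."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, pkt):
        ok, reason, typ, body = validate_nd(pkt)
        if not ok:
            self.alerts.append(f"dropped: {reason}")
            return False
        if typ != NA:
            return True
        target, mac = na_target_and_lladdr(body)
        if mac is None:
            return True
        known = self.bindings.setdefault(target, mac)
        if known != mac:                 # same target, different MAC: possible spoof
            self.alerts.append(f"rebind {target}: {known} -> {mac}")
            return False
        return True


def build_na(src, dst, target, mac, hop_limit=255, solicited=True):
    """Construct a raw IPv6 + ICMPv6 Neighbor Advertisement for the demo."""
    flags = (0x40 if solicited else 0) | 0x20          # S and O bits
    opt = bytes([2, 1]) + bytes.fromhex(mac.replace(":", ""))
    body = bytes([NA, 0, 0, 0, flags, 0, 0, 0]) + ipaddress.IPv6Address(target).packed + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(body), 58, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def demo():
    """Three constructed NAs: a legitimate reply, a spoofed rebind, an off-link packet."""
    watch = NeighborWatch()
    watch.observe(build_na("fe80::1", "fe80::2", "fe80::1", "02:00:00:00:00:01"))
    watch.observe(build_na("fe80::1", "fe80::2", "fe80::1", "02:00:00:00:00:ee"))
    watch.observe(build_na("2001:db8::1", "fe80::2", "fe80::3", "02:00:00:00:00:03", hop_limit=64))
    return watch.alerts


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the demo yields one rebind alert for fe80::1 and one drop for the packet whose Hop Limit is 64. The rebind is only a signal: a host that legitimately replaced its NIC produces the same alert, so in practice it is fed to monitoring rather than used to block traffic, and the Hop Limit check guards only against off-link senders, not against a malicious device on the same link.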