IPv6 Source Guard (IPSG for IPv6)

Overview

IPv6 Source Guard, or IPSG for IPv6, is a security feature implemented in network switches to mitigate IPv6 address spoofing attacks. It generally works by ensuring that incoming packets on a network interface have a source IPv6 address that matches an entry in the IPv6 source guard binding table. Traffic from other IPv6 addresses is dropped.

The IPv6 source guard binding table contains two types of entries: static entries and dynamic entries.

  • Static entries: IPv6 addresses that have been manually associated with a MAC address.

  • Dynamic entries: IPv6 addresses added through DHCPv6 snooping binding table.

Dynamic table entry aging does not affect static table entries; that is to say, static table entries do not age.

The IPv6 source guard filtering item is configured per interface and VLAN and is either IP (the source IPv6 address alone must match a binding entry) or IP+MAC (both the source IPv6 address and the source MAC address must match the same entry).

IPv6 source guard permits traffic from the following sources, in addition to packets that match the entries in the IPv6 source guard binding table:

  • When DHCPv6 snooping is enabled, IPv6 source guard allows the reception of DHCPv6 packets.

  • IPv4 packets are not subjected to IPv6 Source Guard checks.

By default, IPv6 source guard is disabled. It must be enabled on each port where guarding is required.

Configuration Notes and Constraints

When configuring IPSG for IPv6, consider the following points:

  • IPv6 subnet entries configured without a prefix (mask) length in the IPv6 source guard binding table are ineffective for IPSG.

  • IPSG for IPv6 can be enabled on a physical interface or a Link Aggregation Group (LAG) interface, but cannot be enabled on the member interfaces of a LAG.

  • The interface that enables IPSG for IPv6 cannot be a DHCPv6 snooping trust interface.

  • IPSG for IPv6 has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG for IPv6 is enabled on the ingress interface and VLAN to which a packet belongs, the packet is subject to IPSG for IPv6 verification. As a result, it bypasses both PBR and 802.1X ACL matching processes.

  • If a packet that matches the IPv6 source guard entry also matches an ACL rule (such as a firewall filter ACL), and the action of the ACL rule is discard, then the packet will be discarded by the ACL regardless of other configurations.

  • After an IPv6 source guard binding entry is configured, the system must deploy it to the hardware. The number of IPv6 source guard binding entries a switch supports therefore depends on the current utilization of hardware resources, and different switch platforms have different hardware capacities and thus support different numbers of entries.

  • IPSG for IPv6 is not supported in MLAG scenarios.

Configuring IPv6 Source Guard

Configuring IPv6 Source Guard involves the following steps:

  1. Configure IPv6 Source Guard binding table entries in the following two ways:

  • Static entries: Manually associate IPv6 addresses with a MAC address.

  • Enable DHCPv6 snooping function to generate dynamic IPv6 Source Guard entries. Dynamic entries are added through the DHCPv6 Snooping binding table.

  2. Enable IPv6 source guard for a specific interface and VLAN.

NOTE:

  • The command set ipv6-source-guard interface <interface-name> vlan <vlan-id> enable <true | false> is used for step 2.

  • The interface and VLAN configured in step 2 should be consistent with the values in the IPv6 source guard binding table.

  • When IPv6 source guard is enabled on a specific interface and VLAN, all IPv6 packets from this interface and VLAN will be dropped except those that match the entries in the IPv6 source guard binding table.

  • Packets received from other interfaces or VLANs that do not have IPv6 source guard enabled will not be inspected by the IPv6 source guard module and will be processed normally.

  3. (Optional) Configure the IPv6 source guard filtering item for a specific interface and VLAN.

  4. Verify the IPv6 source guard entries.

You can enable both static and dynamic entries for IPv6 source guard, or you can choose to enable only one of them. For users with dynamically assigned IPv6 addresses, enabling DHCPv6 Snooping is necessary.
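The following Python model is an added illustration, not code from the Pica8 documentation or from PICOS itself. It replays the filtering rules described above: a binding table keyed by interface and VLAN, the ip versus ip+mac filtering item, DHCPv6 pass-through when snooping is enabled, IPv4 bypass, and static entries surviving dynamic-entry aging. The host B binding and the "ip" default when no filtering item is set are assumptions.

```python
import ipaddress


class Ipv6SourceGuard:
    """Toy model of the binding table and per-interface/VLAN filtering described above."""
    def __init__(self):
        self.bindings = set()  # (interface, vlan, compressed ip, lower-case mac, static?)
        self.enabled = {}      # (interface, vlan) -> bool
        self.verify = {}       # (interface, vlan) -> "ip" or "ip+mac"

    def add_binding(self, ip, mac, interface, vlan, static=True):
        ip = ipaddress.IPv6Address(ip).compressed
        self.bindings.add((interface, vlan, ip, mac.lower(), static))

    def age_dynamic(self):
        # Dynamic-entry aging only removes dynamic entries; static entries never age.
        self.bindings = {b for b in self.bindings if b[4]}

    def enable(self, interface, vlan, on=True):
        self.enabled[(interface, vlan)] = on

    def set_verify(self, interface, vlan, mode):
        assert mode in ("ip", "ip+mac")
        self.verify[(interface, vlan)] = mode

    def check(self, interface, vlan, src_ip, src_mac, dhcpv6=False, snooping=False):
        """Return 'permit' or 'drop' for one ingress packet on interface/vlan."""
        if not self.enabled.get((interface, vlan)):
            return "permit"   # guard not enabled here: the packet is not inspected
        if ipaddress.ip_address(src_ip).version == 4:
            return "permit"   # IPv4 packets are not subject to IPv6 source guard
        if dhcpv6 and snooping:
            return "permit"   # DHCPv6 must pass so that dynamic entries can be learned
        mode = self.verify.get((interface, vlan), "ip")  # "ip" default is an assumption
        want = ipaddress.IPv6Address(src_ip).compressed
        for _, _, ip, mac, _ in (b for b in self.bindings if b[:2] == (interface, vlan)):
            if ip == want and (mode == "ip" or mac == src_mac.lower()):
                return "permit"
        return "drop"         # no matching entry in the binding table


def figure1_guard():
    """Constructed scenario from the configuration example: static host A, dynamic host B."""
    g = Ipv6SourceGuard()
    g.add_binding("10:10::22", "22:22:22:22:22:22", "ge-1/1/1", 10, static=True)
    g.add_binding("20:20::33", "33:33:33:33:33:33", "ge-1/1/2", 20, static=False)  # assumed
    for key in (("ge-1/1/1", 10), ("ge-1/1/2", 20)):
        g.enable(*key)
    g.set_verify("ge-1/1/1", 10, "ip+mac")  # host A must match both address and MAC
    return g
```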

Configure Static IPv6 Source Guard Binding Entry

Step 1          Configure static IPv6 source guard entries.

set ipv6-source-guard binding ip <ip_address> mac <mac-address> interface <interface-name> vlan <vlan-id>

Step 2          Enable IPv6 source guard based on specific interface and VLAN. Here, the interface and VLAN ID should be consistent with the values configured in the static IPv6 source guard entries.

set ipv6-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>

Step 3          (Optional) Configure IPv6 source guard filtering item based on specific interface and VLAN.

set ipv6-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>

Step 4          Commit the configuration.

commit

Step 5          View the IPv6 source guard binding entries.

run show ipv6-source-guard binding [interface <interface-name>]

Configure Dynamic IPv6 Source Guard Binding Entry

Step 1          Enable DHCPv6 snooping.

set protocols dhcpv6 snooping vlan <vlan-id> disable <true | false>

set protocols dhcpv6 snooping trust-port <interface-name>

Step 2          Enable IPv6 source guard based on specific interface and VLAN. Here, the interface and VLAN ID are the ones on which DHCPv6 snooping is enabled.

set ipv6-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>

Step 3          (Optional) Configure the IPv6 source guard filtering item based on specific interface and VLAN. Here, the VLAN is the one on which DHCPv6 snooping is enabled.

set ipv6-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>

Step 4          Commit the configuration.

commit

Step 5          View the IPv6 source guard binding entries.

run show ipv6-source-guard binding [interface <interface-name>]

Configuration Example

Networking Requirements

Figure 1.     IPv6 Source Guard Configuration Example


As shown in Figure 1, enable the IPv6 Source Guard function on interfaces ge-1/1/1 and ge-1/1/2 of the device named Switch to prevent IPv6 address spoofing attacks. Use both a static IPv6 source guard binding entry and dynamic entries originating from the DHCPv6 snooping binding table.

Follow the configuration roadmap below to complete the deployment on the Switch device:

  1. Configure IPv6 source guard binding table static entries for host A.

  2. Enable DHCPv6 Snooping for host B, whose IPv6 address is assigned dynamically.

  3. Enable IPv6 source guard function for interfaces ge-1/1/1 and ge-1/1/2.

  4. Configure IPv6 source guard filtering item based on specific interface and VLAN.

  5. Check the IPv6 source guard entries.

Procedure

Step 1          Configure VLAN.

admin@PICOS# set vlans vlan-id 2
admin@PICOS# set vlans vlan-id 3
admin@PICOS# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 10
admin@PICOS# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 20
admin@PICOS# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode trunk
admin@PICOS# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching vlan members 10,20

Step 2          Configure IPv6 source guard static entry for host A.

admin@PICOS# set ipv6-source-guard binding ip 10:10::22 mac 22:22:22:22:22:22 interface ge-1/1/1 vlan 10

Step 3          For users with dynamically assigned IPv6 addresses, DHCPv6 snooping needs to be configured.

admin@PICOS# set protocols dhcpv6 snooping vlan 20 disable false
admin@PICOS# set protocols dhcpv6 snooping trust-port ge-1/1/3

Step 4          Enable IPv6 source guard on interface ge-1/1/1 (VLAN 10) and interface ge-1/1/2 (VLAN 20), matching the interface and VLAN of the static entry and of DHCPv6 snooping respectively.

admin@PICOS# set ipv6-source-guard interface ge-1/1/1 vlan 10 enable true
admin@PICOS# set ipv6-source-guard interface ge-1/1/2 vlan 20 enable true

Step 5          Configure the IPv6 source guard filtering item based on specific interface and VLAN, choosing ip or ip+mac for each.

admin@PICOS# set ipv6-source-guard interface ge-1/1/1 vlan 10 verify <ip | ip+mac>
admin@PICOS# set ipv6-source-guard interface ge-1/1/2 vlan 20 verify <ip | ip+mac>

Step 6          Commit the configuration.

admin@PICOS# commit

Step 7          View the IPv6 source guard binding entries.

admin@PICOS# run show ipv6-source-guard binding

Copyright © 2024 Pica8 Inc. All Rights Reserved.