At-A-Glance
IPv6 First Hop Security (FHS)
Enterprise Borderless Network
Last Updated: June 2013
First Hop Overview
What is First Hop Security?
In many modern networks, the Layer 2 domain is playing an increasingly important role,
with large campuses, very large data centers, server virtualization, Overlay Transport
Virtualization (OTV), Layer 2 mobility, etc., all resulting in larger Layer 2 domains. This
change also brings with it an increasing number of challenges, such as security and
scalability. In parallel with this change, IPv6 has been gaining momentum as the next
generation IP, while the IPv4 address space continues to run out.
First Hop Security is a suite of features designed specifically to harden IPv6 link
operation, as well as help with scale in large L2 domains. The base set of functionality
provides solid protection from a wide host of rogue or mis-configured users, and
this can be extended with additional features for different deployment scenarios, or
attack vectors.
Layer 2 (and to some extent Layer 2/3) switches constitute the core of this Layer 2
domain, and their strategic position in the network provides a number of opportunities
to secure this domain, and to optimize link operations. These devices are sometimes
referred to as “first hops”, specifically when they are facing end nodes. For many
years, Cisco has been providing a suite of Catalyst Integrated Security Features (CISF)
running on Catalyst switches, to secure and optimize Layer 2 (L2) operations for IPv4
networks. In order to provide the same level of end node protection on IPv6 or dualstack networks, these L2 switches need to add a similar set of capabilities to address
IPv6 link operations.
A myth and misconception that is frequently stated is that IPv6 is more secure than
IPv4. This assertion stems from the original mandated use of IPSec in host-tohost communication, as specified in RFC 2401. Certainly, if IPSec is implemented,
it would provide confidentiality and integrity between two hosts, but it still would
not address any link operation vulnerabilities, attacks, and most of the Denial-ofService (DoS) attacks. Furthermore, many consider IPv6 to be equivalent to IPv4,
with the only difference being a larger address space, but this is not the case. In
comparison with IPv4, IPv6 has an increased set of capabilities to simplify end-system
auto-configuration, which includes the automated discovery of routers, neighbor
resolution, duplicate address detection and neighbor unreachability detection. These
enhancements bring along with them a different set of security vulnerabilities that must
be addressed. Enter the IPv6 First Hop Security (FHS) solution, whose main role is to
“secure and optimize IPv6 link operations.”
The FHS functionality is supported in Catalyst® 6500, 4500, 3850, 3750 and
2960 Series Switches, 7600 Series Routers and Cisco 5700 Series Wireless
LAN Controllers.
IPv6 DHCP Guard
IPv6 RA Guard
Protection against rogue or malicious DHCP servers
Protection against rogue or malicious routers
My GW is
FE80::1
DHCP requests
I’m your GW
FE80::1
I’m your GW
FE80::BAD
Multicast Router
Advertisement
Router
DHCP responses
IPv6
DHCPserver
Unauthorized
DHCP responses
Multicast Router
Advertisement
IPv6 Snooping
Protection against address theft from rogue or malicious users
My GW is FE80::1
at location
MAC-green
I’m FE80::1 at
location MAC-green
I’m FE80::1 at
location MAC-red
Multicast Neighbor
Advertisement
Router
Existing Binding on
another port
Multicast Neighbor
Advertisement
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
At-A-Glance
FHS features can be classified in three feature categories (core, advanced and
performance scalability) as follows:
IPv6 Destination Guard
Protection against address spoofing from rogue or malicious users
On-link assigned
destinations
I am
2001:DB8::22
• Core:
Destination not
in my binding
table
-- RA Guard—blocks unauthorized Router Advertisements (RAs)
-- DHCP Guard—blocks unauthorized DHCP servers
IPv6 Source/Prefix Guard
Protection against network scanning or DoS attacks
Traffic from authorized
source 2001:DB8::22
2001:DB8::/64
Multicast search
On-link unassigned
destinations
-- IPv6 Snooping—analyzes control/data switch traffic, detects IP address, and
stores/updates them in a binding table.
I’m
2001:DB8::22
Existing Binding
on another port
• Advanced:
-- Source/Prefix Guard—validates source address or a prefix of IPv6 traffic sourced
from the link
-- Destination Guard—validates the destination address of IPv6 traffic reaching
the link
• Performance and scalability:
Scanning prefix 2001:DB8::/64
for unassigned destinations
-- ND Multicast Suppress—controls Neighbor Discovery (ND) traffic necessary for
proper link operations and improves performance
• IPv6 FHS provides effective counter measures for the following types of attacks or
misconfiguration errors that could result in DoS or information theft:
ND Multicast Suppression
RA Throttler
Controls ND traffic necessary to improve performance
Facilitates scale by converting multicast RA traffic into unicast
CAPWAP
CAPWAP
RA
-- RA Throttler—facilitates scale by converting multicast RA traffic into unicast
CAPWAP
Router Solicitation (RS)
Traffic from unauthorized
source BAD::BAD
Triggered (RA)
Unicast RA
NA
Periodic (RA’s)
Router
CAPWAP
Multicast NA
Triggered (NA)
Router
Unicast NA
Neighbor Solicitation (NS)
-- Router impersonation (MiM attacks)
-- Address theft
-- Address spoofing
-- Remote address resolution cache exhaustion (DoS attacks)
• These attacks can come from malicious or mis-configured users and could result
in severe disruption to users of the Layer 2 domain and to the network in general.
Many of the possible attack vectors are now known, with public tools readily
available to exploit these vulnerabilities. With the transition to IPv6 picking up pace,
it’s now time for you to be aware of the vulnerabilities, understand how to mitigate
against them, and to protect your network accordingly.
Why Cisco?
Cisco has the broadest support for IPv6, and IPv6 security in the industry. Cisco
should be your valued business partner to help you securely deploy IPv6 to allow your
organization to continue to thrive in the next wave of IP.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
C45-707354-02 05/13