In a Cisco environment (ISR-G2), how do I prevent, or mitigate, incorrect RA announcements?
I see Cisco has "IPv6 RA Guard"... But does that just run on the router and "fight back" with correct RAs? Wouldn't it make more sense to have switches filtering bogus RAs out of the network? (Or am I being overly-paranoid about bogus RAs?)
This is from the configuration guide for IOS 15.2T. The feature is called RA guard. Basically you create a policy and define if the port that this will applied to leads to a host or to a router. Then you can be more specific and match on hop limit, managed-config-flag and match on an ACL with a range where the trusted sources should come from. You can also make the port trusted and not do any further checks.
In some ways this is very similar to DHCP snooping. The basic steps are:
ipv6 nd raguard policy RA-PROTECT
device-role host
interface x/x
ipv6 nd raguard attach-policy RA-PROTECT
Then you can use this command to verify:
show ipv6 nd raguard policy
If your switches supports the feature then it makes sense to catch the RAs as early as possible. I don't think it's being to paranoid. The same could be said for DHCP. Sometimes it's not even malicious users, it's just a case of people not knowing better or connecting crappy devices to the network.
From RFC 6105: "RA-Guard applies to an environment where all messages between IPv6 end-devices traverse the controlled L2 networking devices." That is, it does what you say it should do; filter out rogue RAs at switchport ingress. It operates on the principle of blocking vs. accepting, not just shouting louder than the other guy.
Cisco offers RA-guard as a means to protect against unprivileged ports sending out rogue RAs.
However, enabling this alone isn't guaranteed to protect you as there are several attack tools in existence (THC springs to mind) which will split the Router Advertisement into fragments, thereby defeating RA guard.
The best protection against this is to drop fragmented ICMPv6 packets since, generally speaking, the odds of legitimately needing to fragment an ICMPv6 datagram (aside from a very large ping) are slim to none.
