RA Guard is an IPv6 security feature that helps protect networks from routing attacks. RA Guard works by blocking unauthorized Router Advertisement (RA) messages from routers.
RA messages are used to provide routing information to hosts, such as the default router address and subnet masks. RA Guard helps protect networks from routing attacks by blocking unauthorized RA messages, which can help prevent attackers from taking control of network routing.
RA Guard can be enabled on IPv6 routers. When RA Guard is enabled, the router will only send RA messages to hosts that are on its subnet. RA messages from routers that are not on the host's subnet will be blocked by RA Guard.
RA Guard is an important security feature that can help protect networks from routing attacks. RA Guard should be enabled on all IPv6 routers to provide maximum protection.
RA-Guard operation
Here's a detailed explanation of how RA Guard works:
1. Router Discovery
When devices join an IPv6 network, they use Neighbor Discovery Protocol (NDP) to discover the routers on the network segment. Routers periodically send Router Advertisement (RA) messages to announce their presence and provide network configuration information.
2. Protection against router advertisement poisoning attacks
An attacker could attempt to send spoofed RA messages, posing as a legitimate router. To prevent this, wireless switches or access points that support RA Guard inspect incoming RA messages and verify if they come from a legitimate source.
3. Allowed Routers Table
Wireless switches or access points that implement RA Guard maintain an Allowed Routers Table that contains the IPv6 addresses and MAC addresses of authorized routers. These legitimate routers are those that have been manually configured or discovered through other secure network auto-configuration methods.
4. Rejection of unauthorized RA messages
When a switch or access point receives an RA message, it checks whether the sender (router) is in the allowed routers table. If the router is not in the table, the RA message is considered unauthorized and is discarded. This ensures that only legitimate routers can send RA messages to the network.
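The check described in steps 1 to 4, as an added example (it is not code from the original article or from any vendor implementation). The names ALLOWED_ROUTERS, parse_ra, ra_guard and build_frame are hypothetical, the addresses and frames are constructed samples, and only an ICMPv6 header that directly follows the fixed IPv6 header is parsed.

```python
import ipaddress
import struct

ETH_IPV6 = 0x86DD   # EtherType for IPv6
ICMPV6 = 58         # IPv6 Next Header value for ICMPv6
RA_TYPE = 134       # ICMPv6 type: Router Advertisement

# Hypothetical Allowed Routers Table: (source MAC, source IPv6) pairs.
ALLOWED_ROUTERS = {("00:00:5e:00:53:01", ipaddress.IPv6Address("fe80::1"))}

def parse_ra(frame: bytes):
    """Return (src_mac, src_ip) if the Ethernet frame carries an RA, else None."""
    if len(frame) < 14 + 40 + 4:                    # Ethernet + IPv6 + ICMPv6 minimum
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip6 = frame[14:54]
    # Simplification: extension headers are outside this sketch.
    if ip6[6] != ICMPV6 or frame[54] != RA_TYPE:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ipaddress.IPv6Address(ip6[8:24])

def ra_guard(frame: bytes, allowed=ALLOWED_ROUTERS) -> str:
    """Forward non-RA traffic and RAs from listed routers; drop every other RA."""
    sender = parse_ra(frame)
    if sender is None:
        return "forward"
    return "forward" if sender in allowed else "drop"

def build_frame(src_mac: str, src_ip: str, icmp_type: int = RA_TYPE) -> bytes:
    """Constructed sample frame; the ICMPv6 checksum is left at zero."""
    eth = (bytes.fromhex("333300000001")            # all-nodes multicast MAC
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_IPV6))
    icmp = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, 0, 1800, 0, 0)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed
    ip6 += ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast address
    return eth + ip6 + icmp

if __name__ == "__main__":
    samples = [("00:00:5e:00:53:01", "fe80::1"),    # listed router
               ("00:00:5e:00:53:99", "fe80::1")]    # listed IPv6, unlisted MAC
    for mac, ip in samples:
        print(mac, ip, ra_guard(build_frame(mac, ip)))
```

The second sample reuses the authorized router's IPv6 address from a different MAC address and is still dropped, because the table entry is matched on the pair.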
Tips for enabling RA Guard
- See your router's documentation for instructions on how to enable RA Guard.
- Make sure you enable RA Guard on all routers on your network.
- Create a security policy for RA Guard and ensure that your configuration adheres to it.
- Monitor your network for any signs of suspicious activity.
Advantages of using RA Guard
- Protection against router advertisement poisoning attacks: The main advantage of RA Guard is that it protects the network against router advertisement poisoning attacks. By verifying the authenticity of incoming Router Advertisement (RA) messages, RA Guard prevents unauthorized routers from sending spoofed advertisements that could redirect traffic to malicious routes or divert traffic to unwanted destinations.
- Improves IPv6 network security: By preventing unauthorized access to RA messages, RA Guard strengthens network security and ensures that only legitimate routers can advertise configuration and routing information to local devices.
- Protection against malicious traffic redirection: By ensuring that RA messages come from trusted sources, RA Guard protects against man-in-the-middle attacks and unwanted traffic redirection. This ensures that devices on the network follow the correct routing paths and prevents potential security vulnerabilities.
- Manual configuration of allowed routers: RA Guard allows network administrators to manually configure allowed routers in the authorized routers table. This gives greater control over which routers can send RA messages on the network.
Disadvantages of using RA Guard
- Additional settings: Deploying RA Guard requires additional configuration on network devices, such as switches or wireless access points. This may be an additional process that network administrators must perform to enable and maintain RA Guard functionality.
- Complexity: Some RA Guard implementations can be complex, especially on larger, more complex networks. This might require a deeper understanding of network configuration and security management.
- Possible impact on connectivity: If RA Guard configuration is not done properly, it could lead to connectivity issues such as blocking legitimate RA messages. This could negatively affect the normal operation of devices on the network.
Some real-world scenarios where RA Guard can be deployed include:
Business and corporate networks
In enterprise networks, RA Guard is used to protect against router advertisement poisoning attacks. It ensures that only legitimate and authorized routers can send router advertisements to local devices, avoiding the risk of malicious traffic redirection and strengthening network security.
Service Provider (ISP) Networks
Service providers can deploy RA Guard on their networks to protect their customers from router advertisement poisoning attacks. This ensures that clients only receive routing configuration information from legitimate and trusted routers.
Public wireless networks and WiFi access points
In environments with public wireless networks, such as airports, hotels, or cafes, deploying RA Guard on WiFi access points helps protect users against potential router advertisement poisoning attacks. This improves connection security and prevents users from being redirected to malicious sites.
Academic and educational networks
In educational and academic institutions, RA Guard can be deployed to protect the networks and devices of students and staff against router advertisement poisoning attacks. This ensures that network infrastructure and shared resources are safe and secure.
Data center and cloud networks
In data center and cloud environments, RA Guard is used to protect network infrastructure and customer resources from potential attacks. This ensures network integrity and prevents malicious manipulation of router advertisements.
IoT (Internet of Things) Networks
In IoT networks, where many devices automatically communicate using Neighbor Discovery Protocol (NDP), RA Guard is essential to prevent router advertisement poisoning attacks and ensure the security of devices and the overall network.
Configuration Examples
Next, let's look at an example of how RA Guard could be configured for IPv6 on a Cisco Catalyst switch running the IOS-XE operating system:
! Enter global configuration mode
configure terminal
! Enable RA Guard on a specific interface (for example, GigabitEthernet0/1)
interface GigabitEthernet0/1
 ipv6 nd raguard
! Optionally, configure the RA Guard operating mode
! "strict" mode (the default) will block all invalid incoming RA packets.
! "loose" mode will allow incoming RA advertisements if the interface is configured to be a legitimate router.
interface GigabitEthernet0/1
 ipv6 nd raguard mode strict
! Exit interface configuration mode
 exit
! Apply the configuration to the interface and save the configuration
end
write memory
In this example, RA Guard is enabled on interface GigabitEthernet0/1. Additionally, the RA Guard operating mode is set to “strict”, which means that it will block all incoming RA packets that are not valid, that is, those that do not come from a legitimate router.
It is important to note that the exact configuration may vary depending on the model and version of the Cisco switch, as well as the specific network topology. It is also essential to ensure that legitimate routers are correctly configured in the Allowed Routers Table to avoid unwanted connectivity issues.
It is always advisable to test and verify network behavior after deploying RA Guard to ensure that it works as expected and does not negatively impact legitimate traffic on the network.