IPv6 Stateless Address Auto-configuration (SLAAC) Snooping
Understanding SLAAC Snooping
Dynamic address assignment is an important feature of IPv6 due to the vast increase in address space over IPv4. In addition to static addressing, IPv6 provides two options for clients to obtain addresses dynamically: DHCPv6 (stateful) and stateless address auto-configuration (SLAAC).
SLAAC simplifies IPv6 address management by providing plug-and-play IP connectivity with no manual configuration of hosts. SLAAC enables an IPv6 client to generate its own addresses using a combination of locally-available information and information advertised by routers through Neighbor Discovery Protocol (NDP).
NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. You must configure SLAAC snooping to validate IPv6 clients using SLAAC before allowing them to access the network.
The client begins auto-configuration by generating a link-local address for the IPv6-enabled interface. This is done by combining the advertised link-local prefix (first 64 bits) with the interface identifier (last 64 bits). The address is generated according to the following format: [fe80 (10 bits) + 0 (54 bits)] + interface ID (64 bits).
Before assigning the link-local address to its interface, the client verifies the address by running Duplicate Address Detection (DAD). DAD sends a Neighbor Solicitation message destined to the new address. If there is a reply, then the address is a duplicate and the process stops. If the address is unique, it is assigned to the interface.
To generate a global address, the client sends a Router Solicitation message to prompt all routers on the link to send Router Advertisement (RA) messages. Routers that are enabled to support SLAAC send an RA that contains a subnet prefix for use by neighboring hosts. The client appends the interface identifier to the subnet prefix to form a global address, and again runs DAD to confirm its uniqueness.
SLAAC is subject to the same security vulnerabilities found in NDP. You can configure SLAAC snooping to secure traffic from IPv6 clients using SLAAC for dynamic address assignment. For more information on NDP, see IPv6 Neighbor Discovery Inspection.
SLAAC snooping is similar to DHCP snooping, in that it snoops packets to build a table of IP-MAC address bindings. SLAAC snooping extracts address information from DAD packets exchanged during the SLAAC process to build the SLAAC snooping table. The address bindings in this table are used to inspect and validate NDP/IP packets sent by IPv6 clients using SLAAC.
Configuring SLAAC Snooping
SLAAC snooping is enabled on a per-VLAN basis. By default, SLAAC snooping is disabled for all VLANs.
To enable SLAAC, use the following commands:
- To enable SLAAC on a specific VLAN:
user@switch# set forwarding-options access-security slaac-snooping vlans vlan-name
- To enable SLAAC on all VLANs:
user@switch# set forwarding-options access-security slaac-snooping vlans all
If DAD is disabled on the client side, or DAD packets are dropped due to traffic congestion, SLAAC snooping will perform auto-DAD on behalf of the client. The client-generated address is in a tentative state until the DAD process is completed.
Auto-DAD sends a Neighbor Solicitation message with the client-generated address as a target, and waits for a Neighbor Advertisement in response. If there is a response, then the address is a duplicate and cannot be assigned to the client. If there is no response, then the address is confirmed.
The amount of time that auto-DAD waits for a response is 1 second by default, with no retries. You can configure the number of retries and the length of the interval between transmissions.
During a MAC move, the first Neighbor Solicitation packet will result in a SLAAC entry flush from the old port and the second will result in the creation of a SLAAC entry for the new port.
To configure the number of retries for auto-DAD parameters, use the following commands:
- For a specific interface:
user@switch# set forwarding-options access-security slaac-snooping interface interface-name auto-dad retries retry-count
- For all interfaces:
user@switch# set forwarding-options access-security slaac-snooping interface all auto-dad retries retry-count
To configure the interval between auto-DAD transmissions, use the following commands:
- For a specific interface:
user@switch# set forwarding-options access-security slaac-snooping interface interface-name auto-dad retrans-interval seconds
- For all interfaces:
user@switch# set forwarding-options access-security slaac-snooping interface all auto-dad retrans-interval seconds
Configuring the Link-Local Address Expiration
The link-local address learned by SLAAC has a default expiration period of 1 day. When the lease for the address expires, the snooping device sends a DAD message with the client address as the target. If the client is still reachable, the lease is renewed.
To configure the length of the expiration period, use the following command:
user@switch# set forwarding-options access-security slaac-snooping link-local expiry interval seconds
Configuring the Allowed DAD Contentions
You can configure the maximum number of DAD contentions (Neighbor Solicitation or Neighbor Advertisement) messages for an interface. If the maximum number of contentions is exceeded during the allowed time interval, the interface is considered invalid and the SLAAC snooping table is not updated with any bindings for that client.
Maximum allowed contentions is configured on a per-interface basis, to allow for interfaces that belong to more than one VLAN.
To configure the maximum number of DAD contentions and the allowed time interval, use the following command:
user@switch# set forwarding-options access-security slaac-snooping interface interface-name max-allowed-contention count integer duration seconds
Configuring an Interface as Trusted for SLAAC Snooping
When you configure an interface as trusted, the binding entry for the interface is added to the SLAAC snooping table using the same process as for untrusted interfaces.
When a DAD request is received on a trusted port with an IP/MAC entry that already exists on an untrusted port, SLAAC snooping sends a unicast DAD towards the untrusted port to see whether the host is live.
If the host responds with an NA message on the untrusted port, the lease time is renewed for the existing binding entry.
If there is no response (NA) on the untrusted port, the corresponding binding entry is deleted.
If the entry for the untrusted port is deleted, the binding for the trusted port is not created immediately. When the trusted port starts to send data traffic, it will send an NS message. At that time, SLAAC snooping adds the new binding on the trusted port.
Router advertisement packets received on a trusted port are flooded to all the ports in that VLAN irrespective of the SLAAC entry for the receiving port.
Maximum number of DAD contentions is not applicable to trusted interfaces.
To configure an interface as trusted for SLAAC snooping, use the following command:
user@switch# set forwarding-options access-security slaac-snooping interface interface-name mark-interface trusted
Configuring Persistent SLAAC Snooping Bindings
The IP-MAC bindings in the DHCP snooping database file are not persistent. If the switch is rebooted, the bindings are lost. You can configure persistent bindings by specifying a local pathname or a remote URL for the storage location of the SLAAC snooping database file.
To configure persistent bindings for SLAAC snooping, use the following command:
user@switch# set system processes slaac-snooping persistent-file (local-pathname | remote-url) write-interval seconds