Configuring ND Attack Defense; Overview - HP 12500 Series Configuration Manual

Configuring ND attack defense

Overview

The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement five
functions: address resolution, neighbor reachability detection, duplicate address detection, router/prefix
discovery and address autoconfiguration, and redirection. For more information about the five functions
of the ND protocol, see Layer 3—IP Services Configuration Guide.
The five types of ICMPv6 messages are as follows:
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Router Solicitation (RS)
Router Advertisement (RA)
Redirect (RR)
Despite its rich feature set, the ND protocol is easy for attackers to exploit because it has no built-in
security mechanisms.
As shown in Figure 98, attackers can exploit the ND protocol as follows:
Send forged NS/NA/RS packets with the IPv6 address of a victim host. The ND entry maintained
by the gateway and other hosts for the victim host will be updated with the wrong address
information. As a result, all packets intended for the victim host will be sent to the attacking host
rather than the victim host.
Send forged RA packets with the IPv6 address of a victim gateway. This can cause all hosts
attached to the victim gateway to maintain incorrect IPv6 configuration parameters and ND entries.
Figure 98 ND attack diagram
[Diagram: Host A (IP_A, MAC_A), Host B (IP_B, MAC_B) and Host C (IP_C, MAC_C) attached to a Switch; forged ND packets are sent toward the switch.]
A forged ND packet has two features:
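The following is an added example, not code from the HP manual or the switch's own ND attack defense implementation. It builds constructed Ethernet/IPv6/ICMPv6 frames for the two attacks described above (a forged NA that claims Host B's address with Host C's MAC, and a forged RA sent with the gateway's address) and runs them through a small detector. The detector's design is an assumption for the example: a static IPv6-to-MAC binding table for protected hosts, a set of MAC addresses allowed to send RAs, and a consistency check between the frame's source MAC and the link-layer address option. Host names follow Figure 98; all addresses are assumed and use the IANA documentation ranges.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH_P_IPV6, IPPROTO_ICMPV6 = 0x86DD, 58
ICMPV6_RS, ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 133, 134, 135, 136
OPT_SRC_LLA, OPT_TGT_LLA = 1, 2
UNSPECIFIED = ipaddress.IPv6Address("::")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ip6(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def build_nd_frame(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str, icmp_type: int,
                   target_ip: Optional[str] = None, lla_mac: Optional[str] = None) -> bytes:
    """Build an Ethernet/IPv6/ICMPv6 ND frame (constructed sample; checksum left zero)."""
    if icmp_type == ICMPV6_NA:    # flags (Override) + reserved, target, then TLLA option
        body, opt_type = struct.pack("!I", 0x20000000) + ip6(target_ip), OPT_TGT_LLA
    elif icmp_type == ICMPV6_NS:  # reserved, target, then SLLA option
        body, opt_type = struct.pack("!I", 0) + ip6(target_ip), OPT_SRC_LLA
    elif icmp_type == ICMPV6_RA:  # hop limit, flags, router lifetime, reachable, retrans
        body, opt_type = struct.pack("!BBHII", 64, 0, 1800, 0, 0), OPT_SRC_LLA
    else:                         # RS: reserved only
        body, opt_type = struct.pack("!I", 0), OPT_SRC_LLA
    opts = struct.pack("!BB", opt_type, 1) + mac_bytes(lla_mac) if lla_mac else b""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body + opts
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + ip6(src_ip) + ip6(dst_ip)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IPV6)
    return eth + ipv6 + icmp


def parse_nd_frame(frame: bytes) -> Optional[dict]:
    """Return the ND-relevant fields of a frame, or None if it is not a usable ND message."""
    if len(frame) < 58 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", frame[18:21])
    if next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    opt_start = {ICMPV6_RS: 8, ICMPV6_RA: 16, ICMPV6_NS: 24, ICMPV6_NA: 24}.get(icmp[0])
    if opt_start is None or len(icmp) < opt_start:
        return None
    target = ipaddress.IPv6Address(icmp[8:24]) if icmp[0] in (ICMPV6_NS, ICMPV6_NA) else None
    lla, off = None, opt_start
    while off + 2 <= len(icmp):            # walk TLV options; length is in units of 8 octets
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                      # RFC 4861 section 4.6: zero length means discard
            return None
        if otype in (OPT_SRC_LLA, OPT_TGT_LLA) and olen == 1:
            lla = icmp[off + 2:off + 8]
        off += olen * 8
    return {"type": icmp[0], "eth_src": frame[6:12], "src_ip": ipaddress.IPv6Address(frame[22:38]),
            "target": target, "lla": lla}


class NDGuard:
    """Example defender: static IPv6->MAC bindings plus an allow-list of router MACs (assumed design)."""

    def __init__(self, bindings: Dict[str, str], router_macs: Set[str]):
        self.bindings = {ipaddress.IPv6Address(ip): mac_bytes(mac) for ip, mac in bindings.items()}
        self.router_macs = {mac_bytes(m) for m in router_macs}

    def inspect(self, frame: bytes) -> List[Tuple[str, str]]:
        pkt = parse_nd_frame(frame)
        if pkt is None:
            return []
        alerts = []
        # 1. The link-layer address option must agree with the frame's own source MAC.
        if pkt["lla"] is not None and pkt["lla"] != pkt["eth_src"]:
            alerts.append(("LLA_MISMATCH", f"option {mac_str(pkt['lla'])} vs frame {mac_str(pkt['eth_src'])}"))
        # 2. Every IPv6->MAC pair the message asserts must match the binding table.
        claims = set()
        if pkt["src_ip"] != UNSPECIFIED:   # a DAD NS is sent from :: and asserts nothing about its sender
            claims.add((pkt["src_ip"], pkt["eth_src"]))
        if pkt["type"] == ICMPV6_NA:       # the TLLA option is what poisons neighbour caches
            claims.add((pkt["target"], pkt["lla"] or pkt["eth_src"]))
        for ip, mac in claims:
            bound = self.bindings.get(ip)
            if bound is not None and bound != mac:
                alerts.append(("BINDING_CONFLICT", f"{ip} bound to {mac_str(bound)}, advertised as {mac_str(mac)}"))
        # 3. Router Advertisements may only come from known router MACs.
        if pkt["type"] == ICMPV6_RA and pkt["eth_src"] not in self.router_macs:
            alerts.append(("ROGUE_RA", f"RA from {mac_str(pkt['eth_src'])}"))
        return alerts


# Constructed topology after Figure 98: Hosts A and B are legitimate, Host C is the attacker.
GW_IP, GW_MAC = "2001:db8::1", "00:00:5e:00:53:01"
IP_A, MAC_A = "2001:db8::a", "00:00:5e:00:53:0a"
IP_B, MAC_B = "2001:db8::b", "00:00:5e:00:53:0b"
IP_C, MAC_C = "2001:db8::c", "00:00:5e:00:53:0c"
ALL_NODES_IP, ALL_NODES_MAC = "ff02::1", "33:33:00:00:00:01"


def demo() -> Dict[str, List[str]]:
    guard = NDGuard({GW_IP: GW_MAC, IP_A: MAC_A, IP_B: MAC_B}, {GW_MAC})
    frames = {
        "legit_na_from_b": build_nd_frame(MAC_B, IP_B, ALL_NODES_MAC, ALL_NODES_IP, ICMPV6_NA, IP_B, MAC_B),
        "legit_ra_from_gw": build_nd_frame(GW_MAC, GW_IP, ALL_NODES_MAC, ALL_NODES_IP, ICMPV6_RA, lla_mac=GW_MAC),
        "dad_ns_from_c": build_nd_frame(MAC_C, "::", "33:33:ff:00:00:0c", "ff02::1:ff00:c", ICMPV6_NS, IP_C),
        # Attack 1: C claims B's address with C's MAC, poisoning every ND entry for B.
        "forged_na_for_b": build_nd_frame(MAC_C, IP_B, ALL_NODES_MAC, ALL_NODES_IP, ICMPV6_NA, IP_B, MAC_C),
        # Attack 1 variant: the option carries B's real MAC but the frame was sent by C.
        "forged_na_lla_mismatch": build_nd_frame(MAC_C, IP_B, ALL_NODES_MAC, ALL_NODES_IP, ICMPV6_NA, IP_B, MAC_B),
        # Attack 2: C impersonates the gateway with a forged RA.
        "forged_ra_from_c": build_nd_frame(MAC_C, GW_IP, ALL_NODES_MAC, ALL_NODES_IP, ICMPV6_RA, lla_mac=MAC_C),
    }
    return {name: sorted(code for code, _ in guard.inspect(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name:24s} {codes or 'ok'}")
```

The DAD case is included deliberately: a host performing duplicate address detection sends an NS from the unspecified address with no link-layer option, so a detector that treated every NS source as a binding claim would flag legitimate hosts joining the link.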
