Configuring ND attack defense
Overview
The IPv6 ND protocol provides many functions, such as address resolution, neighbor reachability
detection, duplicate address detection, router/prefix discovery and address auto-configuration, and
redirection. However, it does not provide security mechanisms. Attackers can easily exploit the ND
protocol to attack hosts and gateways by sending forged packets. For more information about ND, see
Layer 3—IP Services Configuration Guide.
ND uses the following types of ICMPv6 messages:
•
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
•
•
Router Solicitation (RS)
Router Advertisement (RA)
•
Redirect (RR)
•
An attacker can attack a network by sending forged ICMPv6 messages, as shown in
Sending forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other
•
hosts update the ND entry for the victim host with incorrect address information. As a result, all
packets intended for the victim host go instead to the attacking host.
•
Sending forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached
to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Figure 103 ND attack diagram
All forged ND packets have these common features:
•
The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
266
Figure
103: