Security: IPv6 First Hop Security
Attack Protection
Attack Protection
Cisco 500 Series Stackable Managed Switch Administration Guide
The section describes attack protection provided by IPv6 First Hop Security
Protection against IPv6 Router Spoofing
An IPv6 host can use the received RA messages for:
•
IPv6 router discovery
•
Stateless address configuration
A malicious host could send RA messages advertising itself as an IPv6 router and
counterfeit prefixes for
providing
RA Guard provides protection against such attacks by configuring the interface
role as a host interface for all interfaces where IPv6 routers cannot be connected.
Protection against IPv6 Address Resolution Spoofing
A malicious host could send NA messages advertising itself as an IPv6 Host
having the given IPv6 address.
NB Integrity provides protection against such attacks in the following ways:
•
If the given IPv6 address is unknown, the Neighbor Solicitation (NS)
message is forwarded only on inner interfaces.
•
If the given IPv6 address is known, the NS message is forwarded only on
the interface to which the IPv6 address is bound.
•
A Neighbor Advertisement (NA) message is dropped if the target IPv6
address is bound with another interface.
Protection against IPv6 Duplication Address Detection
Spoofing
An IPv6 host must perform Duplication Address Detection for each assigned IPv6
address by sending a special NS message (Duplicate Address Detection
Neighbor Solicitation message (DAD_NS) message).
A malicious host could send reply to a DAD_NS message advertising itself as an
IPv6 host having the given IPv6 address.
stateless address configuration.
23
522