Policies, Global Parameters And System Defaults - Cisco 500 Series Administration Manual


Policies, Global Parameters and System Defaults

NB Integrity provides protection against such attacks in the following ways:
- If the given IPv6 address is unknown, the DAD_NS message is forwarded only on inner interfaces.
- If the given IPv6 address is known, the DAD_NS message is forwarded only on the interface where the IPv6 address is bound.
- An NA message is dropped if the target IPv6 address is bound with another interface.
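The three NB Integrity rules above can be modelled as decisions against a binding table. This is an added illustration, not code from the Cisco guide or the switch firmware; the port names, addresses, and the choice of which ports count as inner interfaces are constructed assumptions.

```python
# Added illustration of the three NB Integrity rules stated above.
# Port names, addresses and the inner-port set are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class NBIntegrity:
    inner_ports: set                               # assumed: ports designated as inner interfaces
    bindings: dict = field(default_factory=dict)   # IPv6 address -> interface it is bound to

    def dad_ns_egress(self, target):
        """Ports on which a DAD_NS message for `target` is forwarded."""
        bound = self.bindings.get(target)
        if bound is None:
            return set(self.inner_ports)   # unknown address: inner interfaces only
        return {bound}                     # known address: bound interface only

    def na_allowed(self, target, ingress):
        """False when the NA target is bound with an interface other than `ingress`."""
        bound = self.bindings.get(target)
        return bound is None or bound == ingress


def evaluate(switch, messages):
    """Return one (action, ports) decision per (kind, target, ingress) message."""
    decisions = []
    for kind, target, ingress in messages:
        if kind == "DAD_NS":
            # The stated rules depend only on the target address, not on the ingress port.
            decisions.append(("forward", sorted(switch.dad_ns_egress(target))))
        elif kind == "NA":
            action = "accept" if switch.na_allowed(target, ingress) else "drop"
            decisions.append((action, [ingress]))
        else:
            raise ValueError(f"unsupported message kind: {kind}")
    return decisions


# Constructed binding table: one host address bound on port3, two inner ports.
SWITCH = NBIntegrity(inner_ports={"uplink1", "uplink2"},
                     bindings={"2001:db8::10": "port3"})
SAMPLE = [
    ("DAD_NS", "2001:db8::99", "port5"),   # address not in the binding table
    ("DAD_NS", "2001:db8::10", "port5"),   # address bound on port3
    ("NA", "2001:db8::10", "port5"),       # NA for an address bound elsewhere
    ("NA", "2001:db8::10", "port3"),       # NA from the bound interface
]

if __name__ == "__main__":
    for msg, decision in zip(SAMPLE, evaluate(SWITCH, SAMPLE)):
        print(msg, "->", decision)
```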
Protection Against DHCPv6 Server Spoofing
An IPv6 host can use the DHCPv6 protocol for:
- Stateless information configuration
- Stateful address configuration
A malicious host could send DHCPv6 reply messages advertising itself as a
DHCPv6 server and providing counterfeit stateless information and IPv6
addresses. DHCPv6 Guard protects against such attacks when the interface
role is configured as a client port on all ports to which DHCPv6 servers
cannot be connected.
Protection Against NBD Cache Spoofing
An IPv6 router supports a Neighbor Discovery Protocol (NDP) cache that maps
IPv6 addresses to MAC addresses for last-hop routing.
A malicious host could send IPv6 messages, each with a different destination
IPv6 address for last-hop forwarding, causing the NBD cache to overflow.
An embedded mechanism in the NDP implementation limits the number of entries
allowed in the INCOMPLETE state in the Neighbor Discovery cache. This provides
protection against the table being flooded by hackers.
Each feature of FHS can be enabled or disabled individually. No feature is enabled
by default.
Security: IPv6 First Hop Security
Policies, Global Parameters and System Defaults
Cisco 500 Series Stackable Managed Switch Administration Guide
