Configuring Nd Attack Defense - HP A5830 Series Configuration Manual

Configuring ND attack defense

The IPv6 ND protocol provides a rich set of functions, such as address resolution, neighbor reachability
detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and
redirection. However, the protocol itself provides no security mechanisms. Attackers can easily exploit the ND
protocol to attack hosts and gateways by sending forged packets.
The ND protocol implements its functions by using these types of ICMPv6 messages:
- NS (neighbor solicitation)
- NA (neighbor advertisement)
- RS (router solicitation)
- RA (router advertisement)
- RR (redirect)
An attacker can attack a network by sending forged ICMPv6 messages, as shown in Figure 78:
- Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other
hosts update their ND entry for the victim host with incorrect address information. As a result, all
packets intended for the victim host are sent to the attacking host rather than to the victim host.
- Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached
to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Figure 78 ND attack diagram (Host A with IP_A/MAC_A, Host B with IP_B/MAC_B, and Host C with IP_C/MAC_C attached to the switch; forged ND packets are sent through the switch)

All forged ND packets have these two common features:
- The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
- The mapping between the source IPv6 address and the source MAC address in the Ethernet frame
header is invalid.
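The two features above are exactly what a switch can test per packet. The following checker is an added example, not HP switch code: it parses a raw Ethernet/IPv6/ICMPv6 frame, compares the link-layer address option in the ND message with the Ethernet source MAC, and compares the (source IPv6, source MAC) pair with a binding table. The binding table is assumed to be a plain dict standing in for whatever entries the switch keeps; extension headers are not followed and the ICMPv6 checksum is not verified (both assumptions). It goes one step beyond the text by checking the Target Link-Layer Address option for NA messages, which is where an NA carries the sender's MAC per RFC 4861. All host addresses and frames at the bottom are constructed for the demo.

```python
"""Added example: flag forged ND packets by the two features described above."""
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "RR"}
# Byte offset of the first option within each ND message (RFC 4861 layouts).
ND_OPTION_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LLA, OPT_TARGET_LLA = 1, 2


def parse_nd(frame: bytes):
    """Return the fields the checks need, or None if the frame is not an ND message."""
    if len(frame) < 14 + 40 + 8:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len, next_hdr = struct.unpack("!HB", ip6[4:7])
    if next_hdr != IPPROTO_ICMPV6:          # assumption: no IPv6 extension headers
        return None
    icmp = frame[54:54 + payload_len]
    icmp_type = icmp[0]
    if icmp_type not in ND_TYPES or len(icmp) < ND_OPTION_OFFSET[icmp_type]:
        return None
    # NA advertises the sender's MAC in the Target LLA option; the others use Source LLA.
    wanted = OPT_TARGET_LLA if icmp_type == 136 else OPT_SOURCE_LLA
    lla_mac = None
    off = ND_OPTION_OFFSET[icmp_type]
    while off + 8 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:                     # malformed option: stop parsing
            break
        if opt_type == wanted and opt_len == 1:  # 8-byte option: 2 header + 6 MAC
            lla_mac = icmp[off + 2:off + 8]
        off += opt_len * 8
    return {"type": ND_TYPES[icmp_type], "eth_src": eth_src,
            "ip6_src": IPv6Address(ip6[8:24]), "lla_mac": lla_mac}


def check_nd_frame(frame: bytes, bindings: dict):
    """Return ("permit" | "drop" | "not-nd", reasons). bindings maps IPv6Address -> MAC bytes."""
    nd = parse_nd(frame)
    if nd is None:
        return "not-nd", []
    reasons = []
    # Feature 1: option MAC and Ethernet source MAC differ.
    if nd["lla_mac"] is not None and nd["lla_mac"] != nd["eth_src"]:
        reasons.append("LLA option MAC differs from Ethernet source MAC")
    # Feature 2: IPv6 source / Ethernet source MAC mapping invalid (DAD source :: has no entry).
    bound_mac = bindings.get(nd["ip6_src"])
    if bound_mac is not None and bound_mac != nd["eth_src"]:
        reasons.append("IPv6 source / Ethernet source MAC mapping invalid")
    return ("drop" if reasons else "permit"), reasons


def build_nd_frame(icmp_type, eth_src, ip6_src, ip6_dst, body, options=b""):
    """Constructed frame builder; the ICMPv6 checksum is left zero (parse_nd ignores it)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + body + options
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + IPv6Address(ip6_src).packed + IPv6Address(ip6_dst).packed)
    eth = bytes.fromhex("3333ff000001") + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def lla_option(opt_type, mac):
    return bytes([opt_type, 1]) + mac


# Constructed sample hosts, named as in Figure 78 (A and B legitimate, C the attacker).
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("02000000000a", "02000000000b", "02000000000c"))
IP_A, IP_B = IPv6Address("2001:db8::a"), IPv6Address("2001:db8::b")
BINDINGS = {IP_A: MAC_A, IP_B: MAC_B}          # assumed binding table
NS_BODY = b"\x00" * 4 + IP_B.packed            # reserved + target IP_B
NA_BODY = b"\x60\x00\x00\x00" + IP_A.packed    # S|O flags + target IP_A

LEGIT_NS = build_nd_frame(135, MAC_A, IP_A, "ff02::1:ff00:b", NS_BODY, lla_option(OPT_SOURCE_LLA, MAC_A))
# C claims IP_A with the victim's MAC in the option but its own MAC in the frame header.
FORGED_NS = build_nd_frame(135, MAC_C, IP_A, "ff02::1:ff00:b", NS_BODY, lla_option(OPT_SOURCE_LLA, MAC_A))
# C claims IP_A consistently in option and frame: only the binding check catches it.
FORGED_NA = build_nd_frame(136, MAC_C, IP_A, IP_B, NA_BODY, lla_option(OPT_TARGET_LLA, MAC_C))
DAD_NS = build_nd_frame(135, MAC_A, "::", "ff02::1:ff00:a", b"\x00" * 4 + IP_A.packed)

if __name__ == "__main__":
    for name, f in [("LEGIT_NS", LEGIT_NS), ("FORGED_NS", FORGED_NS), ("FORGED_NA", FORGED_NA), ("DAD_NS", DAD_NS)]:
        print(name, *check_nd_frame(f, BINDINGS))
```

The second check only works when the binding table is populated from a trusted source; without a trusted entry for the victim's address the forged NA above would pass, which is why the first check alone is not sufficient.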