IPv6 network defense ND snooping and detection

Enabling the ND Snooping feature on your switches prevents ND attacks. ND Snooping does not just snoop but also detect attacks by default. ND Snooping drops invalid ND packets and, together with DIPLDv6, blocks data traffic from invalid hosts.

Figure 29: ND Snooping enabled on a device

ND Snooping provides the following:

  • Drops ND packets if the Ethernet source MAC-address is mismatched with the one contained in the ND packet’s link-layer address field.

  • Drops ND packets where the global IPv6 address in the source address field is mismatched with the ND Snooping prefix filter table.

  • Drops ND packets where the global IPv6 address or the link-local IPv6 address in the source IP address field is mismatched with the ND Snooping binding table.

  • Drops the router advertisement on the untrusted ports. This is similar to RA Guard. To block RAs and RRs on a particular port using the RA Guard feature, RA Guard must be enabled on each of those ports. When ND Snooping is enabled with a trusted port configuration, RAs and RRs are dropped on all ports that ND Snooping enabled VLAN, other than the trusted port.

  • Dynamic IPv6 lockdown is performed for ND snooping entries. Based on the DAD NS received from the hosts by the switch, ND Snooping entries are programmed to the SAVI BST and the hardware (as allowed). Hence, data packets from invalid hosts and transit traffic are blocked.

Dynamic IP Lockdown for IPv6 (DIPLDv6) is an existing feature that adds a static or a dynamic binding based on the dsnoopv6 database. RA guard is an existing feature that can be configured per port on which the router advertisements and router redirects are blocked. Together with DIPLDv6 and RA guard, NDSnoop provides a very high level of Network Defense at the hands of the Network administrator and makes the network more secure.

ICMPv6 messages

The IPv6 Neighbor Discovery Protocol (ND) consists of five types of ICMPv6 messages:

  • Neighbor Solicitation (NS) - An IPv6 node (a host or network device running IPv6) sends NS packets to obtain the link-layer addresses of its neighbors and to detect neighbor reachability and duplicate addresses.

  • Neighbor Advertisement (NA) - An IPv6 host sends an NA packet in response to an NS packet. An IPv6 node also sends NA packets when the link-layer topology changes.

  • Router Solicitation (RS) - When an IPv6 node starts, it sends an RS packet to a router to request prefixes and other configuration information, and waits for the router to respond with an RA packet.

  • Router Advertisement (RA) - A router periodically advertises RA packets, including network configurations such as network prefix to IPv6 nodes. The router also returns RA packets as the responses to RS packets.

  • Redirect (RR) - When detecting that the inbound or outbound interface and outbound interface of a packet are the same, a router sends a Redirect packet to request the IPv6 node to select a better next hop address.

These ICMPv6 messages help to achieve these five functions:

  • address resolution

  • neighbor reachability detection

  • router/prefix discovery

  • address auto-configuration

  • redirection

ND attacks

ND messages are easy to be exploited by the spoofers/attackers in the IPv6 network if there are no security mechanisms. The attackers could send forged ND packets to redirect the traffic meant for a host from a router/gateway to them. The ND attacks include the following types:

  • Address Spoofing Attack: An attacker could send forged NS/NA packets with the IPv6 address of a victim host. The ND entry maintained by the gateway and other hosts for the victim host will be updated with the wrong address information (of that of the attacker). As a result, all packets intended for the victim host will be sent to the attacking host rather than the victim host. In figure 14, the gateway sends a Neighbor Solicitation for the IPv6 address 2002::10. An attacker could send a Neighbor Advertisement as a reply causing the gateway to learn 2002::10 is at Mac B. The traffic gets redirected to the attacker.There can be other kind of DOS Attacks where the spoofer sends Neighbor Advertisement packets with different source IPv6 addressess to fill up the neighbor cache of the device, resulting in no room for valid clients.

Figure 30: ND attack on device
  • RA Attack: An attacker could send forged RA packets with the IPv6 address of a victim gateway. This can cause all hosts attached to the victim gateway to maintain incorrect IPv6 configuration parameters and ND entries.In Figure 15, when the victim host sends a router solicitation, the attacker could send a route advertisement as a reply causing the victim host to receive the wrong network parameters. Hence the legitimate traffic to the victim hosts gets blocked.

Figure 31: RA attack on device