Overview
IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks.
The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks:
- Forged NS/NA/RS messages carrying the IPv6 address of a victim host. The gateway and other hosts update their ND entry for the victim with incorrect address information. As a result, all packets intended for the victim are sent to the attacking terminal.
- Forged RA messages carrying the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
For information about the IPv6 ND protocol, see Layer 3–IP Services Configuration Guide.
Table 23: ND attack defense features at a glance

| ND attack defense feature | To block |
|---|---|
| Source MAC consistency check | ND messages in which the Ethernet frame header and the source link-layer address option of the ND message contain different source MAC addresses. |
| ND attack detection | ND messages in which the mapping between the source IPv6 address and the source MAC address is invalid. |
| RA guard | RA messages that do not comply with the RA guard policy or that are identified as sent from hosts. |
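To make the first row of the table concrete, the following is an added example (not code from this guide or its vendor) of the source MAC consistency check applied to raw Ethernet frames: it parses the Ethernet, IPv6 and ICMPv6 headers, walks the ND options, and drops an ND message whose Source Link-Layer Address option disagrees with the frame's source MAC. The MAC addresses, IPv6 addresses and Neighbor Solicitation frames are constructed inline for the demonstration; the ICMPv6 checksum is left zero and IPv6 extension headers are not walked, both simplifications of this example rather than properties of the feature. The RFC 4861 hop-limit and code checks are included as an assumption of how a receiver would validate the message before comparing addresses.

```python
"""Source MAC consistency check for IPv6 ND messages (added example, not vendor code)."""
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ETH_HDR_LEN = 14
IPV6_HDR_LEN = 40
# ND message types (RFC 4861) -> length of the type-specific fixed part that
# follows the 4-byte ICMPv6 header and precedes the options.
ND_FIXED_LEN = {133: 4, 134: 12, 135: 20, 136: 20}   # RS, RA, NS, NA
OPT_SOURCE_LLA = 1   # Source Link-Layer Address option

# Constructed sample MAC addresses (not from the guide).
HOST_MAC = bytes.fromhex("020000000001")
ATTACKER_MAC = bytes.fromhex("02000000beef")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_nd(frame):
    """Parse Ethernet/IPv6/ICMPv6 and return a dict, or None if not an ND message.

    Assumption of this example: extension headers are not walked; ND messages
    are expected to carry ICMPv6 directly after the fixed IPv6 header.
    """
    if len(frame) < ETH_HDR_LEN + IPV6_HDR_LEN + 4:
        return None
    _dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_IPV6:
        return None
    _vtf, payload_len, next_hdr, hop_limit, ip_src, _ip_dst = struct.unpack_from(
        "!IHBB16s16s", frame, ETH_HDR_LEN)
    if next_hdr != NEXT_HEADER_ICMPV6:
        return None
    start = ETH_HDR_LEN + IPV6_HDR_LEN
    icmp = frame[start:start + payload_len]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ND_FIXED_LEN:
        return None
    info = {"eth_src": eth_src, "type": icmp_type, "code": icmp_code,
            "hop_limit": hop_limit, "ip_src": ip_src, "slla": None, "bad_option": False}
    off = 4 + ND_FIXED_LEN[icmp_type]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:                      # RFC 4861: zero-length option, discard
            info["bad_option"] = True
            break
        opt_bytes = opt_len * 8
        if off + opt_bytes > len(icmp):       # option runs past the message
            info["bad_option"] = True
            break
        if opt_type == OPT_SOURCE_LLA and opt_len == 1:   # 8-byte option: 6-byte MAC
            info["slla"] = icmp[off + 2:off + 8]
        off += opt_bytes
    return info


def source_mac_consistency_check(frame):
    """Return ('ignore' | 'pass' | 'drop', reason) for one received frame."""
    nd = parse_nd(frame)
    if nd is None:
        return "ignore", "not an ND message"
    if nd["hop_limit"] != 255 or nd["code"] != 0:
        return "drop", "ND message fails RFC 4861 hop-limit/code validation"
    if nd["bad_option"]:
        return "drop", "malformed ND option"
    if nd["slla"] is None:
        return "pass", "no source link-layer address option to compare"
    if nd["slla"] != nd["eth_src"]:
        return "drop", (f"frame source MAC {mac_str(nd['eth_src'])} differs from "
                        f"SLLA option {mac_str(nd['slla'])}")
    return "pass", "frame source MAC matches SLLA option"


def build_ns(eth_src, slla_mac, hop_limit=255):
    """Construct a Neighbor Solicitation frame for testing (checksum left zero)."""
    target = bytes(15) + b"\x01"
    icmp = struct.pack("!BBHI16s", 135, 0, 0, 0, target)     # type, code, csum, reserved, target
    if slla_mac is not None:
        icmp += bytes([OPT_SOURCE_LLA, 1]) + slla_mac
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6,
                       hop_limit, bytes(15) + b"\x02", bytes(15) + b"\x03")
    eth = struct.pack("!6s6sH", bytes.fromhex("3333ff000001"), eth_src, ETHERTYPE_IPV6)
    return eth + ipv6 + icmp


if __name__ == "__main__":
    samples = {
        "consistent NS": build_ns(HOST_MAC, HOST_MAC),
        "forged SLLA": build_ns(ATTACKER_MAC, HOST_MAC),
        "no SLLA option": build_ns(HOST_MAC, None),
        "bad hop limit": build_ns(HOST_MAC, HOST_MAC, hop_limit=64),
    }
    for name, frame in samples.items():
        verdict, reason = source_mac_consistency_check(frame)
        print(f"{name:15s} -> {verdict:6s} ({reason})")
```

The check deliberately passes ND messages that carry no Source Link-Layer Address option: the feature in the table compares two addresses that are both present, and messages without the option are left to the other defenses (ND attack detection, RA guard) rather than silently dropped.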