Configuring Nd Attack Defense; Overview - HP 3600 v2 Series Configuration Manual

Configuring ND attack defense

Overview

The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.

The ND protocol implements its functions by using five types of ICMPv6 messages:
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Router Solicitation (RS)
Router Advertisement (RA)
Redirect (RR)

As shown in Figure 123, an attacker can attack a network by sending forged ICMPv6 messages:
Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim host with incorrect address information. As a result, all packets intended for the victim host are sent to the attacking host rather than the victim host.
Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.

Figure 123 ND attack diagram
[Figure: a switch connecting Host A (IP_A, MAC_A), Host B (IP_B, MAC_B) and Host C (IP_C, MAC_C); forged ND packets are sent across the switch toward the other hosts.]

All forged ND packets have two common features:
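The two spoofing cases described above (a forged NA that rewrites a victim host's ND entry, and a forged RA sent with a victim gateway's address) can be made concrete by decoding the raw ICMPv6 messages and comparing the link-layer address they carry against a binding the switch trusts. The following is an added example written for this page, not code from the HP manual or the switch's own implementation; the IPv6/MAC bindings, the addresses and the packets are all constructed for the demo, and the ICMPv6 checksum is left at zero because the frames are only parsed, never sent.

```python
"""Added example (not from the HP manual): build and decode IPv6 Neighbor
Discovery messages and flag forged NA/RA frames against trusted bindings.
Addresses, MACs and frames below are constructed for the demo."""
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ICMPV6 = 58


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_ipv6(src, dst, payload):
    """Minimal IPv6 header: version 6, next header ICMPv6, hop limit 255."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_na(src, dst, target, target_mac, flags=0x20):
    """Neighbor Advertisement (type 136) with a Target Link-Layer Address option (type 2).
    Flags R=0x80, S=0x40, O=0x20 live in the top byte of the 32-bit flags word.
    Checksum is left at zero: this frame is parsed, not transmitted."""
    body = struct.pack("!BBHI", 136, 0, 0, flags << 24) + ipaddress.IPv6Address(target).packed
    body += b"\x02\x01" + mac_bytes(target_mac)
    return build_ipv6(src, dst, body)


def build_ra(src, src_mac):
    """Router Advertisement (type 134): hop limit 64, M/O flags 0, router lifetime 1800s,
    reachable time and retrans timer unspecified, plus a Source Link-Layer option (type 1)."""
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    body += b"\x01\x01" + mac_bytes(src_mac)
    return build_ipv6(src, "ff02::1", body)


def parse_nd(frame):
    """Return (type_name, src_ip, dst_ip, target_ip, link_layer_mac), or None when the
    frame is not one of the five ND message types. Options are walked in 8-octet units."""
    if len(frame) < 40:
        return None
    _, plen, nh, _ = struct.unpack("!IHBB", frame[:8])
    if nh != ICMPV6 or len(frame) < 40 + plen:
        return None
    src = str(ipaddress.IPv6Address(frame[8:24]))
    dst = str(ipaddress.IPv6Address(frame[24:40]))
    icmp = frame[40:40 + plen]
    if len(icmp) < 8 or icmp[0] not in ND_TYPES:
        return None
    t = icmp[0]
    if t in (135, 136):      # NS/NA: 8-byte header, then 16-byte target
        target, opts = str(ipaddress.IPv6Address(icmp[8:24])), icmp[24:]
    elif t == 134:           # RA: 16-byte fixed header
        target, opts = None, icmp[16:]
    elif t == 137:           # Redirect: 8-byte header, target, destination
        target, opts = str(ipaddress.IPv6Address(icmp[8:24])), icmp[40:]
    else:                    # RS: 8-byte header
        target, opts = None, icmp[8:]
    mac = None
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            break            # RFC 4861: zero-length or truncated option, stop parsing
        if otype in (1, 2) and olen == 8:
            mac = mac_str(opts[2:8])
        opts = opts[olen:]
    return ND_TYPES[t], src, dst, target, mac


class NDGuard:
    """Trusted IPv6-to-MAC bindings for hosts and gateways (a stand-in, assumed for the
    demo, for whatever bindings a switch is configured to trust). check() returns a verdict."""

    def __init__(self, hosts, gateways):
        self.hosts = dict(hosts)
        self.gateways = dict(gateways)

    def check(self, frame):
        parsed = parse_nd(frame)
        if parsed is None:
            return "not-nd"
        kind, src, _dst, target, mac = parsed
        if kind == "NA" and target in self.hosts and mac and mac != self.hosts[target]:
            return f"spoofed NA: {target} claimed by {mac}, bound to {self.hosts[target]}"
        if kind == "RA":
            if not ipaddress.IPv6Address(src).is_link_local:   # RFC 4861: RA source must be link-local
                return f"invalid RA: source {src} is not link-local"
            if src in self.gateways and mac and mac != self.gateways[src]:
                return f"spoofed RA: gateway {src} advertised by {mac}, bound to {self.gateways[src]}"
        return "ok"


if __name__ == "__main__":
    guard = NDGuard({"2001:db8::b": "00:00:00:00:00:0b"}, {"fe80::1": "00:00:00:00:00:01"})
    print(guard.check(build_na("2001:db8::b", "2001:db8::a", "2001:db8::b", "00:00:00:00:00:0c")))
    print(guard.check(build_ra("fe80::1", "00:00:00:00:00:0c")))
```

The NA check catches the first attack in the list above: an advertisement for Host B's address that carries some other MAC would, on an unprotected gateway, replace the ND entry for Host B and redirect its traffic. The RA check catches the second: an advertisement sent with the gateway's link-local address but a different source MAC. Messages with no link-layer option pass through unflagged here, so a real deployment would also need to handle that case.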