Cisco 350 Series Administration Manual page 592

26
451
• If the given IPv6 address is known, the NS message is forwarded only on the interface
to which the IPv6 address is bound.
• A Neighbor Advertisement (NA) message is dropped if the target IPv6 address is
bound with another interface.
Protection against IPv6 Duplication Address Detection Spoofing
An IPv6 host must perform Duplication Address Detection for each assigned IPv6 address by
sending a special NS message (Duplicate Address Detection Neighbor Solicitation message
(DAD_NS) message).
A malicious host could send reply to a DAD_NS message advertising itself as an IPv6 host
having the given IPv6 address.
NB Integrity provides protection against such attacks in the following ways:
• If the given IPv6 address is unknown, the DAD_NS message is forwarded only on
inner interfaces.
• If the given IPv6 address is known, the DAD_NS message is forwarded only on the
interface where the IPv6 address is bound.
• An NA message is dropped if the target IPv6 address is bound with another interface.
Protection against DHCPv6 Server Spoofing
An IPv6 host can use the DHCPv6 protocol for:
• Stateless Information configuration
• Statefull address configuration
A malicious host could send DHCPv6 reply messages advertising itself as a DHCPv6 server
and providing counterfeit stateless information and IPv6 addresses. DHCPv6 Guard provides
protection against such attacks by configuring the interface role as a client port for all ports to
which DHCPv6 servers cannot be connected.
Protection Against NBD Cache Spoofing
An IPv6 router supports the Neighbor Discovery Protocol (NDP) cache that maps the IPv6
address to the MAC address for the last hop routing.
A malicious host could send IPv6 messages with a different destination IPv6 address for the
last hop forwarding, causing overflow of the NBD cache.
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
Security: IPv6 First Hop Security
Attack Protection