Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
The ND protocol implements its function by using five types of ICMPv6 messages:
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Router Solicitation (RS)
Router Advertisement (RA)
Redirect (RR)
As shown in Figure 112, an attacker can attack a network by sending forged ICMPv6 messages:
Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim host with incorrect address information. As a result, all packets intended for the victim host are sent to the attacking host rather than the victim host.
Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Figure 112: ND attack diagram
All forged ND packets have two common features:
The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses.
The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, Hewlett Packard Enterprise developed the source MAC consistency check and ND detection features.