Overview

The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. For more information about the five functions of the ND protocol, see Layer 3 IP Services Configuration Guide.

The ND protocol implements its functions by using five types of ICMPv6 messages: Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS), Neighbor Advertisement (NA), and Redirect.

As shown in Figure 112, an attacker can attack a network by sending forged ICMPv6 messages:

Figure 112: ND attack diagram

All forged ND packets have two common features:

To identify forged ND packets, Hewlett Packard Enterprise developed the source MAC consistency check and ND detection features.
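The two checks named above, as an added Python example that is not HPE's code and does not describe how the Comware implementation works: it parses an Ethernet/IPv6/ICMPv6 ND frame, applies a source MAC consistency check (the frame's source MAC must equal the Source Link-Layer Address option, type 1, when that option is present) and an ND detection check (the source IPv6 address must map to the frame's source MAC in a trusted binding table, with the unspecified address used by duplicate address detection exempted). The MAC addresses, IPv6 addresses, binding table and sample frames are constructed test inputs; the `inspect` verdicts and the assumption that no IPv6 extension headers are present are this example's own, and the ICMPv6 checksum is left unvalidated.

```python
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
# ND message types and the length of each fixed ICMPv6 body before options (RFC 4861).
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LINK_LAYER = 1


def parse_nd_frame(frame: bytes) -> dict:
    """Parse Ethernet + IPv6 + ICMPv6 ND and return eth_src, ipv6_src, nd_type, slla.
    Assumption: no IPv6 extension headers. The ICMPv6 checksum is not validated."""
    if len(frame) < 14 + 40 + 4:
        raise ValueError("frame too short")
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not IPv6")
    ip = frame[14:54]
    if ip[6] != IPPROTO_ICMPV6:
        raise ValueError("not ICMPv6 (extension headers unsupported)")
    ipv6_src = IPv6Address(ip[8:24])
    icmp = frame[54:]
    nd_type = icmp[0]
    if nd_type not in ND_TYPES:
        raise ValueError("not an ND message")
    off = ND_FIXED_LEN[nd_type]
    if len(icmp) < off:
        raise ValueError("truncated ND body")
    slla = None
    # Walk the TLV options; lengths are in units of 8 octets and zero is invalid.
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 requires discarding the packet
        end = off + opt_len * 8
        if end > len(icmp):
            raise ValueError("option exceeds packet")
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            slla = icmp[off + 2:off + 8]  # 6-octet Ethernet address
        off = end
    return {"eth_src": eth_src, "ipv6_src": ipv6_src, "nd_type": ND_TYPES[nd_type], "slla": slla}


def source_mac_consistent(pkt: dict) -> bool:
    """Source MAC consistency check: SLLA option, when present, must equal the frame source MAC."""
    return pkt["slla"] is None or pkt["slla"] == pkt["eth_src"]


def nd_binding_valid(pkt: dict, bindings: dict) -> bool:
    """ND detection check: source IPv6 must be bound to the frame source MAC.
    A DAD NS is sent from the unspecified address and is exempt."""
    if pkt["ipv6_src"] == IPv6Address("::"):
        return True
    return bindings.get(pkt["ipv6_src"]) == pkt["eth_src"]


def inspect(frame: bytes, bindings: dict) -> tuple:
    """Return ('forward', []) or ('drop', [reasons]) for one ND frame."""
    pkt = parse_nd_frame(frame)
    reasons = []
    if not source_mac_consistent(pkt):
        reasons.append("slla-mismatch")
    if not nd_binding_valid(pkt, bindings):
        reasons.append("binding-mismatch")
    return ("drop" if reasons else "forward"), reasons


def build_ns(eth_src: bytes, ipv6_src: str, target: str, slla: bytes = None) -> bytes:
    """Constructed Neighbor Solicitation frame for testing; checksum left as zero."""
    icmp = bytes([135, 0, 0, 0]) + b"\x00" * 4 + IPv6Address(target).packed
    if slla is not None:
        icmp += bytes([OPT_SOURCE_LINK_LAYER, 1]) + slla
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip += IPv6Address(ipv6_src).packed + IPv6Address("ff02::1:ff00:1").packed
    eth = bytes.fromhex("3333ff000001") + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip + icmp


# Constructed test data: one bound host and one unrelated MAC.
HOST_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("00aabbccddee")
BINDINGS = {IPv6Address("2001:db8::10"): HOST_MAC}
LEGIT_NS = build_ns(HOST_MAC, "2001:db8::10", "2001:db8::1", HOST_MAC)
SLLA_MISMATCH_NS = build_ns(HOST_MAC, "2001:db8::10", "2001:db8::1", OTHER_MAC)
UNBOUND_SRC_NS = build_ns(OTHER_MAC, "2001:db8::10", "2001:db8::1", OTHER_MAC)
DAD_NS = build_ns(OTHER_MAC, "::", "2001:db8::20")

if __name__ == "__main__":
    for name, frame in [("legit", LEGIT_NS), ("slla-mismatch", SLLA_MISMATCH_NS),
                        ("unbound-source", UNBOUND_SRC_NS), ("dad", DAD_NS)]:
        print(name, inspect(frame, BINDINGS))
```

The binding table stands in for whatever trusted source a switch would consult (static entries, DHCPv6 snooping or ND snooping entries); the unspecified-address exemption matters because rejecting DAD solicitations would break address autoconfiguration for every new host.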