Overview of ND Inspection
IPv6 Neighbor Discovery (ND) Inspection mitigates NDP security vulnerabilities by examining the fields of each ND message and verifying them against the DHCPv6 snooping binding table or the neighbor discovery snooping binding table.
The attacks it addresses include the following:
Host B (the attacker) spoofs the IPv6 address of the victim (Host A) by sending forged NS/NA/RS messages. As a result, the gateway and other hosts update their neighbor caches with incorrect address information, and all messages intended for the victim are delivered to the attacker's terminal.
Host B (the attacker) spoofs the gateway by sending forged NA messages. As a result, all hosts attached to the victim gateway maintain an incorrect IPv6 configuration.
Figure 1. ND Attack Diagram
Terminology
Neighbor Solicitation (NS)
IPv6 nodes (hosts or network devices using the IPv6 protocol) send NS messages primarily to obtain the link-layer addresses of their neighbors, to verify neighbor reachability, and to detect duplicate addresses.
Neighbor Advertisement (NA)
IPv6 hosts respond to NS messages by sending NA messages. Additionally, IPv6 nodes, including hosts and network devices, send NA messages when the link-layer topology changes.
Router Solicitation (RS)
When an IPv6 node starts, it sends an RS packet to request prefixes and other essential configuration details from a router. It then waits for an RA packet from the router in response.
Router Advertisement (RA)
A router periodically sends RA messages that carry network configuration, such as the network prefix, to IPv6 nodes. The router also sends RA messages in response to RS messages.
Redirect (RR)
When a router detects that the inbound and outbound interfaces of a packet are the same, it sends a Redirect message asking the IPv6 node to select a better next-hop address.
DHCPv6 Snooping
DHCPv6 snooping is a security feature that builds a DHCPv6 snooping binding table by capturing the messages exchanged between a DHCPv6 server and its clients. The binding table records each client's IPv6 address, MAC address, VLAN ID, physical port, and lease time.
Duplicate Address Detection (DAD)
In an IPv6 network, when an interface attempts to configure a unicast IPv6 address, it first performs DAD to ensure that the address is unique on the link.
The purpose of DAD is to prevent address conflicts and ensure smooth network communication.
ND Inspection Trusted port
This type of port connects to trusted IPv6 nodes. After the user configures a port as trusted, the device no longer checks NS/NA/RS/RA messages received on it against the binding table entries.
ND Inspection Untrusted port
All ports are untrusted by default; a port remains untrusted unless its properties are modified.
ND Inspection Operation Mechanism
ND inspection mainly filters illegal messages. A forged ND message has the following characteristics:
The source MAC address of the frame does not match the MAC address carried in the Source Link-Layer Address option of the forged ND message.
The mapping between the source IPv6 address and the source MAC address in the forged ND message does not correspond to a legitimate user.
Based on these characteristics of attack messages, the device can check ND messages to effectively prevent ND attacks.
Binding Entry Check
With ND inspection enabled, when the device receives an ND message, it verifies the NS/NA/RS/RA message against the DHCPv6 snooping table entries that have already been generated.
The device checks whether the source MAC address and source IPv6 address of the ND message exist in the table. If the ND message fields match the source IPv6 address and source MAC address of a table entry, the device considers the ND message legal and forwards it. Otherwise, the device discards the message.
Figure 2. IPv6 Message Diagram
Source MAC Address Validation
After source MAC address validation is configured, the device checks whether the source MAC address of the ND message is consistent with the Link-Layer Address option (for example, 22:22:22:22:22:21). If they differ, the device discards the message. The diagram is shown below.
Figure 3. ND Message Diagram
If the user specifies a trusted port, the system no longer checks ND messages received on it against the binding table and forwards them directly, but it still checks source MAC consistency.
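The following added example (not Pica8 code) models the two checks described above, the binding entry check and source MAC address validation, over a constructed binding table. Port names, addresses and the decision to let a DAD probe with the unspecified source address through are assumptions for illustration, not behaviour stated on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed binding table, keyed (VLAN, port) -> {IPv6: MAC}, as DHCPv6 snooping would learn it.
BINDINGS = {
    (10, "ge-1/1/1"): {"2001:db8::a": "22:22:22:22:22:21"},
}
TRUSTED_PORTS = {"ge-1/1/48"}  # assumed uplink toward the gateway

@dataclass
class NDMessage:
    eth_src: str      # Ethernet frame source MAC
    ip6_src: str      # IPv6 header source address
    icmp_type: int    # 133 RS, 134 RA, 135 NS, 136 NA
    vlan: int
    port: str         # ingress port
    options: bytes = b""  # raw ICMPv6 option TLVs (type, length in 8-byte units, value)

def source_lla(options: bytes) -> Optional[str]:
    """Return the MAC in the Source Link-Layer Address option (type 1), or None."""
    i = 0
    while i + 2 <= len(options):
        opt_type, opt_len = options[i], options[i + 1] * 8
        if opt_len == 0:
            break  # malformed option; stop parsing rather than loop forever
        if opt_type == 1 and opt_len >= 8:
            return ":".join(f"{b:02x}" for b in options[i + 2:i + 8])
        i += opt_len
    return None

def inspect(msg: NDMessage, mac_validation: bool = True) -> str:
    """Return 'forward' or 'drop:<reason>' for one ND message."""
    lla = source_lla(msg.options)
    # Source MAC validation applies on every port, trusted or not.
    if mac_validation and lla is not None and lla != msg.eth_src.lower():
        return "drop:source-mac-mismatch"
    if msg.port in TRUSTED_PORTS:
        return "forward"  # trusted ports skip the binding entry check
    if msg.icmp_type == 135 and msg.ip6_src == "::":
        return "forward"  # DAD probe has no binding yet (assumption)
    bound_mac = BINDINGS.get((msg.vlan, msg.port), {}).get(msg.ip6_src)
    if bound_mac != msg.eth_src.lower():
        return "drop:no-binding"  # IPv6/MAC pair not learned on this VLAN/port
    return "forward"

if __name__ == "__main__":
    opt = bytes([1, 1]) + bytes.fromhex("222222222221")
    print(inspect(NDMessage("22:22:22:22:22:21", "2001:db8::a", 136, 10, "ge-1/1/1", opt)))
    print(inspect(NDMessage("aa:aa:aa:aa:aa:aa", "2001:db8::a", 136, 10, "ge-1/1/1", opt)))
```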
Copyright © 2024 Pica8 Inc. All Rights Reserved.