Overview of ND Snooping

The IPv6 ND (Neighbor Discovery) protocol is a key protocol in IPv6 networks that combines and enhances the ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol) route discovery, and ICMP redirection protocols of IPv4. The ND protocol plays a critical role in IPv6 networks, providing several important functions to ensure that devices in the network can communicate with each other and maintain network stability.

The IPv6 ND protocol is powerful but does not have a relevant security mechanism. ND snooping is a security feature for IPv6 ND, which allows users to configure the port type. The port will capture messages from the corresponding ports and generate prefix management or dynamic binding tables to defend against ND attacks from bogus hosts or gateways.

Terminology

IPv6 ND

The ND protocol is a key protocol for IPv6, which combines the ARP, ICMP route discovery, and ICMP redirection protocols of IPv4 and improves on them. As a fundamental protocol for IPv6, ND provides multiple functions, as shown in the following figure.

Figure 1. Neighbor Discovery Protocol Function Diagram

Neighbor Solicitation (NS)

IPv6 nodes (hosts or network devices using the IPv6 protocol) can obtain the link-layer addresses of their neighbors through NS messages and check whether those neighbors are reachable. NS messages are also used to perform DAD (Duplicate Address Detection).

Neighbor Advertisement (NA)

IPv6 hosts respond to NS messages by sending NA messages. Additionally, IPv6 nodes, including hosts and network devices, send unsolicited NA messages when their link-layer address changes.

Router Solicitation (RS)

Upon starting, an IPv6 node sends an RS message to a router to request prefixes and other essential configuration details. It then waits for an RA message from the router in response.

Router Advertisement (RA)

A router periodically advertises RA messages, carrying network configuration such as the network prefix, to IPv6 nodes on the link. The router also returns RA messages in response to RS messages.

Duplicate Address Detection (DAD)

In an IPv6 network, when an interface attempts to configure a unicast IPv6 address, it first performs DAD to ensure that the address is unique on the link.

The purpose of DAD is to prevent address conflicts and ensure smooth network communication.

Redirect (RR)

When detecting that the inbound interface and outbound interface of a packet are the same, a router sends a redirect packet to request the IPv6 node to select a better next hop address.

ND Snooping Trusted Port

This type of port is used to connect trusted IPv6 nodes. ND messages received on a trusted port are forwarded normally, and at the same time the device builds a prefix management table from the RA messages received on it.

Users can execute the set protocols neighbour snooping trust-port command to designate the ports connected to trusted IPv6 nodes as trusted ports. By default, all ports of the device are untrusted.

ND Snooping Untrusted port

This type of port is used to connect untrusted IPv6 nodes. The device treats RA messages received on an untrusted port as illegal and discards them directly.

ND Attacks

The ND protocol provides powerful functions, but its weak security mechanism makes it easy for an attacker to abuse. ND protocol attacks include the following types.

Address Spoofing Attack

The attacker uses the IPv6 address of Host A and sends NA/NS/RS messages to the gateway. The gateway updates its ND entry for Host A with the attacker's link-layer address, so the attacker easily receives the data that the gateway sends to Host A.

The attacker uses the IPv6 address of the gateway and sends forged NA/NS/RS messages to Host A, so Host A records a wrong ND entry for the gateway. As a result, Host A no longer receives messages from the gateway, Host A and the gateway cannot communicate with each other, and the attacker can easily obtain the data that Host A intended to send to the gateway.

Figure 2. Address Spoofing Attack

RA Attack

The attacker sends forged RA messages that:

  • Advertise non-existent prefixes, modifying Host A's routing table.

  • Forge the gateway's MAC address and router lifetime, modifying the host's default gateway.

  • Forge the DHCP server and, at the same time, the managed-address flag bit in the RA message, so that Host A is assigned a false address by the bogus DHCP server.

Figure 3. RA Attack

In summary, learning the real IPv6 address-to-MAC mapping of each device and filtering out illegal ND messages are the keys to defending against ND protocol attacks. ND snooping is proposed for this purpose: it filters illegal messages by checking the fields of received ND messages against the established table entries. For a detailed description, please refer to https://pica8-fs.atlassian.net/wiki/x/IwIdDQ
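The following Python model, added here as an illustration and not Pica8 code, shows the two checks described in the trusted/untrusted port section and in this summary: RA messages are accepted only on trusted ports and populate a prefix management table, and NS/NA messages from untrusted ports are verified against a binding table before being forwarded. The message field names, the class names, the rule that host addresses must fall within an advertised prefix, and the statically seeded binding entries are assumptions made for the example; the sample messages and port names are constructed.

```python
"""Simplified model of ND snooping checks (added example, not Pica8 code).

Assumptions: bindings are seeded statically instead of learned dynamically,
and a global source address must fall within a prefix learned from an RA on
a trusted port. Port names and sample messages are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NDMessage:
    kind: str             # "RA", "RS", "NS" or "NA"
    port: str             # ingress port name (constructed)
    src_ip: str           # IPv6 source address
    src_mac: str          # link-layer source address
    prefixes: tuple = ()  # advertised prefixes, RA only


@dataclass
class NDSnooping:
    trusted_ports: set = field(default_factory=set)
    prefix_table: set = field(default_factory=set)    # from RA on trusted ports
    binding_table: dict = field(default_factory=dict)  # ip -> (mac, port)
    log: list = field(default_factory=list)

    def bind(self, ip, mac, port):
        """Seed a binding entry (dynamic learning is not modelled here)."""
        self.binding_table[ipaddress.ip_address(ip).compressed] = (mac.lower(), port)

    def process(self, msg):
        """Return True if the message is forwarded, False if it is dropped."""
        if msg.kind == "RA":
            return self._check_ra(msg)
        return self._check_host_message(msg)

    def _check_ra(self, msg):
        # RA on an untrusted port is illegal and discarded outright.
        if msg.port not in self.trusted_ports:
            self.log.append(f"drop RA on untrusted port {msg.port} from {msg.src_mac}")
            return False
        # RA on a trusted port builds the prefix management table.
        for p in msg.prefixes:
            self.prefix_table.add(ipaddress.ip_network(p))
        return True

    def _check_host_message(self, msg):
        # Messages arriving on trusted ports are forwarded as-is.
        if msg.port in self.trusted_ports:
            return True
        ip = ipaddress.ip_address(msg.src_ip)
        # Unspecified source (::) is a DAD probe; nothing to verify yet.
        if ip == ipaddress.ip_address("::"):
            return True
        # Assumption: a global source address must lie within a learned prefix.
        if not ip.is_link_local and not any(ip in net for net in self.prefix_table):
            self.log.append(f"drop {msg.kind} from {ip}: prefix not advertised")
            return False
        entry = self.binding_table.get(ip.compressed)
        if entry is None:
            self.log.append(f"drop {msg.kind} from {ip}: no binding entry")
            return False
        if entry != (msg.src_mac.lower(), msg.port):
            self.log.append(f"drop {msg.kind} from {ip}: binding mismatch on {msg.port}")
            return False
        return True


def run_demo():
    """Run constructed messages through the model; returns (results, snooper)."""
    snoop = NDSnooping(trusted_ports={"ge-1/1/1"})  # uplink to the real gateway
    snoop.bind("2001:db8:1::a", "00:11:22:33:44:55", "ge-1/1/2")  # Host A

    msgs = {
        "ra_trusted": NDMessage("RA", "ge-1/1/1", "fe80::1", "00:00:5e:00:53:01",
                                ("2001:db8:1::/64",)),
        "ra_untrusted": NDMessage("RA", "ge-1/1/5", "fe80::bad", "00:00:5e:00:53:ff",
                                  ("2001:db8:9::/64",)),
        "na_host_a": NDMessage("NA", "ge-1/1/2", "2001:db8:1::a", "00:11:22:33:44:55"),
        "na_spoof_host_a": NDMessage("NA", "ge-1/1/5", "2001:db8:1::a", "00:00:5e:00:53:ff"),
        "na_unknown_prefix": NDMessage("NA", "ge-1/1/3", "2001:db8:9::1", "00:00:5e:00:53:aa"),
    }
    results = {name: snoop.process(m) for name, m in msgs.items()}
    return results, snoop


if __name__ == "__main__":
    res, s = run_demo()
    for name, ok in res.items():
        print(f"{name:18s} {'forward' if ok else 'drop'}")
    print("\n".join(s.log))
```

Note that the rogue RA on ge-1/1/5 is dropped before its prefix reaches the prefix management table, which is why the later NA from 2001:db8:9::1 also fails the prefix check; the two tables work together.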


Copyright © 2024 Pica8 Inc. All Rights Reserved.