Cisco 300 Series Administration Guide

Cisco 300 Series
586 pages
Security: IPV6 First Hop Security
Attack Protection
420 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
20
• A Neighbor Advertisement (NA) message is dropped if the target IPv6
address is bound with another interface.
Protection against IPv6 Duplicate Address Detection Spoofing
An IPv6 host must perform Duplicate Address Detection for each assigned IPv6
address by sending a special NS message, the Duplicate Address Detection
Neighbor Solicitation (DAD_NS) message.
A malicious host could send a reply to a DAD_NS message, advertising itself as an
IPv6 host having the given IPv6 address.
NB Integrity provides protection against such attacks in the following ways:
• If the given IPv6 address is unknown, the DAD_NS message is forwarded
only on inner interfaces.
• If the given IPv6 address is known, the DAD_NS message is forwarded only
on the interface where the IPv6 address is bound.
• An NA message is dropped if the target IPv6 address is bound with another
interface.
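
The three NB Integrity rules above, modeled as an added Python example (not Cisco's code or configuration). The class, port names and addresses are constructed for illustration, and the set of inner interfaces is assumed to be configured by the administrator.

```python
import ipaddress
from dataclasses import dataclass, field

def _key(addr):
    # Normalize so "2001:DB8:0::10" and "2001:db8::10" hit the same binding.
    return ipaddress.IPv6Address(addr)

@dataclass
class NBIntegrity:
    inner: set                                    # assumed: ports configured as inner
    bindings: dict = field(default_factory=dict)  # IPv6Address -> bound port

    def bind(self, addr, port):
        self.bindings[_key(addr)] = port

    def forward_dad_ns(self, target, ingress):
        """Ports on which a DAD_NS for `target` is forwarded."""
        bound = self.bindings.get(_key(target))
        # Unknown address: inner interfaces only. Known: only the bound port.
        out = set(self.inner) if bound is None else {bound}
        out.discard(ingress)  # assumption: never sent back out the ingress port
        return out

    def accept_na(self, target, ingress):
        """False means the NA is dropped: target is bound to another port."""
        bound = self.bindings.get(_key(target))
        return bound is None or bound == ingress

def demo():
    sw = NBIntegrity(inner={"gi24"})       # constructed port names
    sw.bind("2001:db8::10", "gi1")         # constructed binding
    return {
        "dad_known": sw.forward_dad_ns("2001:DB8:0::10", "gi7"),
        "dad_unknown": sw.forward_dad_ns("2001:db8::99", "gi7"),
        "na_other_port": sw.accept_na("2001:db8::10", "gi5"),
        "na_bound_port": sw.accept_na("2001:db8::10", "gi1"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the DAD_NS for a known address reaches only the bound port, a host on any other port never sees the probe, and an NA it sends for that address is dropped by the binding check.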
Protection against DHCPv6 Server Spoofing
An IPv6 host can use the DHCPv6 protocol for:
• Stateless information configuration
• Stateful address configuration
A malicious host could send DHCPv6 reply messages advertising itself as a
DHCPv6 server and providing counterfeit stateless information and IPv6
addresses. DHCPv6 Guard provides protection against such attacks by
configuring the interface role as a client port for all ports to which DHCPv6 servers
cannot be connected.
Protection Against NDP Cache Spoofing
An IPv6 router supports the Neighbor Discovery Protocol (NDP) cache, which maps
the IPv6 address to the MAC address for last-hop routing.

Cisco 300 Series Specifications

General
Model: Cisco 300 Series
Category: Switch
Dimensions: Varies by model
Weight: Varies by model
Power over Ethernet (PoE): Available on select models
Management: Web-based GUI, SNMP, CLI
VLANs: Up to 256
Security Features: ACLs, 802.1X, Port Security
Humidity: 10% to 90% non-condensing
Ports: 8, 16, 24, 48