Security: IPv6 First Hop Security
Attack Protection
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4 450
26
• NA messages, if the source IPv6 address equals the target address.
IPv6 Source Guard drops all other IPv6 messages whose source IPv6 address equals the
unspecified IPv6 address.
IPv6 Source Guard runs only on untrusted interfaces belonging to the perimeter.
IPv6 Source Guard drops an input IPv6 message if:
• The Neighbor Binding table does not contain the IPv6 address
• The Neighbor Binding table contains the IPv6 address, but it is bound to another
interface.
IPv6 Source Guard initiates the Neighbor Recovery process by sending DAD_NS messages
for the unknown source IPv6 addresses.
Attack Protection
The section describes attack protection provided by IPv6 First Hop Security
Protection against IPv6 Router Spoofing
An IPv6 host can use the received RA messages for:
• IPv6 router discovery
• Stateless address configuration
A malicious host could send RA messages advertising itself as an IPv6 router and providing
counterfeit prefixes for stateless address configuration.
RA Guard provides protection against such attacks by configuring the interface role as a host
interface for all interfaces where IPv6 routers cannot be connected.
Protection against IPv6 Address Resolution Spoofing
A malicious host could send NA messages advertising itself as an IPv6 Host having the given
IPv6 address.
NB Integrity provides protection against such attacks in the following ways:
• If the given IPv6 address is unknown, the Neighbor Solicitation (NS) message is
forwarded only on inner interfaces.
To Next Page
Loading...
Need help?
General
