320
Figure 111 ND attack diagram
All forged ND packets have two common features:
• The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame
header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection
features.
Enabling source MAC consistency check for ND
packets
Use source MAC consistency check on a gateway to filter out ND packets that carry different source
MAC addresses in the Ethernet frame header and the source link layer address option.
Follow these steps to enable source MAC consistency check for ND packets:
To do… Use the command…
Remarks
Enter system view system-view —
Enable source MAC consistency check for
ND packets
ipv6 nd mac-check enable
Required
Disabled by default.
Configuring the ND detection function
Introduction to ND detection
Use the ND detection function on access devices to verify the source of ND packets. If an ND packet
comes from a spoofing host or gateway, it is discarded.
Switch
Host A
Host B
IP_A
MAC_A
IP_B
MAC_B
IP_C
MAC_C
Host C
Forged ND packetsForged ND packets
To Next Page
Loading...
