Overview of IPv6 RA Guard

The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement the following functions: address resolution, neighbor reachability detection, duplicate address detection, router discovery, prefix discovery, automatic address configuration, and redirection. The following lists the five types of ICMPv6 messages used by ND:

• Neighbor Solicitation (NS) message
• Neighbor Advertisement (NA) message
• Router Solicitation (RS) message
• Router Advertisement (RA) message
• Redirect message

For details about ND, see Neighbor Discovery in "Basic IPv6 Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - IP Services.

ND provides powerful functions but lacks security mechanisms. Attackers often use ND to attack network devices. For example, in an RA attack, an attacker sends RA messages advertising itself as a gateway to hosts. The hosts then modify their ND entries or record incorrect IPv6 parameters. As a result, the hosts cannot communicate normally.

Based on the characteristics of RA attacks, the IPv6 RA guard function uses the following methods to prevent malicious RA attacks on Layer 2 access devices:

The two methods are mutually exclusive, and only one method can be configured on a Layer 2 interface.

• Configure an interface role for the interface that receives RA messages. The system then determines whether to forward or discard RA messages based on the interface role.
  • If the interface role of the interface is a router interface, the system forwards RA messages.
  • If the interface role of the interface is a host interface, the system discards RA messages.
• Configure an IPv6 RA guard policy on the interface that receives RA messages to filter RA messages based on the matching rules configured in the policy.
  • If no matching rule is configured in the IPv6 RA guard policy, the interface forwards RA messages.
  • If matching rules are configured in the IPv6 RA guard policy, the interface forwards RA messages only when the messages match all the rules. Otherwise, the interface discards RA messages.