Switches provide the ND snooping function to prevent ND attacks. ND snooping is a security feature of IPv6 ND and applies to Layer 2 networks. After ND snooping is enabled on a switch, the switch listens to NS packets in the Duplicate Address Detection (DAD) process to establish an ND snooping dynamic binding table. The table records source IPv6 addresses, source MAC addresses, VLANs, and inbound interfaces of NS packets to defend against ND attacks from bogus hosts or gateways.
Before enabling ND snooping on an interface or VLAN, enable it globally.
After ND snooping is enabled in the interface view, ND snooping takes effect only on this interface. After ND snooping is enabled in the VLAN view, ND snooping takes effect on all interfaces in the VLAN.
If an interface is configured as a trusted interface, ND snooping is automatically enabled on this interface.
Using ND snooping configuration in the VLAN view as an example, configure ND snooping as follows:
<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] vlan 10
[HUAWEI-vlan10] nd snooping enable //Enable ND snooping in VLAN 10.
[HUAWEI-vlan10] nd snooping check ns enable //Enable NS packet validity check.
[HUAWEI-vlan10] nd snooping check na enable //Enable NA packet validity check.
[HUAWEI-vlan10] nd snooping check rs enable //Enable RS packet validity check.
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] nd snooping trusted //Configure GE1/0/3 as a trusted interface.
[HUAWEI-GigabitEthernet1/0/3] quit
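As an added illustration (not code from this documentation or from the switch software), the following constructed Python model shows how the binding table learnt from DAD NS packets drives the NS/NA validity checks above, and why a trusted interface such as GE1/0/3 is exempt. Packet fields, port names and addresses are assumed sample values; the first-binding-wins rule is a simplification of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NdPacket:
    kind: str      # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    src_ip: str    # IPv6 source address; "::" (unspecified) for a DAD NS
    target: str    # ICMPv6 target address field
    src_mac: str   # source MAC address
    vlan: int      # VLAN the frame arrived on
    port: str      # inbound interface (assumed naming, e.g. "GE1/0/1")


class NdSnooping:
    """Constructed model of an ND snooping binding table plus NS/NA checks."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        # (vlan, ipv6) -> (mac, port); populated only from DAD NS packets
        self.bindings = {}

    def learn(self, pkt):
        # A DAD NS has an unspecified source and the tentative address in target.
        # In this model the first binding wins, so a later claim cannot overwrite it.
        if pkt.kind == "NS" and pkt.src_ip == "::" and pkt.port not in self.trusted:
            self.bindings.setdefault((pkt.vlan, pkt.target), (pkt.src_mac, pkt.port))

    def check(self, pkt):
        """Return True if the packet may be forwarded, False if it should be dropped."""
        if pkt.port in self.trusted:
            return True  # trusted interface (e.g. uplink to the real gateway): not checked
        if pkt.kind == "NS" and pkt.src_ip == "::":
            return True  # DAD NS carries no sender address; it is learning traffic
        # Address the sender claims: its source for an NS, the advertised target for an NA
        claimed = pkt.target if pkt.kind == "NA" else pkt.src_ip
        return self.bindings.get((pkt.vlan, claimed)) == (pkt.src_mac, pkt.port)


def run(snoop, packets):
    """Process packets in arrival order: learn, then check. Returns one verdict per packet."""
    verdicts = []
    for p in packets:
        snoop.learn(p)
        verdicts.append((p.kind, p.port, snoop.check(p)))
    return verdicts


def demo():
    # Constructed traffic: a host does DAD on GE1/0/1, then a second port claims the
    # same address, a bogus gateway advertises ::1, and the real gateway answers on GE1/0/3.
    snoop = NdSnooping(trusted_ports=["GE1/0/3"])
    return run(snoop, [
        NdPacket("NS", "::", "2001:db8::10", "00:11:22:33:44:55", 10, "GE1/0/1"),
        NdPacket("NA", "2001:db8::10", "2001:db8::10", "00:11:22:33:44:55", 10, "GE1/0/1"),
        NdPacket("NA", "2001:db8::10", "2001:db8::10", "de:ad:be:ef:00:01", 10, "GE1/0/2"),
        NdPacket("NA", "2001:db8::1", "2001:db8::1", "de:ad:be:ef:00:01", 10, "GE1/0/2"),
        NdPacket("NA", "2001:db8::1", "2001:db8::1", "00:aa:bb:cc:dd:01", 10, "GE1/0/3"),
    ])
```

The two drops in `demo()` correspond to the NA check rejecting an address bound to another MAC/port and an address with no binding at all on an untrusted port.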
In V200R010 and later versions, ND snooping can be configured in the DHCPv6 Only scenario. In this scenario, users can obtain IPv6 addresses only through DHCPv6. IPv6 addresses configured manually by users or automatically generated through Prefix Delegation (PD) are considered invalid addresses. To prevent ND snooping binding entries from being generated for invalid addresses, ND snooping is disabled in this scenario. As a result, ND packet validity check is unavailable, and address spoofing attacks may occur on the network. To resolve this problem, run the nd snooping enable dhcpv6 only command to enable ND snooping in the DHCPv6 Only scenario, and run the nd snooping trusted dhcpv6 only command to configure interfaces in the DHCPv6 Only scenario as trusted interfaces.