HP FlexFabric 5700 series User Manual

HP FlexFabric 5700 series
460 pages
Configuring ND attack defense
Overview
Neighbor Discovery (ND) attack defense is able to identify forged ND packets to prevent ND attacks.
The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An
attacker can send the following forged ICMPv6 messages to perform ND attacks:
• Forged NS/NA/RS messages with an IPv6 address of a victim host. The gateway and other hosts
update the ND entry for the victim with incorrect address information. As a result, all packets
intended for the victim are sent to the attacking host.
• Forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to the
victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
For information about the IPv6 ND protocol, see Layer 3–IP Services Configuration Guide.
Configuring source MAC consistency check for ND packets
The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.
This feature checks the source MAC address and the source link-layer address for consistency for each
arriving ND packet.
• If the source MAC address and the source link-layer address are not the same, the device drops the
packet.
• If the addresses are the same, the device continues learning ND entries.
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the
information center. You can configure the information center module to set the log output rules. For more
information about the information center, see Network Management and Monitoring Configuration
Guide.
To configure source MAC consistency check for ND packets:
| Step | Command | Remarks |
| 1. Enter system view. | system-view | N/A |
| 2. Enable source MAC consistency check for ND packets. | ipv6 nd mac-check enable | By default, source MAC consistency check is disabled for ND packets. |
| 3. (Optional.) Enable the ND logging feature. | ipv6 nd check log enable | By default, the ND logging feature is disabled. HP recommends that you disable the ND logging feature to avoid excessive ND logs. |
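
The comparison that the source MAC consistency check performs can be reproduced offline when reviewing captured ND traffic. The following Python sketch is an added example, not HP code and not part of the manual. It assumes untagged Ethernet frames with no IPv6 extension headers, treats the Target Link-Layer Address option as the address to compare for NA messages, and forwards packets that carry no link-layer option; the function names and sample MAC addresses are constructed for illustration.

```python
import struct

# ICMPv6 ND type -> (offset of the first option, link-layer address option type)
ND_LAYOUT = {
    133: (8, 1),   # RS: Source Link-Layer Address (SLLA) option
    134: (16, 1),  # RA: SLLA option
    135: (24, 1),  # NS: SLLA option
    136: (24, 2),  # NA: Target Link-Layer Address option (assumption of this example)
}

def nd_mac_check(frame: bytes) -> str:
    """Return 'forward', 'drop' or 'not-nd' for an untagged Ethernet frame."""
    # EtherType 0x86DD (IPv6) and Next Header 58 (ICMPv6, no extension headers)
    if len(frame) < 62 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return "not-nd"
    src_mac, icmp = frame[6:12], frame[54:]
    layout = ND_LAYOUT.get(icmp[0])
    if layout is None:
        return "not-nd"
    pos, wanted = layout
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            return "drop"  # malformed option, cannot be checked
        if opt_type == wanted:
            return "forward" if icmp[pos + 2:pos + 8] == src_mac else "drop"
        pos += opt_len
    return "forward"  # no link-layer option to compare (assumption)

def build_frame(eth_src, icmp_type, body, lla, opt_type=1):
    """Build a constructed test frame: zero addresses, checksum left at 0."""
    icmp = bytes([icmp_type, 0, 0, 0]) + body + bytes([opt_type, 1]) + lla
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255) + bytes(32)
    return bytes(6) + eth_src + b"\x86\xdd" + ipv6 + icmp

# Constructed sample MAC addresses (locally administered)
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")

if __name__ == "__main__":
    print(nd_mac_check(build_frame(MAC_A, 135, bytes(20), MAC_A)))  # consistent NS
    print(nd_mac_check(build_frame(MAC_A, 135, bytes(20), MAC_B)))  # inconsistent NS
    print(nd_mac_check(build_frame(MAC_A, 134, bytes(12), MAC_B)))  # inconsistent RA
```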
