11-Security Configuration Guide

HomeSupportResource CenterRoutersH3C SR6600-X Router SeriesH3C SR6600-X Router SeriesTechnical DocumentsConfigure & DeployConfiguration GuidesH3C SR6602-X Routers Configuration Guides-R7607-6W10011-Security Configuration Guide
Table of Contents
Related Documents
21-ND attack defense configuration
Title Size Download
21-ND attack defense configuration 34.03 KB

Configuring ND attack defense

Overview

IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks.

The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks:

·     Forged NS/NA/RS messages with an IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim with incorrect address information. As a result, all packets intended for the victim are sent to the attacking host.

·     Forged RA messages with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.

For information about the IPv6 ND protocol, see Layer 3IP Services Configuration Guide.

Configuring source MAC consistency check for ND messages

The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.

This feature checks the source MAC address and the source link-layer address for consistency for each arriving ND message.

·     If the source MAC address and the source link-layer address are not the same, the device drops the packet.

·     If the addresses are the same, the device continues learning ND entries.

The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

To configure source MAC consistency check for ND messages:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable source MAC consistency check for ND messages.

ipv6 nd mac-check enable

By default, source MAC consistency check is disabled for ND messages.

3.     (Optional.) Enable the ND logging feature.

ipv6 nd check log enable

By default, the ND logging feature is disabled.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网