14-Security Configuration Guide

10-ND attack defense configuration

Configuring ND attack defense

About ND attack defense

IPv6 Neighbor Discovery (ND) attack defense identifies forged ND messages to prevent ND attacks.

The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. As shown in Figure 1, an attacker can send the following forged ICMPv6 messages to perform ND attacks:

·     Forged NS/NA/RS messages with an IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim with incorrect address information. As a result, all packets intended for the victim are sent to the attacking terminal.

·     Forged RA messages with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.

Figure 1 ND attack diagram

ND attack defense tasks at a glance

The following ND attack defense tasks are optional.

·     Enabling source MAC consistency check for ND messages

·     Enabling ND scanning

Enabling source MAC consistency check for ND messages

About this task

The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.

For each arriving ND message, this feature compares the source MAC address in the Ethernet header with the source link-layer address carried in the ND message.

·     If the source MAC address and the source link-layer address are not the same, the device drops the packet.

·     If the addresses are the same, the device continues learning ND entries.

The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
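The check described above, written out as an added example that is not part of the H3C guide or the device software: it parses an Ethernet/IPv6/ICMPv6 ND message, compares the Ethernet source MAC with the source link-layer address option (RFC 4861 option type 1), and returns a drop decision plus a constructed log line on a mismatch. The sample NS frames are constructed in the block (checksum left zero), and the treatment of messages that carry no source link-layer option is an assumption of the example, not documented device behaviour.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
# Offset from the start of the ICMPv6 header at which ND options begin (RFC 4861):
# RS has a 4-byte reserved field, RA has 12 bytes of fields, NS/NA carry a 16-byte target.
ND_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24}
OPT_SOURCE_LLADDR = 1  # Source Link-Layer Address option (RFC 4861, section 4.6.1)


@dataclass
class NDCheckResult:
    nd_type: str                  # "RS", "RA", "NS" or "NA"
    eth_src_mac: str              # source MAC from the Ethernet header
    nd_src_lladdr: Optional[str]  # MAC from the source link-layer address option, if present
    action: str                   # "accept" (continue ND learning) or "drop"
    log: Optional[str]            # constructed log line on a mismatch, else None


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_ns_frame(eth_src: str, ipv6_src: str, target: str,
                   lladdr_option: Optional[str]) -> bytes:
    """Build an Ethernet/IPv6/ICMPv6 Neighbor Solicitation for `target`.
    Constructed sample traffic: the ICMPv6 checksum is left at zero because
    the consistency check below never looks at it."""
    target_ip = ipaddress.IPv6Address(target)
    # NS is sent to the solicited-node multicast address ff02::1:ffXX:XXXX of the target.
    dst_ip = ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + target_ip.packed[13:])
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + target_ip.packed
    if lladdr_option is not None:
        # option type 1, length 1 (one 8-octet unit), 6-byte MAC
        icmp += bytes([OPT_SOURCE_LLADDR, 1]) + _mac_bytes(lladdr_option)
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
            + ipaddress.IPv6Address(ipv6_src).packed + dst_ip.packed)
    eth_dst = b"\x33\x33" + dst_ip.packed[12:]  # IPv6 multicast-to-MAC mapping
    return eth_dst + _mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + icmp


def check_nd_frame(frame: bytes) -> Optional[NDCheckResult]:
    """Apply the source MAC consistency check to one frame.
    Returns None for frames that are not ND messages (the check does not apply)."""
    if len(frame) < 54:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ipv6 = frame[14:54]
    payload_len, next_header = struct.unpack("!HB", ipv6[4:7])
    if next_header != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if not icmp or icmp[0] not in ND_TYPES:
        return None
    nd_type = ND_TYPES[icmp[0]]
    # Walk the TLV options; the length field is in 8-octet units and zero is invalid.
    lladdr = None
    off = ND_OPTIONS_OFFSET[icmp[0]]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break  # malformed option: stop parsing rather than read past the message
        if opt_type == OPT_SOURCE_LLADDR and opt_len >= 8:
            lladdr = icmp[off + 2:off + 8]
            break
        off += opt_len
    if lladdr is None:
        # Assumption of this example: with no option there is nothing to compare,
        # so the message continues to ND entry learning.
        return NDCheckResult(nd_type, _mac_str(eth_src), None, "accept", None)
    if lladdr == eth_src:
        return NDCheckResult(nd_type, _mac_str(eth_src), _mac_str(lladdr), "accept", None)
    log = (f"[constructed log] {nd_type} dropped: Ethernet source MAC {_mac_str(eth_src)} "
           f"does not match source link-layer address {_mac_str(lladdr)}")
    return NDCheckResult(nd_type, _mac_str(eth_src), _mac_str(lladdr), "drop", log)


if __name__ == "__main__":
    consistent = build_ns_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455",
                                "fe80::1", "00:11:22:33:44:55")
    inconsistent = build_ns_frame("00:11:22:33:44:55", "fe80::1", "fe80::2", "aa:bb:cc:dd:ee:ff")
    for frame in (consistent, inconsistent):
        print(check_nd_frame(frame))
```

The parser stops at the first malformed option instead of trusting the length field, which is the same defensive posture a gateway needs when the messages it inspects may be crafted. The mismatch log is where the ND logging feature described above would hand the event to the information center.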

Procedure

1.     Enter system view.

system-view

2.     Enable source MAC consistency check for ND messages.

ipv6 nd mac-check enable

By default, source MAC consistency check is disabled for ND messages.

3.     (Optional.) Enable the ND logging feature.

ipv6 nd check log enable

By default, the ND logging feature is disabled.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Enabling ND scanning

About this task

The device creates ND entries from the NS and NA messages exchanged when traffic triggers neighbor resolution. If no traffic is sent or received for a period of time, ND entries are not created or refreshed in time.

To resolve this issue, you can enable the automatic ND scanning feature on the device. This feature enables the device to periodically send ND packets (NS requests) at a specified rate to the IPv6 addresses in the scanning range that have no ND entries.

Hardware and feature compatibility

Enabling ND scanning and setting ND packet sending rate are supported only in Release 5110P05 and later.

Restrictions and guidelines

You can specify the source address for the NS requests sent when you enable automatic ND scanning on an interface:

·     If you do not specify the source address, the interface uses its IPv6 address as the source address. The interface scans the IPv6 addresses that belong to both the automatic ND scanning range and the subnet of the interface IPv6 address.

If the interface is configured with multiple subnet IPv6 addresses and the addresses are also in the scanning range, the source address is the IPv6 address with the longest prefix. If the prefixes are in the same length, the source address is the primary IPv6 address for the interface.

·     If you specify the source address, the interface uses the specified source address, and it scans all the IPv6 addresses in the automatic ND scanning range.

To avoid any impact on device performance, use automatic ND scanning only on networks where users come online and go offline frequently.

Procedure

1.     Enter system view.

system-view

2.     Set the ND packet sending rate for automatic ND scanning.

[rate-setting command not reproduced on this page: the original text repeats ipv6 nd mac-check enable here, which is the source MAC consistency check command from the previous task rather than the ND scanning rate command; see the command reference for the correct command]

By default, the device sends ND packets at the rate of 48 pps during automatic ND scanning.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable automatic ND scanning.

ipv6 nd scan auto enable start-ipv6-address to end-ipv6-address [ source-addr source-ipv6-address ]

By default, automatic ND scanning is disabled.
