16-Security Configuration Guide
21-ND attack defense configuration
Contents
Enabling source MAC consistency check for ND messages
Configuring ND attack detection
Restrictions and guidelines for ND attack detection configuration
Configuring ND attack detection for a VLAN
Enabling ND attack detection logging
Verifying and maintaining ND attack detection
Configuring ND attack defense
About ND attack defense
IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks.
The IPv6 ND protocol does not itself authenticate messages: any node on the link can send ND messages claiming any address. As shown in Figure 1, an attacker can send the following forged ICMPv6 messages to perform ND attacks:
· Forged NS/NA/RS messages carrying the IPv6 address of a victim host. The gateway and other hosts update their ND entry for the victim with the attacker's link-layer address, so all packets intended for the victim are delivered to the attacker.
· Forged RA messages carrying the IPv6 address of a victim gateway. All hosts attached to that gateway then hold incorrect IPv6 configuration parameters (such as default router and prefix information) and incorrect ND entries.
Enabling source MAC consistency check for ND messages
About this task
The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.
For each arriving ND message, the feature compares the source MAC address in the Ethernet frame header with the link-layer address carried in the message's Source Link-Layer Address option.
· If the two addresses differ, the device drops the message.
· If they are the same, the device continues to learn ND entries from the message.
The ND logging feature logs source MAC inconsistency events and sends the log messages to the information center, which can output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable source MAC consistency check for ND messages.
ipv6 nd mac-check enable
By default, source MAC consistency check is disabled for ND messages.
3. (Optional.) Enable the ND logging feature.
ipv6 nd check log enable
By default, the ND logging feature is disabled.
As a best practice, leave the ND logging feature disabled except while troubleshooting, because a flood of inconsistent ND messages generates excessive ND logs.
Configuring ND attack detection
About ND attack detection
ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is typically configured on access devices.
ND attack detection is applicable to VLANs.
ND attack detection defines the following types of interfaces on a VLAN network or the following types of ACs:
· ND trusted interface or ND trusted AC—Performs no user validity check on the received ND messages.
· ND untrusted interface or ND untrusted AC—Discards all incoming RA and Redirect messages (these are sent only by routers and have no place on a host-facing port), and performs the user validity check on the other types of incoming ND messages.
ND attack detection compares the source IPv6 address and the source MAC address in an incoming ND message against security entries from other modules.
· If a match is found, the device verifies the user as legal, and it forwards the packet.
· If no match is found, the device verifies the user as illegal, and it discards the ND message.
ND attack detection uses static IPv6 source guard binding entries, ND snooping entries, and DHCPv6 snooping entries for user validity check.
· Static IPv6 source guard binding entries are created by using the ipv6 source binding command. For information about IPv6 source guard, see "Configuring IP source guard."
· ND snooping entries are automatically generated by the ND snooping feature. For information about ND snooping, see IPv6 neighbor discovery configuration in Network Connectivity Configuration Guide.
· DHCPv6 snooping entries are automatically generated by the DHCPv6 snooping feature. For information about DHCPv6 snooping, see Network Connectivity Configuration Guide.
Restrictions and guidelines for ND attack detection configuration
When you configure ND attack detection, follow these restrictions and guidelines:
· To prevent ND untrusted interfaces from dropping all received ND messages, make sure at least one of the following is configured so that security entries exist to match against: IPv6 source guard static bindings, DHCPv6 snooping, or ND snooping. Without any security entries, an untrusted interface drops every ND message it receives.
· To make the IPv6 source guard static bindings effective for ND attack detection, you must perform the following operations:
¡ Specify the vlan vlan-id option in the ipv6 source binding command.
¡ Enable ND attack detection for the same VLAN.
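The two checks described above (source MAC consistency check on the gateway, ND attack detection on the access device), as an added example that is not part of this guide and is not Comware code. It parses constructed ND frames and runs each through both checks, including the trusted/untrusted interface distinction and the VLAN-scoped binding table. Assumptions made here and not stated by the guide: an ND message that carries no Source Link-Layer Address option has nothing to compare and passes the consistency check; security entries are modelled as (IPv6, MAC, VLAN) tuples; the interface names GE1/0/1 and GE1/0/24, the addresses and the MACs are invented; ICMPv6 checksums are left zero because neither check reads them.

```python
"""Model of the two ND defenses on this page (source MAC consistency check and
ND attack detection). Added example, not Comware code; frames are constructed
inline and ICMPv6 checksums are left zero because neither check reads them."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETH_8021Q, ETH_IPV6, PROTO_ICMPV6, OPT_SLLA = 0x8100, 0x86DD, 58, 1
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137            # ICMPv6 ND types
FIXED_BODY = {RS: 4, RA: 12, NS: 20, NA: 20, REDIRECT: 36}    # bytes before options, RFC 4861


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_nd_frame(src_mac: str, src_ip: str, icmp_type: int, vlan: int,
                   slla: Optional[str] = None) -> bytes:
    """Constructed test input: 802.1Q-tagged Ethernet / IPv6 / ICMPv6 ND frame."""
    options = b"" if slla is None else bytes([OPT_SLLA, 1]) + mac(slla)  # len in 8-octet units
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(FIXED_BODY[icmp_type]) + options
    ip6 = (struct.pack("!IHBB", 6 << 28, len(icmp), PROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = mac("33:33:00:00:00:01") + mac(src_mac) + struct.pack("!HHH", ETH_8021Q, vlan, ETH_IPV6)
    return eth + ip6 + icmp


@dataclass
class NDMessage:
    src_mac: str                 # Ethernet frame source MAC
    src_ip: str
    icmp_type: int
    vlan: int
    slla: Optional[str]          # MAC in the Source Link-Layer Address option, if any


def parse_nd(frame: bytes) -> Optional[NDMessage]:
    """Return the ND message carried by a frame, or None if the frame is not ND."""
    src_mac, off, vlan = fmt_mac(frame[6:12]), 14, 0
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV6 or frame[off + 6] != PROTO_ICMPV6:
        return None
    src_ip = str(ipaddress.IPv6Address(frame[off + 8:off + 24]))
    icmp = frame[off + 40:]
    if len(icmp) < 4 or icmp[0] not in FIXED_BODY:
        return None
    slla, pos = None, 4 + FIXED_BODY[icmp[0]]
    while pos + 2 <= len(icmp) and icmp[pos + 1] != 0:   # walk TLV options; zero length is malformed
        if icmp[pos] == OPT_SLLA:
            slla = fmt_mac(icmp[pos + 2:pos + 8])
        pos += 8 * icmp[pos + 1]
    return NDMessage(src_mac, src_ip, icmp[0], vlan, slla)


def mac_check(msg: NDMessage) -> bool:
    """Gateway-side check behind 'ipv6 nd mac-check enable': drop when the frame source MAC
    and the SLLA option disagree. No SLLA option means nothing to compare; passing it is
    this example's assumption, not documented behaviour."""
    return msg.slla is None or msg.slla == msg.src_mac


def nd_detection(msg: NDMessage, port: str, trusted: Set[str],
                 bindings: Set[Tuple[str, str, int]]) -> Tuple[bool, str]:
    """Access-side check behind 'ipv6 nd detection enable'. `bindings` holds (ipv6, mac, vlan)
    tuples standing in for IPv6 source guard static, ND snooping and DHCPv6 snooping entries;
    the tuple layout is this example's own."""
    if port in trusted:
        return True, "trusted interface: no validity check"
    if msg.icmp_type in (RA, REDIRECT):
        return False, "RA/Redirect always dropped on untrusted interface"
    if (msg.src_ip, msg.src_mac, msg.vlan) in bindings:
        return True, "matches a security entry"
    return False, "no matching security entry"


def demo() -> Dict[str, bool]:
    """Run constructed frames through both checks; returns {case: accepted}."""
    victim, attacker = "2001:db8::10", "2001:db8::66"
    good_mac, bad_mac = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    bindings = {(victim, good_mac, 10)}       # e.g. a DHCPv6 snooping entry in VLAN 10
    frames = {
        "ns_consistent": build_nd_frame(good_mac, victim, NS, 10, slla=good_mac),
        "ns_slla_mismatch": build_nd_frame(bad_mac, victim, NS, 10, slla=good_mac),
        "na_spoofed_victim": build_nd_frame(bad_mac, victim, NA, 10, slla=bad_mac),
        "ra_rogue_router": build_nd_frame(bad_mac, attacker, RA, 10, slla=bad_mac),
        "ns_wrong_vlan": build_nd_frame(good_mac, victim, NS, 20, slla=good_mac),
    }
    results = {}
    for case, frame in frames.items():
        msg = parse_nd(frame)
        results["gateway_" + case] = mac_check(msg)
        results["access_" + case] = nd_detection(msg, "GE1/0/1", set(), bindings)[0]
    # Hypothetical uplink GE1/0/24 configured with 'ipv6 nd detection trust'
    results["access_ra_on_trusted_uplink"] = nd_detection(
        parse_nd(frames["ra_rogue_router"]), "GE1/0/24", {"GE1/0/24"}, bindings)[0]
    return results
```

The na_spoofed_victim case is the one to look at: a forged NA whose SLLA option matches the attacker's own source MAC is internally consistent and passes the gateway's MAC check, and is only stopped on the access device because (victim IP, attacker MAC, VLAN 10) matches no security entry. The ns_wrong_vlan case shows the restriction above in action: a binding learned for VLAN 10 does not validate the same host's NS arriving in VLAN 20.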
Configuring ND attack detection for a VLAN
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable ND attack detection.
ipv6 nd detection enable
By default, ND attack detection is disabled.
4. (Optional.) Configure the interface as ND trusted interface:
a. Return to system view.
quit
b. Enter Layer 2 Ethernet or aggregate interface view.
interface interface-type interface-number
c. Configure the interface as ND trusted interface.
ipv6 nd detection trust
By default, all interfaces are ND untrusted interfaces.
Enabling ND attack detection logging
About this task
This feature allows a device to generate logs when it detects invalid ND packets. The log information helps administrators locate and solve problems. Each log records the following information:
· Victim port numbers in a VLAN.
· Source IP address of the invalid ND packets.
· Source MAC address of the invalid ND packets.
· VLAN ID of the invalid ND packets.
· Total number of dropped ND packets.
Procedure
1. Enter system view.
system-view
2. Enable ND attack detection logging.
ipv6 nd detection log enable
By default, ND attack detection logging is disabled.
Verifying and maintaining ND attack detection
To display statistics for ND messages dropped by ND attack detection, execute the following command in any view:
display ipv6 nd detection statistics [ interface interface-type interface-number ]
To clear ND attack detection statistics, execute the following command in user view:
reset ipv6 nd detection statistics [ interface interface-type interface-number ]