16-Security Configuration Guide
11-ND attack defense configuration
Contents
Configuring ND packet rate limit
Enabling source MAC consistency check for ND messages
Configuring ND attack detection
Restrictions and guidelines for ND attack detection configuration
Configuring ND attack detection for a VSI
Enabling ND attack detection logging
Verifying and maintaining ND attack detection
Configuring ND attack defense
About ND attack defense
IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks.
The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. As shown in Figure 1, an attacker can send the following forged ICMPv6 messages to perform ND attacks:
· Forged NS/NA/RS messages with an IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim with incorrect address information. As a result, all packets intended for the victim are sent to the attacking terminal.
· Forged RA messages with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Configuring ND packet rate limit
About this task
This feature limits the receiving rate of ND packets that are to be delivered to the CPU, preventing the CPU from being overwhelmed by ND packets.
When ND attack detection is enabled, the device redirects received ND packets to the CPU for security checks. If attackers send a large number of forged ND packets to the device, the CPU becomes overloaded; other features might then malfunction and the device might crash. To avoid this, configure ND packet rate limit on the interfaces that receive ND packets. When the receiving rate of ND packets on an interface exceeds the limit, the packets above the limit are discarded.
When logging for ND packet rate limit is enabled, the device sends the highest threshold-crossed ND packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
As a best practice, configure this feature if the device is configured with ND attack detection or ND snooping or has detected ND flood attacks.
To prevent the device from sending log messages frequently, set the log message sending interval to a high value.
On a Layer 2 aggregate interface, if you enable ND packet rate limit and the logging for this feature, the device sends log messages upon limit violations on its member ports.
Procedure
1. Enter system view.
system-view
2. (Optional.) Enable logging for ND packet rate limit.
ipv6 nd rate-limit log enable
By default, logging for ND packet rate limit is disabled.
3. (Optional.) Set the log message sending interval.
ipv6 nd rate-limit log interval interval
By default, the device sends log messages every 60 seconds.
4. Enter interface view.
interface interface-type interface-number
Supported interfaces include Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, Layer 3 Ethernet interfaces, and Layer 3 aggregate interfaces.
5. Enable ND packet rate limit.
ipv6 nd rate-limit [ pps ]
By default, ND packet rate limit is enabled.
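As an added illustration of the behaviour described in this section (a model, not the vendor's implementation), the following Python applies a per-second pps limit to constructed ND arrival times on one interface and produces one log record per sending interval carrying the highest rate that crossed the limit:

```python
"""Model of ND packet rate limit with logging (added example, not the vendor's
implementation). Arrival timestamps are constructed; the limit is applied per
interface and per second, as the pps unit of ipv6 nd rate-limit implies."""
from collections import defaultdict


def rate_limit(arrivals, pps_limit, log_interval=60):
    """arrivals: ND packet arrival times in seconds on one interface.
    Returns (delivered, dropped, logs); each log is (interval_start, peak_pps),
    the highest threshold-crossing rate seen in that log sending interval."""
    per_second = defaultdict(int)
    for t in arrivals:
        per_second[int(t)] += 1
    delivered = dropped = 0
    peak = {}
    for sec, count in per_second.items():
        delivered += min(count, pps_limit)   # packets within the limit reach the CPU
        over = max(count - pps_limit, 0)     # the excess is discarded
        dropped += over
        if over:
            start = sec - sec % log_interval
            peak[start] = max(peak.get(start, 0), count)
    return delivered, dropped, sorted(peak.items())


def burst(second, count):
    """Constructed arrivals: `count` packets spread evenly inside one second."""
    return [second + i / count for i in range(count)]
```

With the default 60-second interval, two bursts that cross the limit inside the same interval produce a single log record with the larger rate.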
Enabling source MAC consistency check for ND messages
About this task
The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.
This feature checks the source MAC address and the source link-layer address for consistency for each arriving ND message.
· If the source MAC address and the source link-layer address are not the same, the device drops the packet.
· If the addresses are the same, the device continues learning ND entries.
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable source MAC consistency check for ND messages.
ipv6 nd mac-check enable
By default, source MAC consistency check is disabled for ND messages.
3. (Optional.) Enable the ND logging feature.
ipv6 nd check log enable
By default, the ND logging feature is disabled.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Configuring ND attack detection
About ND attack detection
ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is typically configured on access devices.
ND attack detection is applicable to VXLAN networks.
ND attack detection defines the following types of ACs on a VXLAN network:
· ND trusted interface or ND trusted AC—Performs no user validity check on the received ND messages.
· ND untrusted interface or ND untrusted AC—Discards incoming RA and redirect messages, and performs the user validity check on other types of incoming ND messages.
ND attack detection uses static IPv6 source guard binding entries, ND snooping entries, and DHCPv6 snooping entries for user validity check. User validity check compares the source IPv6 address and the source MAC address in an incoming ND message against those entries.
· If a match is found, the device verifies the user as legal, and it forwards the packet.
· If no match is found, the device verifies the user as illegal, and it discards the ND message.
The entries used for user validity check are generated as follows:
· Static IPv6 source guard binding entries are created by using the ipv6 source binding command. For information about IPv6 source guard, see "Configuring IP source guard."
· ND snooping entries are automatically generated by the ND snooping feature. For information about ND snooping, see IPv6 neighbor discovery configuration in Layer 3–IP Services Configuration Guide.
· DHCPv6 snooping entries are automatically generated by the DHCPv6 snooping feature. For information about DHCPv6 snooping, see "Configuring DHCPv6 snooping."
Restrictions and guidelines for ND attack detection configuration
To prevent ND untrusted interfaces from dropping all received ND messages, make sure one or more of the following features are configured: IPv6 source guard static bindings, DHCPv6 snooping, and ND snooping.
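The following Python models both checks described above, the source MAC consistency check and the ND attack detection user validity check, on constructed ND messages (added example, not the vendor's code). The ND message layouts and the Source Link-Layer Address option follow RFC 4861; treating a message without that option as consistent is an assumption of this model.

```python
"""Model of the two ND checks described above (added example, not the
vendor's code): the source MAC consistency check and the ND attack detection
user validity check. Packet bytes and binding entries are constructed."""
import ipaddress

ND_RS, ND_RA, ND_NS, ND_NA, ND_REDIRECT = 133, 134, 135, 136, 137
# Offset of the options field in each ND message type (RFC 4861 layouts).
OPTIONS_OFFSET = {ND_RS: 8, ND_RA: 16, ND_NS: 24, ND_NA: 24, ND_REDIRECT: 40}
OPT_SOURCE_LLADDR = 1  # Source Link-Layer Address option type


def source_lladdr(icmpv6):
    """Return the MAC in the Source Link-Layer Address option, or None."""
    pos = OPTIONS_OFFSET.get(icmpv6[0])
    while pos is not None and pos + 8 <= len(icmpv6):
        opt_type, opt_len = icmpv6[pos], icmpv6[pos + 1] * 8
        if opt_len == 0:  # zero-length option is malformed (RFC 4861)
            return None
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 8:
            return icmpv6[pos + 2:pos + 8]
        pos += opt_len
    return None


def mac_check_passes(eth_src, icmpv6):
    """ipv6 nd mac-check: drop when the option MAC differs from the frame MAC.
    A message without the option is not compared (assumption of this model)."""
    lladdr = source_lladdr(icmpv6)
    return lladdr is None or lladdr == eth_src


def binding(ipv6, mac):
    """One IPv6 source guard / ND snooping / DHCPv6 snooping entry."""
    return (ipaddress.IPv6Address(ipv6), mac)


def nd_detection(trusted, ipv6_src, eth_src, icmpv6, bindings):
    """ipv6 nd detection enable: returns 'forward' or 'drop' for one AC."""
    if trusted:  # trusted AC: no user validity check
        return "forward"
    if icmpv6[0] in (ND_RA, ND_REDIRECT):  # untrusted AC: never accepted
        return "drop"
    return "forward" if binding(ipv6_src, eth_src) in bindings else "drop"


def build_ns(target, lladdr):
    """Constructed NS: type 135, code, zero checksum, reserved, target, SLLAO."""
    hdr = bytes([ND_NS, 0, 0, 0]) + bytes(4) + ipaddress.IPv6Address(target).packed
    return hdr + bytes([OPT_SOURCE_LLADDR, 1]) + lladdr
```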
Configuring ND attack detection for a VSI
Restrictions and guidelines
Do not configure ND snooping in a VSI where ND attack detection is configured. If they are both configured in one VSI, ND snooping cannot learn snooping entries.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable ND attack detection.
ipv6 nd detection enable
By default, ND attack detection is disabled.
4. (Optional.) Configure the ND trusted AC.
a. Return to system view.
quit
b. Enter interface view.
interface interface-type interface-number
c. Enter Ethernet service instance view.
service-instance instance-id
d. Configure the AC as ND trusted AC.
ipv6 nd detection trust
By default, all ACs are ND untrusted ACs.
Enabling ND attack detection logging
About this task
This feature allows a device to generate logs when it detects invalid ND packets. The log information helps administrators locate and solve problems. Each log records the following information:
· Victim port numbers in a VLAN.
· IDs of the victim Ethernet service instances in a VXLAN.
· Source IP address of the invalid ND packets.
· Source MAC address of the invalid ND packets.
· VLAN ID of the invalid ND packets.
· Total number of dropped ND packets.
Procedure
1. Enter system view.
system-view
2. Enable ND attack detection logging.
ipv6 nd detection log enable
By default, ND attack detection logging is disabled.
Verifying and maintaining ND attack detection
· To display statistics for ND messages dropped by ND attack detection, execute the following command in any view:
display ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]
· To clear ND attack detection statistics, execute the following command in user view:
reset ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]
Enabling ND scanning
About this task
The device creates ND entries automatically from NS and NA messages when traffic triggers it. If no traffic is received or sent for a period of time, ND entries cannot be created or updated in time.
To resolve this issue, you can enable automatic ND scanning on the device. This feature makes the device periodically send ND packets (NS requests) at a specified rate to the IPv6 addresses in the specified range that do not yet have ND entries.
Restrictions and guidelines
When you enable automatic ND scanning on an interface, you can specify the source address for the NS requests it sends:
· If you do not specify the source address, the interface uses its IPv6 address as the source address. The interface scans the IPv6 addresses that belong to both the automatic ND scanning range and the subnet of the interface IPv6 address.
If the interface is configured with multiple subnet IPv6 addresses and the addresses are also in the scanning range, the source address is the IPv6 address with the longest prefix. If the prefixes are in the same length, the source address is the primary IPv6 address for the interface.
· If you specify the source address, the interface uses the specified source address, and it scans all the IPv6 addresses in the automatic ND scanning range.
To avoid any impact on device performance, use automatic ND scanning only on networks where users come online and go offline frequently.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the ND packet sending rate for automatic ND scanning.
ipv6 nd scan auto send-rate { ppm ppm | pps }
By default, the device sends ND packets at the rate of 48 pps during automatic ND scanning.
3. Enter interface view.
interface interface-type interface-number
4. Enable automatic ND scanning.
ipv6 nd scan auto enable start-ipv6-address to end-ipv6-address [ source-addr source-ipv6-address ]
By default, automatic ND scanning is disabled.
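The source-address and target-selection rules from the restrictions above, carried through in Python as an added example (not the vendor's code). Interface addresses and scan ranges are constructed; excluding the interface's own addresses from the targets, and falling back to the primary address when no interface address lies in the range, are assumptions of this model.

```python
"""Model of the automatic ND scanning rules (added example, not the vendor's
code): which source address the interface uses and which addresses it scans.
Interface addresses and ranges are constructed."""
import ipaddress


def plan_nd_scan(start, end, iface_addrs, primary, source=None):
    """iface_addrs: 'addr/prefix' strings on the interface; primary: the
    interface's primary address. Returns (source_address, [targets])."""
    first, last = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    prim = ipaddress.IPv6Address(primary)
    ifaces = [ipaddress.IPv6Interface(a) for a in iface_addrs]
    own = {i.ip for i in ifaces}  # assumption: never scan our own addresses
    if source is not None:
        # Explicit source-addr: scan every address of the range.
        src, lo, hi = ipaddress.IPv6Address(source), first, last
    else:
        # Candidates: interface addresses that also lie in the scanning range
        # (fallback to the primary address is an assumption of this model).
        cands = ([i for i in ifaces if first <= i.ip <= last]
                 or [i for i in ifaces if i.ip == prim])
        # Longest prefix wins; on equal prefix length the primary address wins.
        longest = max(i.network.prefixlen for i in cands)
        tied = [i for i in cands if i.network.prefixlen == longest]
        chosen = next((i for i in tied if i.ip == prim), tied[0])
        src = chosen.ip
        # Scan only the part of the range inside the chosen address's subnet.
        lo = max(first, chosen.network.network_address)
        hi = min(last, chosen.network.broadcast_address)
    targets = [ipaddress.IPv6Address(n) for n in range(int(lo), int(hi) + 1)
               if ipaddress.IPv6Address(n) not in own]
    return src, targets
```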