Skip to main content

11. Security Considerations

Neighbor Discovery is subject to attacks that can disrupt network operations or redirect traffic. This section analyzes the threats to Neighbor Discovery and describes mechanisms to mitigate them.

11.1. Threat Analysis

The primary security concern for Neighbor Discovery is that nodes on the same link can send spoofed messages to attack other nodes. Possible attacks include:

Redirect Attacks:

  • An attacker sends a Redirect message to a victim, causing the victim to send traffic through the attacker instead of the legitimate first-hop router.
  • The attacker can then intercept, modify, or drop the redirected traffic.

Router Solicitation/Advertisement Attacks:

  • An attacker impersonates a router by sending Router Advertisements with:
    • Invalid prefix information, causing hosts to configure incorrect addresses
    • Short Router Lifetime values, causing hosts to believe no routers are available
    • Modified hop limit, MTU, or reachability parameters

Neighbor Solicitation/Advertisement Attacks:

  • An attacker sends spoofed Neighbor Advertisements to poison the Neighbor Cache of victim nodes.
  • This can redirect traffic intended for another node to the attacker.
  • An attacker can claim to own an IP address that actually belongs to another node.

Duplicate Address Detection (DAD) Attacks:

  • An attacker responds to all DAD Neighbor Solicitations, preventing any node from configuring an address.
  • This constitutes a denial-of-service attack on address configuration.

11.1.2. Denial-of-Service Attacks

Several aspects of Neighbor Discovery can be exploited for denial-of-service:

Cache Exhaustion:

  • An attacker floods a node with packets from numerous spoofed addresses, forcing the node to create Neighbor Cache entries and send Neighbor Solicitations.
  • This consumes memory and network bandwidth.

Neighbor Discovery Message Flooding:

  • An attacker floods the link with Neighbor Discovery messages, consuming bandwidth and processing resources.

Router Solicitation Flooding:

  • Multiple attackers or a single attacker with many spoofed addresses floods routers with Router Solicitations.
  • This can overwhelm routers with the burden of responding.

While Neighbor Discovery messages are link-local and should not be forwarded by routers, attackers with access to the physical medium (e.g., through compromised infrastructure) can launch attacks even if not directly connected to the target link.

11.2. Securing Neighbor Discovery Messages

11.2.1. SEcure Neighbor Discovery (SEND)

SEcure Neighbor Discovery (SEND) [RFC3971] provides cryptographic security for Neighbor Discovery. SEND uses:

  • Cryptographically Generated Addresses (CGA): Addresses that cryptographically bind a public key to an IPv6 address, allowing verification that the sender owns the address.
  • RSA Signatures: All critical Neighbor Discovery messages are signed with the sender's private key.
  • Timestamp Options: Prevent replay attacks.
  • Nonce Options: Provide freshness for solicitation/advertisement exchanges.
  • Authorization Delegation: Allows routers to prove they are authorized to act as routers for a prefix.

SEND provides strong protection against most Neighbor Discovery attacks, including:

  • Redirect attacks
  • Neighbor/Router Advertisement spoofing
  • Prefix information manipulation

Limitations of SEND:

  • SEND requires public key infrastructure and is computationally intensive.
  • It does not protect against all denial-of-service attacks (e.g., message flooding).
  • Deployment has been limited due to complexity.

Link-layer security mechanisms can provide protection for Neighbor Discovery:

IEEE 802.1X Port-Based Authentication:

  • Authenticates devices before allowing network access.
  • Prevents unauthorized devices from sending Neighbor Discovery messages.

MACsec (IEEE 802.1AE):

  • Provides link-layer encryption and authentication.
  • Protects all traffic, including Neighbor Discovery, from eavesdropping and tampering.

Wireless Security (WPA2/WPA3):

  • Encrypts and authenticates wireless traffic.
  • Prevents attackers from injecting spoofed Neighbor Discovery messages over wireless links.

Advantages of Link-Layer Security:

  • Transparent to higher-layer protocols.
  • Can be more efficient than SEND.
  • Protects against a broader range of attacks.

Limitations:

  • Not always available (e.g., on shared Ethernet segments).
  • Does not protect against attacks from compromised devices that have legitimate link access.

11.2.3. Router Advertisement Guard (RA Guard)

RA Guard [RFC6105] is a switch/router-based mechanism that filters Router Advertisement messages:

  • Switches are configured to identify which ports are connected to legitimate routers.
  • Router Advertisements from other ports are dropped.
  • Protects against rogue router attacks.

Limitations:

  • Only protects against rogue Router Advertisements.
  • Can be bypassed using IPv6 extension headers (mitigated by RFC 7113).
  • Requires proper configuration of network infrastructure.

11.2.4. Source Address Validation

Implementing source address validation can mitigate some attacks:

Ingress Filtering:

  • Routers should implement ingress filtering (BCP 38 / RFC 2827) to prevent packets with spoofed source addresses from entering the network.

Reverse Path Forwarding (RPF) Checks:

  • Can help detect and prevent some forms of address spoofing.

Limitations:

  • Primarily protects against off-link attacks.
  • Less effective against on-link spoofing.

11.3. Implementation Considerations

11.3.1. Rate Limiting

Implementations SHOULD (SHOULD) implement rate limiting for:

  • Processing Neighbor Discovery messages
  • Creating new Neighbor Cache entries
  • Sending Neighbor Solicitations in response to traffic

This mitigates denial-of-service attacks based on resource exhaustion.

11.3.2. Neighbor Cache Management

Implementations SHOULD (SHOULD):

  • Implement garbage collection for Neighbor Cache entries to prevent exhaustion.
  • Prioritize reachable entries over stale or incomplete entries when cache space is limited.
  • Limit the rate of Neighbor Cache entry creation from untrusted sources.

11.3.3. Router Advertisement Processing

Hosts SHOULD (SHOULD):

  • Ignore Router Advertisements with suspicious parameters (e.g., extremely short lifetimes, invalid prefix lengths).
  • Implement limits on the number of prefixes, routes, and other information learned from Router Advertisements.
  • Log unusual Router Advertisement patterns for administrative review.

11.3.4. Redirect Message Validation

Hosts MUST (MUST):

  • Validate that Redirect messages come from the current first-hop router.
  • Verify that the target address is on-link.
  • Not process Redirect messages that attempt to redirect traffic off-link.

11.4. Operational Considerations

Network administrators SHOULD (SHOULD):

  1. Deploy Link-Layer Security: Where possible, use 802.1X, MACsec, or wireless security to protect Neighbor Discovery.

  2. Implement RA Guard: On switches and routers to prevent rogue Router Advertisements.

  3. Monitor for Anomalies: Use network monitoring tools to detect unusual patterns in Neighbor Discovery traffic.

  4. Segment Networks: Use VLANs and other segmentation techniques to limit the scope of potential attacks.

  5. Consider SEND: For high-security environments, evaluate deploying SEND despite its complexity.

  6. Keep Systems Updated: Apply security patches and updates that address Neighbor Discovery vulnerabilities.

  7. Educate Users: Train network staff to recognize and respond to Neighbor Discovery attacks.

11.5. Future Directions

Ongoing work in the IETF continues to improve Neighbor Discovery security:

  • Lightweight SEND alternatives
  • Enhanced RA Guard mechanisms
  • Integration with network access control systems
  • Improved denial-of-service protections

Network administrators should stay informed of these developments and deploy new security mechanisms as they become standardized and available.

Last updated on