Security Configuration Guide: 22-ND attack defense configuration
Contents
Configuring source MAC-based ND attack detection
About source MAC-based ND attack detection
Hardware compatibility with source MAC-based ND attack detection
Display and maintenance commands for source MAC-based ND attack detection
Configuring interface-based ND attack suppression
About interface-based ND attack suppression
Hardware compatibility with interface-based ND attack suppression
Display and maintenance commands for interface-based ND attack suppression
Enabling source MAC consistency check for ND messages
Configuring ND attack defense
About ND attack defense
IPv6 Neighbor Discovery (ND) attack defense identifies forged ND messages to prevent ND attacks.
The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. As shown in Figure 1, an attacker can send the following forged ICMPv6 messages to perform ND attacks:
· Forged NS/NA/RS messages carrying the IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim with incorrect address information. As a result, all packets intended for the victim are sent to the attacking terminal.
· Forged RA messages with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Configuring source MAC-based ND attack detection
About source MAC-based ND attack detection
Source MAC-based ND attack detection counts the ND messages delivered to the CPU per source MAC address. If the number of messages from the same MAC address within 5 seconds exceeds the threshold, the device generates an ND attack entry for that MAC address. How the device processes ND messages matching this entry depends on the detection mode. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:
· Filter mode—Filters out subsequent ND messages sent from the MAC address, and generates log messages.
· Monitor mode—Only generates log messages.
The device uses the entry aging time (fixed at 300 seconds) and the threshold to calculate a value:
The calculated value = (threshold/5) × 300
The device monitors the number of dropped packets for an entry. When the entry aging time is reached, it compares the number with the calculated value and takes actions accordingly:
· If the number of dropped packets is higher than or equal to the calculated value, the device resets the aging time for the entry.
· If the number of dropped packets is lower than the calculated value, the system deletes the entry and treats the MAC address in the entry as a common MAC address again.
Hardware compatibility with source MAC-based ND attack detection
Series | Models | Source MAC-based ND attack detection compatibility |
---|---|---|
F50X0 series | F5010, F5020, F5020-GM, F5030, F5030-6GW, F5040, F5060, F5080, F5000-A, F5000-C, F5000-S, F5000-M | Yes |
F5000-CN series | F5000-CN30, F5000-CN60 | Yes |
F5000-AI series | F5000-AI-15, F5000-AI-20, F5000-AI-40 | Yes |
F5000-V series | F5000-V30 | Yes |
F1000-AI series | F1000-AI-05, F1000-AI-10, F1000-AI-15, F1000-AI-20, F1000-AI-25, F1000-AI-30, F1000-AI-35, F1000-AI-50, F1000-AI-55, F1000-AI-60, F1000-AI-65, F1000-AI-70, F1000-AI-75, F1000-AI-80, F1000-AI-90 | Yes |
F1000-L series | F1003-L, F1005-L, F1010-L | Yes |
F10X0 series | F1005, F1010, F1020, F1020-GM, F1030, F1030-GM, F1050, F1060, F1070, F1070-GM, F1070-GM-L, F1080, F1090 | Yes |
F1000-V series | F1000-V50, F1000-V60, F1000-V70, F1000-V90 | Yes |
F1000-SASE series | F1000-SASE100, F1000-SASE200 | Yes |
F1000-AK series | F1000-AK108, F1000-AK109, F1000-AK110, F1000-AK115, F1000-AK120, F1000-AK125, F1000-AK130, F1000-AK135, F1000-AK140, F1000-AK145, F1000-AK150, F1000-AK155, F1000-AK160, F1000-AK165, F1000-AK170, F1000-AK175, F1000-AK180, F1000-AK185, F1000-GM-AK370, F1000-GM-AK380, F1000-AK710, F1000-AK711, F1000-AK1010, F1000-AK1020, F1000-AK1030, F1000-AK1110, F1000-AK1120, F1000-AK1130, F1000-AK1140, F1000-AK1150, F1000-AK1160, F1000-AK1170, F1000-AK1180, F1000-AK1212, F1000-AK1222, F1000-AK1232, F1000-AK1242, F1000-AK1252, F1000-AK1262, F1000-AK1272, F1000-AK1312, F1000-AK1322, F1000-AK1332, F1000-AK1342, F1000-AK1352, F1000-AK1362, F1000-AK1414, F1000-AK1424, F1000-AK1434, F1000-AK1514, F1000-AK1524, F1000-AK1534, F1000-AK1614, F1000-AK9110, F1000-AK9210 | Yes |
Firewall modules | IM-NGFWX-IV, LSPM6FWD, LSPM6FWDB, LSQM1FWDSC0, LSQM2FWDSC0, LSU3FWCEA0, LSUM1FWCEAB0, LSUM1FWDEC0, LSWM1FWD0, LSX1FWCEA1, LSXM1FWDF1 | Yes |
vFW series | vFW1000, vFW2000 | No |
Restrictions and guidelines
When you change the detection mode from monitor to filter, the filter mode takes effect immediately.
When you change the detection mode from filter to monitor, the device continues filtering messages that match existing attack entries.
Procedure
1. Enter system view.
system-view
2. Enable source MAC-based ND attack detection and set the detection mode.
ipv6 nd source-mac { filter | monitor }
By default, source MAC-based ND attack detection is disabled.
3. Set the threshold for source MAC-based ND attack detection.
ipv6 nd source-mac threshold threshold-value
The default setting is 30.
4. Enable the ND logging feature.
ipv6 nd check log enable
By default, the ND logging feature is disabled.
Display and maintenance commands for source MAC-based ND attack detection
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display the configuration of source MAC-based ND attack detection. | display ipv6 nd source-mac configuration |
Display source MAC-based ND attack detection entries. | display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ] |
 | display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ] |
 | display ipv6 nd source-mac slot slot-number [ count | verbose ] |
Delete source MAC-based ND attack detection entries. | reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ] |
Configuring interface-based ND attack suppression
About interface-based ND attack suppression
This feature rate-limits ND requests on each Layer 3 interface to prevent ND spoofing attacks. It monitors the number of ND requests that each Layer 3 interface receives within 5 seconds. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface. During the suppression period (fixed at 300 seconds), the device drops ND messages received on this interface.
The device uses the suppression time and the threshold to calculate a value:
The calculated value = (threshold/5) × 300
When the suppression time expires, the system examines the number of ND messages dropped on the interface during the suppression time:
· If the number is higher than or equal to the calculated value, the device resets the suppression time for the entry and continues ND suppression on the interface.
· If the number is lower than the calculated value, the device deletes the suppression entry.
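The entry lifecycle shared by source MAC-based ND attack detection (above, keyed by source MAC, default threshold 30) and interface-based ND attack suppression (this section, keyed by interface, default threshold 1000) can be modelled in a few lines. This is an added example, not the device's code: the tracker, the key name mac-A and the timing of the constructed scenario are assumptions; only the 5-second counting window, the 300-second aging time and the calculated-value formula come from the page.

```python
WINDOW = 5    # seconds over which ND messages are counted
AGING = 300   # fixed entry aging time / suppression period in seconds

def calculated_value(threshold):
    return (threshold / WINDOW) * AGING   # page formula: (threshold/5) x 300

class NdAttackTracker:
    """Attack-entry lifecycle keyed by source MAC (detection) or interface
    (suppression). Constructed model of the page's description."""
    def __init__(self, threshold, mode="filter"):
        self.threshold = threshold
        self.mode = mode     # "filter" drops matching messages; "monitor" only logs
        self.windows = {}    # key -> (start of 5-second window, messages seen)
        self.entries = {}    # key -> {"expires": time, "dropped": count}

    def on_message(self, key, now):
        """Handle one ND message from `key` at time `now`; return 'drop' or 'accept'."""
        entry = self.entries.get(key)
        if entry and now >= entry["expires"]:
            # Aging time reached: keep the entry only if enough was dropped.
            if entry["dropped"] >= calculated_value(self.threshold):
                entry["expires"], entry["dropped"] = now + AGING, 0
            else:
                del self.entries[key]   # key is a common MAC / interface again
                entry = None
        if entry:
            if self.mode == "filter":
                entry["dropped"] += 1
                return "drop"
            return "accept"
        start, count = self.windows.get(key, (now, 0))
        if now - start >= WINDOW:
            start, count = now, 0   # new 5-second counting window
        count += 1
        self.windows[key] = (start, count)
        if count > self.threshold:
            self.entries[key] = {"expires": now + AGING, "dropped": 0}
        return "accept"

def run_scenario(threshold=30, mode="filter", sustained=False):
    """Constructed scenario: threshold+1 messages from 'mac-A' at t=0 create an entry,
    then one stray message (or a flood reaching the calculated value when sustained),
    then one message exactly at the aging time."""
    tracker = NdAttackTracker(threshold, mode)
    for _ in range(threshold + 1):
        tracker.on_message("mac-A", 0)
    n = int(calculated_value(threshold)) if sustained else 1
    during = {tracker.on_message("mac-A", 1 + i * 0.1) for i in range(n)}
    after = tracker.on_message("mac-A", AGING)
    return {"during": during, "after": after, "entry_kept": "mac-A" in tracker.entries}
```

With the default threshold of 30, an entry survives its first aging period only if 1800 or more messages were dropped in those 300 seconds; a single stray message after the burst is dropped, but the entry is then removed at aging time.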
Hardware compatibility with interface-based ND attack suppression
Series | Models | Interface-based ND attack suppression compatibility |
---|---|---|
F50X0 series | F5010, F5020, F5020-GM, F5030, F5030-6GW, F5040, F5060, F5080, F5000-A, F5000-C, F5000-S, F5000-M | Yes |
F5000-CN series | F5000-CN30, F5000-CN60 | Yes |
F5000-AI series | F5000-AI-15, F5000-AI-20, F5000-AI-40 | Yes |
F5000-V series | F5000-V30 | Yes |
F1000-AI series | F1000-AI-05, F1000-AI-10, F1000-AI-15, F1000-AI-20, F1000-AI-25, F1000-AI-30, F1000-AI-35, F1000-AI-50, F1000-AI-55, F1000-AI-60, F1000-AI-65, F1000-AI-70, F1000-AI-75, F1000-AI-80, F1000-AI-90 | Yes |
F1000-L series | F1003-L, F1005-L, F1010-L | Yes |
F10X0 series | F1005, F1010, F1020, F1020-GM, F1030, F1030-GM, F1050, F1060, F1070, F1070-GM, F1070-GM-L, F1080, F1090 | Yes |
F1000-V series | F1000-V50, F1000-V60, F1000-V70, F1000-V90 | Yes |
F1000-SASE series | F1000-SASE100, F1000-SASE200 | Yes |
F1000-AK series | F1000-AK108, F1000-AK109, F1000-AK110, F1000-AK115, F1000-AK120, F1000-AK125, F1000-AK130, F1000-AK135, F1000-AK140, F1000-AK145, F1000-AK150, F1000-AK155, F1000-AK160, F1000-AK165, F1000-AK170, F1000-AK175, F1000-AK180, F1000-AK185, F1000-GM-AK370, F1000-GM-AK380, F1000-AK710, F1000-AK711, F1000-AK1010, F1000-AK1020, F1000-AK1030, F1000-AK1110, F1000-AK1120, F1000-AK1130, F1000-AK1140, F1000-AK1150, F1000-AK1160, F1000-AK1170, F1000-AK1180, F1000-AK1212, F1000-AK1222, F1000-AK1232, F1000-AK1242, F1000-AK1252, F1000-AK1262, F1000-AK1272, F1000-AK1312, F1000-AK1322, F1000-AK1332, F1000-AK1342, F1000-AK1352, F1000-AK1362, F1000-AK1414, F1000-AK1424, F1000-AK1434, F1000-AK1514, F1000-AK1524, F1000-AK1534, F1000-AK1614, F1000-AK9110, F1000-AK9210 | Yes |
Firewall modules | IM-NGFWX-IV, LSPM6FWD, LSPM6FWDB, LSQM1FWDSC0, LSQM2FWDSC0, LSU3FWCEA0, LSUM1FWCEAB0, LSUM1FWDEC0, LSWM1FWD0, LSX1FWCEA1, LSXM1FWDF1 | Yes |
vFW series | vFW1000, vFW2000 | No |
Restrictions and guidelines
As a best practice, enable this feature on the gateway.
Procedure
1. Enter system view.
system-view
2. Enable interface-based ND attack suppression.
ipv6 nd attack-suppression enable per-interface
By default, interface-based ND attack suppression is disabled.
3. Set the threshold for triggering ND attack suppression.
ipv6 nd attack-suppression threshold threshold-value
By default, the threshold for triggering ND attack suppression is 1000.
Display and maintenance commands for interface-based ND attack suppression
Execute display commands in any view.
Task | Command |
---|---|
Display the configuration of interface-based ND attack suppression. | display ipv6 nd attack-suppression configuration |
Display interface-based ND attack suppression entries. | display ipv6 nd attack-suppression per-interface slot slot-number [ count | verbose ] |
Display interface-based ND attack suppression entries on an interface. | display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ verbose ] |
Delete interface-based ND attack suppression entries. | reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ] |
Clear statistics for ND messages dropped by interface-based ND attack suppression. | reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ] |
Enabling source MAC consistency check for ND messages
About this task
The source MAC consistency check feature is typically configured on gateways to prevent ND attacks.
For each arriving ND message, this feature compares the source MAC address in the Ethernet frame header with the source link-layer address carried in the ND message.
· If the source MAC address and the source link-layer address are not the same, the device drops the packet.
· If the addresses are the same, the device continues learning ND entries.
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
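The consistency check above amounts to parsing the ND message far enough to find its Source Link-Layer Address option (option type 1 in RS, RA, NS and NA messages) and comparing it with the Ethernet source MAC. The following is an added example, not the device's code: the function names, the ignore verdict for non-ND traffic, and the constructed NS frame built by build_ns (checksum left at zero, as it is not needed for this check) are assumptions for illustration.

```python
import struct

ETH_LEN, IPV6_LEN, ICMPV6 = 14, 40, 58
# ICMPv6 ND message types and the offset at which their options begin
ND_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24}   # RS, RA, NS, NA
OPT_SOURCE_LLADDR = 1

def mac_str(b):
    """Render 6 bytes in the hhhh-hhhh-hhhh form used in the commands above."""
    return "-".join(f"{b[i]:02x}{b[i + 1]:02x}" for i in (0, 2, 4))

def source_mac_consistent(frame):
    """Return (verdict, frame source MAC, option source MAC). 'drop' when the two
    differ, 'accept' when they match or no option is present, 'ignore' for non-ND."""
    if len(frame) < ETH_LEN + IPV6_LEN or frame[12:14] != b"\x86\xdd":
        return "ignore", None, None
    eth_src = frame[6:12]
    if frame[ETH_LEN + 6] != ICMPV6:       # IPv6 Next Header must be ICMPv6
        return "ignore", None, None
    icmp = frame[ETH_LEN + IPV6_LEN:]
    if not icmp or icmp[0] not in ND_OPTIONS_OFFSET:
        return "ignore", None, None
    pos = ND_OPTIONS_OFFSET[icmp[0]]
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length in 8-octet units
        if opt_len == 0:
            break                           # malformed option: stop parsing
        if opt_type == OPT_SOURCE_LLADDR and opt_len >= 8:
            opt_src = icmp[pos + 2:pos + 8]
            verdict = "accept" if opt_src == eth_src else "drop"
            return verdict, mac_str(eth_src), mac_str(opt_src)
        pos += opt_len
    return "accept", mac_str(eth_src), None

def build_ns(eth_src, opt_src, target=bytes(16)):
    """Constructed test frame: Ethernet + minimal IPv6 header + NS with an SLLA option."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + target + bytes([1, 1]) + opt_src
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + bytes(32)
    return b"\x33\x33\xff\x00\x00\x01" + eth_src + b"\x86\xdd" + ipv6 + icmp
```

A frame whose Ethernet source differs from the option's address is the case the device drops; the verdict tuple carries both addresses so the mismatch can be logged in the same form the logging feature reports.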
Procedure
1. Enter system view.
system-view
2. Enable source MAC consistency check for ND messages.
ipv6 nd mac-check enable
By default, source MAC consistency check is disabled for ND messages.
3. (Optional.) Enable the ND logging feature.
ipv6 nd check log enable
By default, the ND logging feature is disabled.
As a best practice, disable the ND logging feature to avoid excessive ND logs.