
Security: IPV6 First Hop Security
Attack Protection
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 419
NBI-NDP supports a lifetime timer. The timer value is configured in the
Neighbor Binding Settings page. The timer is restarted each time the bound
IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS
messages at short intervals to validate that the neighbor is still present.
NB Integrity Policy
As with the other IPv6 First Hop Security features, NB Integrity behavior on an
interface is specified by an NB Integrity policy attached to that interface.
These policies are configured in the Neighbor Binding Settings page.
Attack Protection
This section describes the attack protection provided by IPv6 First Hop Security.
Protection against IPv6 Router Spoofing
An IPv6 host uses received RA messages for:
IPv6 router discovery
Stateless address configuration
A malicious host could send RA messages advertising itself as an IPv6 router and
announcing counterfeit prefixes for stateless address configuration, so that
victims install the attacker as their default router or autoconfigure addresses
from the bogus prefix.
RA Guard protects against such attacks: configure the interface role as Host on
every interface to which an IPv6 router cannot legitimately be connected, and RA
messages received on those interfaces are discarded instead of being forwarded.
Protection against IPv6 Address Resolution Spoofing
A malicious host could send NA messages claiming to be the IPv6 host that owns a
given IPv6 address.
NB Integrity protects against such attacks by restricting where address
resolution for an address can take place:
If the given IPv6 address is unknown (no binding exists), the Neighbor
Solicitation (NS) message is forwarded only on inner interfaces.
If the given IPv6 address is known (a binding exists), the NS message is
forwarded only on the interface to which the IPv6 address is bound, so a host
on any other interface does not see the solicitation it would need to answer.
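The following Python model is an added example written for this page; it is not code from the Cisco guide or from the switch firmware. It walks through the behaviors described in both the NB Integrity section above (the lifetime timer with DAD-NS re-validation) and this Attack Protection section (RA Guard by interface role, and NS forwarding restricted to inner or bound interfaces). The interface names, addresses, the 60-second lifetime, the `inner` flag as the way an interface is marked inner, the `responds` callback standing in for the neighbor's answer to a DAD-NS probe, removing a binding whose neighbor stays silent, and rejecting a confirmation that arrives on an interface other than the bound one are all assumptions of the example, not statements from the guide.

```python
"""Model of the IPv6 First Hop Security behaviour described on this page.

Added example, not the Cisco guide's or the switch's code. Interface names,
addresses, timer values and the `inner` flag are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Role(Enum):
    HOST = "host"      # no IPv6 router may be attached: RA Guard drops RAs here
    ROUTER = "router"  # RAs are accepted


@dataclass
class Interface:
    name: str
    role: Role
    inner: bool = True  # assumption: how an "inner" interface is marked


@dataclass
class Binding:
    address: ipaddress.IPv6Address
    interface: str
    expires_at: float   # absolute time (s) at which the lifetime timer fires


class FirstHopSecurity:
    DAD_NS_RETRIES = 2  # the page: up to 2 DAD-NS messages after timer expiry

    def __init__(self, interfaces, lifetime):
        self.interfaces = {i.name: i for i in interfaces}
        self.lifetime = lifetime   # lifetime timer value (seconds)
        self.bindings = {}         # IPv6Address -> Binding
        self.log = []

    # RA Guard: accept an RA only on interfaces where a router may live.
    def handle_ra(self, ingress):
        if self.interfaces[ingress].role is Role.HOST:
            self.log.append(f"RA on {ingress} dropped (host role)")
            return False
        return True

    # NB Integrity: a neighbour confirmed `address` on `ingress`; create the
    # binding or restart its lifetime timer. Assumption: a confirmation from
    # an interface other than the bound one is rejected.
    def confirm(self, address, ingress, now):
        addr = ipaddress.IPv6Address(address)
        current = self.bindings.get(addr)
        if current is not None and current.interface != ingress:
            self.log.append(f"{addr} claimed on {ingress}, bound to {current.interface}")
            return False
        self.bindings[addr] = Binding(addr, ingress, now + self.lifetime)
        return True

    # NS forwarding: inner interfaces only for an unknown address, the bound
    # interface only for a known one.
    def forward_ns(self, target):
        binding = self.bindings.get(ipaddress.IPv6Address(target))
        if binding is None:
            return sorted(n for n, i in self.interfaces.items() if i.inner)
        return [binding.interface]

    # Lifetime timer. `responds(address, attempt)` stands in for the neighbour
    # answering a DAD-NS probe (constructed; the switch would send real NS
    # messages). An answer restarts the timer; silence after DAD_NS_RETRIES
    # probes removes the binding (assumption). Returns removed addresses.
    def run_lifetime_timer(self, now, responds):
        removed = []
        for addr, b in list(self.bindings.items()):
            if b.expires_at > now:
                continue
            alive = False
            for attempt in range(1, self.DAD_NS_RETRIES + 1):
                self.log.append(f"DAD-NS #{attempt} for {addr} on {b.interface}")
                if responds(addr, attempt):
                    alive = True
                    break
            if alive:
                b.expires_at = now + self.lifetime
            else:
                del self.bindings[addr]
                removed.append(str(addr))
        return removed


def demo():
    """Walk through the page's scenarios on constructed ports; returns decisions."""
    fhs = FirstHopSecurity([
        Interface("gi1", Role.ROUTER, inner=False),  # uplink to the real router
        Interface("gi2", Role.HOST),                 # access port, legitimate host
        Interface("gi3", Role.HOST),                 # access port, attacker
    ], lifetime=60)
    r = {}
    r["ra_uplink"] = fhs.handle_ra("gi1")                         # True
    r["ra_rogue"] = fhs.handle_ra("gi3")                          # False
    r["ns_unknown"] = fhs.forward_ns("2001:db8::10")              # ['gi2', 'gi3']
    fhs.confirm("2001:db8::10", "gi2", now=0)
    r["spoof_claim"] = fhs.confirm("2001:db8::10", "gi3", now=5)  # False
    r["ns_known"] = fhs.forward_ns("2001:db8::10")                # ['gi2']
    # t=61: timer expired, neighbour answers the second DAD-NS -> refreshed
    r["removed_alive"] = fhs.run_lifetime_timer(61, lambda a, n: n == 2)  # []
    r["ns_refreshed"] = fhs.forward_ns("2001:db8::10")            # ['gi2']
    # t=200: expired again, neighbour silent -> binding removed
    r["removed_silent"] = fhs.run_lifetime_timer(200, lambda a, n: False)
    r["ns_after_removal"] = fhs.forward_ns("2001:db8::10")        # ['gi2', 'gi3']
    r["log"] = fhs.log
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the run is in `ns_known` versus `ns_after_removal`: while the binding for 2001:db8::10 exists, the NS goes only to gi2, so the attacker on gi3 never sees a solicitation to answer; once the lifetime timer expires and the neighbor fails both DAD-NS probes, the address is unknown again and solicitations fan out to all inner interfaces, which is why the timer value should be kept short enough that stale bindings do not outlive a moved host but long enough that idle hosts are not probed constantly.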