
9.3.5 Prevention techniques

A technique similar to the one that prevents ARP cache poisoning is possible for IPv6 ND cache poisoning, but it requires DHCPv6 snooping. Firewalls can enforce DHCPv6 usage and make DHCPv6 address assignment the default method, thus making DHCPv6 snooping easier to implement. Currently no DHCPv6 snooping support is available for any networking device.

IPv6 can provide an option to prevent ND cache poisoning in the case of stateless autoconfiguration via snooping the Neighbour Solicitation and Neighbour Advertisement messages: Neighbour Solicitation messages contain an informational pair [source_IPv6, source_MAC] that can be stored, while Neighbour Advertisement messages contain two informational pairs, [source_IPv6, source_MAC] and [destination_IPv6, destination_MAC], which can also be stored. Any mismatch can be diagnosed from the previously stored ND entry, and the switch can disable the abusing port. A "light version" of the above protocol can be implemented in firewalls: detect and report ND entry changes, i.e. different IP address with same MAC address etc.
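
The snooping logic described above can be sketched as follows. This is an added example, not code from the original document or from any product: the class, field and alert names are hypothetical, the messages are constructed samples that use only the pairs named in the text, and skipping the unspecified address and multicast destinations is an assumption added so that those packets do not create bindings.

```python
from dataclasses import dataclass, field
@dataclass
class NDSnooper:
    """ND binding table built from snooped NS/NA messages (hypothetical names)."""
    enforce: bool = False  # True = switch mode: disable the port on a mismatch
    bindings: dict = field(default_factory=dict)      # IPv6 address -> MAC
    disabled_ports: set = field(default_factory=set)

    def _check(self, ip, mac, port):
        # Skip the unspecified source used during DAD and multicast destinations.
        if ip == "::" or ip.lower().startswith("ff"):
            return []
        known = self.bindings.get(ip)
        if known is None:
            shared = mac in self.bindings.values()
            self.bindings[ip] = mac
            # "Light version" report: a MAC that now claims a further address.
            return [("new_ip_for_mac", ip, mac, port)] if shared else []
        if known == mac:
            return []
        if self.enforce:
            self.disabled_ports.add(port)
        return [("mac_mismatch", ip, mac, port)]  # stored entry is kept

    def observe(self, msg):
        if msg["port"] in self.disabled_ports:
            return []  # port already shut down
        alerts = self._check(msg["src_ip"], msg["src_mac"], msg["port"])
        if msg["type"] == "NA":  # NA carries a second, destination pair
            alerts += self._check(msg["dst_ip"], msg["dst_mac"], msg["port"])
        return alerts

A, B, X = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:66"
# Constructed sample traffic; fields follow the pairs named in the text.
SAMPLE = [
    {"type": "NS", "port": 1, "src_ip": "fe80::a", "src_mac": A},
    {"type": "NA", "port": 2, "src_ip": "fe80::b", "src_mac": B,
     "dst_ip": "fe80::a", "dst_mac": A},
    {"type": "NA", "port": 3, "src_ip": "fe80::b", "src_mac": X,
     "dst_ip": "fe80::a", "dst_mac": A},
    {"type": "NS", "port": 1, "src_ip": "2001:db8::a", "src_mac": A},
]

def run(enforce):
    snooper = NDSnooper(enforce=enforce)
    return [a for m in SAMPLE for a in snooper.observe(m)], snooper

if __name__ == "__main__":
    print(*run(enforce=True)[0], sep="\n")
```

With `enforce=False` the same table behaves as the firewall "light version": it reports the changes but disables no port.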