
IPv6 Neighbor Discovery Protocol (NDP) Security Risk


Article ID: JSA10389 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 2.0
Legacy Advisory Id:
PSN-2008-09-036
Product Affected:
NA
Problem:

IPv6 Neighbor Discovery Protocol (NDP) (RFC 4861) has a number of security issues that should be considered when deploying the protocol. On Oct 2nd, CERT/CC will be publishing a "Vulnerability Note" (VU#472363) on one of several known and documented issues with IPv6 NDP, titled IPv6 NDP Routing Vulnerability.

JUNOS's current implementation of IPv6 Neighbor Discovery Protocol (NDP) allows a directly connected node to spoof an off-link IPv6 address and insert it into the router's forwarding table. This exposes the nodes directly connected to the router to the equivalent of IPv4 ARP Spoofing, allowing one node to impersonate another. Like ARP Spoofing, this exposure allows the attacker to execute man-in-the-middle, DoS, or hijacking attacks.

This behavior was added to JUNOS to comply with strict RFC behavior requirements during the IPv6 Forum's certification test.

JUNOSe and ScreenOS implementations are not exposed to this issue.

We would like to thank David Miles for validating and reporting this issue to Juniper and other CSIRT agencies.

CVE Name: CVE-2008-2476

Solution:

Juniper has added a new configuration option for the IPv6 Neighbor Discovery Protocol (NDP). With this option, the router will not accept a Neighbor Solicitation (NS) from a source address that is not covered by one of the interface's configured prefixes (see RFC 4861, section 7.2.3). The new command is

set protocol neighbor-discovery onlink-subnet-only

Note: The RE needs to be reloaded after setting this knob to remove any possibility of a malicious IPv6 entry remaining in the forwarding table.

A review of RFC 3756, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", would help operators understand the range of risks with IPv6 Neighbor Discovery.

Today, IPv6 Unicast Reverse Path Forwarding (RPF) is a highly effective mitigation tool for this security risk.
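The following is an added illustration, not code from the advisory or from Junos: a small Python model of the behavior described above. It shows why an NS from an off-link source is dangerous (the learned neighbor entry is used for forwarding, so traffic for a remote prefix is delivered on-link to the soliciting node), how the onlink-subnet-only check from RFC 4861 section 7.2.3 stops the entry from being created, and how strict unicast RPF independently rejects the same spoofed source. The interface names, prefixes, addresses and link-layer addresses are constructed sample values, and the cache/forwarding model is a simplification of a real router.

```python
import ipaddress

# Constructed sample topology (not from the advisory): two router interfaces,
# each with its on-link prefixes. 2001:db8:99::/64 lives behind ge-0/0/1,
# so it is off-link from the point of view of a host on ge-0/0/0.
INTERFACE_PREFIXES = {
    "ge-0/0/0": [ipaddress.ip_network("2001:db8:1::/64"),
                 ipaddress.ip_network("fe80::/64")],
    "ge-0/0/1": [ipaddress.ip_network("2001:db8:99::/64"),
                 ipaddress.ip_network("fe80::/64")],
}
ROUTING_TABLE = [
    (ipaddress.ip_network("2001:db8:1::/64"), "ge-0/0/0"),
    (ipaddress.ip_network("2001:db8:99::/64"), "ge-0/0/1"),
]


def longest_match(dst_ip):
    """Return (prefix, egress interface) of the most specific route, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, ifname in ROUTING_TABLE:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def is_onlink(interface, addr):
    """RFC 4861 7.2.3-style check: is addr inside one of the interface's prefixes?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in prefix for prefix in INTERFACE_PREFIXES.get(interface, []))


class NeighborCache:
    """Minimal model of a router's neighbor cache fed by received NS messages."""

    def __init__(self, onlink_subnet_only):
        self.onlink_subnet_only = onlink_subnet_only   # the new knob, modelled as a flag
        self.entries = {}                              # (interface, ip) -> link-layer addr

    def process_ns(self, interface, src_ip, src_lladdr):
        """Handle an NS carrying a source link-layer address option."""
        if ipaddress.ip_address(src_ip).is_unspecified:
            return "ignored"            # DAD probe: never creates a cache entry
        if self.onlink_subnet_only and not is_onlink(interface, src_ip):
            return "rejected"           # source not covered by an interface prefix
        self.entries[(interface, src_ip)] = src_lladdr
        return "learned"

    def next_hop(self, dst_ip):
        """Model of the advisory's description: a learned neighbor entry is used
        as a directly connected forwarding entry ahead of the routing table."""
        for (ifname, ip), lladdr in self.entries.items():
            if ip == dst_ip:
                return (ifname, lladdr)
        route = longest_match(dst_ip)
        return (route[1], None) if route else None


def urpf_strict_accepts(ingress_interface, src_ip):
    """Strict uRPF: the best route for the source must point back out the ingress interface."""
    route = longest_match(src_ip)
    return route is not None and route[1] == ingress_interface


def demo():
    """Run the vulnerable and hardened models side by side; returns a results dict."""
    spoofed_lladdr = "00:11:22:33:44:55"     # constructed
    offlink_victim = "2001:db8:99::10"       # constructed, behind ge-0/0/1
    legit_host = "2001:db8:1::20"            # constructed, on-link on ge-0/0/0
    results = {}

    vulnerable = NeighborCache(onlink_subnet_only=False)
    results["vulnerable_ns"] = vulnerable.process_ns("ge-0/0/0", offlink_victim, spoofed_lladdr)
    results["vulnerable_next_hop"] = vulnerable.next_hop(offlink_victim)

    hardened = NeighborCache(onlink_subnet_only=True)
    results["hardened_ns"] = hardened.process_ns("ge-0/0/0", offlink_victim, spoofed_lladdr)
    results["hardened_next_hop"] = hardened.next_hop(offlink_victim)
    results["legit_ns"] = hardened.process_ns("ge-0/0/0", legit_host, "00:aa:bb:cc:dd:ee")

    results["urpf_spoofed"] = urpf_strict_accepts("ge-0/0/0", offlink_victim)
    results["urpf_legit"] = urpf_strict_accepts("ge-0/0/0", legit_host)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable model the off-link NS is learned and traffic for 2001:db8:99::10 is handed to the soliciting node's link-layer address on ge-0/0/0 instead of being routed out ge-0/0/1; with the on-link check enabled the same NS is rejected and forwarding follows the routing table, while a solicitation from a genuinely on-link host is still learned. Strict uRPF gives a second, independent reason to drop the spoofed packet, which is why the advisory recommends it as a mitigation.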

Severity Level:
Low
Severity Assessment:
Today this is a low-risk exploit. It is not a "remote" exploit that can be carried out several router hops away from the target. Like IPv4 ARP Spoofing, it must happen on an interface that is directly connected to the router. The core difference between IPv6 NDP and IPv4 ARP Spoofing is that most people turn off the ARP features that allow spoofing across the router's interfaces.
