IPv6 Neighbor Discovery Protocol Vulnerability Analysis

Source: Internet
Author: User

The IPv6 Neighbor Discovery Protocol (NDP) replaces the ARP protocol of IPv4 for obtaining the MAC addresses of machines on the LAN, which is a prerequisite for communication between hosts on the LAN. For address resolution, Neighbor Discovery uses two message formats: the Neighbor Solicitation (NS) and the Neighbor Advertisement (NA).

How IPv6 Neighbor Discovery works:

Before communication between two hosts A and B in the LAN, A must first obtain the MAC address of B. The main steps are as follows:

(1) A sends an ICMPv6 NS message to the multicast address FF02::1 (IPv6 has no broadcast; multicast plays that role here) asking for B's MAC address.

(2) Every node on the LAN receives this NS request. When a node receives it, it compares the target address carried in the NS with its own address. If they differ, the request is ignored; if the requested address matches its own, the node responds with a Neighbor Advertisement (NA) message, indicating that it is the node being requested. In this example, under normal circumstances only B responds to the NS, and its response packet contains B's MAC address.

Flags of the Neighbor Advertisement message

Note that the NA carries three special flags. R (Router) indicates whether the sender is a router, S (Solicited) indicates whether the advertisement is a reply sent by the target machine in response to a solicitation, and O (Override) indicates whether the receiver should overwrite its existing cache entry. These flags were originally introduced to improve the efficiency of LAN nodes.

Analysis of the Security Risks of the IPv6 Neighbor Discovery Protocol

From the above analysis we can see that the IPv6 Neighbor Discovery Protocol is no improvement over the ARP protocol of IPv4 in terms of security. This is mainly reflected in the following aspects:

First, any node on the LAN that hears an NS (ICMPv6) packet can reply to it; there is no authentication. ARP spoofing in IPv4 can therefore be replaced by NA spoofing in IPv6. The principle is the same and will not be repeated here.

Second, compared with the ARP response packet of IPv4, the NA, as the IPv6 response packet, carries the three additional flags mentioned above. When all nodes on the LAN behave normally, these three flags undoubtedly improve the efficiency of LAN nodes, but as soon as a malicious node exists, the same three flags become a powerful tool in its hands.

Specifically, through the R flag a malicious node can pose as a router, and through the S flag it can pose as the target machine; the latter is the most useful to an attacker, because it lets the malicious node insert false route information into the routing table of the attacked host. In IPv4 the neighbor cache is refreshed only every so often, so a malicious node may have to send a large number of false responses to overwrite the correct cache entry, which is easy to detect; in IPv6, however, the O flag overwrites the correct cache entry with only a small number of false NA packets, which is difficult to detect.
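To make the O-flag risk concrete from the defender's side, here is an added example that is not part of the original article: a parser for NA messages that decodes the R/S/O flags and the target link-layer address option, plus a shadow-cache monitor that reports any NA rebinding an already-known target or newly claiming the R flag. The build_na helper and the MAC and address values are constructed test inputs, not captured traffic.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

ICMPV6_NA = 136        # ICMPv6 type of a Neighbor Advertisement
OPT_TARGET_LLADDR = 2  # ND option carrying the target's link-layer (MAC) address
@dataclass
class NeighborAdvertisement:
    router: bool      # R flag
    solicited: bool   # S flag
    override: bool    # O flag
    target: IPv6Address
    lladdr: Optional[str]

def parse_na(payload: bytes) -> NeighborAdvertisement:
    """Parse an NA from its ICMPv6 header onward: type, code, checksum, flags, target, options."""
    if len(payload) < 24 or payload[0] != ICMPV6_NA:
        raise ValueError("not a Neighbor Advertisement")
    flags = struct.unpack("!I", payload[4:8])[0]  # R, S, O are the top three bits
    target = IPv6Address(payload[8:24])
    lladdr, off = None, 24
    while off + 8 <= len(payload):                # options come in 8-byte units
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 says discard the packet
        if opt_type == OPT_TARGET_LLADDR and opt_len == 1:
            lladdr = ":".join(f"{b:02x}" for b in payload[off + 2:off + 8])
        off += opt_len * 8
    return NeighborAdvertisement(bool(flags & 0x80000000), bool(flags & 0x40000000),
                                 bool(flags & 0x20000000), target, lladdr)

class NaSpoofMonitor:  # shadow neighbor cache: reports NAs that rebind a target or newly claim R
    def __init__(self) -> None:
        self.cache: Dict[IPv6Address, Tuple[str, bool]] = {}  # target -> (mac, router)
    def observe(self, na: NeighborAdvertisement) -> List[str]:
        alerts, prev = [], self.cache.get(na.target)
        if prev and na.lladdr and na.lladdr != prev[0]:
            alerts.append(f"{'solicited' if na.solicited else 'unsolicited'} NA (O={int(na.override)}) rebinds {na.target}: {prev[0]} -> {na.lladdr}")
        if prev and na.router and not prev[1]:
            alerts.append(f"NA newly sets the R flag for {na.target}")
        if na.lladdr and (prev is None or na.override):  # RFC 4861: O=0 must not replace a differing MAC
            self.cache[na.target] = (na.lladdr, na.router)
        return alerts

def build_na(router: bool, solicited: bool, override: bool, target: str, mac: str) -> bytes:
    # Constructed sample NA for exercising the parser; checksum left 0 (it needs the IPv6 pseudo-header).
    flags = (router << 31) | (solicited << 30) | (override << 29)
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + IPv6Address(target).packed + opt
```

In a real deployment the monitor would be fed NAs captured from the link (for example via a raw socket or pcap), and the first alert on a long-stable binding is the signal that an O-flag rewrite is in progress.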
