Mitigating ND and RA Attacks
When you deploy IPv6, chances are, you will need to mitigate ND and RA attacks. At least
one tool exists to run this attack: parasite6 from The Hacker's Choice [3]. Although few
mitigation techniques exist at the time of writing this book (2007), it's expected that
techniques will be available in the near future, especially when Microsoft Vista SP1 ships.
In Hosts
If the hosts rely mainly on static configuration (for example, their servers), the attacks based
on RA and spoofed DHCPv6 are mitigated. However, ND spoofing is still possible because
an attacker can still spoof the router's IPv6 address (similar to the ARP spoofing attack
described in Chapter 6, "Exploiting IPv4 ARP"). IETF has specified a secure version of
ND, which will be explained shortly.
In Switches
Currently, no techniques are available in switches to mitigate these types of attacks.
Fortunately, these attacks are bound within one single subnet, so there's the possibility of
reducing potential damage by splitting the subnet to contain only a few hosts or by using
different subnets for trusted and nontrusted hosts.
This damage-control approach can be deployed more easily than in IPv4 because with IPv6
the enterprises receive many more IPv6 prefixes from their ISP.
Expect that techniques similar to DHCP snooping will be available for IPv6 in modern
switches. An access control list (ACL) applied to the traffic within a VLAN (VLAN ACL)
should also become available for IPv6. VLAN ACLs can then drop all RA and DHCP offers
coming from nontrusted hosts.
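
The VLAN ACL behavior described above, modeled as an added Python example (not code from the book or from any switch vendor): it classifies raw IPv6 packets and drops Router Advertisements and DHCPv6 server messages that arrive on a port not marked as trusted. The function names, the port names (`Gi0/1`, `Gi0/5`) and the sample packets are assumptions constructed for illustration; going slightly beyond the text, the classifier also walks hop-by-hop, routing and destination-options headers before inspecting the upper-layer protocol.

```python
import struct

ICMPV6, UDP = 58, 17                # IPv6 next-header values
EXT_HEADERS = {0, 43, 60}           # hop-by-hop, routing, destination options
RA_TYPE = 134                       # ICMPv6 Router Advertisement
DHCPV6_SERVER_PORT = 547            # servers send from 547, clients from 546
DHCPV6_SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY"}


def classify(packet: bytes) -> str:
    """Return 'RA', 'DHCPv6-ADVERTISE', 'DHCPv6-REPLY' or 'other' for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "other"
    nxt, off = packet[6], 40
    # Walk extension headers so the real upper-layer protocol is inspected.
    while nxt in EXT_HEADERS and off + 2 <= len(packet):
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    if nxt == ICMPV6 and off < len(packet) and packet[off] == RA_TYPE:
        return "RA"
    if nxt == UDP and off + 9 <= len(packet):
        sport = struct.unpack_from("!H", packet, off)[0]
        msg = DHCPV6_SERVER_MSGS.get(packet[off + 8])
        if sport == DHCPV6_SERVER_PORT and msg:
            return "DHCPv6-" + msg
    return "other"


def vlan_acl(packet: bytes, ingress_port: str, trusted_ports: set) -> str:
    """Drop router and DHCPv6-server traffic unless it arrives on a trusted port."""
    kind = classify(packet)
    if kind != "other" and ingress_port not in trusted_ports:
        return "drop"
    return "permit"   # NS/NA pass either way: this filter does not stop ND spoofing


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet (fe80::1 -> ff02::1); checksums are left at zero."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload


# Constructed sample packets (not captured traffic).
RA = ipv6(ICMPV6, bytes([134, 0, 0, 0]) + bytes(12))
RA_DSTOPT = ipv6(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([134, 0, 0, 0]) + bytes(12))
NS = ipv6(ICMPV6, bytes([135, 0, 0, 0]) + bytes(20))
ADVERTISE = ipv6(UDP, struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0xAA, 0xBB, 0xCC]))
SOLICIT = ipv6(UDP, struct.pack("!HHHH", 546, 547, 12, 0) + bytes([1, 0xAA, 0xBB, 0xCC]))
```

With `trusted_ports={"Gi0/1"}`, the RA and the DHCPv6 Advertise are dropped on `Gi0/5` and permitted on `Gi0/1`, while the Neighbor Solicitation and the client Solicit are permitted on either port.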