Neighbour Discovery Protocol (NDP) & Automatic tunnelling

With neighbours like these....

The Neighbor Discovery Protocol (NDP) was originally designed to do the equivalent of ARP in IPv4: to resolve layer three addresses into layer two addresses. Later the protocol was extended to handle other functions, like duplicate address detection, router redirects, router advertisements and neighbor reachability.

In its normal form, NDP has almost no built-in security. It does some basic sanity checks on itself, and it requires that the hop limit in packets be 255, but that's it. This means that it is very easy to spoof, at least for an on-link attacker. It is much harder (though not impossible) to get a valid NDP packet onto a link through a router.

A hand-crafted neighbor advertisement, for example, could map an incorrect layer two address to a layer three address, causing traffic for the layer three address to be delivered to the wrong host. A malicious router advertisement could invalidate a prefix, leaving hosts on the link with no addresses. A more subtle attack might spoof duplicate address responses, blocking autoconfiguration. Hours and hours of fun!

These types of issues are not entirely new to IPv6. ARP spoofing can do much the same things in IPv4. Sometimes these techniques can be useful – consider proxy ARP, for example, or its IPv6 equivalent, ND proxy.
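As an added example (not part of the article), a small Python checker that applies the two sanity checks the text mentions to raw IPv6 packets: it flags neighbor advertisements whose hop limit is not 255, and it records the target-to-MAC binding each advertisement claims and flags any advertisement that remaps an address already seen, which is what an arpwatch-style monitor does for IPv6. The sample packets are constructed inside the block, and the ICMPv6 checksum is left at zero because it is not what the check is about.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_PROTO = 58          # next-header value for ICMPv6
ICMPV6_NA = 136            # Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2      # Target Link-Layer Address option

def build_na(src, target, mac, hop_limit=255):
    """Constructed sample: raw IPv6 packet carrying an NA (checksum left at zero)."""
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0x20000000)   # O (override) flag set
    body += IPv6Address(target).packed
    body += bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6_PROTO, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address("ff02::1").packed + body

def parse_na(pkt):
    """Return (hop_limit, src, target, mac) or None if pkt is not a well-formed NA."""
    if len(pkt) < 40 + 24:
        return None
    ver, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    icmp = pkt[40:40 + plen]
    if ver >> 28 != 6 or nxt != ICMPV6_PROTO or len(icmp) < 24 or icmp[0] != ICMPV6_NA:
        return None
    target, mac, off = IPv6Address(icmp[8:24]), None, 24
    while off + 2 <= len(icmp):                # options are TLVs, length in 8-octet units
        typ, ln = icmp[off], icmp[off + 1]
        if ln == 0 or off + ln * 8 > len(icmp):
            return None                        # zero-length or overrunning option: discard
        if typ == OPT_TARGET_LLADDR and ln == 1:
            mac = icmp[off + 2:off + 8].hex(":")
        off += ln * 8
    return hlim, IPv6Address(pkt[8:24]), target, mac

class NAWatch:  # remembers which MAC each IPv6 target has advertised
    def __init__(self): self.bindings = {}

    def check(self, pkt):
        parsed = parse_na(pkt)
        if parsed is None:
            return ["unparseable or non-NA packet"]
        hlim, src, target, mac = parsed
        findings = []
        if hlim != 255:
            findings.append(f"hop limit {hlim}: NA did not originate on this link")
        if mac is not None:
            old = self.bindings.setdefault(target, mac)
            if old != mac:
                findings.append(f"{target} moved {old} -> {mac} (advertised by {src})")
                self.bindings[target] = mac
        return findings
```

A legitimate ND proxy or a host that really has changed its NIC will also trip the "moved" check, so treat it as an alert to investigate rather than proof of spoofing.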

So what to do?

The original NDP specification called for IPsec to be used to secure every NDP transaction. This was quickly seen to be way too hard, and in its stead a protocol called SEND was specified – SEcure Neighbor Discovery. SEND uses cryptographically generated addresses and signs NDP packets, making it impossible to spoof them. SEND cannot prevent an on-link node from misbehaving, but it can prevent one on-link node from pretending to be another.

In the next installment we'll look at two specific NDP problems – rogue router advertisements and ND flooding.

Now to another kind of insider problem – automatic tunnelling. When Microsoft Vista was released, it came with Teredo, 6-to-4 and ISATAP tunnel drivers ready to go. Given the right environment, these protocols automatically provide IPv6 connectivity by tunnelling out to the IPv6 Internet over the existing IPv4 infrastructure – look Mum, no hands!

Tunnelling is not new – given ssh, an outside host and an open port, you can tunnel pretty much anything to anywhere. But automatic tunnels are different. An automatic tunnel means that an innocent user can, simply by starting his or her machine, set up a new path between the outside world and your network, bypassing your security arrangements. The user doesn't even know it's happened. There is a good chance that any local firewall configurations are not set up to take this unexpected IPv6 connectivity into account, either. All this sounds bad, but luckily it's not as bad as it sounds.

Automatic tunnels are not deliberately trying to bypass your security; that's just a side-effect of their over-enthusiastic attempts to connect the user to the IPv6 Internet. They are not malicious or tricky. They can generally be stopped with a simple filter – for example, 6-to-4 tunnels can be interrupted by blocking IP protocol number 41 (IPv6 encapsulated in IPv4). And if you have a standard operating environment (SOE), you can disable these unwanted features.
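As an added example (not from the article), a Python classifier that picks the three automatic tunnels the text names out of raw IPv4 packets: protocol 41 carries both 6-to-4 (inner source inside 2002::/16) and ISATAP (interface identifier embedding 00:00:5E:FE), while Teredo runs over UDP port 3544. The sample packets are constructed inline; the ISATAP and Teredo identifiers come from their RFCs, not from the article.

```python
import struct
from ipaddress import IPv6Address, ip_network

IPV6_IN_IPV4 = 41       # IP protocol number carrying 6to4 and ISATAP traffic
UDP = 17
TEREDO_PORT = 3544      # UDP port used by Teredo servers (RFC 4380)
SIX_TO_FOUR = ip_network("2002::/16")

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Constructed sample: minimal IPv4 header (no options, checksum zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def build_ipv6(src, dst="2001:db8::1"):
    """Constructed sample: bare IPv6 header with next-header 59 (no payload)."""
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + IPv6Address(src).packed + IPv6Address(dst).packed

def classify_tunnel(pkt):
    """Name the automatic tunnel a raw IPv4 packet appears to belong to, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPV6_IN_IPV4:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto-41 (malformed inner IPv6)"
        src = IPv6Address(payload[8:24])
        if src in SIX_TO_FOUR:
            return "6to4"
        # ISATAP interface IDs carry 00:00:5E:FE (or 02:00:5E:FE) ahead of the IPv4 address
        if src.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
            return "ISATAP"
        return "proto-41 (other IPv6-in-IPv4)"
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "Teredo"
    return None
```

Protocol 41 is also used by manually configured tunnels, so treat the result as a triage label and pair any filter with the SOE controls the text mentions.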

©Copyright 2011 Karl Auer

About the author: Karl is technical manager at IPv6Now , a company specialising in helping organisations get into and get the most out of IPv6. This is the second in a four-part series of articles on IPv6 security issues.
