Network Security Features to Protect Hosts from IPv6 Neighbor Discovery Denial of Service Attacks

Best Practices for Network Security at the Access Layer

Question

When designing a network, which two security features should be added to the design to protect hosts from potential IPv6 neighbor discovery denial of service attacks at the access layer? (Choose two.)

Answers

Explanations



AB.

IPv6 neighbor discovery protocol is used by nodes on a link to discover the link-layer addresses of other nodes that are neighbors, learn neighboring routers, and maintain reachability information about the paths to active neighbors. The IPv6 neighbor discovery protocol uses several message types, including the neighbor solicitation (NS) and neighbor advertisement (NA) messages, to perform these functions.

IPv6 neighbor discovery protocol can be vulnerable to various types of attacks, including denial-of-service (DoS) attacks. In a DoS attack, an attacker sends a flood of IPv6 NS messages to a target node, causing it to spend significant amounts of time and resources processing these messages and possibly rendering it unable to function correctly.

To protect hosts from potential IPv6 neighbor discovery DoS attacks at the access layer, the following two security features should be added to the design:

  1. RA Guard: Router Advertisement (RA) Guard is a security feature that can be used to prevent rogue routers from sending unauthorized RA messages on a network. RA Guard can also protect against DoS attacks that use forged RA messages to flood nodes with false network information. RA Guard filters RA messages received on untrusted ports and allows only legitimate RA messages to be processed. RA Guard is typically implemented on Layer 2 switches.

  2. SEND: The Secure Neighbor Discovery (SEND) protocol is a security extension to IPv6 neighbor discovery that provides cryptographic protection to neighbor discovery messages, making it more difficult for attackers to launch DoS attacks or impersonate other nodes. SEND can help ensure that a node is communicating with the intended neighbor and not an attacker who is impersonating the neighbor. SEND requires the use of public key cryptography and digital certificates to secure neighbor discovery messages.

IKEv2, IPsec, and DMVPNv6 are not directly related to mitigating IPv6 neighbor discovery DoS attacks. IKEv2 is the key-exchange protocol used to set up virtual private networks (VPNs), IPsec is a protocol suite for securing IP communication, and DMVPNv6 is a technology for building dynamic VPNs over IPv6. While these technologies can secure IPv6 traffic between sites, they operate above the link layer and do not address the specific threat of IPv6 neighbor discovery DoS attacks on an access-layer segment.
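As an added illustration (not part of the original answer or any vendor's implementation), the following Python model shows the access-port policy RA Guard enforces, dropping Router Advertisements that arrive on ports whose device-role is "host", together with a simple per-port Neighbor Solicitation counter that flags the kind of NS flood described in the explanation. The port names, roles and the threshold are assumed values; the ICMPv6 messages are constructed samples.

```python
import struct
from collections import Counter

# ICMPv6 message types used by Neighbor Discovery (RFC 4861)
ICMPV6_RA = 134  # Router Advertisement
ICMPV6_NS = 135  # Neighbor Solicitation


def icmpv6_type(payload: bytes) -> int:
    """Return the ICMPv6 type from a raw ICMPv6 message (type, code, checksum)."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    return struct.unpack("!BBH", payload[:4])[0]


class AccessPortFilter:
    """Toy RA Guard-style policy for a Layer 2 access switch.

    RA messages are forwarded only from ports whose device-role is
    'router'; NS messages are counted per port so that a burst above
    ns_threshold can be flagged. Port roles are assumed configuration."""

    def __init__(self, port_roles, ns_threshold=100):
        self.port_roles = port_roles          # port -> 'router' | 'host'
        self.ns_threshold = ns_threshold
        self.ns_count = Counter()             # NS seen per port
        self.dropped_ra = Counter()           # RA dropped per untrusted port

    def handle(self, port: str, payload: bytes) -> str:
        msg_type = icmpv6_type(payload)
        if msg_type == ICMPV6_RA:
            if self.port_roles.get(port, "host") != "router":
                self.dropped_ra[port] += 1   # rogue RA on a host port
                return "drop"
            return "forward"
        if msg_type == ICMPV6_NS:
            self.ns_count[port] += 1
            if self.ns_count[port] > self.ns_threshold:
                return "rate-limit"          # possible NS flood
        return "forward"


def demo():
    # Constructed samples: ICMPv6 header (checksum left 0) plus a minimal body
    ra = struct.pack("!BBH", ICMPV6_RA, 0, 0) + b"\x40\x00\x07\x08"  # hop limit, flags, lifetime
    ns = struct.pack("!BBH", ICMPV6_NS, 0, 0) + b"\x00" * 20           # reserved + target address
    f = AccessPortFilter({"Gi1/0/1": "router", "Gi1/0/2": "host"}, ns_threshold=5)
    return {
        "ra_from_uplink": f.handle("Gi1/0/1", ra),
        "ra_from_host": f.handle("Gi1/0/2", ra),
        "ns_verdicts": [f.handle("Gi1/0/2", ns) for _ in range(7)],
    }
```

Running `demo()` forwards the RA from the router-facing port, drops the RA arriving on the host port, and starts rate-limiting NS from the host port once the sixth solicitation exceeds the threshold.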