Configuration Files
NDPMon uses two configuration files whose default locations are:
- /usr/local/etc/ndpmon/config_ndpmon.xml
- /var/local/ndpmon/neighbor_list.xml
These defaults can be changed with the following configure options:
- --sysconfdir to modify the directory in which the configuration file is put. Note that modifying the --prefix also modifies this path, as the sysconfdir stands for $(prefix)/etc. If you change the prefix, it is recommended to adjust the sysconfdir.
- --with-var-datadir to modify the directory containing the neighbor cache. By default, it is derived from the prefix: if the prefix is /usr/local, this directory is /var/local; if the prefix is /usr, it is /var; otherwise it is recommended to define its value explicitly.
DTDs have been written for these two files:
- config_ndpmon.dtd
- neighbor_list.dtd
The Neighbor List is filled by the program itself, while running or during a learning period. The configuration file has to be filled in by the administrator.
config_ndpmon.xml
- Basic configuration example
- Configuring the Router Advertisement parameter check
- Configuring the countermeasures plugin
Basic configuration example
Here follows an example of a configuration file for NDPMon:
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config_ndpmon SYSTEM "/usr/local/etc/ndpmon/config_ndpmon.dtd">
<config_ndpmon>
  <ignor_autoconf>1</ignor_autoconf>
  <syslog_facility>LOG_LOCAL1</syslog_facility>
  <admin_mail>frederic.beck@loria.fr</admin_mail>
  <actions_low_pri>
    <sendmail>1</sendmail>
    <syslog>1</syslog>
    <exec_pipe_program>/usr/local/ndpmon/demopipeprogram.pl</exec_pipe_program>
  </actions_low_pri>
  <actions_high_pri>
    <sendmail>1</sendmail>
    <syslog>1</syslog>
    <exec_pipe_program>/usr/local/ndpmon/demopipeprogram.pl</exec_pipe_program>
  </actions_high_pri>
  <use_reverse_hostlookups>1</use_reverse_hostlookups>
  <routers>
    <router>
      <mac>00:13:72:14:C4:58</mac>
      <lla>fe80::213:72ff:fe14:c458</lla>
      <prefixes>
        <prefix>
          <address>2001:660:4501:32:</address>
          <mask>64</mask>
        </prefix>
      </prefixes>
      <addresses>
        <address>2001:660:4501:32::1</address>
      </addresses>
    </router>
  </routers>
</config_ndpmon>
```
- ignor_autoconf
- Concerns the monitoring host's own IPv6 autoconfiguration; the kernel parameters involved are:
- /proc/sys/net/ipv6/conf/all/autoconf
- /proc/sys/net/ipv6/conf/all/accept_ra
- /proc/sys/net/ipv6/conf/all/accept_ra_defrtr
- /proc/sys/net/ipv6/conf/all/accept_ra_pinfo
- /proc/sys/net/ipv6/conf/all/accept_redirects
- syslog_facility
- Chooses the facility Syslog will use for logging; it can be used to redirect the messages to a dedicated log file through the syslog daemon's own configuration.
- admin_mail
- The email address to which the daemon will send the alerts. By default it is set to root@localhost.
- actions_low_pri/actions_high_pri
- Enable or disable the alerts for low and high priority events respectively:
- sendmail: send an email to the administrator mail address
- syslog: syslog the message
- exec_pipe_program: the program to call to capture the reports and do whatever you want with them (see demopipeprogram.pl in the sources)
- routers
- A router is defined with its MAC and Link Local addresses. It also contains the list of prefixes advertised by this router, and optionally the global addresses set on its interfaces. This definition makes it possible to check the tuple (MAC, LLA, PREFIX) as a whole in received Router Advertisements, instead of checking each element separately as in version 0.1.
In version 1.4.0, additional tags, which are not shown in the above configuration example, were introduced to check the parameters of a Router Advertisement. For details see below.
Configuring the Router Advertisement parameter check
In version 1.4.0, further checks for Router Advertisements (RAs) were introduced which assume that the RA parameters do not change during operation. Those values may be learned during the learning phase of NDPMon or they may be configured manually. This behavior is optional: if you do not include the additional parameters, no checks will be performed.
Below you find an example of a more complex router definition:
```xml
<router>
  <mac>00:11:22:33:44:55</mac>
  <lla>fe80:0:0:0:211:22ff:fe33:4455</lla>
  <param_curhoplimit>64</param_curhoplimit>
  <param_flags_reserved>0</param_flags_reserved>
  <param_router_lifetime>10800</param_router_lifetime>
  <param_reachable_timer>0</param_reachable_timer>
  <param_retrans_timer>0</param_retrans_timer>
  <param_mtu>0</param_mtu>
  <params_volatile>0</params_volatile>
  <prefixes>
    <prefix>
      <address>2001:db8:1234:5678:0:0:0:0</address>
      <mask>64</mask>
      <param_flags_reserved>224</param_flags_reserved>
      <param_valid_time>2592000</param_valid_time>
      <param_preferred_time>604800</param_preferred_time>
    </prefix>
  </prefixes>
  <addresses/>
</router>
```
- params_volatile
- Indicates whether the router parameters may change during operation. A value of 0 means that the values do not change; a non-zero value means the parameters may change. If this tag is not present, its value is assumed to be non-zero (1). If you want NDPMon to check RA parameters for this router, include the tag params_volatile with a value of zero. If params_volatile is set to zero, you should at least include the router param_flags_reserved tag and the param_ tags for each prefix.
- param_flags_reserved
- The flags of a RA or of a RA prefix information option, stored as an unsigned integer. If this tag is not present, this does not mean the value is unspecified but that no flags are set!
- param_curhoplimit, param_router_lifetime, param_reachable_timer, param_retrans_timer, param_mtu
- Contain the values of the corresponding RA fields (or of the MTU option). If these tags are not present, the values are unspecified and the corresponding field of a RA will not be checked.
- prefix: param_flags_reserved, param_valid_time, param_preferred_time
- The parameters of the advertised prefixes. These tags should be present for each prefix if parameters are checked, because prefix parameters cannot be unspecified. If they are not present, their value is assumed to be zero (which, for the prefix lifetimes, is usually not desired).
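The tag semantics above (the (MAC, LLA, PREFIX) tuple check, params_volatile defaulting to non-zero, absent router param tags meaning "not checked", absent prefix param tags meaning zero) are easy to get wrong when reading a configuration by hand. The following Python is an added example, not NDPMon's own code: it parses a router definition with the same content as the example above and compares a decoded RA against it. The ObservedRA layout and the two RA contents are constructed for the example; NDPMon's internal structures differ.

```python
# Added example, not NDPMon's own code: applies the <router> tag semantics to a
# decoded Router Advertisement. The router definition and the two RAs are constructed;
# the ObservedRA field layout is this example's own, not NDPMon's internal struct.
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed router definition with the same content as the example above.
ROUTER_XML = """<router>
<mac>00:11:22:33:44:55</mac><lla>fe80:0:0:0:211:22ff:fe33:4455</lla>
<param_curhoplimit>64</param_curhoplimit><param_flags_reserved>0</param_flags_reserved>
<param_router_lifetime>10800</param_router_lifetime><params_volatile>0</params_volatile>
<prefixes><prefix><address>2001:db8:1234:5678:0:0:0:0</address><mask>64</mask>
<param_flags_reserved>224</param_flags_reserved><param_valid_time>2592000</param_valid_time>
<param_preferred_time>604800</param_preferred_time></prefix></prefixes>
<addresses/></router>"""

# Router-level tags: an absent tag means "unspecified", so that RA field is not checked.
ROUTER_PARAMS = ("param_curhoplimit", "param_flags_reserved", "param_router_lifetime",
                 "param_reachable_timer", "param_retrans_timer", "param_mtu")
# Prefix-level tags: an absent tag means zero; prefix parameters cannot be unspecified.
PREFIX_PARAMS = ("param_flags_reserved", "param_valid_time", "param_preferred_time")


def norm(addr):
    """Canonical form so 'fe80:0:0:0:...' and 'fe80::...' compare equal."""
    try:
        return ipaddress.ip_address(addr).compressed
    except ValueError:
        return addr.lower()  # tolerate prefix spellings such as "2001:660:4501:32:"


def _text(el, tag):
    child = el.find(tag)  # direct child only, so router and prefix flags do not mix
    return None if child is None or child.text is None else child.text.strip()


def parse_router(xml_text):
    root = ET.fromstring(xml_text)
    router = {
        "mac": _text(root, "mac").lower(),
        "lla": norm(_text(root, "lla")),
        # params_volatile absent => assumed non-zero (1) => no parameter checks at all
        "volatile": int(_text(root, "params_volatile") or 1) != 0,
        "params": {t: int(_text(root, t)) for t in ROUTER_PARAMS if root.find(t) is not None},
        "prefixes": {},
    }
    for p in root.iter("prefix"):
        key = (norm(_text(p, "address")), int(_text(p, "mask")))
        router["prefixes"][key] = {t: int(_text(p, t) or 0) for t in PREFIX_PARAMS}
    return router


@dataclass
class ObservedRA:
    """Decoded RA fields (constructed layout for this example)."""
    mac: str
    lla: str
    params: dict     # router param tag name -> value seen in the RA
    prefixes: dict   # (prefix, length) -> {prefix param tag name -> value}


def check_ra(router, ra):
    """Return alert strings; an empty list means the RA matches the definition."""
    alerts = []
    if (ra.mac.lower(), norm(ra.lla)) != (router["mac"], router["lla"]):
        alerts.append(f"(MAC, LLA) pair ({ra.mac}, {ra.lla}) does not match the router")
    for key, seen in ra.prefixes.items():
        expected = router["prefixes"].get((norm(key[0]), key[1]))
        if expected is None:
            alerts.append(f"prefix {key[0]}/{key[1]} is not configured for this router")
        elif not router["volatile"]:
            for t in PREFIX_PARAMS:
                if seen.get(t, 0) != expected[t]:
                    alerts.append(f"prefix {key[0]}/{key[1]}: {t}={seen.get(t, 0)}, expected {expected[t]}")
    if not router["volatile"]:
        for t, expected in router["params"].items():
            if ra.params.get(t) != expected:
                alerts.append(f"{t}={ra.params.get(t)}, expected {expected}")
    return alerts


# Constructed RAs: one consistent with the definition, one whose lifetimes changed.
GOOD_RA = ObservedRA(
    mac="00:11:22:33:44:55", lla="fe80::211:22ff:fe33:4455",
    params={"param_curhoplimit": 64, "param_flags_reserved": 0,
            "param_router_lifetime": 10800, "param_mtu": 1500},  # MTU not configured => ignored
    prefixes={("2001:db8:1234:5678::", 64): {"param_flags_reserved": 224,
              "param_valid_time": 2592000, "param_preferred_time": 604800}})
CHANGED_RA = ObservedRA(
    mac="00:11:22:33:44:55", lla="fe80::211:22ff:fe33:4455",
    params={"param_curhoplimit": 64, "param_flags_reserved": 0, "param_router_lifetime": 0},
    prefixes={("2001:db8:1234:5678::", 64): {"param_flags_reserved": 224,
              "param_valid_time": 60, "param_preferred_time": 604800}})

if __name__ == "__main__":
    router = parse_router(ROUTER_XML)
    for ra in (GOOD_RA, CHANGED_RA):
        print(check_ra(router, ra))
```

Run stand-alone, the first RA produces no alerts and the second produces two (changed router lifetime, changed prefix valid time); removing the params_volatile tag from the definition silences both, which is exactly the "assumed non-zero" default described above.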
Configuring the countermeasures plugin
Below is an example configuration for the countermeasures plugin. If the countermeasures tag is not present, all countermeasures are suppressed.
```xml
<countermeasures>
  <kill_illegitimate_router>RESPOND</kill_illegitimate_router>
  <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
  <propagate_router_params>CEASE AFTER 10</propagate_router_params>
  <indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence>
</countermeasures>
```
- SUPPRESS
- The countermeasure is turned off (default value for each configuration tag not present).
- RESPOND
- Each call to this countermeasure results in a reaction.
- CEASE AFTER max
- For the first max calls, each call to this countermeasure results in a reaction. After the max'th call, the countermeasure is suppressed. max may be a number up to 255. This may be used to prevent NDPMon from contributing to a Denial of Service while still having a "first response" countermeasure.
- LAUNCH AFTER min
- For the first min calls, this countermeasure is suppressed. After the min'th call, each call to the countermeasure results in a reaction. min may be a number up to 255.
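The four policy values form a small per-countermeasure counter. The following Python is an added example, not NDPMon's own code: it parses a countermeasures element with the same content as the example above (missing tags defaulting to SUPPRESS, as stated), enforces the 255 limit on max and min, and decides per call whether a reaction would be emitted. The CountermeasureState class and the react method are this example's own names.

```python
# Added example, not NDPMon's own code: the SUPPRESS / RESPOND / CEASE AFTER /
# LAUNCH AFTER counting semantics, as a policy parser plus per-call decision.
import re
import xml.etree.ElementTree as ET

# Constructed configuration with the same content as the example above.
COUNTERMEASURES_XML = """<countermeasures>
<kill_illegitimate_router>RESPOND</kill_illegitimate_router>
<kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
<propagate_router_params>CEASE AFTER 10</propagate_router_params>
<indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence>
</countermeasures>"""

KNOWN = ("kill_illegitimate_router", "kill_wrong_prefix",
         "propagate_router_params", "indicate_ndpmon_presence")
POLICY_RE = re.compile(r"^(SUPPRESS|RESPOND|CEASE AFTER (\d+)|LAUNCH AFTER (\d+))$")


def parse_policy(text):
    """Return (mode, limit): mode is SUPPRESS/RESPOND/CEASE/LAUNCH, limit the max/min."""
    m = POLICY_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad countermeasure policy: {text!r}")
    mode = m.group(1).split()[0]
    limit = m.group(2) or m.group(3)
    if limit is not None:
        limit = int(limit)
        if limit > 255:  # the page states max/min may be a number up to 255
            raise ValueError(f"max/min must be at most 255, got {limit}")
    return (mode, limit)


def parse_countermeasures(xml_text):
    """Tags that are absent (or a missing element altogether) default to SUPPRESS."""
    policies = {name: ("SUPPRESS", None) for name in KNOWN}
    if xml_text:
        for child in ET.fromstring(xml_text):
            if child.tag in policies:
                policies[child.tag] = parse_policy(child.text or "")
    return policies


class CountermeasureState:
    """Per-countermeasure call counter applying the configured policy."""

    def __init__(self, policies):
        self.policies = policies
        self.calls = {name: 0 for name in policies}

    def react(self, name):
        """Record one call of the countermeasure and return True if it should react."""
        self.calls[name] += 1
        n = self.calls[name]
        mode, limit = self.policies[name]
        if mode == "RESPOND":
            return True
        if mode == "CEASE":   # react for the first `limit` calls, then stay silent
            return n <= limit
        if mode == "LAUNCH":  # stay silent for the first `limit` calls, then react
            return n > limit
        return False          # SUPPRESS


if __name__ == "__main__":
    state = CountermeasureState(parse_countermeasures(COUNTERMEASURES_XML))
    for name in KNOWN:
        print(name, [state.react(name) for _ in range(12)])
```

The CEASE AFTER branch is the one that bounds how much traffic NDPMon itself can generate in response to a flood of triggering packets, which is the Denial of Service concern mentioned above; LAUNCH AFTER is its mirror image, ignoring a few isolated events before reacting.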
