Latest version: 2.1.0

Router Advertisement Parameters

To check RA parameters, we set the params_volatile flag to 0 for router1, meaning that these parameters are not allowed to change.

Thus, all parameters that do not have a value of 0 will be checked:

  • Router parameters: hoplimit, flags, lifetime, retransmission timer, lifetimes...
  • Prefix parameters: lifetimes, flags...
  • The MTU option, if set

We send an RA with invalid parameters:

    ra_params = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA(chlim=48)/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")/ICMPv6NDOptMTU()

NDPMon detects the wrong parameters and raises alerts:

  • wrong RA params alert

        To: root@localhost
        Subject: NDPMon_Security_Alert: wrong RA params: curhoplimit=48;flags=8;router_lifetime=1800;
        Date: Mon,  9 Jul 2012 17:01:20 +0200 (CEST)
        From: root@vnx (root)

        Reason:  :wrong RA params
        MAC:     :2:fd:0:0:1:2
        MAC2:    :n/a
        IPv6:    :fe80::fd:ff:fe00:102
        DNS:     :n/a

  • wrong RA prefix option params alert

        To: root@localhost
        Subject: NDPMon_Security_Alert: wrong RA prefix option params: flags=192;valid_time=4294967295;preferred_time=4294967295;
        Date: Mon,  9 Jul 2012 17:01:20 +0200 (CEST)
        From: root@vnx (root)

        Reason:  :wrong RA prefix option params
        MAC:     :2:fd:0:0:1:2
        MAC2:    :n/a
        IPv6:    :fe80::fd:ff:fe00:102
        DNS:     :n/a

  • wrong RA mtu option alert

        To: root@localhost
        Subject: NDPMon_Security_Alert: wrong RA mtu option: mtu=1280
        Date: Mon,  9 Jul 2012 17:01:20 +0200 (CEST)
        From: root@vnx (root)

        Reason:  :wrong RA mtu option
        MAC:     :2:fd:0:0:1:2
        MAC2:    :n/a
        IPv6:    :fe80::fd:ff:fe00:102
        DNS:     :n/a
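
For triage, the numeric values in these alert subjects can be decoded into the RA fields they represent. The following is an added example, not part of NDPMon or of the original page: the function names are hypothetical, the subject format is assumed from the three alerts above, and the bit masks come from RFC 4861, RFC 4191, RFC 6275 and RFC 4389.

```python
import re

# Subject lines copied from the three alerts shown on this page.
SAMPLE_SUBJECTS = [
    "NDPMon_Security_Alert: wrong RA params: curhoplimit=48;flags=8;router_lifetime=1800;",
    "NDPMon_Security_Alert: wrong RA prefix option params: flags=192;valid_time=4294967295;preferred_time=4294967295;",
    "NDPMon_Security_Alert: wrong RA mtu option: mtu=1280",
]

# Assumed format: "NDPMon_Security_Alert: <reason>: key=value;key=value;"
SUBJECT_RE = re.compile(r"^NDPMon_Security_Alert: (?P<reason>[^:]+): (?P<params>.*)$")
RA_FLAGS = {0x80: "M", 0x40: "O", 0x20: "H", 0x04: "P"}   # RA header flag bits
PRF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}   # RFC 4191, bits 0x18
PREFIX_FLAGS = {0x80: "L", 0x40: "A", 0x20: "R"}          # Prefix Information flags
INFINITE = 0xFFFFFFFF                                     # lifetime meaning "infinity"

def parse_subject(subject):
    """Return (reason, {param: int}) or None if this is not an NDPMon alert."""
    m = SUBJECT_RE.match(subject.strip())
    if m is None:
        return None
    params = {}
    for item in m.group("params").split(";"):
        key, sep, value = item.partition("=")
        if sep and value.strip().isdigit():   # skip empty or malformed items
            params[key.strip()] = int(value)
    return m.group("reason"), params

def describe(reason, params):
    """Decode flag bytes and infinite lifetimes into readable notes."""
    notes = []
    flags = params.get("flags")
    if flags is not None and "prefix" in reason:
        names = [n for bit, n in PREFIX_FLAGS.items() if flags & bit]
        notes.append("prefix flags: " + ("+".join(names) or "none"))
    elif flags is not None:
        names = [n for bit, n in RA_FLAGS.items() if flags & bit]
        notes.append("RA flags: " + ("+".join(names) or "none")
                     + ", preference " + PRF[(flags >> 3) & 3])
    for key in ("valid_time", "preferred_time"):
        if params.get(key) == INFINITE:
            notes.append(key + ": infinite")
    return notes

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        reason, params = parse_subject(subject)
        print(reason, params, describe(reason, params))
```

Decoded this way, flags=8 in the first alert is a router preference of high with no M/O bits set, and flags=192 in the second is the on-link (L) and autonomous (A) bits with infinite lifetimes.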