Latest version: 2.1.0

Rogue Router Advertisements Route Information Options

We have configured NDPMon to expect 2 routes:

  • 2001:db8:1:2::/64 with preference High and a lifetime of 2592000 seconds
  • 2001:db8:2:2::/64 with preference Low and a lifetime of 3600 seconds

wrong RA Route Info option

We advertise a route which was not expected:

    ra_ri_wrong_route = (
        Ether(src="02:fd:00:00:01:02")
        / IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")
        / ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)
        / ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)
        / ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")
        / ICMPv6NDOptRouteInfo(prf=8, rtlifetime=2592000, prefix="2001:db8:1111:2222::", plen=64)
    )

When receiving the rogue RA, NDPMon complained about an advertised route different from what it learned during the learning phase:

    To: root@localhost
    Subject: NDPMon_Security_Alert: wrong RA Route Info option 2001:db8:1111:2222/64
    Date: Wed, 25 Jul 2012 12:34:02 +0200 (CEST)
    From: root@vnx (root)

    Reason:  wrong RA Route Info option
    MAC:     2:fd:0:0:1:2
    Vendor:  unknown
    MAC2:    n/a
    Vendor2: n/a
    IPv6:    fe80::fd:ff:fe00:102
    DNS:     n/a

wrong RA Route Info lifetime

We advertise a route with a wrong lifetime value:

    ra_ri_wrong_lifetime = (
        Ether(src="02:fd:00:00:01:02")
        / IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")
        / ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)
        / ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)
        / ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")
        / ICMPv6NDOptRouteInfo(prf=1, rtlifetime=25920, prefix="2001:db8:1:2::", plen=64)
    )

When receiving the RA, NDPMon detects the wrong parameter and raises an alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: wrong RA Route Info Lifetime 2001:db8:1:2/64 25920
    Date: Wed, 25 Jul 2012 15:05:16 +0200 (CEST)
    From: root@vnx (root)

    Reason:  wrong RA Route Info lifetime
    MAC:     2:fd:0:0:1:2
    Vendor:  unknown
    MAC2:    n/a
    Vendor2: n/a
    IPv6:    fe80::fd:ff:fe00:102
    DNS:     n/a

wrong RA Route Info preference

We advertise a route with a wrong preference value:

    ra_ri_wrong_pref = (
        Ether(src="02:fd:00:00:01:02")
        / IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")
        / ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)
        / ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)
        / ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")
        / ICMPv6NDOptRouteInfo(prf=0, rtlifetime=2592000, prefix="2001:db8:1:2::", plen=64)
    )

When receiving the RA, NDPMon detects the wrong parameter and raises an alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: wrong RA Route Info preference 2001:db8:1:2/64 0
    Date: Wed, 25 Jul 2012 15:04:20 +0200 (CEST)
    From: root@vnx (root)

    Reason:  wrong RA Route Info preference
    MAC:     2:fd:0:0:1:2
    Vendor:  unknown
    MAC2:    n/a
    Vendor2: n/a
    IPv6:    fe80::fd:ff:fe00:102
    DNS:     n/a
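
The comparison these three tests exercise, as an added example that is not NDPMon's own code: it decodes an RFC 4191 Route Information option from raw bytes and checks it against the two expected routes configured above. The `build_opt` helper and its sample values are constructed for illustration, and reporting a lifetime and a preference mismatch together is an assumption, not observed NDPMon behaviour.

```python
import ipaddress
import struct

# Expected routes from the configuration above: prefix -> (preference, lifetime in s)
EXPECTED = {
    ipaddress.IPv6Network("2001:db8:1:2::/64"): ("High", 2592000),
    ipaddress.IPv6Network("2001:db8:2:2::/64"): ("Low", 3600),
}
# RFC 4191 two-bit Prf field encoding
PRF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}


def parse_route_info(opt: bytes):
    """Decode one Route Information option (type 24) into (network, pref, lifetime)."""
    if len(opt) < 8:
        raise ValueError("truncated option")
    otype, olen, plen, flags, lifetime = struct.unpack("!BBBBI", opt[:8])
    if otype != 24 or olen not in (1, 2, 3) or len(opt) != olen * 8:
        raise ValueError("not a well-formed Route Information option")
    # Length 1 carries no prefix bytes, 2 carries 8 and 3 carries 16.
    if plen > (olen - 1) * 64:
        raise ValueError("prefix length does not fit the option length")
    prefix = opt[8:].ljust(16, b"\x00")
    net = ipaddress.IPv6Network((prefix, plen), strict=False)
    return net, PRF_NAMES[(flags >> 3) & 0b11], lifetime


def check_route_info(opt: bytes):
    """Return the alert reasons for one option; an empty list means it matches."""
    net, pref, lifetime = parse_route_info(opt)
    if net not in EXPECTED:
        return ["wrong RA Route Info option"]
    exp_pref, exp_lifetime = EXPECTED[net]
    reasons = []
    if lifetime != exp_lifetime:
        reasons.append("wrong RA Route Info lifetime")
    if pref != exp_pref:
        reasons.append("wrong RA Route Info preference")
    return reasons


def build_opt(prefix: str, plen: int, prf_bits: int, lifetime: int, olen: int = 3):
    """Encode a constructed sample option for the checks (hypothetical helper)."""
    packed = ipaddress.IPv6Address(prefix).packed[: (olen - 1) * 8]
    return struct.pack("!BBBBI", 24, olen, plen, prf_bits << 3, lifetime) + packed


if __name__ == "__main__":  # constructed sample: the wrong-lifetime case
    print(check_route_info(build_opt("2001:db8:1:2::", 64, 0b01, 25920)))
```

The option length field matters here: a /64 route may arrive with length 2 (8 prefix bytes) or length 3 (16 prefix bytes), and both must map to the same expected entry.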