NDPMon
The Neighbor Discovery Protocol[1] Monitor (NDPMon) is a diagnostic software application used by Internet Protocol version 6[2] network administrators for monitoring ICMPv6 packets.[3] NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages, especially during the Stateless Address Autoconfiguration.[4] When an NDP message is flagged, it notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is an equivalent of Arpwatch for IPv4, and has similar basic features with added attacks detection.[5]
NDPMon runs on Linux distributions (available in Debian repositories[6] and in Ubuntu 12.10[7]), Mac OS X, FreeBSD (available as port[8]), NetBSD and OpenBSD. It uses a configuration file containing the expected and valid behavior for nodes and routers on the link. This includes the routers' addresses (MAC and IP) and the prefixes, flags and parameters announced.
NDPMon also maintains an up-to-date a list of neighbors on the link and watches all advertisements and changes. It permits tracking the usage of cryptographically generated interface identifiers or temporary global addresses when Privacy extensions are enabled (default behavior in Ubuntu and Windows for example).
NDPMon is free software under the GNU LGPL 2.1.[9]
Alerts and reports
NDPMon generates various reports and alerts, including:
- wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
- wrong router MAC: invalid MAC address
- wrong router IP address, invalid IP address
- wrong prefix: invalid IPv6 prefix
- wrong RA flags: invalid flags in the RA
- wrong RA params: wrong parameter in the RA (lifetimes, timers...)
- wrong router redirect: the router which emitted the redirect is not valid
- router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
- Duplicate Address Detection DOS: duplicate address detection denial of service
- changed ethernet address: a Global IPv6 address has a new MAC address
- flip flop: a node uses two MAC addresses one after the other
- reused old Ethernet address: reuse of an old MAC address
- Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
- new station: new node on the link
- new IPv6 Global Address: new IPv6 Global address for a node
- new IPv6 Link Local Address: new IPv6 Link Local address for a node
- wrong couple MAC/LLA: wrong couple source Ethernet and source LLA addresses, i.e. Ethernet and Link Local Addresses are found but in different neighbors
- Ethernet mismatch: link layer Ethernet address and address in ICMPv6 option do not match
- IP Multicast
- Ethernet Broadcast
Available plugins
A set of plugins are available for NDPMon:
- MAC vendor resolution: compares the vendor part of a MAC address with a known base
- Web interface: caches and alerts are converted to HTML files using XSLT for real time display in a Web server
- Countermeasures: packets are forged and sent to deprecated rogue RAs or NAs
- Syslog filtering: logrotate and logs redirection to /var/log/ndpmon.log
- Remote probes (Experimental): distributed monitoring and logging to a central instance using SOAP/TLS
- Custom rules (Experimental): lets users define their own rules for raising alerts
See also
References
- ↑ RFC 4861, Neighbor Discovery for IP version 6 (IPv6), T. Narten et al. (September 2007)
- ↑ RFC 2460 Internet Protocol, Version 6 (IPv6) Specification S. Deering, R. Hinden (December 1998)
- ↑ Monitoring the Neighbor Discovery Protocol F. Beck, T. Cholez, I. Chrisment and O. Festor - The Second International Workshop on IPv6 Today - Technology and Deployment - IPv6TD 2007 (2007)
- ↑ RFC 4862 IPv6 Stateless Address Autoconfiguration, S. Thomson, T. Narten, T. Jinmei (September 2007)
- ↑ RFC 3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats P. Nikander, Ed.,J. Kempf, E. Nordmark (May 2004)
- ↑ Debian packages
- ↑ Ubuntu binary package
- ↑ FreeBSD port
- ↑ See COPYING in the tarball.
