
Ensure Secure Neighbor Discovery is configured

Details

The IPv6 Neighbor Discovery Protocol (NDP) should be protected with Secure Neighbor Discovery (SEND).

Rationale:

One of the primary functions of NDP is to resolve Network Layer (IP) addresses to Link Layer (e.g. Ethernet) addresses, a function performed in IPv4 by ARP. Neither protocol authenticates its messages, so an attacker with access to the local link may abuse NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning (or, in IPv6, NDP spoofing).

To protect IPv6 networks against this, and other attacks against NDP functions, Secure Neighbor Discovery (SEND) should be deployed where preventing access to the broadcast segment may not be possible or in sensitive environments with a requirement for increased protection.

Support for SEND was added to JUNOS in version 9.3. SEND (RFC 3971) binds an IPv6 address to a public/private RSA key pair through Cryptographically Generated Addresses (as defined in RFC 3972): the interface identifier of the address is derived from a hash of the public key, and NDP messages carry an RSA signature over that key, so a receiver can verify that the claimed source of an NDP message holds the key the claimed address was generated from.
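The CGA construction described above, as an added example (not code from the CIS benchmark or from Junos): it generates an address for a prefix and public key per RFC 3972 and then verifies a claimed address against the CGA parameters a SEND peer would send. The public key bytes are a constructed stand-in for a DER-encoded SubjectPublicKeyInfo, and the prefix is the 2001:db8::/32 documentation range.

```python
"""RFC 3972 Cryptographically Generated Addresses (CGA), the address construction SEND relies on."""
import hashlib
import ipaddress
import secrets

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; a real node uses its RSA public key.
SAMPLE_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"constructed-example-key"
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # documentation prefix, assumed

# Bits 0-2 (sec) and 6-7 (u/g) of the 64-bit interface ID are excluded when comparing Hash1.
_IGNORE_MASK = ((1 << 64) - 1) & ~((0b111 << 61) | (0b11 << 56))


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | pubkey).
    Its leftmost 16*sec bits must be zero: the hash-extension work factor."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return int.from_bytes(digest[:14], "big") >> (112 - 16 * sec) == 0


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> int:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | pubkey)."""
    digest = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()
    return int.from_bytes(digest[:8], "big")


def _iid_from_hash1(hash1: int, sec: int) -> int:
    """Interface ID: Hash1 with bits 0-2 (leftmost) replaced by sec and bits 6-7 (u/g) cleared."""
    iid = (hash1 & ((1 << 61) - 1)) | (sec << 61)
    return iid & ~(0b11 << 56)


def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Return (address, modifier). The modifier travels with the public key in the
    CGA parameters so that peers can re-run the hashes and verify the address."""
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2):
        raise ValueError("sec must be 0..7 and collision count 0..2")
    mod_int = int.from_bytes(modifier if modifier is not None else secrets.token_bytes(16), "big")
    # Hash extension: search for a modifier whose Hash2 has 16*sec leading zero bits.
    while not _hash2_ok(mod_int.to_bytes(16, "big"), pubkey, sec):
        mod_int = (mod_int + 1) % (1 << 128)
    modifier = mod_int.to_bytes(16, "big")
    prefix_bytes = prefix.network_address.packed[:8]
    iid = _iid_from_hash1(_hash1(modifier, prefix_bytes, collision_count, pubkey), sec)
    return ipaddress.IPv6Address((int.from_bytes(prefix_bytes, "big") << 64) | iid), modifier


def verify_cga(address, modifier, collision_count, pubkey) -> bool:
    """RFC 3972 section 5 verification. A peer that cannot present parameters passing
    this check does not own the address, whatever source its NDP message claims."""
    if not 0 <= collision_count <= 2:
        return False
    prefix_bytes = address.packed[:8]  # the subnet prefix in the parameters must equal this
    iid = int.from_bytes(address.packed[8:], "big")
    sec = iid >> 61  # sec is read from the three leftmost bits of the interface ID
    hash1 = _hash1(modifier, prefix_bytes, collision_count, pubkey)
    if (hash1 & _IGNORE_MASK) != (iid & _IGNORE_MASK):
        return False
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    addr, mod = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec=1)
    print("CGA:", addr, "modifier:", mod.hex())
    print("genuine key verifies:", verify_cga(addr, mod, 0, SAMPLE_PUBLIC_KEY))
    print("attacker's key verifies:", verify_cga(addr, mod, 0, b"some-other-key"))
```

Raising sec multiplies the expected modifier search by 2^16 per step, which is what makes brute-forcing a second key for an existing address expensive while keeping generation a one-off cost for the legitimate owner.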

NOTE: If IPv6 is not configured on the target, this check is not applicable.

Solution

If you have deployed IPv6, configure SEND from the [edit protocols neighbor-discovery] hierarchy. If you have not already done so, first generate or install an RSA key pair; to generate a new pair, enter the following command from operational mode:

user@host> request pki generate-key-pair

Next, set the security level, which defines how unsecured NDP messages are handled. If only a subset of devices on the segment will be configured to use SEND, use the default option, which still accepts unsecured messages. If all nodes on the segment require protection, which is recommended, use the secure-messages-only option so that unsecured NDP messages are rejected:

[edit protocols neighbor-discovery]
user@host# set secure security-level secure-messages-only

Finally, specify the key pair you generated or installed above and the key length to use for the Cryptographically Generated Address (the placeholders in angle brackets stand for your own values):

[edit protocols neighbor-discovery]
user@host# set secure cryptographic-address key-pair <path-to-key-pair>
user@host# set secure cryptographic-address key-length <bits>

For more details on configuring Public/Private Key Pairs in JUNOS please refer to: Generating a Public-Private Key Pair, JUNOS Software Security Configuration Guide, Juniper Networks
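An audit of the three statements above against a Junos configuration dump, as an added example that is not part of the benchmark or of any Juniper tooling. It reads `show configuration | display set` output and returns NOT_APPLICABLE when no interface carries family inet6, FAIL with findings when SEND is absent, left at the default security level, or missing the key pair or key length, and PASS otherwise. The three sample dumps are constructed, and the key-pair paths in them are made up.

```python
"""Audit a Junos 'show configuration | display set' dump against the SEND control."""
import re

# Constructed sample dumps, not taken from a real device; key-pair paths are made up.
COMPLIANT = """
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:1::1/64
set protocols neighbor-discovery secure security-level secure-messages-only
set protocols neighbor-discovery secure cryptographic-address key-pair /var/tmp/send-key.pem
set protocols neighbor-discovery secure cryptographic-address key-length 2048
"""

WEAK = """
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:1::1/64
set protocols neighbor-discovery secure security-level default
set protocols neighbor-discovery secure cryptographic-address key-pair /var/tmp/send-key.pem
"""

IPV4_ONLY = """
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
"""

SEND = "set protocols neighbor-discovery secure "
INET6_RE = re.compile(r"^set interfaces \S+ unit \d+ family inet6\b")


def audit_send(config_set: str):
    """Return (status, findings) where status is PASS, FAIL or NOT_APPLICABLE."""
    lines = [ln.strip() for ln in config_set.splitlines() if ln.strip()]
    # The control only applies where IPv6 is actually enabled on an interface.
    if not any(INET6_RE.match(ln) for ln in lines):
        return "NOT_APPLICABLE", ["no interface has family inet6; SEND control does not apply"]
    findings = []
    level = [ln.split()[-1] for ln in lines if ln.startswith(SEND + "security-level ")]
    if not level:
        findings.append("no 'secure security-level' statement: SEND is not enabled")
    elif level[0] != "secure-messages-only":
        findings.append(f"security-level is '{level[0]}': unsecured NDP messages are still accepted")
    # Both cryptographic-address statements are required for SEND to sign with a key.
    for stmt in ("key-pair", "key-length"):
        if not any(ln.startswith(f"{SEND}cryptographic-address {stmt} ") for ln in lines):
            findings.append(f"missing 'secure cryptographic-address {stmt}'")
    return ("PASS" if not findings else "FAIL"), findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("weak", WEAK), ("ipv4-only", IPV4_ONLY)):
        status, findings = audit_send(cfg)
        print(f"{name}: {status}", *findings, sep="\n  ")
```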

Default Value:

SEND is not configured by default.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.


Updated on July 16, 2022
