4.9.1 Ensure Secure Neighbor Discovery is configured

Information

NDP should be protected.

Rationale:

One of the primary functions of NDP is to resolve Network Layer (IP) addresses to Link Layer (e.g. Ethernet) addresses, a function performed in IPv4 by ARP. An attacker who has access to the broadcast segment may abuse NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP Poisoning.

To protect IPv6 networks against this, and other attacks against NDP functions, Secure Neighbor Discovery (SEND) should be deployed where preventing access to the broadcast segment may not be possible or in sensitive environments with a requirement for increased protection.

Support for SEND was added to JUNOS in version 9.3. SEND utilizes public/private RSA key pairs to produce Cryptographically Generated Addresses (as defined in RFC3972), which ensures that the claimed source of an NDP message is the owner of the claimed address.

NOTE: IPv6 does not appear to be configured on the target. This check is not applicable.

Solution

If you have deployed IPv6, you can configure SEND by issuing the following commands from the [edit protocols neighbor-discovery] hierarchy. If you have not already done so, you will first need to generate or install an RSA key pair; to generate a new pair, enter the following command:

user@host> request pki generate-key-pair <name> <ca-profile>

Next, set the security level to define how unsecured NDP messages should be handled. If only a subset of devices will be configured to use SEND, use the default option. If all nodes on the segment require protection, which is recommended, use the secure-messages-only option:

[edit protocols neighbor-discovery]
user@host# set secure security-level secure-messages-only

Finally, specify the key pair and details you generated/installed earlier:

[edit protocols neighbor-discovery]
user@host# set secure cryptographic-address key-pair <name>
user@host# set secure cryptographic-address key-length <length>

For more details on configuring public/private key pairs in JUNOS, please refer to: Generating a Public-Private Key Pair, JUNOS Software Security Configuration Guide, Juniper Networks.
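As an added example (not code from the CIS benchmark or the Tenable plugin), the following Python audits a Junos configuration exported with `show configuration | display set` for the SEND settings described above, mirroring the check's not-applicable, fail and pass outcomes. The sample export, the key-pair name `send-key` and the status labels are constructed assumptions.

```python
"""Audit a Junos 'display set' export for Secure Neighbor Discovery (SEND).
Added example, not the benchmark's or plugin's own code."""

# Constructed sample export: IPv6 in use, SEND configured as recommended.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
set protocols neighbor-discovery secure security-level secure-messages-only
set protocols neighbor-discovery secure cryptographic-address key-pair send-key
set protocols neighbor-discovery secure cryptographic-address key-length 1024
"""

SEND_PREFIX = "set protocols neighbor-discovery secure "


def parse_set_lines(config):
    """Return the export as whitespace-normalised 'set ...' lines."""
    return [" ".join(l.split()) for l in config.splitlines()
            if l.strip().startswith("set ")]


def ipv6_enabled(lines):
    """IPv6 is considered configured if any interface carries 'family inet6'."""
    return any(" family inet6" in l for l in lines)


def send_settings(lines):
    """Collect the statements under [edit protocols neighbor-discovery secure]."""
    out = {}
    for l in lines:
        if not l.startswith(SEND_PREFIX):
            continue
        rest = l[len(SEND_PREFIX):]
        if rest.startswith("security-level "):
            out["security-level"] = rest.split()[1]
        elif rest.startswith("cryptographic-address key-pair "):
            out["key-pair"] = rest.split()[-1]
        elif rest.startswith("cryptographic-address key-length "):
            out["key-length"] = int(rest.split()[-1])
    return out


def audit_send(config):
    """NOT_APPLICABLE without IPv6; FAIL without a key pair; WARN if the
    security level is not secure-messages-only; PASS otherwise."""
    lines = parse_set_lines(config)
    if not ipv6_enabled(lines):
        return "NOT_APPLICABLE", "IPv6 does not appear to be configured"
    s = send_settings(lines)
    if "key-pair" not in s:
        return "FAIL", "no cryptographic-address key-pair under neighbor-discovery secure"
    if s.get("security-level") != "secure-messages-only":
        return "WARN", f"security-level is {s.get('security-level', 'default')}, unsecured NDP still accepted"
    return "PASS", f"SEND enabled with key-pair {s['key-pair']}"


if __name__ == "__main__":
    print(audit_send(SAMPLE_CONFIG))
```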

Default Value:

SEND is not configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 5f51b04c35934651d31eb7855332f6abe9cac38da9d444815e2eae086b5d4e35