Problem Description
IPv6 routers may allow "on-link" IPv6 nodes to create and
update the router's neighbor cache and forwarding
information. A malicious IPv6 node sharing a common router
but on a different physical segment from another node may be
able to spoof Neighbor Discovery messages, allowing it to
update router information for the victim node.
Impact:
An attacker on a different physical network connected to the
same IPv6 router as another node could redirect IPv6 traffic
intended for that node. This could lead to denial of service
or improper access to private network traffic.
Workaround:
Firewall packet filters can be used to filter incoming
Neighbor Solicitation messages but may interfere with normal
IPv6 operation if not configured carefully.
Reverse path forwarding checks could be used to make
gateways, such as routers or firewalls, drop Neighbor
Solicitation messages from nodes with unexpected source
addresses on a particular interface.
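An added illustration, not part of the original advisory, of the reverse-path style check described above, in Python: it parses an ICMPv6 Neighbor Solicitation or Advertisement and drops it when the source or target address does not belong to the prefixes on-link for the receiving interface. The interface names, prefixes and packets are constructed for the example, and the hop-limit check follows the RFC 4861 rule that ND messages arrive with hop limit 255.

```python
import ipaddress
import struct

# Constructed policy for this example: the prefixes legitimately on-link per router interface.
INTERFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("2001:db8:1::/64")],
    "eth1": [ipaddress.ip_network("2001:db8:2::/64")],
}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")
ICMPV6, NS, NA = 58, 135, 136


def parse_nd(packet):
    """Return (src, hop_limit, icmp_type, target) for an IPv6 Neighbor Solicitation/Advertisement, else None."""
    if len(packet) < 64:  # 40-byte IPv6 header + 24-byte NS/NA body (no options)
        return None
    next_header, hop_limit = packet[6], packet[7]
    icmp_type = packet[40]
    if next_header != ICMPV6 or icmp_type not in (NS, NA):
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    target = ipaddress.IPv6Address(packet[48:64])  # type, code, cksum, reserved = 8 bytes, then target
    return src, hop_limit, icmp_type, target


def nd_verdict(iface, packet):
    """Reverse-path style filter: ACCEPT or DROP an ND message received on iface."""
    parsed = parse_nd(packet)
    if parsed is None:
        return "ACCEPT"  # not ND; outside this filter's scope
    src, hop_limit, icmp_type, target = parsed
    # RFC 4861 requires hop limit 255: a forwarded ND message has been decremented and is bogus.
    if hop_limit != 255:
        return "DROP"
    on_link = [LINK_LOCAL] + INTERFACE_PREFIXES.get(iface, [])
    # An unspecified source is only legitimate for Duplicate Address Detection solicitations.
    src_ok = (icmp_type == NS and src == UNSPECIFIED) or any(src in n for n in on_link)
    # The address being solicited/advertised must also belong to this interface's segment.
    target_ok = any(target in n for n in on_link)
    return "ACCEPT" if src_ok and target_ok else "DROP"


def build_nd(icmp_type, src, dst, target, hop_limit=255):
    """Construct a minimal ND packet (ICMPv6 checksum left zero) for exercising the filter."""
    body = struct.pack("!BBHI", icmp_type, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body
```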
IPv6 router administrators are encouraged to read RFC 3756
for further discussion of Neighbor Discovery security
implications.