LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What security weaknesses does IPv6 stateless autoconfiguration / Neighbor Discovery have?

Neighbor Discovery has no built-in way to verify who's a legitimate router or neighbor, so it can be spoofed — enabling rogue routers, traffic redirection, address theft, and DoS.

The original Neighbor Discovery Protocol was designed without authentication:

  • No mechanism to determine authorised neighbors — any host can answer
  • Rogue router: anyone can send Router Advertisements pretending to be the gateway → traffic gets redirected through the attacker (a man-in-the-middle)
  • Other threats: address theft, denial of service, and advertisement/parameter spoofing
  • No security measures were built for the ARP/DHCP-equivalent functions, so spoofing stateless autoconfiguration messages is possible

Mitigations developed later include SEND (Secure Neighbor Discovery) and switch features like RA Guard.

Tip: A rogue Router Advertisement is the IPv6 equivalent of ARP spoofing — and it's a real attack, which is why managed switches offer "RA Guard" to block RAs from untrusted ports.

Go deeper:

From Quiz: INTROL / IPv6 – Das Netz der Zukunft | Updated: Jul 05, 2026