Quiz Entry - updated: 2026.07.05
What security weaknesses does IPv6 stateless autoconfiguration / Neighbor Discovery have?
Neighbor Discovery has no built-in way to verify who's a legitimate router or neighbor, so it can be spoofed — enabling rogue routers, traffic redirection, address theft, and DoS.
The original Neighbor Discovery Protocol was designed without authentication:
- No mechanism to determine authorised neighbors — any host can answer
- Rogue router: anyone can send Router Advertisements pretending to be the gateway → traffic gets redirected through the attacker (a man-in-the-middle)
- Other threats: address theft, denial of service, and advertisement/parameter spoofing
- No security measures were built for the ARP/DHCP-equivalent functions, so spoofing stateless autoconfiguration messages is possible
Mitigations developed later include SEND (Secure Neighbor Discovery) and switch features like RA Guard.
Tip: A rogue Router Advertisement is the IPv6 equivalent of ARP spoofing — and it's a real attack, which is why managed switches offer "RA Guard" to block RAs from untrusted ports.
Go deeper:
RFC 4861 §11 — Security Considerations — the threat analysis (rogue routers, spoofing) and why NDP lacks built-in authentication.