NDPMon

Last updated

The Neighbor Discovery Protocol Monitor (NDPMon) is a diagnostic software application used by network administrators for monitoring ICMPv6 packets in Internet Protocol version 6 (IPv6) networks. [1] [2] NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages, especially during the Stateless Address Autoconfiguration. [3] When an NDP message is flagged, it notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is an equivalent of Arpwatch for IPv4, and has similar basic features with added attacks detection. [4]

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, who subsequently ratified it as an Internet Standard on 14 July 2017.

The Neighbor Discovery Protocol is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6). It operates at the link layer of the Internet model, and is responsible for gathering various information required for internet communication, including the configuration of local connections and the domain name servers and gateways used to communicate with more distant systems.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity level.

Contents

NDPMon runs on Linux distributions, Mac OS X, FreeBSD, NetBSD and OpenBSD. It uses a configuration file containing the expected and valid behavior for nodes and routers on the link. This includes the router addresses (MAC and IP) and the prefixes, flags and parameters announced.

Linux Family of free and open-source software operating systems based on the Linux kernel

Linux is a family of free and open-source software operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution.

FreeBSD free Unix-like operating system

FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular open-source BSD operating system, accounting for more than three-quarters of all installed BSD systems.

NetBSD open-source Unix-like operating system

NetBSD is a free and open-source Unix-like operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is available for many platforms, including servers, desktops, handheld devices, and embedded systems.

NDPMon also maintains a list of neighbors on the link and monitors all advertisements and network changes. It permits tracking the usage of cryptographically generated interface identifiers or temporary global addresses when Privacy extensions are enabled.

NDPMon is free software published under the GNU Lesser General Public License version 2.1.

Free software software licensed to preserve user freedoms

Free software or libre software is computer software distributed under terms that allow users to run the software for any purpose as well as to study, change, and distribute it and any adapted versions. Free software is a matter of liberty, not price: users—individually or in cooperation with computer programmers—are free to do what they want with their copies of a free software regardless of how much is paid to obtain the program. Computer programs are deemed free insofar as they give users ultimate control over the first, thereby allowing them to control what their devices are programmed to do.

GNU Lesser General Public License variant of the free software license GPL to allow a piece of software to be used in proprietary software

The GNU Lesser General Public License (LGPL) is a free-software license published by the Free Software Foundation (FSF). The license allows developers and companies to use and integrate a software component released under the LGPL into their own software without being required by the terms of a strong copyleft license to release the source code of their own components. However, any developer who modifies an LGPL-covered component is required to make their modified version available under the same LGPL license. For proprietary software, code under the LGPL is usually used in the form of a shared library, so that there is a clear separation between the proprietary and LGPL components. The LGPL is primarily used for software libraries, although it is also used by some stand-alone applications.

Alerts and reports

NDPMon generates various reports and alerts, including:

A media access control address of a device is a unique identifier assigned to a network interface controller (NIC). For communications within a network segment, it is used as a network address for most IEEE 802 network technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or no separator.

Available plugins

A set of plugins are available for NDPMon:

See also

Related Research Articles

The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

Subnetwork logically visible subdivision of an IP network

A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.

A broadcast address is a network address at which all devices connected to a multiple-access communications network are enabled to receive datagrams. A message sent to a broadcast address may be received by all network-attached hosts.

Mobile IP is an Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address. Mobile IP for IPv4 is described in IETF RFC 5944, and extensions are defined in IETF RFC 4721. Mobile IPv6, the IP mobility implementation for the next generation of the Internet Protocol, IPv6, is described in RFC 6275.

The Secure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor Discovery Protocol (NDP) in IPv6 defined in RFC 3971 and updated by RFC 6494.

6over4 is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of a multicast-enabled IPv4 network. IPv4 is used as a virtual data link layer on which IPv6 can be run.

ISATAP is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

The Dynamic Host Configuration Protocol version 6 (DHCPv6) is a network protocol for configuring Internet Protocol version 6 (IPv6) hosts with IP addresses, IP prefixes and other configuration data required to operate in an IPv6 network. It is the IPv6 equivalent of the Dynamic Host Configuration Protocol for IPv4.

Internet Control Message Protocol version 6 (ICMPv6) is the implementation of the Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6). ICMPv6 is defined in RFC 4443. ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic functions, and has a framework for extensions to implement future changes.

In a computer network, a link-local address is a network address that is valid only for communications within the network segment or the broadcast domain that the host is connected to. Link-local addresses are most often assigned automatically through a process known as stateless address autoconfiguration or link-local address autoconfiguration.

The Router Advertisement Daemon (radvd) is an open-source software product that implements link-local advertisements of IPv6 router addresses and IPv6 routing prefixes using the Neighbor Discovery Protocol (NDP) as specified in RFC 2461.

IPv6 address label to identify a network interface of a computer or other network node

An Internet Protocol Version 6 address is a numerical label that is used to identify a network interface of a computer or a network node participating in an IPv6 computer network.

An IPv6 packet is the smallest message entity exchanged via the Internet Protocol across an Internet Protocol version 6 (IPv6) network.

The Identifier/Locator Network Protocol (ILNP) (RFCs) is a network protocol designed to separate the two functions of network addresses, the identification of network endpoints, and assisting routing by separating topological information from node identity. ILNP is backwards-compatible with existing IP, and is incrementally-deployable.

A Solicited-Node multicast address is an IPv6 multicast address valid within the local-link. Every IPv6 host will have at least one such address per interface. Solicited-Node multicast addresses are used in Neighbor Discovery Protocol for obtaining the layer 2 link-layer addresses of other nodes.

In computer networking, the link layer is the lowest layer in the Internet Protocol Suite, the networking architecture of the Internet. It is described in RFC 1122 and RFC 1123. The link layer is the group of methods and communications protocols that only operate on the link that a host is physically connected to. The link is the physical and logical network component used to interconnect hosts or nodes in the network and a link protocol is a suite of methods and standards that operate only between adjacent network nodes of a local area network segment or a wide area network connection.

References

  1. RFC 4861, Neighbor Discovery for IP version 6 (IPv6), T. Narten et al. (September 2007)
  2. Monitoring the Neighbor Discovery Protocol F. Beck, T. Cholez, I. Chrisment and O. Festor - The Second International Workshop on IPv6 Today - Technology and Deployment - IPv6TD 2007 (2007)
  3. RFC 4862 IPv6 Stateless Address Autoconfiguration, S. Thomson, T. Narten, T. Jinmei (September 2007)
  4. RFC 3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats P. Nikander, Ed.,J. Kempf, E. Nordmark (May 2004)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.