›› What is NDPMon ?
NDPMon is an equivalent of ArpWatch for IPv6 and was developed within the MADYNES Project, a research team from the Inria Nancy Grand Est Research center in France. It is currently maintained by Frederic Beck.
NDPMon, Neighbor Discovery Protocol Monitor, is a tool working with ICMPv6 packets. NDPMon observes the local network to see if nodes using neighbor discovery messages behave properly. When it detects a suspicious Neighbor Discovery message, it notifies the administrator by writing in the syslog and in some cases by sending an email report.
Please refer to the website for more information and documentation.
›› Plugins
Available
- MAC Vendor Resolution: compares the vendor part of a MAC address with a known base
- WEB interface: caches and alerts are converted to HTML files using XSLT for real time display in a WEB server
- Countermeasures: packets are forged and sent to deprecate rogue RAs or NAs
- Syslog filtering: logrotate and logs redirection to /var/log/ndpmon.log
Experimental
- Remote probes: distributed monitoring and logging to a central instance using SOAP/TLS
- Custom rules: lets the user define their own rules for raising alerts
›› Alerts and Reports
NDPMon generates various reports and alerts, including:
- wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
- wrong router MAC: invalid MAC address
- wrong router IP address: invalid IP address
- wrong prefix: invalid IPv6 prefix
- wrong RA flags: invalid flags in the RA
- wrong RA params: wrong parameter in the RA (lifetimes, timers...)
- wrong router redirect: the router which emitted the redirect is not valid
- router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
- Duplicate Address Detection DOS: duplicate address detection denial of service
- changed ethernet address: a Global IPv6 address has a new MAC address
- flip flop: a node uses two MAC addresses one after the other
- reused old Ethernet address: reuse of an old MAC address
- Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
- new station: new node on the link
- new IPv6 Global Address: new IPv6 Global address for a node
- new IPv6 Link Local Address: new IPv6 Link Local address for a node
- wrong couple MAC/LLA in icmp6: wrong couple of source Ethernet and source Link Local addresses, i.e. both addresses are known but belong to different neighbors
- Ethernet mismatch: link layer Ethernet address and address in ICMPv6 option do not match
- IP Multicast
- Ethernet Broadcast