The IPv6 "snooping" feature bundles several Layer 2 IPv6 first-hop
security features that operate at Layer 2, or between Layer 2 and Layer 3,
and provide IPv6 with security and scalability. This feature
mitigates some of the inherent vulnerabilities of the neighbor discovery
mechanism, such as attacks on duplicate address detection (DAD), address
resolution, device discovery, and the neighbor cache.
IPv6 snooping learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables and analyzes snooping
messages in order to build a trusted binding table. IPv6 snooping messages that
do not have valid bindings are dropped. An IPv6 snooping message is considered
trustworthy if its IPv6-to-MAC mapping is verifiable.
When IPv6 snooping is configured on a target (which varies depending on
platform target support and may include device ports, switch ports, Layer 2
interfaces, Layer 3 interfaces, and VLANs), capture instructions are downloaded
to the hardware to redirect the snooping protocol and Dynamic Host
Configuration Protocol (DHCP) for IPv6 traffic up to the switch integrated
security features (SISF) infrastructure in the routing device. For snooping
traffic, messages such as NS, NA, RS, RA, and REDIRECT are directed to SISF.
For DHCP, UDP messages sourced from port 546 or 547 are redirected.
IPv6 snooping registers its "capture rules" to the classifier, which
aggregates all rules from all features on a given target and installs the
corresponding ACL down into the platform-dependent modules. Upon receiving
redirected traffic, the classifier calls all entry points from any registered
feature (for the target on which the traffic is being received), including the
IPv6 snooping entry point. This entry point is the last to be called, so any
decision (such as drop) made by another feature supersedes the IPv6 snooping
decision.
IPv6 snooping provides IPv6 host liveness tracking so that a neighbor
table can be immediately updated when an IPv6 host disappears.
Additionally, IPv6 snooping is the foundation for many other IPv6
features that depend on an accurate binding table. It inspects snooping and
DHCP messages on a link to glean addresses, and then populates the binding
table with these addresses. This feature also enforces address ownership and
limits the number of addresses any given node is allowed to claim.
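The capture rule (NS, NA, RS, RA and REDIRECT plus DHCPv6 on UDP 546/547), the trusted binding table, address-ownership enforcement, the per-node address limit and liveness-driven removal described above, modelled together as an added Python example. This is illustration code, not Cisco code and not the SISF implementation: the `Message` layout, the `BindingTable` class, the decision strings, the limit of two addresses per node and every MAC and address in the demo are assumptions constructed for this example.

```python
"""Toy model of the IPv6 snooping capture rule and binding table described
above. Constructed example, not Cisco code: the Message fields, the decision
strings and the address limit are simplifications chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ICMPv6 Neighbor Discovery types that the capture rule redirects to snooping.
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "REDIRECT"}
# DHCPv6 client/server UDP ports whose traffic is redirected as well.
DHCPV6_PORTS = {546, 547}


@dataclass
class Message:
    """One frame as seen on an ingress target (port or VLAN); constructed fields."""
    target: str           # e.g. "Gi1/0/1" or "vlan10" (assumed naming)
    src_mac: str
    src_ip: str           # "::" for DAD probes sent from the unspecified address
    proto: str            # "icmpv6", "udp", "tcp", ...
    icmp_type: int = 0
    udp_sport: int = 0
    udp_dport: int = 0


def is_captured(msg: Message) -> bool:
    """Capture rule: NS/NA/RS/RA/REDIRECT and UDP 546/547 are punted to the
    snooping entry point; everything else stays in the normal forwarding path."""
    if msg.proto == "icmpv6":
        return msg.icmp_type in ND_TYPES
    if msg.proto == "udp":
        return msg.udp_sport in DHCPV6_PORTS or msg.udp_dport in DHCPV6_PORTS
    return False


class BindingTable:
    """Trusted IPv6-to-MAC bindings with address-ownership enforcement, a
    per-node address limit and liveness-driven removal."""

    def __init__(self, max_addresses_per_node: int):
        self.max_addresses = max_addresses_per_node
        self.bindings: Dict[str, Tuple[str, str]] = {}   # ip -> (mac, target)

    def addresses_of(self, mac: str) -> List[str]:
        return [ip for ip, (m, _) in self.bindings.items() if m == mac]

    def process(self, msg: Message) -> str:
        """Return "forward" (not captured), "accept", "learn" or "drop:<reason>"."""
        if not is_captured(msg):
            return "forward"
        if msg.src_ip == "::":
            return "accept"            # DAD probe: no address to bind yet
        bound = self.bindings.get(msg.src_ip)
        if bound is None:
            # New address: glean it unless the node already holds its quota.
            if len(self.addresses_of(msg.src_mac)) >= self.max_addresses:
                return "drop:address-limit"
            self.bindings[msg.src_ip] = (msg.src_mac, msg.target)
            return "learn"
        if bound[0] != msg.src_mac:
            # The address is owned by another node: the mapping is not verifiable.
            return "drop:not-owner"
        return "accept"

    def host_disappeared(self, mac: str) -> int:
        """Liveness tracking: purge every binding of a host that went away and
        return how many entries were removed."""
        gone = self.addresses_of(mac)
        for ip in gone:
            del self.bindings[ip]
        return len(gone)


def run_demo() -> List[str]:
    """Feed constructed traffic from two hosts through the table and return the
    sequence of decisions (all MACs and addresses below are made up)."""
    table = BindingTable(max_addresses_per_node=2)
    host_a, host_b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"

    def na(mac: str, ip: str) -> Message:          # Neighbor Advertisement helper
        return Message("Gi1/0/1", mac, ip, "icmpv6", icmp_type=136)

    traffic = [
        Message("Gi1/0/1", host_a, "::", "icmpv6", icmp_type=135),   # DAD NS
        na(host_a, "fe80::1"),                                      # first address
        Message("Gi1/0/1", host_a, "fe80::1", "udp",
                udp_sport=546, udp_dport=547),                      # DHCPv6 from a known binding
        na(host_a, "2001:db8::10"),                                 # second address
        na(host_a, "2001:db8::11"),                                 # over the limit
        na(host_b, "fe80::1"),                                      # B claims A's address
        Message("Gi1/0/1", host_b, "fe80::2", "tcp"),               # not captured
    ]
    decisions = [table.process(m) for m in traffic]
    decisions.append(f"purged:{table.host_disappeared(host_a)}")   # A goes away
    decisions.append(table.process(na(host_b, "fe80::1")))         # address is free again
    return decisions


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Running the demo prints the decision for each constructed frame: the DAD probe is accepted without a binding, the first two addresses of host A are learned, a third is dropped by the address limit, host B's claim on A's address is dropped as an ownership violation, plain TCP is never captured, and once liveness tracking purges host A the same address can be learned for host B. A real deployment would key the table per target and apply the platform's own limits; those parameters are the assumed part of this model.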