NDPMon

The Neighbor Discovery Protocol Monitor (NDPMon) is a diagnostic software application used by network administrators for monitoring ICMPv6 packets in Internet Protocol version 6 (IPv6) networks. NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages, especially during Stateless Address Autoconfiguration. When an NDP message is flagged, it notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is the equivalent of Arpwatch for IPv4, and has similar basic features with added attack detection (see RFC 3756, "IPv6 Neighbor Discovery (ND) Trust Models and Threats"). NDPMon runs on Linux distributions, Mac OS X, FreeBSD, NetBSD and OpenBSD. It uses a configuration file containing the expected and valid behavior for nodes and routers on the link. This includes the router addresses (MAC and IP) and the prefixes, flags and parameters announced. NDPMon also maintains a list of neighbors on the link and monitors all advertisements and network changes. It permits tracking the usage of cryptographically generated interface identifiers or temporary global addresses when privacy extensions are enabled. NDPMon is free software published under the GNU Lesser General Public License version 2.1.


Alerts and reports

NDPMon generates various reports and alerts, including:

* wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
* wrong router MAC: invalid MAC address
* wrong router IP address: invalid IP address
* wrong prefix: invalid IPv6 prefix
* wrong RA flags: invalid flags in the RA
* wrong RA params: wrong parameter in the RA (lifetimes, timers...)
* wrong router redirect: the router which emitted the redirect is not valid
* router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
* Duplicate Address Detection DOS: duplicate address detection denial of service
* changed ethernet address: a Global IPv6 address has a new MAC address
* flip flop: a node uses two MAC addresses one after the other
* reused old Ethernet address: reuse of an old MAC address
* Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
* new station: new node on the link
* new IPv6 Global Address: new IPv6 Global address for a node
* new IPv6 Link Local Address: new IPv6 Link Local address for a node
* wrong couple MAC/LLA: wrong couple of source Ethernet and source LLA addresses, i.e. the Ethernet and Link Local addresses are both known but belong to different neighbors
* Ethernet mismatch: link layer Ethernet address and address in ICMPv6 option do not match
* IP Multicast
* Ethernet Broadcast
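To show how several of these alert categories follow from comparing observed advertisements against a configured baseline and a neighbor cache, here is an added Python illustration. It is not NDPMon's own code: the configuration (two expected routers and one prefix), the packet dictionaries and the trace are all constructed for the example, and the alert names are taken from the list above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Network

# Constructed stand-in for NDPMon's configuration file: the routers expected
# on the link (link-local address -> MAC) and the prefixes they may announce.
EXPECTED_ROUTERS = {
    "fe80::1": "00:11:22:33:44:01",
    "fe80::2": "00:11:22:33:44:02",
}
EXPECTED_PREFIXES = {IPv6Network("2001:db8:1::/64")}


@dataclass
class Neighbor:
    """Current MAC of a node plus every MAC it was seen with before."""
    mac: str
    old_macs: list = field(default_factory=list)


class Monitor:
    def __init__(self):
        self.neighbors = {}   # IPv6 address -> Neighbor (the neighbor cache)
        self.alerts = []      # (alert kind, detail) tuples

    def alert(self, kind, detail):
        self.alerts.append((kind, detail))

    def handle_ra(self, pkt):
        """Check a Router Advertisement against the configured routers/prefixes."""
        src_ip, src_mac = pkt["src_ip"], pkt["src_mac"]
        ip_ok = src_ip in EXPECTED_ROUTERS
        mac_ok = src_mac in EXPECTED_ROUTERS.values()
        if ip_ok and mac_ok and EXPECTED_ROUTERS[src_ip] != src_mac:
            # both halves are legitimate router identifiers, just not paired
            self.alert("wrong couple MAC/IP", f"{src_ip} announced by {src_mac}")
        elif not ip_ok:
            self.alert("wrong router IP address", f"{src_ip} from {src_mac}")
        elif not mac_ok:
            self.alert("wrong router MAC", f"{src_ip} announced by {src_mac}")
        for prefix in pkt.get("prefixes", []):
            if IPv6Network(prefix) not in EXPECTED_PREFIXES:
                self.alert("wrong prefix", f"{prefix} announced by {src_ip}")

    def handle_na(self, pkt):
        """Check a Neighbor Advertisement and update the neighbor cache."""
        src_ip, src_mac = pkt["src_ip"], pkt["src_mac"]
        if pkt.get("router_flag") and src_ip not in EXPECTED_ROUTERS:
            self.alert("router flag in Neighbor Advertisement",
                       f"{src_ip} ({src_mac}) is not a declared router")
        self._track(src_ip, src_mac)

    def _track(self, ip, mac):
        entry = self.neighbors.get(ip)
        if entry is None:
            self.neighbors[ip] = Neighbor(mac)
            self.alert("new station", f"{ip} at {mac}")
        elif entry.mac != mac:
            if mac in entry.old_macs:
                # the node went back to a MAC it used earlier: a "flip flop"
                self.alert("flip flop", f"{ip} alternates between {entry.mac} and {mac}")
            else:
                self.alert("changed ethernet address", f"{ip} moved from {entry.mac} to {mac}")
            entry.old_macs.append(entry.mac)
            entry.mac = mac


def run(packets):
    """Feed a list of decoded packets to a fresh Monitor and return its alerts."""
    mon = Monitor()
    for pkt in packets:
        if pkt["type"] == "RA":
            mon.handle_ra(pkt)
        elif pkt["type"] == "NA":
            mon.handle_na(pkt)
    return mon.alerts


# Constructed trace; the real tool decodes these fields from captured ICMPv6 frames.
SAMPLE_TRACE = [
    {"type": "RA", "src_ip": "fe80::1", "src_mac": "00:11:22:33:44:01", "prefixes": ["2001:db8:1::/64"]},
    {"type": "RA", "src_ip": "fe80::2", "src_mac": "00:11:22:33:44:01", "prefixes": ["2001:db8:1::/64"]},
    {"type": "RA", "src_ip": "fe80::bad", "src_mac": "00:11:22:33:44:99", "prefixes": ["2001:db8:dead::/64"]},
    {"type": "NA", "src_ip": "2001:db8:1::10", "src_mac": "aa:bb:cc:00:00:10"},
    {"type": "NA", "src_ip": "2001:db8:1::10", "src_mac": "aa:bb:cc:00:00:11"},
    {"type": "NA", "src_ip": "2001:db8:1::10", "src_mac": "aa:bb:cc:00:00:10"},
    {"type": "NA", "src_ip": "2001:db8:1::20", "src_mac": "aa:bb:cc:00:00:20", "router_flag": True},
]

if __name__ == "__main__":
    for kind, detail in run(SAMPLE_TRACE):
        print(f"{kind}: {detail}")
```

The second RA in the trace is the interesting one: its source address and its MAC are both legitimate router identifiers, so neither the "wrong router IP" nor the "wrong router MAC" check fires on its own, and only the pairing check catches it. Likewise the NA sequence shows why a monitor needs MAC history rather than just the current mapping: the third NA would look like an ordinary address change without the record of what the node used before.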


Available plugins

A set of plugins is available for NDPMon:

* MAC vendor resolution: compares the vendor part of a MAC address with a known base
* Web interface: caches and alerts are converted to HTML files using XSLT for real-time display in a Web server
* Countermeasures: packets are forged and sent to deprecate rogue RAs or NAs
* Syslog filtering: logrotate and log redirection to /var/log/ndpmon.log
* Remote probes (Experimental): distributed monitoring and logging to a central instance using SOAP/TLS
* Custom rules (Experimental): lets users define their own rules for raising alerts


See also

* Internet Protocol Suite


References

* RFC 3756, IPv6 Neighbor Discovery (ND) Trust Models and Threats, P. Nikander (Ed.), J. Kempf, E. Nordmark, May 2004
External links


Sourceforge project site