nerdexam
Cisco

352-001 · Question #367

Which three techniques can be used to provide IPv6 first-hop security to prevent man-in-the- middle attacks? (Choose three.)

The correct answer is A. DHCP snooping C. RA Guard D. ND Inspection. RA Guard, ND Inspection, and DHCPv6 snooping are the IPv6 first-hop security features that together prevent man-in-the-middle attacks by controlling which devices can advertise routes, resolve addresses, or assign IPs.

Designing Security

Question

Which three techniques can be used to provide IPv6 first-hop security to prevent man-in-the- middle attacks? (Choose three.)

Options

  • ADHCP snooping
  • BDynamic ARP Inspection
  • CRA Guard
  • DND Inspection
  • EBPDU guard
  • FIPv6 provider-independent address space

How the community answered

(43 responses)
  • A
    77% (33)
  • B
    7% (3)
  • E
    2% (1)
  • F
    14% (6)

Why each option

RA Guard, ND Inspection, and DHCPv6 snooping are the IPv6 first-hop security features that together prevent man-in-the-middle attacks by controlling which devices can advertise routes, resolve addresses, or assign IPs.

ADHCP snoopingCorrect

DHCPv6 snooping validates DHCPv6 messages and builds a binding table of legitimate host-to-address mappings, preventing rogue DHCPv6 servers from redirecting traffic to an attacker.

BDynamic ARP Inspection

Dynamic ARP Inspection operates on IPv4 ARP, not IPv6 Neighbor Discovery, so it provides no protection against IPv6 MitM attacks.

CRA GuardCorrect

RA Guard filters unauthorized Router Advertisement messages on switch ports, blocking an attacker from advertising a rogue default gateway and redirecting IPv6 traffic.

DND InspectionCorrect

ND Inspection validates Neighbor Discovery (Neighbor Solicitation and Advertisement) messages against the DHCPv6 snooping binding table, preventing the IPv6 equivalent of ARP spoofing used in MitM attacks.

EBPDU guard

BPDU Guard prevents unauthorized switches from participating in Spanning Tree and does not address IPv6 address resolution or routing advertisement spoofing.

FIPv6 provider-independent address space

Provider-independent IPv6 address space is an addressing policy concept related to ISP portability and has no bearing on layer-2 or first-hop security.

Concept tested: IPv6 first-hop security mechanisms preventing MitM attacks

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book.html

Topics

#IPv6 first-hop security#RA Guard#ND Inspection#DHCP snooping

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice