352-001 · Question #367
Which three techniques can be used to provide IPv6 first-hop security to prevent man-in-the- middle attacks? (Choose three.)
The correct answer is A. DHCP snooping C. RA Guard D. ND Inspection. RA Guard, ND Inspection, and DHCPv6 snooping are the IPv6 first-hop security features that together prevent man-in-the-middle attacks by controlling which devices can advertise routes, resolve addresses, or assign IPs.
Question
Which three techniques can be used to provide IPv6 first-hop security to prevent man-in-the- middle attacks? (Choose three.)
Options
- ADHCP snooping
- BDynamic ARP Inspection
- CRA Guard
- DND Inspection
- EBPDU guard
- FIPv6 provider-independent address space
How the community answered
(43 responses)- A77% (33)
- B7% (3)
- E2% (1)
- F14% (6)
Why each option
RA Guard, ND Inspection, and DHCPv6 snooping are the IPv6 first-hop security features that together prevent man-in-the-middle attacks by controlling which devices can advertise routes, resolve addresses, or assign IPs.
DHCPv6 snooping validates DHCPv6 messages and builds a binding table of legitimate host-to-address mappings, preventing rogue DHCPv6 servers from redirecting traffic to an attacker.
Dynamic ARP Inspection operates on IPv4 ARP, not IPv6 Neighbor Discovery, so it provides no protection against IPv6 MitM attacks.
RA Guard filters unauthorized Router Advertisement messages on switch ports, blocking an attacker from advertising a rogue default gateway and redirecting IPv6 traffic.
ND Inspection validates Neighbor Discovery (Neighbor Solicitation and Advertisement) messages against the DHCPv6 snooping binding table, preventing the IPv6 equivalent of ARP spoofing used in MitM attacks.
BPDU Guard prevents unauthorized switches from participating in Spanning Tree and does not address IPv6 address resolution or routing advertisement spoofing.
Provider-independent IPv6 address space is an addressing policy concept related to ISP portability and has no bearing on layer-2 or first-hop security.
Concept tested: IPv6 first-hop security mechanisms preventing MitM attacks
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book.html
Topics
Community Discussion
No community discussion yet for this question.