nerdexam
Cisco

352-001 · Question #651

Company ABC has started to implement IPv6 in their network and has rolled out dual-stack endpoint devices to their employees. Which security measure prevents ABC from replay attacks?

The correct answer is D. SeND with Nonce. SeND (Secure Neighbor Discovery) with the Nonce option prevents replay attacks in IPv6 by embedding a unique random value in each Neighbor Discovery message.

Designing Security

Question

Company ABC has started to implement IPv6 in their network and has rolled out dual-stack endpoint devices to their employees. Which security measure prevents ABC from replay attacks?

Options

  • AIPv6 Source Guard
  • BRouter Advertisement Guard
  • CIPv6 Destination Guard
  • DSeND with Nonce

How the community answered

(28 responses)
  • A
    7% (2)
  • B
    4% (1)
  • C
    18% (5)
  • D
    71% (20)

Why each option

SeND (Secure Neighbor Discovery) with the Nonce option prevents replay attacks in IPv6 by embedding a unique random value in each Neighbor Discovery message.

AIPv6 Source Guard

IPv6 Source Guard validates source IP and MAC address bindings to prevent spoofing, but it does not provide any mechanism to detect or reject replayed packets.

BRouter Advertisement Guard

Router Advertisement Guard filters unauthorized RA messages to protect against rogue routers, but it does not address replay attacks against Neighbor Discovery.

CIPv6 Destination Guard

IPv6 Destination Guard limits neighbor cache exhaustion attacks by filtering NDP for unknown destinations, but it does not prevent replay attacks.

DSeND with NonceCorrect

SeND uses cryptographically generated addresses (CGAs) and RSA signatures to secure IPv6 Neighbor Discovery messages. The Nonce option specifically counters replay attacks by including a unique random value that must match between request and reply - a replayed captured message will carry a stale nonce that fails validation and is discarded. No other listed option provides this per-message uniqueness guarantee.

Concept tested: SeND Nonce option for IPv6 replay attack prevention

Source: https://www.rfc-editor.org/rfc/rfc3971

Topics

#IPv6 security#replay attacks#SeND#first-hop security

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice