352-001 · Question #651
Company ABC has started to implement IPv6 in their network and has rolled out dual-stack endpoint devices to their employees. Which security measure prevents ABC from replay attacks?
The correct answer is D. SeND with Nonce. SeND (Secure Neighbor Discovery) with the Nonce option prevents replay attacks in IPv6 by embedding a unique random value in each Neighbor Discovery message.
Question
Company ABC has started to implement IPv6 in their network and has rolled out dual-stack endpoint devices to their employees. Which security measure prevents ABC from replay attacks?
Options
- AIPv6 Source Guard
- BRouter Advertisement Guard
- CIPv6 Destination Guard
- DSeND with Nonce
How the community answered
(28 responses)- A7% (2)
- B4% (1)
- C18% (5)
- D71% (20)
Why each option
SeND (Secure Neighbor Discovery) with the Nonce option prevents replay attacks in IPv6 by embedding a unique random value in each Neighbor Discovery message.
IPv6 Source Guard validates source IP and MAC address bindings to prevent spoofing, but it does not provide any mechanism to detect or reject replayed packets.
Router Advertisement Guard filters unauthorized RA messages to protect against rogue routers, but it does not address replay attacks against Neighbor Discovery.
IPv6 Destination Guard limits neighbor cache exhaustion attacks by filtering NDP for unknown destinations, but it does not prevent replay attacks.
SeND uses cryptographically generated addresses (CGAs) and RSA signatures to secure IPv6 Neighbor Discovery messages. The Nonce option specifically counters replay attacks by including a unique random value that must match between request and reply - a replayed captured message will carry a stale nonce that fails validation and is discarded. No other listed option provides this per-message uniqueness guarantee.
Concept tested: SeND Nonce option for IPv6 replay attack prevention
Source: https://www.rfc-editor.org/rfc/rfc3971
Topics
Community Discussion
No community discussion yet for this question.