Switches increasingly need to be IPv6 aware in order to protect the network against rogue or uncontrolled behavior, particularly in secure environments. For instance, IPv6 (Internet Protocol version 6) “first hop security” is a family of switch features that protect the layer-2 (L2) network against misuse of IPv6 protocols such as the Neighbor Discovery Protocol (NDP) and the Dynamic Host Configuration Protocol (DHCP).
One well-known attack is a scanning attack from the outside, where an attacker sends packets to a large number of IPv6 addresses belonging to the same subnet. Neighbor discovery (ND) requires the receiving router to create an ND cache entry (in the INCOMPLETE state) for each scanned address and to keep that entry for several seconds while address resolution is attempted, which can deplete the router's memory and limit its ability to serve the existing hosts in the subnet. This attack is a much bigger concern in IPv6 (although an equivalent exists in IPv4) because of the size of an IPv6 subnet (a /64 gives the attacker 2^64 addresses with which to create state in the router) and because the router is expected to queue the packets that triggered the resolution until it completes or times out.
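The following simulation is an added example and is not code from the original page or from any router or switch vendor. It models a router's neighbor cache as described above: an unresolved destination creates an INCOMPLETE entry that holds the triggering packet for a few seconds (the 3 s hold time follows the RFC 4861 defaults of RetransTimer 1 s times 3 solicitations). A scan of 20,000 unused addresses is run once against an unbounded cache and once against a cache that caps INCOMPLETE entries while never evicting already REACHABLE neighbors; the cap of 256 and the 2001:db8::/64 prefix are assumptions chosen for the demonstration, and real implementations add further controls (rate limiting, per-source budgets) that this simulation omits.

```python
"""Simulation of IPv6 neighbor-cache exhaustion by a subnet scan, and a bounded cache."""
import ipaddress

INCOMPLETE = "INCOMPLETE"
REACHABLE = "REACHABLE"
# Seconds an INCOMPLETE entry lives: RetransTimer 1 s x MAX_MULTICAST_SOLICIT 3 (RFC 4861 defaults).
RESOLVE_HOLD = 3.0


class NdCache:
    """Minimal neighbor cache for one router interface.

    max_incomplete=None models a router that creates an INCOMPLETE entry for every
    unresolved destination. A finite cap models a first-hop mitigation: stop creating
    new INCOMPLETE entries once the cap is reached, but never evict REACHABLE entries.
    """

    def __init__(self, max_incomplete=None):
        self.max_incomplete = max_incomplete
        self.entries = {}        # ip -> {"state", "queued" (bytes held), "expires"}
        self.n_incomplete = 0
        self.dropped = 0

    def learn_reachable(self, ip):
        self.entries[ip] = {"state": REACHABLE, "queued": 0, "expires": float("inf")}

    def _remove(self, ip):
        if self.entries[ip]["state"] == INCOMPLETE:
            self.n_incomplete -= 1
        del self.entries[ip]

    def forward(self, dst, pkt_len, now):
        """Router receives a packet for `dst` at time `now`; returns the cache state used."""
        entry = self.entries.get(dst)
        if entry is not None and entry["expires"] <= now:   # resolution timed out
            self._remove(dst)
            entry = None
        if entry is not None:
            if entry["state"] == INCOMPLETE:
                entry["queued"] += pkt_len   # RFC 4861 7.2.2: hold packets pending resolution
            return entry["state"]
        if self.max_incomplete is not None and self.n_incomplete >= self.max_incomplete:
            self.dropped += 1                # mitigation: refuse to create more state
            return "DROPPED"
        self.entries[dst] = {"state": INCOMPLETE, "queued": pkt_len, "expires": now + RESOLVE_HOLD}
        self.n_incomplete += 1
        return INCOMPLETE

    def sweep(self, now):
        """Garbage-collect every timed-out INCOMPLETE entry (a router's periodic timer)."""
        for ip in [ip for ip, e in self.entries.items() if e["expires"] <= now]:
            self._remove(ip)

    def queued_bytes(self):
        return sum(e["queued"] for e in self.entries.values())


def scan(cache, subnet, n_probes, pkt_len=64, rate=10000.0):
    """Attacker sends one packet per unused address in `subnet` at `rate` packets/s."""
    net = ipaddress.IPv6Network(subnet)
    for i in range(n_probes):
        cache.forward(str(net[0x1_0000 + i]), pkt_len, i / rate)   # offset avoids real hosts
    return cache


def demo(max_incomplete=None, n_probes=20000, subnet="2001:db8::/64"):
    """Run the scan against a cache that already knows 50 hosts; return router-side stats."""
    cache = NdCache(max_incomplete)
    hosts = [str(ipaddress.IPv6Network(subnet)[i]) for i in range(1, 51)]   # constructed hosts
    for h in hosts:
        cache.learn_reachable(h)
    scan(cache, subnet, n_probes)
    stats = {
        "incomplete": cache.n_incomplete,
        "queued_bytes": cache.queued_bytes(),
        "dropped": cache.dropped,
        "host_state": cache.forward(hosts[0], 64, 2.5),   # known host during the attack
    }
    cache.sweep(now=n_probes / 10000.0 + RESOLVE_HOLD + 1.0)   # after all holds expire
    stats["entries_after_sweep"] = len(cache.entries)
    return stats


if __name__ == "__main__":
    print("unbounded:", demo())
    print("capped   :", demo(max_incomplete=256))
```

With an unbounded cache the scan leaves 20,000 INCOMPLETE entries and 1,280,000 bytes of queued packets on the router for the full hold time, which is exactly the memory depletion the paragraph describes; the capped cache holds at most 256 such entries and 16 KiB of queued data, drops the remaining probes, and still forwards to the already-resolved host. In both cases the state is reclaimed only after the hold time expires, which is why a sustained scan keeps the router saturated.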