It may be desirable for switches and/or other network devices to be more and more IPv6 (Internet Protocol version 6)-aware in order to protect the network against rogue or uncontrolled behaviors, particularly in secure environments. For instance, IPv6 “First Hop Security (FHS)” is a suite of features that operates on a switch to protect the layer-2 (L2) network against misuse of IPv6 protocols such as the neighbor discovery (ND) protocol (NDP) and the dynamic host configuration protocol (DHCP).
ND is a multicast-intensive protocol that can create substantial control plane overhead and is susceptible to various forms of misuse, such as a scanning-type attack. For example, in order to support virtual local area networks (VLANs) in IEEE Std. 802.11, a controller usually unicasts a packet to all wireless devices that are members of a subnet, one by one. This poses a significant security risk in IPv6 with respect to a scanning attack, in which an outside attacker sends a packet to a large number of IPv6 addresses that are derived from the same subnet: each probed address that is not yet in the neighbor cache causes a multicast neighbor solicitation, which the controller then replicates as a unicast frame to every wireless device in the subnet, so the effect is multiplied with respect to the wireless network, effectively creating a denial of service (DoS) attack on the wireless network.
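The scanning pattern above can be recognised at the first hop by counting how many distinct addresses of one /64 a single outside source touches within a short window, and the multiplication can be estimated from the number of wireless devices in that subnet. The following detector is an added example, not part of the original text; the log format, the thresholds and the per-subnet client count are constructed assumptions.

```python
"""Flag an outside source probing many addresses of one IPv6 /64, the
scanning pattern the text describes, and estimate the unicast frames a
wireless controller would replicate per neighbor solicitation.  Added
example; log format, thresholds and client counts are constructed."""
from collections import defaultdict
from ipaddress import IPv6Network, ip_address

# Constructed sample records "<seconds> <src> <dst>" for packets entering
# the subnet from outside; each unknown dst makes the router solicit via ND.
SCANNER = "2001:db8:ffff::9"
SAMPLE_LOG = "\n".join(
    ["0.0 2001:db8:ffff::7 2001:db8:1::a", "4.0 2001:db8:ffff::7 2001:db8:1::b"]
    + [f"{i / 10:.1f} {SCANNER} 2001:db8:1::{i + 1:x}" for i in range(12)]
)
WIRELESS_CLIENTS = {IPv6Network("2001:db8:1::/64"): 200}  # assumed association count
WINDOW_S = 10.0   # sliding window length in seconds
THRESHOLD = 8     # distinct dsts per (src, /64) inside the window before alerting

def parse_log(text):
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            recs.append((float(ts), ip_address(src), ip_address(dst)))
    return recs

def detect_scans(recs, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return {(src, /64): (distinct_dsts, est_replicated_frames)} for each
    source exceeding `threshold` distinct targets in one /64 within `window_s`."""
    recent = defaultdict(list)   # (src, prefix) -> [(ts, dst), ...] in time order
    alerts = {}
    for ts, src, dst in sorted(recs, key=lambda r: r[0]):
        key = (src, IPv6Network((dst, 64), strict=False))
        bucket = recent[key]
        bucket.append((ts, dst))
        while ts - bucket[0][0] > window_s:     # age out entries older than the window
            bucket.pop(0)
        distinct = len({d for _, d in bucket})
        if distinct > threshold:
            # One multicast NS per probed address becomes one unicast frame per
            # associated client when the controller converts multicast to unicast.
            alerts[key] = (distinct, distinct * WIRELESS_CLIENTS.get(key[1], 0))
    return alerts

def run_sample():
    return detect_scans(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for (src, prefix), (n, frames) in run_sample().items():
        print(f"{src} probed {n} addresses in {prefix}: ~{frames} replicated frames")
```

On the sample, the legitimate host touching two addresses stays below the threshold, while the scanning source is reported with 12 probed addresses and an estimated 2400 replicated frames.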