An IPv6 router implements neighbor discovery, described in RFC 2461, by storing Neighbor Cache Entries (NCEs) in a Neighbor Cache. Each neighbor cache entry stores reachability information for a neighboring network node identified by its IP address. If the IPv6 router receives a packet whose IP destination address falls within the address prefix assigned to the router but is unresolved (i.e., the router has not yet resolved the IP destination address to a link layer address), the router, per RFC 2461, creates a neighbor cache entry that records the unresolved IP destination address together with a reachability state of INCOMPLETE. The router then initiates Neighbor Discovery by outputting a Neighbor Solicitation (NS) message for the unresolved IP destination address and waiting for the corresponding solicited Neighbor Advertisement (NA) message, which supplies the link layer address needed to reach that destination. If no solicited NA message arrives within the prescribed minimum waiting interval (e.g., 2 seconds), the router discards the packet that was waiting on resolution and removes the neighbor cache entry from memory.
Committing a neighbor cache entry to an unresolved IP destination address for the prescribed minimum waiting interval (e.g., 2 seconds) creates a vulnerability in the router that enables a remote attacking node to mount a neighbor discovery denial of service (DoS) attack against the router, described in detail in Section 4.3.2 of RFC 3756. In summary, the attacking node fabricates IP destination addresses within the subnet prefix assigned to the router and sends packets addressed to them to the router. The router must attempt to resolve each fabricated address by committing a neighbor cache entry to it and outputting a neighbor solicitation (NS) message to determine its reachability. The neighbor cache therefore fills with entries for unresolved IP addresses (fabricated by the attacking node) that carry valid subnet prefixes but invalid suffixes, depleting the resources available for neighbor discovery on behalf of legitimate host nodes attempting to reach a destination node in the network served by the router.
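The following toy model illustrates the two preceding paragraphs: a neighbor cache whose INCOMPLETE entries are held for the waiting interval, replayed once uncapped and once with a cap on the number of INCOMPLETE entries (one of the mitigations discussed in RFC 6583). It is an added example, not code from the page or from any router implementation; the 64-entry cache size, the 100 fabricated addresses, the host address 2001:db8:0:1::beef and its link-layer address are constructed sample values, and the class and function names are this example's own.

```python
"""Toy model of an IPv6 router's Neighbor Cache under the RFC 3756 sec. 4.3.2
scenario. Added illustration, not code from the page or from any router; the
2-second interval is the page's example value, and the cache size, address
values and the INCOMPLETE cap are constructed assumptions for the simulation."""

INCOMPLETE_TIMEOUT = 2.0   # seconds an unresolved entry is held (page's example)


class NeighborCache:
    """Neighbor cache keyed by IPv6 address. States: INCOMPLETE (NS sent,
    resolution pending) and STALE (link-layer address known, usable for forwarding)."""

    def __init__(self, capacity, incomplete_limit=None):
        self.capacity = capacity                  # total entries the router can hold
        self.incomplete_limit = incomplete_limit  # cap on INCOMPLETE entries; None = uncapped
        self.entries = {}                         # ip -> {"state", "created", "lladdr"}
        self.solicitations_sent = 0               # NS messages the router emitted
        self.dropped_for_full = 0                 # packets dropped because no entry could be created

    def incomplete_count(self):
        return sum(1 for e in self.entries.values() if e["state"] == "INCOMPLETE")

    def expire(self, now):
        """Remove INCOMPLETE entries whose waiting interval has elapsed
        (resolution failed: queued packet discarded, entry deleted)."""
        expired = [ip for ip, e in self.entries.items()
                   if e["state"] == "INCOMPLETE" and now - e["created"] >= INCOMPLETE_TIMEOUT]
        for ip in expired:
            del self.entries[ip]
        return len(expired)

    def forward(self, dst_ip, now):
        """Router receives a packet for on-link destination dst_ip."""
        self.expire(now)
        entry = self.entries.get(dst_ip)
        if entry is not None:
            return "queued" if entry["state"] == "INCOMPLETE" else "forwarded"
        # No entry: address resolution must start, which commits a cache slot.
        if len(self.entries) >= self.capacity:
            self.dropped_for_full += 1
            return "dropped"
        if self.incomplete_limit is not None and self.incomplete_count() >= self.incomplete_limit:
            self.dropped_for_full += 1
            return "dropped"
        self.entries[dst_ip] = {"state": "INCOMPLETE", "created": now, "lladdr": None}
        self.solicitations_sent += 1              # NS multicast to the solicited-node group
        return "queued"

    def learn_from_solicitation(self, src_ip, lladdr, now):
        """A neighbor's own NS carrying a Source Link-Layer Address option lets the
        router create a STALE entry directly, with no INCOMPLETE phase."""
        self.expire(now)
        entry = self.entries.get(src_ip)
        if entry is not None:
            entry.update(state="STALE", lladdr=lladdr)
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[src_ip] = {"state": "STALE", "created": now, "lladdr": lladdr}
        return True


def simulate(incomplete_limit=None, capacity=64, fabricated=100):
    """Replay the page's scenario against one cache configuration and report
    what happens to a legitimate host that appears while the cache is loaded."""
    cache = NeighborCache(capacity, incomplete_limit)
    # Constructed sample traffic: packets for addresses inside the router's
    # prefix whose suffixes belong to no host, so no NA will ever answer them.
    for i in range(1, fabricated + 1):
        cache.forward(f"2001:db8:0:1::{i:x}", now=0.0)
    legit_ip, legit_mac = "2001:db8:0:1::beef", "02:00:5e:00:53:01"   # constructed
    learned = cache.learn_from_solicitation(legit_ip, legit_mac, now=0.5)
    legit_result = cache.forward(legit_ip, now=0.6)
    expired = cache.expire(now=2.5)           # waiting interval elapsed, cache drains
    return {
        "incomplete_committed": cache.solicitations_sent,
        "dropped": cache.dropped_for_full,
        "legit_learned": learned,
        "legit_packet": legit_result,
        "expired_at_2_5s": expired,
        "entries_after": len(cache.entries),
    }


if __name__ == "__main__":
    for limit in (None, 32):
        print(f"incomplete_limit={limit}: {simulate(limit)}")
```

Without a cap, the 100 fabricated destinations consume all 64 slots within the 2-second window, so the router cannot even record the legitimate host's own solicitation and drops its traffic until the unresolved entries age out. With the INCOMPLETE pool bounded at 32, the fabricated addresses still trigger solicitations and drops for themselves, but the remaining capacity stays available for entries learned from real neighbors' NS and NA messages, which is the property a defender cares about; the monitoring hook is the ratio of solicitations sent to entries that ever leave INCOMPLETE.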