The Neighbor Discovery Protocol Monitor (NDPMon) is a diagnostic software application used by network administrators for monitoring ICMPv6 packets in Internet Protocol version 6 (IPv6) networks. NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages, especially during the Stateless Address Autoconfiguration. When an NDP message is flagged, it notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is an equivalent of Arpwatch for IPv4, and has similar basic features with added attacks detection.
NDPMon runs on Linux distributions, Mac OS X, FreeBSD, NetBSD and OpenBSD. It uses a configuration file containing the expected and valid behavior for nodes and routers on the link. This includes the router addresses (MAC and IP) and the prefixes, flags and parameters announced.
NDPMon also maintains a list of neighbors on the link and monitors all advertisements and network changes. It permits tracking the usage of cryptographically generated interface identifiers or temporary global addresses when Privacy extensions are enabled.
NDPMon is free software published under the GNU Lesser General Public License version 2.1.
Alerts and reports
NDPMon generates various reports and alerts, including:
wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
wrong router MAC: invalid MAC address
wrong router IP address, invalid IP address
wrong prefix: invalid IPv6 prefix
wrong RA flags: invalid flags in the RA
wrong RA params: wrong parameter in the RA (lifetimes, timers...)
wrong router redirect: the router which emitted the redirect is not valid
router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
Duplicate Address Detection DOS: duplicate address detection denial of service
changed ethernet address: a Global IPv6 address has a new MAC address
flip flop: a node uses two MAC addresses one after the other
reused old Ethernet address: reuse of an old MAC address
Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
new station: new node on the link
new IPv6 Global Address: new IPv6 Global address for a node
new IPv6 Link Local Address: new IPv6 Link Local address for a node
wrong couple MAC/LLA: wrong couple source Ethernet and source LLA addresses, i.e. Ethernet and Link Local Addresses are found but in different neighbors
Ethernet mismatch: link layer Ethernet address and address in ICMPv6 option do not match
IP Multicast
Ethernet Broadcast
A set of plugins are available for NDPMon:
MAC vendor resolution: compares the vendor part of a MAC address with a known base
Web interface: caches and alerts are converted to HTML files using XSLT for real time display in a Web server
Countermeasures: packets are forged and sent to deprecated rogue RAs or NAs
Syslog filtering: logrotate and logs redirection to /var/log/ndpmon.log
Remote probes (Experimental): distributed monitoring and logging to a central instance using SOAP/TLS
Custom rules (Experimental): lets users define their own rules for raising alerts