| Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information about the network infrastructure that can be useful to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded as the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages.
To mitigate the risk of reconnaissance or a Denial of Service (DoS) attack, all external-facing interfaces must be configured to silently drop unreachable traffic, not announce network address information, and to ignore neighbor solicitation messages. This requirement is applicable to network device management and is not applicable to the routing function. |
