Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Secure IPv6 Neighbor Discovery

SUMMARY The Secure Neighbor Discovery (SEND) Protocol for IPv6 traffic prevents an attacker who has access to the broadcast segment from abusing NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning.

Understanding Secure IPv6 Neighbor Discovery

One of the functions of the IPv6 Neighbor Discovery Protocol (NDP) is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses, a function performed in IPv4 by Address Resolution Protocol (ARP). The Secure Neighbor Discovery (SEND) Protocol prevents an attacker who has access to the broadcast segment from abusing NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning.

To protect against ARP poisoning and other attacks against NDP functions, SEND should be deployed where preventing access to the broadcast segment might not be possible.

SEND uses RSA key pairs to produce cryptographically generated addresses, as defined in RFC 3972, Cryptographically Generated Addresses (CGA). This ensures that the claimed source of an NDP message is the owner of the claimed address.

Example: Configuring Secure IPv6 Neighbor Discovery

This example shows how to configure IPv6 Secure Neighbor Discovery (SEND).


This example has the following requirements:

  • Junos OS Release 9.3 or later

  • IPv6 deployed in your network

  • If you have not already done so, you must generate or install an RSA key pair.

    To generate a new RSA key pair, enter the following command:


To configure SEND, include the following statements:

Specify default to send and receive both secure and unsecured Neighbor Discovery Protocol (NDP) packets. To configure SEND to accept secured NDP messages only and to drop unsecured ones. specify secure-messages-only.

All nodes on the segment need to be configured with SEND if the secure-messages-only option is used, which is recommended unless only a small subset of devices require increased protection. Failure to configure SEND for all nodes might result in loss of connectivity.




CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a secure IPv6 neighbor discovery:

  1. Configure the security level.

  2. (Optional) Enable the key length.

    The default key length is 1024.

  3. (Optional) Specify the directory path of the public-private key file generated for the cryptographic address.

    The default location of the file is the /var/etc/rsa_key directory.

  4. (Optional) Configure a timestamp to ensure that solicitation and redirect messages are not being replayed.


From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.


Confirm that the configuration is working properly.

Checking the IPv6 Neighbor Cache


Display information about the IPv6 neighbors.


From operational mode, enter the show ipv6 neighbors command.


In IPv6, the Address Resolution Protocol (ARP) has been replaced by the NDP. The IPv4 command show arp is replaced by the IPv6 command show ipv6 neighbors. The key pieces of information displayed by this command are the IP address, the MAC (Link Layer) address, and the interface.

Tracing Neighbor Discovery Events


Perform additional validation by tracing SEND.

  1. Configure trace operations.

  2. Run the show log command.


The output shows that because the packet does not have a cryptographically generated address, the packet is dropped.