Skip to main content

Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks

Document Type Expired Internet-Draft (individual)
Expired & archived
Author Fernando Gont
Last updated 2012-12-07 (Latest revision 2012-06-05)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document specifies a mechanism that can be implemented in layer-2 devices to mitigate attack vectors based on Neighbor Discovery messages. It is meant to complement other mechanisms implemented in layer-2 devices such as Router Advertisement Guard (RA-Guard) and DHCPv6-Shield, with the goal of achieving a comprehensive IPv6 First Hop Security solution. This document is motivated by the desire to achieve feature parity with IPv4 with respect to First Hop Security mechanisms.


Fernando Gont

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)