3.1.3.2 ndpd-host

Information

This entry starts ndpd-host, the Neighbor Discovery Protocol (NDP) host daemon, at system startup.

The ndpd-host command handles the default route, which includes the default router, the default interface, and the default interface address. However, the ndpd-host command does not overwrite static default routes that are set on the host. When the daemon is stopped, it cleans up the prefix addresses and the routes it created during its lifetime.

Rationale:

The ndpd-host daemon performs the client (host) function of the NDP protocol.

Unless the server utilizes (dynamic) IPv6, this utility is not required and should be disabled.

IPv6 static configuration is not affected by ndpd-host.

Impact:

When IPv6 is active and NDP is used to obtain a non-link-local IPv6 address (link-local addresses begin with fe80::), it is also likely that the MTU of the interface will change from 1500 to 1492. Additionally, it may add a default route to the IPv6 router from which it received its address. For example:

BEFORE NDP

netstat -ni

  Name  Mtu   Network      Address                    Ipkts      Ierrs  Opkts     Oerrs  Coll
  ...
  en0   1500  192.168.129  192.168.129.71             105156791  0      49249083  1      0
  en0   1500  fe80::dead:beef:fef7:6204               105156791  0      49249083  1      0

netstat -rn

  Routing tables
  Destination       Gateway            Flags  Refs  Use       If   Exp  Groups

  Route tree for Protocol Family 2 (Internet):
  default           192.168.129.1      UG     23    35660110  en0  -    -
  127/8             127.0.0.1          U      2     22988     lo0  -    -
  192.168.129.0     192.168.129.71     UHSb   0     0         en0  -    -   =>
  192.168.129/24    192.168.129.71     U      12    13578475  en0  -    -
  192.168.129.71    127.0.0.1          UGHS   0     21471     lo0  -    -
  192.168.129.255   192.168.129.71     UHSb   0     0         en0  -    -

  Route tree for Protocol Family 24 (Internet v6):
  default           link#2             UC     0     0         en0  -    -
  ::1%1             ::1%1              UH     0     19154     lo0  -    -
  ...

AFTER NDP

netstat -ni

  Name  Mtu   Network      Address                    Ipkts      Ierrs  Opkts     Oerrs  Coll
  ...
  en0   1492  192.168.129  192.168.129.71             105190883  0      49267729  1      0
  en0   1492  BEEF:980:a9ea:1:deed:beef:fef7:6204     105190883  0      49267729  1      0
  en0   1492  fe80::deed:beef:fef7:6204               105190883  0      49267729  1      0

netstat -nr

  Routing tables
  Destination       Gateway                    Flags  Refs  Use       If   Exp  Groups

  Route tree for Protocol Family 2 (Internet):
  default           192.168.129.1              UG     17    35724295  en0  -    -
  127/8             127.0.0.1                  U      2     23044     lo0  -    -
  192.168.129.0     192.168.129.71             UHSb   0     0         en0  -    -   =>
  192.168.129/24    192.168.129.71             U      14    13622746  en0  -    -
  192.168.129.71    127.0.0.1                  UGHS   0     21576     lo0  -    -
  192.168.129.255   192.168.129.71             UHSb   0     0         en0  -    -

  Route tree for Protocol Family 24 (Internet v6):
  default           fe80::dead:beef:fefa:4bfe  UG     0     0         en0  -    -
  ::1%1             ::1%1                      UH     0     19198     lo0  -    -

Note: the gateway of the new IPv6 default route is the link-local (fe80::) address of the IPv6 router.
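The three changes the Impact section describes (a non-link-local IPv6 address appearing on the interface, the MTU dropping below 1500, and an IPv6 default route pointing at a link-local router) can be picked out of netstat output mechanically. The script below is an added example, not part of the CIS audit text or of AIX; it uses the page's own BEFORE/AFTER netstat output as constructed sample input so it runs without an AIX host, and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the CIS/Tenable page). Scans AIX netstat output for
# the state NDP autoconfiguration typically leaves behind:
#   1. a non-link-local IPv6 address on an interface       (netstat -ni)
#   2. an interface MTU below the expected baseline        (netstat -ni)
#   3. an IPv6 default route via a link-local (fe80::) gateway
#      (netstat -rn, "Protocol Family 24" tree)
# The sample data below is the page's own netstat output, embedded as
# constructed input; on a live host pipe real netstat output into the functions.

# Interfaces carrying an IPv6 address that is neither fe80:: nor ::1.
# Usage: ndp_global_v6_ifaces < netstat-ni-output
ndp_global_v6_ifaces() {
    awk 'NR > 1 && $3 ~ /:/ && tolower($3) !~ /^fe80:/ && $3 != "::1" { print $1 }' | sort -u
}

# Interfaces whose MTU is below the baseline given as $1 (e.g. 1500).
# Usage: ndp_mtu_below BASELINE < netstat-ni-output
ndp_mtu_below() {
    awk -v base="$1" 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 + 0 < base + 0 { print $1, $2 }' | sort -u
}

# "gateway interface" of any IPv6 default route whose gateway is link-local.
# Usage: ndp_v6_default_route < netstat-rn-output
ndp_v6_default_route() {
    awk '
        /^Route tree for Protocol Family 24/ { v6 = 1; next }
        /^Route tree for/                    { v6 = 0 }
        v6 && $1 == "default" && tolower($2) ~ /^fe80:/ { print $2, $6 }
    '
}

# Constructed sample input: the page's netstat output, whitespace-separated.
sample_before_ndp_rn() {
cat <<'EOF'
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 23 35660110 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default link#2 UC 0 0 en0 - -
::1%1 ::1%1 UH 0 19154 lo0 - -
EOF
}

sample_after_ndp_ni() {
cat <<'EOF'
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
...
en0 1492 192.168.129 192.168.129.71 105190883 0 49267729 1 0
en0 1492 BEEF:980:a9ea:1:deed:beef:fef7:6204 105190883 0 49267729 1 0
en0 1492 fe80::deed:beef:fef7:6204 105190883 0 49267729 1 0
EOF
}

sample_after_ndp_rn() {
cat <<'EOF'
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 17 35724295 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default fe80::dead:beef:fefa:4bfe UG 0 0 en0 - -
::1%1 ::1%1 UH 0 19198 lo0 - -
EOF
}

# Report on the sample. On a real host:  netstat -ni | ndp_global_v6_ifaces
echo "Non-link-local IPv6 address on:          $(sample_after_ndp_ni | ndp_global_v6_ifaces)"
echo "Interfaces below MTU 1500:               $(sample_after_ndp_ni | ndp_mtu_below 1500)"
echo "IPv6 default route via link-local gw:    $(sample_after_ndp_rn | ndp_v6_default_route)"
echo "Same check on the BEFORE output:         '$(sample_before_ndp_rn | ndp_v6_default_route)'"
```

On the BEFORE output the route check prints nothing (the only v6 default entry has gateway link#2), while the AFTER output yields en0 with MTU 1492, a global address, and a default route through fe80::dead:beef:fefa:4bfe; any of these on a host that is supposed to be statically configured is a sign that ndpd-host is still running.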

Solution

In /etc/rc.tcpip, comment out the ndpd-host entry:

chrctcp -d ndpd-host
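The audit condition this item checks is simply whether an uncommented start entry for ndpd-host remains in /etc/rc.tcpip. The script below is an added example, not part of the CIS audit text and not AIX tooling: it checks a copy of rc.tcpip for an active entry and shows, with sed, what "comment out the entry" does to the file. The rc.tcpip line format in the sample is an assumption for illustration, and the function names are its own; on a real system the fix stays the page's chrctcp -d ndpd-host.

```shell
#!/bin/sh
# Added example (not from the CIS/Tenable page, not AIX's own tooling).
# Checks an rc.tcpip file for an active ndpd-host start entry and shows what
# commenting the entry out looks like. The line format of the sample file is an
# assumption for illustration.

# Exit 0 if no uncommented "start ... ndpd-host" line exists in the file $1,
# 1 if the entry is active, 2 if the file cannot be read.
rc_tcpip_ndpd_host_disabled() {
    [ -r "$1" ] || return 2
    if grep -E '^[[:space:]]*start[[:space:]]+[^[:space:]]*ndpd-host([[:space:]]|$)' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Print the file $1 with any active ndpd-host start entry commented out:
# the file-level effect the page describes for "chrctcp -d ndpd-host".
comment_out_ndpd_host() {
    sed 's/^\([[:space:]]*\)\(start[[:space:]]\{1,\}[^[:space:]]*ndpd-host\)/\1#\2/' "$1"
}

# Constructed sample rc.tcpip fragment with the ndpd-host entry still active.
sample_rc_tcpip_enabled() {
cat <<'EOF'
# Start up Neighbor Discovery Protocol (NDP) host daemon
start /usr/sbin/ndpd-host "$src_running"

# An unrelated entry that is already commented out (left alone by the check)
#start /usr/sbin/routed "$src_running" -q
EOF
}

# Demonstration on a temporary copy; on AIX point the check at /etc/rc.tcpip.
tmp=${TMPDIR:-/tmp}/rc.tcpip.sample.$$
sample_rc_tcpip_enabled > "$tmp"
if rc_tcpip_ndpd_host_disabled "$tmp"; then
    echo "PASS: no active ndpd-host entry in $tmp"
else
    echo "FAIL: ndpd-host is started at boot in $tmp"
fi
comment_out_ndpd_host "$tmp" > "$tmp.fixed"
if rc_tcpip_ndpd_host_disabled "$tmp.fixed"; then
    echo "PASS: entry commented out in $tmp.fixed"
fi
rm -f "$tmp" "$tmp.fixed"
```

Commenting out the rc.tcpip entry only stops ndpd-host from being started at the next boot; an instance that is already running keeps its learned addresses and routes until it is stopped with stopsrc -s ndpd-host, and lssrc -s ndpd-host shows whether it is still active.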

Default Value:

Commented out

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 440997cf616a0978b0233a7e10bc58590a631613709bb10d72ff66fb71543d29