IPv6 NDP DoS issue

You can address the IPv6 Neighbor Discovery Protocol (NDP) denial-of-service (DoS) issue at the Routing Engine. Unlike IPv4 subnets, IPv6 subnets have large address spaces in which the majority of addresses remain unassigned. When a network scan tool or an attacker initiates traffic to nonexistent hosts through a router on a subnet that is directly connected to the router, the router attempts to perform address resolution on a large number of destinations. This condition can prevent the router from resolving new neighbors, make existing neighbors unreachable, and also result in a DoS attack.

NDP inspection or protection addresses the NDP DoS issue by prioritizing NDP activities on the Routing Engine. At the ingress router, neighbor discovery (ND) packets are classified and handled according to a predefined priority with multiple ingress queues. On the egress path, neighbor solicitations (NS) sent for previously unseen hosts are handled with a lower priority by deferring the process of next-hop creation and sending out the packet.
Product / Application    Software    Introduced Release
MX5                      Junos OS    16.1R1
MX10                     Junos OS    16.1R1
MX40                     Junos OS    16.1R1
MX80                     Junos OS    16.1R1
MX104                    Junos OS    16.1R1
MX204                    Junos OS    17.4R1
MX240                    Junos OS    16.1R4
MX240                    Junos OS    16.1R1
MX301                    Junos OS    25.4R1
MX304                    Junos OS    22.2R3
MX480                    Junos OS    16.1R4
MX480                    Junos OS    16.1R1
MX960                    Junos OS    16.1R4
MX960                    Junos OS    16.1R1
MX2010                   Junos OS    16.1R4
MX2010                   Junos OS    16.1R1
MX2020                   Junos OS    16.1R4
MX2020                   Junos OS    16.1R1
MX10003                  Junos OS    17.3R1
MX10004                  Junos OS    22.3R1
MX10008                  Junos OS    18.2R1
MX10016                  Junos OS    19.2R1