Provided by: ndpmon_1.4.0-2_amd64
NAME
config_ndpmon.xml - Configuration file for ndpmon
DESCRIPTION
This manual page documents briefly the various options for configuring ndpmon. NDPMon uses two configuration files, whose locations are: /etc/ndpmon/config_ndpmon.xml /var/lib/ndpmon/neighbor_list.xml DTDs have been written for these two files: config_ndpmon.dtd neighbor_list.dtd The Neighbor List is filled by the program itself, while running or during a learning period. The configuration file itself has to be filled in by the administrator. Basic configuration example Here is an example of a configuration file for NDPMON: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE config_ndpmon SYSTEM "/etc/ndpmon/config_ndpmon.dtd"> <config_ndpmon> <ignor_autoconf>1</ignor_autoconf> <syslog_facility>LOG_LOCAL1</syslog_facility> <admin_mail>frederic.beck@loria.fr</admin_mail> <actions_low_pri> <sendmail>1</sendmail> <syslog>1</syslog> <exec_pipe_program>/usr/lib/ndpmon/demopipeprogram.pl</exec_pipe_program> </actions_low_pri> <actions_high_pri> <sendmail>1</sendmail> <syslog>1</syslog> <exec_pipe_program>/usr/lib/ndpmon/demopipeprogram.pl</exec_pipe_program> </actions_high_pri> <use_reverse_hostlookups>1</use_reverse_hostlookups> <routers> <router> <mac>00:13:72:14:C4:58</mac> <lla>fe80:213:72ff:fe14:c458</lla> <prefixes> <prefix> <address>2001:660:4501:32:</address> <mask>64</mask> </prefix> </prefixes> <addresses> <address>2001:660:4501:32::1</address> </addresses> </router> </routers> </config_ndpmon> ignor_autoconf /proc/sys/net/ipv6/conf/all/autoconf /proc/sys/net/ipv6/conf/all/accept_ra /proc/sys/net/ipv6/conf/all/accept_ra_defrtr /proc/sys/net/ipv6/conf/all/ra_pinfo /proc/sys/net/ipv6/conf/all/accept-ra_redirects By setting this parameter to 0, the host will ignore all Router Advertisements or ICMPv6 Redirects, and will thus not be sensitive to attacks on these messages, but should still be able to send the alerts to the monitoring station. Caution: the administrator must be aware that this will disable the possibility for the host to use IPv6 Address Autoconfiguration, which could cause trouble in case of a renumbering or a modification in the network's topology. syslog_facility This parameter sets the facility Syslog will use for logging. To redirect messages to a dedicated log file, reconfigure the syslog daemon itself. admin_mail The email address to which the ndpmon daemon will send alerts. The default is set to root@localhost. actions_low_pri/actions_high_pri Enable or disable the alerts sendmail: send an email to the administrator email address syslog: syslog the message exec_pipe_program: the program to call to capture the reports and do whatever you want with it (see demopipeprogram.pl in the source code) routers A router is defined with its MAC and Link Local addresses. It also contains the list of prefixes advertised by this router, and eventually the global addresses set on its interfaces. This new definition makes possible to check the tuple (MAC, LLA, PREFIX) in the received Router Advertisements, instead of checking them separately in version 0.1. In version 1.4.0, additional tags were introduced to check the parameters of a Router Advertisement. For details see below. Configuring the Router Advertisement parameter check In version 1.4.0, further checks for Router Advertisements (RAs) were introduced which assume that the RA parameters do not change during operation. Those values may be learned during the learning phase of NDPMon or they may be configured manually. This behavior is optional. If you do not include the additional parameters, no checks will be performed. Below you will find an example of a more complex router definition: <router> <mac>00:11:22:33:44:55</mac> <lla>fe80:0:0:0:211:22ff:fe33:4455</lla> <param_curhoplimit>64</param_curhoplimit> <param_flags_reserved>0</param_flags_reserved> <param_router_lifetime>10800</param_router_lifetime> <param_reachable_timer>0</param_reachable_timer> <param_retrans_timer>0</param)retrans_timer> <param_mtu>0</param_mtu> <params_volatile>0</params_volatile> <prefixes> <prefix> <address>2001:db8:1234:5678:0:0:0:0</address> <mask>64</mask> <param_flags_reserved>224</param_flags_reserved> <param_valid_time>2592000</param_valid_time> <param_preferred_time>604800</param_preferred_time> </prefix> </prefixes> <addresses/> </router> params_volatile Indicates if the router params may change during operation. A value of 0 means that values do not change, a non-zero values means parameters may change. If this tag is not present, its value is assumed to be non-zer0 (1). If you want NDPMon to check RA parameters for this router, include the tag param_voltile with a value of zero. If param_volatile is set to zero, you should at least include the router param_flags_reserved tag and the param_tags for each prefix. param_flags_reserved The flags of a RA or a RA prefix information option, stored as an unsigned integer. If this tag is not present, it does not indicate that this is unspecified, but that no flags are set! param_curhoplimit, param_router_lifetime, param_reachable_timer, param_retrans_timer, param_mtu Contains the values of the corresponding RA fields (or the MTU option). If those tags are not present, this indicates that they are not specified, and the corresponding value of a RA will not be checked. prefix: param_flags_reserved, param_valid_time, param_preferred_time The parameters of prefixes advertised. These tags should be present for each prefix if parameters are checked, because prefix parameters cannot be unspecified. If they are not present, their value is assumed to be zero (which is, concerning the prefix lifetimes, usually not desired). Configuring the countermeasures plugin Below you will find an example configuration for the countermeasures plugin. If the tag countermeasures is not present, all countermeasures are suppressed. <countermeasures> <kill_illegitimate_router>RESPOND</kill_illegitimate_router> <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix> <propagate_router_params>CEASE AFTER 10</propagate_router_params> <indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence> </countermeasures> SUPPRESS The countermeasure is turned off (default value for each configuration tag not present). RESPOND Each call to this countermeasure result in a reaction. CEASE AFTER max For max calls, each call to this countermeasure results in a reaction. After the max'th call, the countermeasure is suppressed. max may be a number up to 255. This may be used to precent NDPMon from contributing to a Denial of Service attack, but to have a "first response" countermeasure. LAUNCH AFTER min For min calls, this countermeasure is suppressed. After the min'th call, each call to the countermeasure results in a reaction. min may be a number up to 255.
AUTHOR
ndpmon was written by Thibault Cholez. This manual page was copied from the configuration web page (http://ndpmon.sourceforge.net/configuration.html) by John R. Baskwill <jrb28@psu.edu>, for the Debian project (and may be used by others). July 31, 2011 CONFIG_NDPMON.XML(8)