ipv6mon v1.0 released! (IPv6 address monitoring daemon)

Jeroen Massar jeroen at unfix.org
Thu Sep 13 12:31:00 UTC 2012

On 2012-09-13 14:21 , Fernando Gont wrote:
> Folks,
> We are pleased to announce the release of ipv6mon v1.0!
> ** Description **
> ipv6mon (<http://www.si6networks.com/tools/ipv6mon>) is a tool for
> monitoring IPv6 address usage on a local network. It is meant to be
> particularly useful in networks that employ IPv6 Stateless Address
> Auto-Configuration (as opposed to DHCPv6), where address assignment is
> decentralized and there is no central server that records which IPv6
> addresses have been assigned to which nodes during which period of time.
> ipv6mon employs active probing to discover IPv6 addresses in use, and
> determine whether such addresses remain active.

You mean, like what NDPMon has been delivering for several years already:

>From http://ndpmon.sourceforge.net/
The Neighbor Discovery Protocol Monitor (NDPMon) is a diagnostic
software application used by Internet Protocol version 6 network
administrators for monitoring ICMPv6 packets. NDPMon observes the local
network for anomalies in the function of nodes using Neighbor Discovery
Protocol (NDP) messages, especially during the Stateless Address
Autoconfiguration. When an NDP message is flagged, it notifies the
administrator by writing to the syslog or by sending an email report. It
may also execute a user-defined script. For IPv6, NDPMon is an
equivalent of Arpwatch for IPv4, and has similar basic features with
added attacks detection.

NDPMon runs on Linux distributions (available in Debian repositories and
in Ubuntu 12.10 and later), Mac OS X, FreeBSD (available as port),
NetBSD and OpenBSD. It uses a configuration file containing the expected
and valid behavior for nodes and routers on the link. This includes the
routers addresses (MAC and IP) and the prefixes, flags and parameters

NDPMon also maintains up-to-date a list of neighbors on the link and
watches all advertisements and changes. It permits to track the usage of
cryptographically generated interface identifiers or temporary global
addresses when Privacy extensions are enabled (default behavior in
Ubuntu and Windows for example), or Cryptographically Generated
Addresses are in use.

arpwatch + ndpmon are kind of a requirement in a network where you are
not sure who can plug-in to it (especially when not using 802.1x on
links or when having a 'weak'/known password for the wireless), are they
not? :)


More information about the NANOG mailing list