jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Why turn off Neighbor Discovery (ND)?

Sat Jun 17, 2017 12:51 am

On the MikroTik wiki, under Securing Your Router, MikroTik recommends turning off IPv6 Neighbor Discovery (ND). What security risk exists with having ND turned on? What will break when it is turned off?
 
gustavomam
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain
Contact:

Re: Why turn off Neighbor Discovery (ND)?

Sat Jun 17, 2017 2:30 pm

Hi.

It is a best practice in IPv4 too. It is the way to avoid sending network discovery packets to interfaces. A premise for security is: the less people know about you, the better for your security.

Through ND packets you send information like RouterOS version, software ID, platform, interface name, uptime, IP address, etc. So it is not a good idea to tell everybody this info.

You can activate it only on interfaces you trust, like the interface between your routers (administrated by you), but on a public interface it is not a good idea.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Why turn off Neighbor Discovery (ND)?

Sat Jun 17, 2017 10:42 pm

Hi.

It is a best practice in IPv4 too. It is the way to avoid sending network discovery packets to interfaces. A premise for security is: the less people know about you, the better for your security.

Through ND packets you send information like RouterOS version, software ID, platform, interface name, uptime, IP address, etc. So it is not a good idea to tell everybody this info.

You can activate it only on interfaces you trust, like the interface between your routers (administrated by you), but on a public interface it is not a good idea.

I think you're thinking of the RouterOS-based discovery (CDP and their own version, or LLDP, I can't remember):
/ip neighbor discovery
The OP is talking about the IPv6 Neighbor Discovery protocol. Now my viewpoint is that disabling IPv6 ND especially in RouterOS would be a pretty dimwitted thing to do. At least if you have upstream IPv6. If you don't then, yes it's probably a smart thing to do. The reason for the dimwittedness remark is because RouterOS does not have a DHCPv6 server implementation. Also, even if it did certain devices, namely Android phones, require IPv6 ND to function.

TL;DR: don't disable it unless you have a good reason to. Even in a LAN without upstream IPv6, local communications via link-local addressing could still take place over it. From a security standpoint you'd catch a lot more bees with honey, and that honey should be RA Guard. It's a feature in Cisco-land that acts a lot like ARP protection, but it can be applied with an ACL (possibly a bridge filter); you'd want to prevent host ports from sending RA messages (a type of IPv6 ND message), which can cause a man-in-the-middle attack.
 
jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Re: Why turn off Neighbor Discovery (ND)?

Sun Jun 18, 2017 4:27 am

Yes, I'm talking about IPv6 Neighbor Discovery, not anything specific to RouterOS.
The reason for the dimwittedness remark is because RouterOS does not have a DHCPv6 server implementation. Also, even if it did certain devices, namely Android phones, require IPv6 ND to function.

RouterOS does have a DHCPv6 server implementation. I don't know for how long, but at least since 6.37.

It seems to me rather than turn ND off altogether, we should just block damaging traffic. But in any case I'd like an explanation (links to articles would be fine) about what the security risk is of leaving it on.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Why turn off Neighbor Discovery (ND)?

Sun Jun 18, 2017 6:26 am

RouterOS does have a DHCPv6 server implementation. I don't know for how long but at least since 6.37.

Negative, ghost-rider. It has a DHCPv6 server, but it is limited to prefix delegation. It's completely useless for issuing individual addresses to hosts.

It seems to me rather than turn ND off altogether, we should just block damaging traffic. But in any case I'd like an explanation (links to articles would be fine) about what the security risk is of leaving it on.

I'd agree. ND should be left on and only disabled when it is sensible. Ideally, left on for all real router ports and disabled on ports that are not meant to route packets. Furthermore, you should filter inbound ICMPv6 RA messages on ports connected to hosts. This is to prevent a host from claiming to be a router and potentially man-in-the-middling the IPv6 hosts on the subnet.

http://www.cisco.com/c/en/us/td/docs/io ... guard.html

^^ Cisco doc on RA Guard. It can largely be replicated with an IPv6 ACL.
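A RouterOS-style equivalent of the RA filtering described above, as an added example that is not from this thread or from MikroTik's documentation. It assumes ether1 is the upstream, router-facing port, ether2 and ether3 are host ports, all are members of bridge1, and the router runs a RouterOS version with interface lists and in-bridge-port-list (6.41 or later); it uses the IPv6 firewall, which can match on the ICMPv6 type, rather than a bridge filter.

```routeros
# Constructed topology for this example: ether1 = upstream (trusted router),
# ether2/ether3 = host ports, all bridged on bridge1.

# Push bridged (host-to-host) frames through the IPv6 firewall, so the forward
# chain sees RAs that would otherwise only be switched between host ports.
/interface bridge settings
set use-ip-firewall=yes

# Group the ports where no legitimate router lives.
/interface list
add name=host-ports
/interface list member
add list=host-ports interface=ether2
add list=host-ports interface=ether3

# Router Advertisement = ICMPv6 type 134 (any code). Drop RAs that entered
# through a host port, whether addressed to this router (input) or bridged on
# to other hosts (forward). RAs from ether1 and this router's own RAs
# (/ipv6 nd) are not matched, so normal ND keeps working.
/ipv6 firewall filter
add chain=input in-bridge-port-list=host-ports protocol=icmpv6 \
    icmp-options=134:0-255 action=drop log=yes log-prefix="rogue-RA" \
    comment="RA guard: drop Router Advertisements from host ports"
add chain=forward in-bridge-port-list=host-ports protocol=icmpv6 \
    icmp-options=134:0-255 action=drop log=yes log-prefix="rogue-RA" \
    comment="RA guard: drop bridged Router Advertisements from host ports"
```

Place these rules above any rule that accepts ICMPv6 wholesale, and watch the log for the rogue-RA prefix: a hit identifies the host port on which a device is advertising itself as a router.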