[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

Subject: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 14 Jul 2011 22:35:40 -0400
In-reply-to: <[email protected]>
References: <[email protected]> <CAPWAtbK4RsZphj=TdsZ9CvJTEMB26VQmdQxKvtTxP670mhJx5A@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAPWAtbJSqR9cajRMn=1jXA8iwoGa+Q45KPf-uwXxyR9MKksm5w@mail.gmail.com> <[email protected]> <CAPWAtbJBLMTT9ySBgob1CjAOsVJGeGvb4jO5043=-WD7q_-vWA@mail.gmail.com> <CAAAwwbXDd-OoMPaSzXFhj1GAytFUOipvP+kd3sYZEfScRba4gA@mail.gmail.com> <1310429850.2382.26.camel@karl> <[email protected]> <CAAAwwbWV8SG_SJkR0V8MqKDZPvKVSv0Sa3uRegEEWrWh0QWHrQ@mail.gmail.com> <[email protected]>

On Jul 14, 2011, at 10:06 PM, Fernando Gont <fernando at gont.com.ar> wrote:

>> It should be possible to mitigate this, so long as the attack does not actually
>> originate from a neighbor on the same subnet as a router  IP interface on
>> an IPv6 subnet with sufficient number of IPs.
> 
> Well, unless there's some layer-2 anti-spoofing mitigation in place,
> with /64 subnets the "local attacker" typically *will* have enough
> addresses.

Solving a local attack is something I consider different in scope than the current draft being discussed in 6man, v6ops, ipv6@ etc...

Anyone on a layer-2 network can do something interesting like flood all f's and kill the lan. Trying to keep the majority of thoughts here for layer-3 originated attacks, even if the target is a layer2 item.

- Jared

Follow-Ups:
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: fernando at gont.com.ar (Fernando Gont)
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: mysidia at gmail.com (Jimmy Hess)
- NDP DoS attack
  - From: fw at deneb.enyo.de (Florian Weimer)

References:
- Why is IPv6 broken?
  - From: networkjoe at hotmail.com (Bob Network)
- Why is IPv6 broken?
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- Why is IPv6 broken?
  - From: dmiller at tiggee.com (David Miller)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: jeroen at unfix.org (Jeroen Massar)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: bicknell at ufp.org (Leo Bicknell)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: owen at delong.com (Owen DeLong)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- Anybody can participate in the IETF (Was: Why is IPv6 broken?)
  - From: mysidia at gmail.com (Jimmy Hess)
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: kauer at biplane.com.au (Karl Auer)
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: fernando at gont.com.ar (Fernando Gont)
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: mysidia at gmail.com (Jimmy Hess)
- NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
  - From: fernando at gont.com.ar (Fernando Gont)

Prev by Date: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
Next by Date: Enterprise Internet - Question
Previous by thread: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
Next by thread: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
Index(es):
- Date
- Thread