[ipv6hackers] Status on NDP Exhaustion Attacks?

Owen DeLong owend at he.net
Wed Sep 28 17:40:36 CEST 2011


On Sep 27, 2011, at 11:12 PM, Fernando Gont wrote:

> On 09/28/2011 02:43 AM, Owen DeLong wrote:
>>> * A possible additional improvement (which "violates the spec") could be
>>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>>> sent, but no entry is created in the NC... and you'd create an entry
>>> when receiving the corresponding NA (which would look as a "gratuitous
>>> NA", since you would not be keeping track of the NS you had sent in the
>>> first place)
>>> 
>> Since we're talking about security, wouldn't that basically open you up to NC
>> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
>> and intercept its traffic?
> 
> The aforementioned behavior does not affect any entries already present
> in the NC, and hence does not make the vulnerability you describe any different.
> 

Sure it does, it just means you have to get your gratuitous NA in ahead of the
real one.

> One might argue that it would allow nodes to "create" NC entries at a
> router by forging NAs (that are not in response to any NS sent by the
> router). However, the same can be achieved by means of forged NS (that
> include a source link-layer address option)... albeit with one
> additional packet (i.e., the NA sent by the router in response to the
> attacker's NS).
> 

True.

Owen
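To make the two entry-creation rules being argued over concrete, here is a small added model (not from the thread or any implementation) of a router's Neighbor Cache: RFC 4861 behaviour, which creates an INCOMPLETE entry when the NS is sent, beside the proposed variant, which creates nothing until an NA arrives. It assumes a constructed on-link prefix 2001:db8::/64, a tiny cache limit, and simplified RFC 4861 7.2.5 NA processing; the two scenario functions compare what a sweep of never-answering addresses and what unsolicited NS/NA messages do to the cache under each rule.

```python
# Toy model of a router's Neighbor Cache (NC) under the two entry-creation rules
# discussed above: RFC 4861 (INCOMPLETE entry created when the NS is sent) and
# the proposed variant (no entry until an NA arrives). Values are constructed.

class NeighborCache:
    def __init__(self, lazy_create: bool, max_entries: int = 8) -> None:
        self.lazy_create = lazy_create   # True = proposed "no entry on NS" variant
        self.max_entries = max_entries   # finite NC memory (the exhaustion target)
        self.nc: dict = {}               # IPv6 target -> {"lladdr", "state"}

    def resolve(self, target: str) -> bool:
        # Router needs target's MAC; returns True if an NS goes out.
        if target in self.nc:
            return False
        if not self.lazy_create:
            if len(self.nc) >= self.max_entries:
                return False             # NC full: RFC 4861 router stalls here
            self.nc[target] = {"lladdr": None, "state": "INCOMPLETE"}
        return True

    def on_ns(self, src: str, sllao: str = "") -> None:
        # RFC 4861 7.2.3: an NS with a Source Link-Layer Address option creates or
        # refreshes a STALE entry for the sender under BOTH rules; router then replies.
        if sllao and src != "::":
            e = self.nc.setdefault(src, {"lladdr": None, "state": "STALE"})
            if e["lladdr"] != sllao:
                e.update(lladdr=sllao, state="STALE")

    def on_na(self, target: str, tlla: str, solicited: bool, override: bool) -> None:
        # RFC 4861 7.2.5, simplified (O=0 with a conflicting MAC is ignored here).
        e = self.nc.get(target)
        if e is None:
            if self.lazy_create:         # variant: the NA itself creates the entry
                self.nc[target] = {"lladdr": tlla, "state": "REACHABLE" if solicited else "STALE"}
            return                       # RFC 4861: NA for an unknown target is dropped
        if e["state"] == "INCOMPLETE" or override or e["lladdr"] == tlla:
            e.update(lladdr=tlla, state="REACHABLE" if solicited else "STALE")

def entries_after_sweep(lazy: bool, n: int = 100) -> int:
    # Forwarded traffic to n never-answering addresses in the on-link /64.
    nc = NeighborCache(lazy_create=lazy)
    for i in range(n):
        nc.resolve(f"2001:db8::{i:x}")
    return len(nc.nc)

def creates_entry(lazy: bool) -> dict:
    """Which unsolicited NDP message creates a brand-new entry under each rule."""
    nc = NeighborCache(lazy_create=lazy)
    nc.on_na("2001:db8::a", "02:00:00:00:00:0a", solicited=False, override=False)
    nc.on_ns("2001:db8::b", sllao="02:00:00:00:00:0b")
    return {"unsolicited_na": "2001:db8::a" in nc.nc, "ns_with_sllao": "2001:db8::b" in nc.nc}
```

Under RFC 4861 the sweep fills the cache with INCOMPLETE entries while the variant leaves it empty; an unsolicited NA creates an entry only under the variant, whereas an NS carrying an SLLAO creates one under both rules, which is the equivalence Fernando points out.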