[ipv6hackers] RA guard evasion

Eric Vyncke (evyncke) evyncke at cisco.com
Wed May 15 01:05:05 CEST 2013


FX

Thanks for your prompt reply

Point taken regarding the grammar being obvious.

Now, your 2nd point is also fair but I am afraid that the performance would be something such as 10 Gbps for all 48 ports (so about 0.5 Tbps) going down to 100 Mbps aggregated (just a vaguely educated guess) for fragmented packets. Not sure whether network operators would be happy. If they were happy to slowwwww down fragmentation throughput, then the problem would indeed be fixed easily in software.

Now, really going to get some sleep ;-)

-éric

> -----Original Message-----
> From: Felix 'FX' Lindner [mailto:fx at recurity-labs.com]
> Sent: Wednesday 15 May 2013 00:59
> To: Eric Vyncke (evyncke)
> Cc: IPv6 Hackers Mailing List; Pivarník Jozef
> Subject: Re: [ipv6hackers] RA guard evasion
> 
> Hi,
> 
> On Tue, 14 May 2013 22:28:21 +0000 "Eric Vyncke (evyncke)"
> <evyncke at cisco.com> wrote:
> > Regarding your last question, here is my point of view:
> > a) obviously IPv6 grammar is correct but of course attackers deviate
> > from this grammar (e.g. overlapping fragments hence RFC 5722)
> 
> ... or the grammar wasn't correct/precise/well-defined in this case. I
> learned the hard way to be careful with "obviously correct" anywhere in the
> languages we speak about here. The need for RFC 5722 underlines my argument
> IMHO.
> 
> > b) and indeed, for now and for the price (even for pricey switches)
> > doing re-assembly at 10 Gbps per port is simply not affordable (even
> > if doable), so, we (the vendors/industry/IETF) need to find a layman
> > way to fix the attack...
> 
> And that is exactly where I think the difference is! Why do we need to
> change the spec (for everyone) for a "corner case", although a very very
> important one? Drop all fragmented packets at the switch, configurable. Why
> change the grammar? Why not clearly say: "10Gbps without frags, 31.337%
> performance with frag reassembly" on every device and be done?
> 
> Basically, the performance problem goes away with time. A patchwork grammar
> with many side-effects and ambiguities stays forever.
> 
> Thanks for your response!
> cheers
> FX
> 
> --
> Recurity Labs GmbH           | Felix 'FX' Lindner
> http://www.recurity-labs.com | fx at recurity-labs.com
> Wrangelstrasse 4             | Fon: +49 30 69539993-0
> 10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05
> Germany                      |      13B3 1759 C388 C92D 6BBB
> HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
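
The "drop all fragmented packets at the switch, configurable" option from the thread, sketched as a stateless per-packet check next to the reassembly alternative. This is an added example, not code from either poster or from any vendor; the name `classify`, the verdict strings and the sample packets are constructed for illustration.

```python
import struct

HOP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 43, 44, 51, 58, 60
ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement

def classify(pkt: bytes, drop_fragments: bool = True) -> str:
    """Stateless verdict for one IPv6 packet on a host-facing port (hypothetical policy)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop-malformed"
    nxt, off = pkt[6], 40
    while True:
        if nxt == FRAGMENT:
            # The fast path never reassembles: drop, or hand over to a slow path.
            return "drop-fragment" if drop_fragments else "slow-path-reassembly"
        if nxt in (HOP, ROUTING, DSTOPTS, AH):
            if off + 2 > len(pkt):
                return "drop-malformed"
            # AH counts 4-byte words minus 2; the others count 8-byte units minus 1.
            hdr_len = (pkt[off + 1] + 2) * 4 if nxt == AH else (pkt[off + 1] + 1) * 8
            nxt, off = pkt[off], off + hdr_len
            continue
        if nxt == ICMPV6 and off < len(pkt) and pkt[off] == ROUTER_ADVERT:
            return "drop-ra"
        return "forward"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed payloads; checksums are left at zero because the check ignores them.
RA = bytes([ROUTER_ADVERT]) + bytes(15)
ECHO = bytes([128]) + bytes(7)
PLAIN_RA = ipv6(ICMPV6, RA)
DSTOPT_RA = ipv6(DSTOPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)  # one PadN option
FRAG_ECHO = ipv6(FRAGMENT, bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1]) + ECHO)
PLAIN_ECHO = ipv6(ICMPV6, ECHO)

if __name__ == "__main__":
    for name in ("PLAIN_RA", "DSTOPT_RA", "FRAG_ECHO", "PLAIN_ECHO"):
        print(name, classify(globals()[name]), classify(globals()[name], False))
```

With `drop_fragments=False` every packet carrying a Fragment header goes to the slow path, which is the throughput cost the two posters are arguing about.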


