[ipv6hackers] Status on NDP Exhaustion Attacks?

Jim Small jim.small at cdw.com
Sat Oct 1 20:57:17 CEST 2011


Igor,

> :: On 09/27/2011 08:59 PM, Jim Small wrote:
> :: > Are there any new defenses for NDP Exhaustion attacks:
> :: > http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
> :: >
> :: > I have heard that Cisco has implemented some protection against this
> :: > but I haven't uncovered any specifics just yet.
> ::
> :: Clearly, I cannot speak for any vendors. But I can say that you should
> :: expect improvements in the IPv6 stacks of several vendors (there are
> :: some efforts in this area that I hope to share soon).
> ::
> :: Unfortunately, vendors seem to be way too slow in this area, and
> :: existing vulnerability disclosure procedures seem to be fundamentally
> :: broken (so there are not that many options other than "full-disclosure,
> :: and let it...break" :-), or "'responsible' disclosure", which in many
> :: cases allows vendors to sit over vulnerabilities for years.
> ::
> :: Discussions such as the ones we've been having on this list help to
> :: raise awareness, including that of people that are in the position of
> :: putting some "pressure" on vendors (i.e., fix this, or we won't buy from
> :: you).
> 
> We've released an IETF draft on this topic, and have had fairly good
> success getting vendors to adopt most of these recommendations (with most
> of them shipping the fixes right before we published the draft, I know,
> shocking timing!):
> 
> http://tools.ietf.org/html/draft-gashinsky-v6nd-enhance-00
> http://tools.ietf.org/agenda/81/slides/6man-9.pdf
> 
> Comments/feedback on the draft are always welcome.

Thank you, I wasn't aware of that and it's very helpful.

--Jim



