[ipv6hackers] IPv6 security presentation at Hack.lu 2011
    Jim Small 
    jim.small at cdw.com
       
    Tue Sep 27 03:41:03 CEST 2011
    
    
  
Owen,
I will point out that NDP spoofing is no worse than ARP spoofing in IPv4,
so, I'm not sure how you can say that it is not an equivalent level of first
hop security.
[JRS>] I believe I owe Fernando the credit for this, but my understanding of the difference is that you can't fragment ARP but you can fragment NDP.  Since NDP is based on IPv6 instead of an L2 protocol like ARP, which rides on Ethernet or the L2 technology, you can fragment it and use this to bypass ACLs or RA Guard.  AFAIK you can't do this with ARP.  There are proposals to fix this, but as far as I know a solution has not yet been implemented.
--Jim