[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jim Small jim.small at cdw.com
Tue Sep 27 05:04:47 CEST 2011


Fred,

So why could NDP be worse than ARP?
[JRS>] Better and worse.  Better in the sense that it has more features and flexibility.  Worse in the sense that since it uses IPv6 it can use (abuse) extension headers to bypass current security mechanisms like ACLs and RA Guard.

Because it can advertise a default router with an RA? If the answer is yes, maybe there is a way (which I would
not recommend anyway) to stop the router from sending RAs and configure the
end node from DHCPv6 or manually. Just like IPv4 would do.
[JRS>] Currently DHCPv6 is not capable of provisioning a default gateway; it relies on SLAAC for this.  So currently disabling SLAAC would prevent DHCPv6 from working.

Or is there anything else where NDP spoofing is worse than ARP spoofing? I
would really think the opposite...
[JRS>] I think it will end up being superior, but first the issues with extension header abuse and getting mainstream vendors like Microsoft and Apple to implement SeND must be addressed.

--Jim
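
The point above about extension headers getting NDP traffic past ACLs and RA Guard, as an added example that is not part of the original message: a filter that reads only the fixed header's Next Header field misses a Router Advertisement placed behind a Destination Options header, while one that walks the whole header chain finds it. The function names, the drop-when-undetermined policy and the sample packets (constructed, with checksums left at zero) are assumptions of this example.

```python
import struct

ICMPV6, FRAGMENT, AH, RA_TYPE = 58, 44, 51, 134
VARIABLE_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def naive_is_ra(pkt: bytes) -> bool:
    """Filter that looks only at the fixed header's Next Header field."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE

def classify(pkt: bytes) -> str:
    """Walk the whole header chain: 'ra', 'other' or 'undetermined'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined"
    nh, off = pkt[6], 40
    while True:
        if nh == ICMPV6:
            if off >= len(pkt):
                return "undetermined"  # upper-layer header not in this packet
            return "ra" if pkt[off] == RA_TYPE else "other"
        if nh in VARIABLE_EXT or nh == AH:
            if off + 2 > len(pkt):
                return "undetermined"
            size = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "undetermined"  # non-first fragment hides the upper layer
            size = 8
        else:
            return "other"  # TCP, UDP, ESP, No Next Header, ...
        nh, off = pkt[off], off + size

def ra_guard_verdict(pkt: bytes) -> str:
    """Assumed host-port policy: drop RAs and anything that cannot be classified."""
    return "forward" if classify(pkt) == "other" else "drop"

def ipv6_header(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed sample packets (not captured traffic)
RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
PLAIN_RA = ipv6_header(ICMPV6, RA)
HIDDEN_RA = ipv6_header(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)
LATER_FRAGMENT = ipv6_header(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 1) + bytes(8))
ECHO_REQUEST = ipv6_header(ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0]))
```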




