[ipv6hackers] IPv6 security presentation at Hack.lu 2011
erey at ernw.de
Tue Sep 27 10:31:49 CEST 2011
On Tue, Sep 27, 2011 at 04:33:27AM +0200, fred wrote:
> I would then say that it is a bit more complicated to fool NDP than ARP
> because of its more sophisticated FSM, NUD, and so on...
> So why could NDP be worse than ARP? Because it can advertise a default
> router with a RA? If the answer is yes maybe there is a way (which I would
> not recommend anyway) to stop the router from sending RA and configure the
> end node from DHCPv6 or manually. Just like IPv4 would do.
nope. as DHCPv6 does (currently, and the respective IETF draft was discarded after v01) _not_ allow the distribution of a default router.
so a node just configured by means of DHCPv6 only will not be able to communicate outside its local-link space. [which can be a desired state, security-wise, but will probably seldom be desirable functionality-wise ;-)]
as for manual config, not sure if anybody here regards this as a viable way in the IPv6 world...
> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
> would really think the opposite...
> On 27/09/2011 03:28, "Owen DeLong" <owend at he.net> wrote:
> > I will point out that NDP spoofing is no worse than ARP spoofing in IPv4,
> > so, I'm not sure how you can say that it is not an equivalent level of first
> > hop security.
> > Owen
> Fred Bovy
> fred at fredbovy.com
> Skype: fredericbovy
> Mobile: +33676198206
> Siret: 5221049000017
> Twitter: http://twitter.com/#!/FredBovy
> Blog: http://fredbovyipv6.blogspot.com/
> ccie #3013
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
Blog: www.insinuator.net || Conference: www.troopers.de
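
Added example, not part of the original message: a Python sketch of the Router Advertisement fields (RFC 4861) behind the point above that a DHCPv6-configured node still depends on an RA for its default router. The helper names and the sample RA (documentation prefix 2001:db8:1::/64) are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134       # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3          # Prefix Information option
FLAG_M, FLAG_O = 0x80, 0x40  # RA flags: Managed (DHCPv6 addresses), Other config
PIO_FLAG_A = 0x40            # prefix flag: autonomous (SLAAC) address configuration


def build_ra(flags, router_lifetime, prefix, plen, prefix_flags):
    """Build a constructed RA body (checksum left 0; sample data only)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, prefix_flags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed


def parse_ra(icmp6):
    """Parse the RA fields that decide a host's default route and addressing."""
    if len(icmp6) < 16:
        raise ValueError("truncated Router Advertisement")
    mtype, code, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", icmp6[:16])
    if mtype != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "slaac_prefixes": []}
    off = 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option")
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # length is in 8-octet units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("bad option length")
        if otype == OPT_PREFIX_INFO and olen == 32 and icmp6[off + 3] & PIO_FLAG_A:
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["slaac_prefixes"].append(f"{prefix}/{icmp6[off + 2]}")
        off += olen
    return ra


def host_view(ra):
    """What a host takes from this RA: the route comes from the RA, not from DHCPv6."""
    sources = (("DHCPv6", ra["managed"]), ("SLAAC", bool(ra["slaac_prefixes"])))
    return {"default_router_from_ra": ra["router_lifetime"] > 0,  # lifetime 0: not a default router
            "addresses_from": [name for name, on in sources if on]}


# Constructed sample: DHCPv6-managed link (M=1, prefix A=0) that still needs the RA for its route.
SAMPLE_RA = build_ra(FLAG_M, 1800, "2001:db8:1::", 64, 0x80)

if __name__ == "__main__":
    print(host_view(parse_ra(SAMPLE_RA)))
```
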