[ipv6hackers] Status on NDP Exhaustion Attacks?

Fernando Gont fgont at si6networks.com
Wed Sep 28 02:47:57 CEST 2011


Hi, Jim,

On 09/27/2011 08:59 PM, Jim Small wrote:
> Are there any new defenses for NDP Exhaustion attacks: 
> http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
> 
> I have heard that Cisco has implemented some protection against this
> but I haven't uncovered any specifics just yet.

Clearly, I cannot speak for any vendors. But I can say that you should
expect improvements in the IPv6 stacks of several vendors (there are
some efforts in this area that I hope to share soon).

Unfortunately, vendors seem to be way too slow in this area, and
existing vulnerability disclosure procedures seem to be fundamentally
broken (so there are not that many options other than "full-disclosure,
and let it...break" :-), or "'responsible' disclosure", which in many
cases allows vendors to sit over vulnerabilities for years).

Discussions such as the ones we've been having on this list help to
raise awareness, including that of people that are in the position of
putting some "pressure" on vendors (i.e., fix this, or we won't buy from
you).


> The author's recommendation was to use smaller subnets than /64s.  My
> experience from teaching networking is that VLSM/Subnetting adds
> complexity and that if all host/server networks in IPv6 could be /64s
> it would make networking easier.
> 
> Is there a good solution to this problem besides smaller subnets? 

Basically:

* NC entries that are in the "INCOMPLETE" state should not interfere
with other entries.
* Limits should be applied to the number of entries in the NC (yes, this
is obvious, but still widely ignored in different parts of different stacks)
* A possible additional improvement (which "violates the spec") could be
that when an IPv6 address needs to be mapped to a MAC address, an NS is
sent, but no entry is created in the NC... and you'd create an entry
when receiving the corresponding NA (which would look like a "gratuitous
NA", since you would not be keeping track of the NS you had sent in the
first place)

That aside, I should mention that there is room for lots of improvements
in ND implementations. Basically, they fail to implement many obvious
sanity checks on the packets they receive. So you could take the NDP
exhaustion issue as "the tip of an iceberg".

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
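The three cache-handling changes listed in the reply above (a separate budget for INCOMPLETE entries so they cannot push out resolved neighbours, a hard cap on the cache, and the "solicit but create no entry until the NA arrives" variant) can be compared in a small model. The following is an added example written for this page, not code from the mail or from any vendor stack; the class name `NeighborCache`, the thresholds `max_entries`/`max_incomplete`, the `evict_on_full` and `lazy` switches, and the `2001:db8::/64` addresses are all constructed for illustration. The "naive" configuration evicts the oldest entry when the cache is full, which is the behaviour under which a burst of lookups for silent addresses displaces every resolved neighbour.

```python
"""Toy IPv6 neighbor-cache (NC) model showing how INCOMPLETE-entry
budgets, a hard cache cap, and NA-driven entry creation behave under a
burst of lookups for addresses that never answer. Example code; the
thresholds and addresses are constructed, not taken from any real stack."""
from dataclasses import dataclass, field
import ipaddress

INCOMPLETE = "INCOMPLETE"   # NS sent, no NA received yet
REACHABLE = "REACHABLE"     # NA received, MAC known


def _norm(addr: str) -> str:
    """Canonicalise the textual address so lookups are consistent."""
    return str(ipaddress.IPv6Address(addr))


@dataclass
class NeighborCache:
    max_entries: int = 16        # hard cap on the whole cache (hypothetical value)
    max_incomplete: int = 4      # separate budget for unresolved entries
    evict_on_full: bool = False  # naive behaviour: drop the oldest entry when full
    lazy: bool = False           # create entries only when an NA arrives
    entries: dict = field(default_factory=dict)   # addr -> state, insertion ordered
    ns_sent: list = field(default_factory=list)   # every NS this stack emitted
    dropped: int = 0                              # lookups refused a cache slot

    def _count(self, state: str) -> int:
        return sum(1 for s in self.entries.values() if s == state)

    def resolve(self, addr: str):
        """Called when the stack needs a MAC for addr (e.g. a packet to send)."""
        addr = _norm(addr)
        if addr in self.entries:
            return self.entries[addr]
        # An NS is solicited in every mode; the question is what state is kept.
        self.ns_sent.append(addr)
        if self.lazy:
            return None  # no NC state at all until the NA shows up
        if not self.evict_on_full and self._count(INCOMPLETE) >= self.max_incomplete:
            self.dropped += 1  # INCOMPLETE budget exhausted; resolved entries untouched
            return None
        if len(self.entries) >= self.max_entries:
            if self.evict_on_full:
                del self.entries[next(iter(self.entries))]  # evict oldest, whatever its state
            else:
                self.dropped += 1
                return None
        self.entries[addr] = INCOMPLETE
        return INCOMPLETE

    def receive_na(self, addr: str) -> bool:
        """Handle a Neighbor Advertisement for addr (assumed already sanity-checked)."""
        addr = _norm(addr)
        if addr in self.entries:
            self.entries[addr] = REACHABLE
            return True
        if self.lazy and len(self.entries) < self.max_entries:
            # Looks "gratuitous" because no NS was tracked; still bounded by the cap.
            self.entries[addr] = REACHABLE
            return True
        return False

    def summary(self) -> dict:
        return {
            "total": len(self.entries),
            "reachable": self._count(REACHABLE),
            "incomplete": self._count(INCOMPLETE),
            "dropped": self.dropped,
            "ns_sent": len(self.ns_sent),
        }


def run_scenario(**kwargs) -> dict:
    """Four real neighbours answer, then 100 lookups for silent addresses."""
    nc = NeighborCache(max_entries=16, max_incomplete=4, **kwargs)
    for i in range(1, 5):                       # constructed: neighbours that reply
        a = f"2001:db8::{i}"
        nc.resolve(a)
        nc.receive_na(a)
    for i in range(0x100, 0x164):               # constructed: 100 addresses, no reply
        nc.resolve(f"2001:db8::{i:x}")
    return nc.summary()


if __name__ == "__main__":
    for name, cfg in (("naive", {"evict_on_full": True}),
                      ("budgeted", {}),
                      ("lazy", {"lazy": True})):
        print(name, run_scenario(**cfg))
```

In the naive run every resolved neighbour is evicted and the cache ends up holding only INCOMPLETE entries for the last sixteen silent addresses; with the INCOMPLETE budget the four resolved neighbours survive and the surplus lookups are refused a slot (an NS is still sent for each); in the lazy mode the cache never changes size at all during the burst. The lazy mode's `receive_na` path is exactly where the "sanity checks on received packets" remark applies, since an unsolicited NA is now the only thing that creates state.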