[ipv6hackers] Status on NDP Exhaustion Attacks?

Fernando Gont fgont at si6networks.com
Wed Sep 28 08:12:48 CEST 2011

On 09/28/2011 02:43 AM, Owen DeLong wrote:
>> * A possible additional improvement (which "violates the spec") could be
>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>> sent, but no entry is created in the NC... and you'd create an entry
>> when receiving the corresponding NA (which would look as a "gratuitous
>> NA", since you would not be keeping track of the NS you had sent in the
>> first place)
> Since we're talking about security, wouldn't that basically open you up to NC
> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
> and intercept its traffic?

The aforementioned behavior does not affect any entries already present
in the NC, and hence does not make the vulnerability you describe any different.

One might argue that it would allow nodes to "create" NC entries at a
router by forging NAs (that are not in response to any NS sent by the
router). However, the same can be achieved by means of forged NS (that
include a source link-layer address option)... albeit with one
additional packet (i.e., the NA sent by the router in response to the
attacker's NS).

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
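
The trade-off discussed in this message, as an added example that is not part of the original post or of any router's code: a toy Python model of a neighbor cache that compares creating an entry when the NS is sent with the proposed behavior of creating it only when an NA arrives. The class, the capacity of 1024 and the 2001:db8:: addresses are constructed assumptions.

```python
# Toy model of a router's Neighbor Cache (NC); all names are hypothetical.
INCOMPLETE, REACHABLE, STALE = "INCOMPLETE", "REACHABLE", "STALE"

class NeighborCache:
    def __init__(self, capacity, deferred):
        self.capacity = capacity  # maximum number of entries held
        self.deferred = deferred  # True: proposal from the thread
        self.entries = {}         # IPv6 address -> (state, MAC or None)
        self.dropped = 0          # entries refused because the NC was full

    def _create(self, addr, state, mac):
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[addr] = (state, mac)
        return True

    def resolve(self, addr):
        """A packet must be forwarded to addr: an NS goes out if no entry exists."""
        if addr in self.entries or self.deferred:
            return True           # deferred mode: NS sent, nothing stored
        return self._create(addr, INCOMPLETE, None)

    def on_na(self, addr, mac):
        """A Neighbor Advertisement for addr was received."""
        if addr in self.entries:
            if self.entries[addr][0] == INCOMPLETE:
                self.entries[addr] = (REACHABLE, mac)
            return  # resolved entries: same in both modes (Override not modelled)
        if self.deferred:
            self._create(addr, REACHABLE, mac)  # looks like a gratuitous NA
        # otherwise: an NA with no matching entry is ignored

    def on_ns_with_sllao(self, src, mac):
        """An NS carrying a source link-layer address option creates a STALE entry."""
        if src not in self.entries:
            self._create(src, STALE, mac)

def run(deferred, capacity=1024, probes=5000):
    """Constructed workload: traffic to addresses nobody answers for, then one real host."""
    nc = NeighborCache(capacity, deferred)
    for i in range(probes):
        nc.resolve(f"2001:db8::{i + 1:x}")
    filled = len(nc.entries)
    legit = "2001:db8::ffff:1"
    nc.resolve(legit)
    nc.on_na(legit, "00:00:5e:00:53:01")
    return filled, legit in nc.entries
```
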
