[ipv6hackers] Status on NDP Exhaustion Attacks?

Owen DeLong owend at he.net
Wed Sep 28 17:40:36 CEST 2011

On Sep 27, 2011, at 11:12 PM, Fernando Gont wrote:

> On 09/28/2011 02:43 AM, Owen DeLong wrote:
>>> * A possible additional improvement (which "violates the spec") could be
>>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>>> sent, but no entry is created in the NC... and you'd create an entry
>>> when receiving the corresponding NA (which would look as a "gratuitous
>>> NA", since you would not be keeping track of the NS you had sent in the
>>> first place)
>> Since we're talking about security, wouldn't that basically open you up to NC
>> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
>> and intercept its traffic?
> The aforementioned behavior does not affect any entries already present
> in the NC, and hence does not make the vulnerability you describe any different.

Sure it does, it just means you have to get your gratuitous NA in ahead of the
real one.

> One might argue that it would allow nodes to "create" NC entries at a
> router by forging NAs (that are not in response to any NS sent by the
> router). However, the same can be achieved by means of forged NS (that
> include a source link-layer address option)... albeit with one
> additional packet (i.e., the NA sent by the router in response to the
> attacker's NS).
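
Added example, not part of the original message: a toy Python model of a router's Neighbor Cache that compares RFC 4861 behaviour with the "no entry until the NA arrives" variant debated in this thread. The class and function names, addresses, MACs and capacity are constructed for illustration; timers and the NA override flag are not modelled.

```python
# Added illustration: toy model of a router's Neighbor Cache (NC), not real NDP code.
# Addresses, MACs and the capacity are constructed sample values.

class NeighborCache:
    def __init__(self, capacity, stateless):
        self.capacity = capacity    # maximum number of NC entries
        self.stateless = stateless  # True: the proposed "no entry until the NA" variant
        self.entries = {}           # IPv6 address -> MAC, or None while INCOMPLETE

    def _store(self, addr, mac):
        if addr not in self.entries and len(self.entries) >= self.capacity:
            return False            # cache full, new entry refused
        self.entries[addr] = mac
        return True

    def resolve(self, addr):
        """Router needs addr's MAC and sends an NS. False if resolution cannot start."""
        if self.stateless or addr in self.entries:
            return True             # stateless variant sends the NS but stores nothing
        return self._store(addr, None)  # RFC 4861: create an INCOMPLETE entry

    def receive_na(self, addr, mac):
        """Process an NA. True if it created or completed an entry."""
        if addr in self.entries:
            if self.entries[addr] is not None:
                return False        # simplification: resolved entries are left untouched
            return self._store(addr, mac)   # completes the INCOMPLETE entry
        # RFC 4861 discards an NA when no entry exists; the variant accepts it.
        return self.stateless and self._store(addr, mac)

    def receive_ns(self, addr, mac):
        """Process an NS carrying a source link-layer address option."""
        if self.entries.get(addr) is not None:
            return False            # simplification: resolved entries are left untouched
        return self._store(addr, mac)       # creates an entry under both policies


def survives_scan(cache, host, probes):
    """Traffic to `probes` unused addresses, then to a real host: can it be resolved?"""
    for i in range(probes):
        cache.resolve(f"2001:db8::dead:{i:x}")
    return cache.resolve(host)


if __name__ == "__main__":
    for stateless in (False, True):
        nc = NeighborCache(capacity=4, stateless=stateless)
        print("stateless" if stateless else "rfc4861",
              "host resolvable after scan:", survives_scan(nc, "2001:db8::10", 100),
              "| unsolicited NA accepted:", nc.receive_na("2001:db8::11", "02:00:00:00:00:aa"))
```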


