[ipv6hackers] Status on NDP Exhaustion Attacks?
Owen DeLong
owend at he.net
Wed Sep 28 17:40:36 CEST 2011
On Sep 27, 2011, at 11:12 PM, Fernando Gont wrote:
> On 09/28/2011 02:43 AM, Owen DeLong wrote:
>>> * A possible additional improvement (which "violates the spec") could be
>>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>>> sent, but no entry is created in the NC... and you'd create an entry
>>> when receiving the corresponding NA (which would look as a "gratuitous
>>> NA", since you would not be keeping track of the NS you had sent in the
>>> first place)
>>>
>> Since we're talking about security, wouldn't that basically open you up to NC
>> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
>> and intercept its traffic?
>
> The aforementioned behavior does not affect any entries already present
> in the NC, and hence does not make the vulnerability you describe any different.
>
Sure it does, it just means you have to get your gratuitous NA in ahead of the
real one.
> One might argue that it would allow nodes to "create" NC entries at a
> router by forging NAs (that are not in response to any NS sent by the
> router). However, the same can be achieved by means of forged NS (that
> include a source link-layer address option)... albeit with one
> additional packet (i.e., the NA sent by the router in response to the
> attacker's NS).
>
True.
Owen
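The exchange above compares two ways a router can handle an outstanding Neighbor Solicitation: the RFC 4861 behaviour (create an INCOMPLETE Neighbor Cache entry when the NS is sent) and the spec-violating variant Fernando describes (send the NS, keep no state, and let the NA create the entry). The toy model below is an added example, not code from the list thread or from any real stack; it replays the three cases the two of them argue about (NC exhaustion by scanning an unused range, a forged NA with no NS outstanding, and a forged NS carrying a Source Link-Layer Address Option) under both policies. The NA and NS processing rules follow RFC 4861 sections 7.2.5 and 7.2.3; all addresses, MACs and the cache capacity are constructed values.

```python
"""Toy Neighbor Cache (NC) model comparing RFC 4861 behaviour with the
'no INCOMPLETE entry' variant discussed on the list. Illustrative only."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

INCOMPLETE, REACHABLE, STALE = "INCOMPLETE", "REACHABLE", "STALE"

# Constructed identifiers for the demonstrations (not from the thread).
ROUTER = "2001:db8::1"
VICTIM = "2001:db8::53"
VICTIM_MAC = "00:00:5e:00:53:01"
ATTACKER_MAC = "00:00:5e:00:53:ff"


@dataclass
class Entry:
    lladdr: Optional[str]
    state: str


@dataclass
class NeighborCache:
    # "rfc4861":       NS sent -> INCOMPLETE entry created (RFC 4861 7.2.2)
    # "no_incomplete": NS sent -> no entry; the NA that comes back creates it
    policy: str
    capacity: int
    entries: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)  # NS/NA messages the router emitted

    def resolve(self, addr: str) -> bool:
        """Router must forward to `addr`; returns False if resolution cannot start."""
        if addr in self.entries:
            return True
        if self.policy == "rfc4861":
            if len(self.entries) >= self.capacity:
                return False  # cache full: no INCOMPLETE entry, packet is dropped
            self.entries[addr] = Entry(None, INCOMPLETE)
        self.sent.append(("NS", addr))
        return True

    def receive_na(self, target: str, lladdr: str, solicited: bool, override: bool):
        """Neighbor Advertisement processing, RFC 4861 7.2.5."""
        e = self.entries.get(target)
        if e is None:
            if self.policy == "rfc4861":
                return  # no entry for the target: the NA is silently discarded
            if len(self.entries) >= self.capacity:
                return
            # Variant: no NS state was kept, so the NA itself creates the entry.
            self.entries[target] = Entry(lladdr, REACHABLE if solicited else STALE)
            return
        if e.state == INCOMPLETE:
            e.lladdr, e.state = lladdr, REACHABLE if solicited else STALE
            return
        if lladdr != e.lladdr and not override:
            if e.state == REACHABLE:
                e.state = STALE  # different address, no Override: keep old lladdr
            return
        if lladdr != e.lladdr:
            e.lladdr, e.state = lladdr, STALE  # Override set: take the new lladdr
        if solicited:
            e.state = REACHABLE

    def receive_ns(self, src: str, target: str, sllao: Optional[str] = None):
        """Neighbor Solicitation processing, RFC 4861 7.2.3: a Source Link-Layer
        Address Option creates/updates a STALE entry for the *sender*; then the
        router answers with an NA (the 'one additional packet' in the thread)."""
        if sllao is not None and src != "::":
            e = self.entries.get(src)
            if e is None:
                if len(self.entries) < self.capacity:
                    self.entries[src] = Entry(sllao, STALE)
            elif e.lladdr != sllao:
                e.lladdr, e.state = sllao, STALE
        self.sent.append(("NA", target, src))


def exhaustion(policy: str, capacity: int = 4, scans: int = 10):
    """Attacker makes the router resolve `scans` unused on-link addresses that
    never answer; returns (INCOMPLETE entries held, whether a real host resolves)."""
    nc = NeighborCache(policy, capacity)
    for i in range(scans):
        nc.resolve(f"2001:db8::dead:{i:x}")  # constructed, nobody answers
    incomplete = sum(e.state == INCOMPLETE for e in nc.entries.values())
    return incomplete, nc.resolve(VICTIM)


def forged_na(policy: str) -> Optional[str]:
    """Attacker injects an NA for VICTIM with no NS outstanding (Owen's concern)."""
    nc = NeighborCache(policy, 16)
    nc.receive_na(VICTIM, ATTACKER_MAC, solicited=False, override=True)
    return nc.entries[VICTIM].lladdr if VICTIM in nc.entries else None


def forged_ns(policy: str):
    """Attacker sends an NS to the router spoofing VICTIM's source address and
    carrying the attacker's MAC in the SLLAO (Fernando's equivalent vector)."""
    nc = NeighborCache(policy, 16)
    nc.receive_ns(src=VICTIM, target=ROUTER, sllao=ATTACKER_MAC)
    e = nc.entries[VICTIM]
    return e.lladdr, e.state, sum(m[0] == "NA" for m in nc.sent)


def na_race(policy: str) -> list:
    """Router solicits VICTIM; the attacker's NA arrives first, the genuine
    solicited NA (Override set) second. Returns the cached lladdr after each."""
    nc = NeighborCache(policy, 16)
    nc.resolve(VICTIM)
    nc.receive_na(VICTIM, ATTACKER_MAC, solicited=True, override=True)
    first = nc.entries[VICTIM].lladdr
    nc.receive_na(VICTIM, VICTIM_MAC, solicited=True, override=True)
    return [first, nc.entries[VICTIM].lladdr]
```

Running the four scenarios side by side shows where the two policies actually differ: only the forged-NA-with-no-outstanding-NS case, where the spec discards the NA and the variant caches it. The NS-plus-SLLAO vector creates a STALE entry for the spoofed source under both policies at the cost of one extra packet, and the race against an in-flight resolution plays out identically under both, so the variant buys resistance to INCOMPLETE-entry exhaustion without changing the poisoning picture for addresses that are already being resolved.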