[ipv6hackers] Status on NDP Exhaustion Attacks?

Owen DeLong owend at he.net
Wed Sep 28 19:16:32 CEST 2011

On Sep 28, 2011, at 10:07 AM, Fernando Gont wrote:

> On 09/28/2011 12:40 PM, Owen DeLong wrote:
>>>>> * A possible additional improvement (which "violates the spec") could be
>>>>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>>>>> sent, but no entry is created in the NC... and you'd create an entry
>>>>> when receiving the corresponding NA (which would look as a "gratuitous
>>>>> NA", since you would not be keeping track of the NS you had sent in the
>>>>> first place)
>>>> Since we're talking about security, wouldn't that basically open you up to NC
>>>> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
>>>> and intercept it's traffic?
>>> The aforementioned behavior does not affect any entries already present
>>> in the NC, and hence does not the vulnerability you describe any different.
>> Sure it does, it just means you have to get your gratuitous NA in ahead of the
>> real one.
> How is this different from a normal NA-spoofing attack in which the
> target does not honour gratuitous NAs?

It's all about window of opportunity.

If it honors gratuitous NA, you can send your NA attack any time before it has
a proper NA from the real host, If it does not, then, you have to get in between
the NS and the real NA, which is a much smaller window.


More information about the Ipv6hackers mailing list