[ipv6hackers] Status on NDP Exhaustion Attacks?

Igor Gashinsky igor at yahoo-inc.com
Wed Sep 28 21:08:21 CEST 2011

On Tue, 27 Sep 2011, Fernando Gont wrote:

:: Hi, Jim,
:: On 09/27/2011 08:59 PM, Jim Small wrote:
:: > Are there any new defenses for NDP Exhaustion attacks: 
:: > http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
:: > 
:: > I have heard that Cisco has implemented some protection against this
:: > but I haven't uncovered any specifics just yet.
:: Clearly, I cannot speak for any vendors. But I can say that you should
:: expect improvements in the IPv6 stacks of several vendors (there are
:: some efforts in this area that I hope to share soon).
:: Unfortunately, vendors seem to be way too slow in this area, and
:: existing vulnerability disclosure procedures seem to be fundamentally
:: broken (so there are not that many options other than "full-disclosure,
:: and let it...break" :-), or "'responsible' disclosure", which in many
:: cases allows vendors to sit over vulnerabilities for years.
:: Discussions such as the ones we've been having on this list help to
:: raise awareness, including that of people that are in the position of
:: putting some "pressure" on vendors (i.e., fix this, or we won't buy from
:: you).

We've released an IETF draft on this topic, and have had fairly good 
success getting vendors to adopt most of these recommendations (with most 
of them shipping the fixes right before we published the draft, I know, 
shocking timing!):


Comments/feedback on the draft are always welcome.


   Igor Gashinsky
 igor at yahoo-inc.com |  cell 917.807.2213   | Do You... Yahoo?

