[ipv6hackers] Status on NDP Exhaustion Attacks?
Igor Gashinsky
igor at yahoo-inc.com
Wed Sep 28 21:08:21 CEST 2011
On Tue, 27 Sep 2011, Fernando Gont wrote:
:: Hi, Jim,
::
:: On 09/27/2011 08:59 PM, Jim Small wrote:
:: > Are there any new defenses for NDP Exhaustion attacks:
:: > http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
:: >
:: > I have heard that Cisco has implemented some protection against this
:: > but I haven't uncovered any specifics just yet.
::
:: Clearly, I cannot speak for any vendors. But I can say that you should
:: expect improvements in the IPv6 stacks of several vendors (there are
:: some efforts in this area that I hope to share soon).
::
:: Unfortunately, vendors seem to be way too slow in this area, and
:: existing vulnerability disclosure procedures seem to be fundamentally
:: broken (so there are not that many options other than "full-disclosure,
:: and let it...break" :-), or "'responsible' disclosure", which in many
:: cases allows vendors to sit over vulnerabilities for years.
::
:: Discussions such as the ones we've been having on this list help to
:: raise awareness, including that of people that are in the position of
:: putting some "pressure" on vendors (i.e., fix this, or we won't buy from
:: you).
We've released an IETF draft on this topic, and have had fairly good
success getting vendors to adopt most of these recommendations (with most
of them shipping the fixes right before we published the draft, I know,
shocking timing!):
http://tools.ietf.org/html/draft-gashinsky-v6nd-enhance-00
http://tools.ietf.org/agenda/81/slides/6man-9.pdf
Comments/feedback on the draft are always welcome..
-igor
--------------------+----------------------+------------------
Igor Gashinsky | Network Architecture | Yahoo! Inc.
igor at yahoo-inc.com | cell 917.807.2213 | Do You... Yahoo?
--------------------+----------------------+------------------
More information about the Ipv6hackers
mailing list