[ipv6hackers] Status on NDP Exhaustion Attacks?

Fernando Gont fgont at si6networks.com
Wed Sep 28 23:39:34 CEST 2011

On 09/28/2011 02:16 PM, Owen DeLong wrote:
>>>>>> * A possible additional improvement (which "violates the spec") could be
>>>>>> that when an IPv6 address needs to be mapped to a MAC address, an NS is
>>>>>> sent, but no entry is created in the NC... and you'd create an entry
>>>>>> when receiving the corresponding NA (which would look as a "gratuitous
>>>>>> NA", since you would not be keeping track of the NS you had sent in the
>>>>>> first place)
>>>>> Since we're talking about security, wouldn't that basically open you up to NC
>>>>> poisoning attacks where someone could inject a gratuitous NA for $IMPORTANT_HOST
>>>>> and intercept its traffic?
>>>> The aforementioned behavior does not affect any entries already present
>>>> in the NC, and hence does not make the vulnerability you describe any different.
>>> Sure it does, it just means you have to get your gratuitous NA in ahead of the
>>> real one.
>> How is this different from a normal NA-spoofing attack in which the
>> target does not honour gratuitous NAs?
> It's all about window of opportunity.
> If it honors gratuitous NA, you can send your NA attack any time before it has
> a proper NA from the real host. If it does not, then you have to get in between
> the NS and the real NA, which is a much smaller window.

Since NS messages are typically sent from time to time for the purpose
of NUD, it's always possible to perform this sort of attack.

That said, you don't need to permanently enable the aforementioned
behavior; i.e., you could enable it only when the number of entries in
the NC reaches some threshold. *And* it would take effect only for *new*
NC entries.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
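As an added illustration (not code from this thread or from SI6 Networks), the following toy neighbor cache model implements the threshold-gated behaviour Fernando describes: an NS is sent without creating an NC entry once the cache is past a threshold, an NA then creates an entry only for addresses not already present, and existing entries are never touched. Addresses, MACs and the threshold value are constructed assumptions.

```python
# Toy neighbor cache (NC) model; constructed for illustration, not a real stack.
class NeighborCache:
    def __init__(self, threshold):
        self.threshold = threshold   # NC size at which NS-without-entry mode turns on
        self.entries = {}            # ipv6 -> {"state": ..., "mac": ...}
        self.ns_sent = []            # NS messages emitted, kept only for inspection

    def deferred_mode(self):
        # The "violates the spec" behaviour is active only once the NC is this full.
        return len(self.entries) >= self.threshold

    def resolve(self, ip):
        """A packet needs a MAC for ip: always send an NS, but create the usual
        INCOMPLETE entry only while in normal (RFC 4861) mode."""
        if ip in self.entries:
            return self.entries[ip]
        self.ns_sent.append(ip)
        if not self.deferred_mode():
            self.entries[ip] = {"state": "INCOMPLETE", "mac": None}
        return self.entries.get(ip)

    def receive_na(self, ip, mac):
        """An NA arrives. An existing REACHABLE entry is left alone; an INCOMPLETE
        entry is completed; an NA for an unknown address creates an entry only in
        deferred mode (this is the window the thread argues about)."""
        entry = self.entries.get(ip)
        if entry is not None:
            if entry["state"] == "INCOMPLETE":        # answers an NS we sent
                entry.update(state="REACHABLE", mac=mac)
                return "completed"
            return "ignored"                           # existing mapping untouched
        if self.deferred_mode():
            self.entries[ip] = {"state": "REACHABLE", "mac": mac}
            return "created"
        return "dropped"                               # unsolicited NA, normal mode


def simulate(threshold=4, flood_size=1000):
    """Constructed scenario: one legitimate neighbour, then traffic to many unused
    on-link addresses (the NDP exhaustion pattern), then two NAs during the flood."""
    nc = NeighborCache(threshold)
    nc.resolve("2001:db8::1")                          # legitimate host, normal mode
    nc.receive_na("2001:db8::1", "00:00:5e:00:53:01")
    for i in range(flood_size):                        # NC stays bounded by threshold
        nc.resolve(f"2001:db8::dead:{i:x}")
    spoof = nc.receive_na("2001:db8::1", "00:00:5e:00:53:ff")   # existing entry
    new = nc.receive_na("2001:db8::2", "00:00:5e:00:53:02")     # unknown address
    return {"entries": len(nc.entries), "ns_sent": len(nc.ns_sent), "spoof": spoof,
            "legit_mac": nc.entries["2001:db8::1"]["mac"], "new_unknown": new}
```

Running `simulate()` shows the NC holding only threshold entries plus one despite a thousand resolutions, the spoofed NA for the already-cached host being ignored, and the unknown-address NA being accepted only because deferred mode is active.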
