[ipv6hackers] RA guard evasion

Eric Vyncke (evyncke) evyncke at cisco.com
Wed May 15 00:49:02 CEST 2013

Andrew and Gert,

> > Would qualifying it "drop all fragments with link-local source" make
> > look a bit better ?
> Yes, there should never been link-local packets with fragments.  No
> objections against that (of course the OS needs to verify that RAs etc. are
> really only sent from link-local addresses, but I sincerely hope they are
> getting this right).

Do not forget that while rogue RA is the main issue with NDP, plain NA spoofing is also possible and (getting too late here to re-read the RFC 4861) NA are sometimes sent from a non link-local address... and as the fragmented-ext-header-chain attack will also work against all SAVI switches monitoring NS/NA, dropping only link-local fragments will only displace the problem from rogue RA to rogue NA (less damaging but bad anyway)

Hope it helps

Kind regards and enjoy RIPE meeting & the Guinness ;)


More information about the Ipv6hackers mailing list