[ipv6hackers] RA guard evasion
Eric Vyncke (evyncke)
evyncke at cisco.com
Wed May 15 00:49:02 CEST 2013
Andrew and Gert,
> > Would qualifying it "drop all fragments with link-local source" make
> > look a bit better ?
> Yes, there should never been link-local packets with fragments. No
> objections against that (of course the OS needs to verify that RAs etc. are
> really only sent from link-local addresses, but I sincerely hope they are
> getting this right).
Do not forget that while rogue RA is the main issue with NDP, plain NA spoofing is also possible and (getting too late here to re-read the RFC 4861) NA are sometimes sent from a non link-local address... and as the fragmented-ext-header-chain attack will also work against all SAVI switches monitoring NS/NA, dropping only link-local fragments will only displace the problem from rogue RA to rogue NA (less damaging but bad anyway)
Hope it helps
Kind regards and enjoy RIPE meeting & the Guinness ;)
More information about the Ipv6hackers