[ipv6hackers] RA guard evasion

Felix 'FX' Lindner fx at recurity-labs.com
Wed May 15 00:59:11 CEST 2013


On Tue, 14 May 2013 22:28:21 +0000 "Eric Vyncke (evyncke)"
<evyncke at cisco.com> wrote:
> Regarding your last question, here is my point of view:
> a) obviously IPv6 grammar is correct but of course attackers deviate
> from this grammar (e.g. overlapping fragments hence RFC 5722) 

... or the grammar wasn't correct/precise/well-defined in this case. I
learned the hard way to be careful with "obviously correct" anywhere in
the languages we speak about here. The need for RFC 5722 underlines my
argument IMHO.

> b) and indeed, for now and for the price (even for pricey switches)
> doing re-assembly at 10 Gbps per port is simply not affordable (even
> if doable), so, we (the vendors/industry/IETF) need to find a layman
> way to fix the attack...

And that is exactly where I think the difference is! Why do we need to
change the spec (for everyone) for a "corner case", although a very
very important one? Drop all fragmented packets at the switch,
configurable. Why change the grammar? Why not clearly say: "10Gbps
without frags, 31.337% performance with frag reassembly" on every
device and be done?

Basically, the performance problem goes away with time. A patchwork
grammar with many side-effects and ambiguities stays forever.

Thanks for your response!

Recurity Labs GmbH           | Felix 'FX' Lindner 
http://www.recurity-labs.com | fx at recurity-labs.com 
Wrangelstrasse 4             | Fon: +49 30 69539993-0
10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05  
Germany                      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
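As an added illustration of the trade-off argued above (not code from the thread or from any vendor's RA Guard implementation): a per-packet filter that walks the IPv6 extension-header chain the way a switch port would, without reassembly, and then applies the RA Guard rule plus the optional "drop all fragments" rule FX proposes. The packets are constructed inline (link-local addresses, a Router Advertisement with its checksum left at zero, a Destination Options header used as padding); the helper names, the `ra_guard`/`classify` functions and the policy flag are this example's own assumptions. The fragmented RA sample places the ICMPv6 header entirely in the second fragment, which is what makes the RA invisible to a filter that does not reassemble.

```python
import struct

# Protocol numbers and ICMPv6 type used below (IANA-assigned, not constructed).
IPV6_HOPOPT, IPV6_ROUTING, IPV6_FRAGMENT, IPV6_DSTOPTS = 0, 43, 44, 60
ICMPV6, UDP = 58, 17
ICMPV6_RA = 134

# Constructed sample addresses: fe80::1 -> ff02::1 (all-nodes multicast).
SRC = bytes.fromhex("fe80" + "00" * 12 + "0001")
DST = bytes.fromhex("ff02" + "00" * 13 + "01")


def ipv6(payload: bytes, next_header: int) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, flow label 0, hop limit 255) + payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC + DST + payload


def fragment_header(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    """RFC 2460 Fragment header: next header, reserved, (offset << 3) | M, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def dest_options(next_header: int, ext_len_units: int) -> bytes:
    """Destination Options header of (ext_len_units + 1) * 8 bytes, filled with one PadN option."""
    pad = (ext_len_units + 1) * 8 - 2
    return struct.pack("!BB", next_header, ext_len_units) + bytes([1, pad - 2]) + b"\x00" * (pad - 2)


def router_advertisement() -> bytes:
    """Constructed ICMPv6 RA (type 134): checksum left 0, so not a valid on-wire packet."""
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)


def classify(packet: bytes) -> dict:
    """Walk one packet's extension-header chain WITHOUT reassembly, as a per-port
    filter would. Reports only what such a filter can know from this packet alone:
    whether a Fragment header was seen, the upper-layer protocol if the chain
    reaches it, and the ICMPv6 type if the ICMPv6 header itself is present."""
    info = {"fragmented": False, "upper_protocol": None, "icmpv6_type": None}
    nh, off = packet[6], 40
    while off + 2 <= len(packet):
        if nh in (IPV6_HOPOPT, IPV6_ROUTING, IPV6_DSTOPTS):
            nh, off = packet[off], off + (packet[off + 1] + 1) * 8
        elif nh == IPV6_FRAGMENT:
            info["fragmented"] = True
            frag_offset = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3
            nh, off = packet[off], off + 8
            if frag_offset != 0:
                return info  # non-first fragment: carries no header chain at all
        else:
            break
    if nh in (IPV6_HOPOPT, IPV6_ROUTING, IPV6_DSTOPTS, IPV6_FRAGMENT):
        return info  # chain continues in bytes this packet does not carry
    info["upper_protocol"] = nh
    if nh == ICMPV6 and off < len(packet):
        info["icmpv6_type"] = packet[off]
    return info


def ra_guard(packet: bytes, drop_all_fragments: bool) -> str:
    """Decision for an untrusted (host-facing) port: the RA Guard rule, plus the
    configurable blanket rule 'drop every fragmented packet' discussed above."""
    info = classify(packet)
    if info["icmpv6_type"] == ICMPV6_RA:
        return "drop"
    if info["fragmented"] and drop_all_fragments:
        return "drop"
    return "forward"


def sample_packets() -> dict:
    """Constructed samples: a plain RA; the same RA whose fragmentable part is a
    32-byte Destination Options header followed by the 16-byte ICMPv6 message,
    split so the first fragment holds only the options header; and a harmless
    fragmented UDP datagram (32 zero bytes standing in for header + data)."""
    ra = router_advertisement()
    body = dest_options(ICMPV6, 3) + ra  # 32 bytes of options + 16 bytes of RA
    return {
        "plain_ra": ipv6(ra, ICMPV6),
        "frag_ra_1": ipv6(fragment_header(IPV6_DSTOPTS, 0, True, 1) + body[:32], IPV6_FRAGMENT),
        "frag_ra_2": ipv6(fragment_header(IPV6_DSTOPTS, 4, False, 1) + body[32:], IPV6_FRAGMENT),
        "frag_udp_1": ipv6(fragment_header(UDP, 0, True, 2) + b"\x00" * 32, IPV6_FRAGMENT),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt), "no-frag-rule:", ra_guard(pkt, False), "frag-rule:", ra_guard(pkt, True))
```

Without the blanket rule, both fragments of the RA are forwarded: the first shows next header 58 but no ICMPv6 type, the second shows nothing but a non-zero fragment offset. With the rule enabled they are dropped, and so is the legitimate fragmented UDP datagram, which is exactly the cost the post accepts in exchange for leaving the grammar alone.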
