[ipv6hackers] RA guard evasion
Felix 'FX' Lindner
fx at recurity-labs.com
Wed May 15 00:59:11 CEST 2013
Hi,

On Tue, 14 May 2013 22:28:21 +0000 "Eric Vyncke (evyncke)"
<evyncke at cisco.com> wrote:
> Regarding your last question, here is my point of view:
> a) obviously IPv6 grammar is correct but of course attackers deviate
> from this grammar (e.g. overlapping fragments hence RFC 5722)

... or the grammar wasn't correct/precise/well-defined in this case. I
learned the hard way to be careful with "obviously correct" anywhere in
the languages we speak about here. The need for RFC 5722 underlines my
argument IMHO.

> b) and indeed, for now and for the price (even for pricey switches)
> doing re-assembly at 10 Gbps per port is simply not affordable (even
> if doable), so, we (the vendors/industry/IETF) need to find a layman
> way to fix the attack...

And that is exactly where I think the difference is! Why do we need to
change the spec (for everyone) for a "corner case", although a very
very important one? Drop all fragmented packets at the switch,
configurable. Why change the grammar? Why not clearly say: "10Gbps
without frags, 31.337% performance with frag reassembly" on every
device and be done?

Basically, the performance problem goes away with time. A patchwork
grammar with many side-effects and ambiguities stays forever.

Thanks for your response!

cheers
FX
--
Recurity Labs GmbH | Felix 'FX' Lindner
http://www.recurity-labs.com | fx at recurity-labs.com
Wrangelstrasse 4 | Fon: +49 30 69539993-0
10997 Berlin | PGP: A740 DE51 9891 19DF 0D05
Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
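
The policy discussed in the message above (a configurable switch-side drop of all fragments instead of a change to the grammar), as an added sketch that is not part of the original message or any vendor's code: a stateless RA-guard verdict for a host-facing port. The function name, the `drop_fragments` knob and the sample packets are constructed for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers) and the ICMPv6 RA type.
HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
RA_TYPE = 134

def classify(packet: bytes, drop_fragments: bool = True) -> str:
    """Stateless verdict for a raw IPv6 packet arriving on a host-facing port."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop:malformed"
    nxt, off = packet[6], 40
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 2 > len(packet):
            return "drop:malformed"
        # Extension header length is in 8-octet units, not counting the first 8.
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    if nxt == FRAGMENT:
        # Without reassembly the upper-layer header cannot be inspected reliably,
        # so the only stateless choices are: drop, or forward unchecked.
        return "drop:fragment" if drop_fragments else "forward"
    if nxt == ICMPV6:
        if off >= len(packet):
            return "drop:malformed"
        if packet[off] == RA_TYPE:
            return "drop:ra"
    return "forward"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (documentation-prefix source address)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("ff020000000000000000000000000001")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed samples: RA body is type, code, then 14 zeroed bytes.
RA_BODY = bytes([RA_TYPE, 0]) + bytes(14)
PLAIN_RA = ipv6(ICMPV6, RA_BODY)
RA_BEHIND_DESTOPTS = ipv6(DEST_OPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY)
ECHO_REQUEST = ipv6(ICMPV6, bytes([128, 0]) + bytes(6))
# Fragment header (next header, reserved, offset/M flag, id) plus opaque payload.
FRAGMENT_PKT = ipv6(FRAGMENT, struct.pack("!BBHI", DEST_OPTS, 0, 1, 0x1234) + bytes(8))

if __name__ == "__main__":
    for name in ("PLAIN_RA", "RA_BEHIND_DESTOPTS", "ECHO_REQUEST", "FRAGMENT_PKT"):
        print(name, classify(globals()[name]), classify(globals()[name], False))
```

With `drop_fragments=False` the fragment is forwarded without any RA check, which is the gap that otherwise has to be closed by reassembly on the device.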