[ipv6hackers] RA guard evasion

Andrew Yourtchenko ayourtch at gmail.com
Wed May 15 18:00:01 CEST 2013


On Tue, May 14, 2013 at 11:49 PM, Eric Vyncke (evyncke)
<evyncke at cisco.com> wrote:

> Andrew and Gert,
> > > Would qualifying it "drop all fragments with link-local source" make
> > > it look a bit better ?
> >
> > Yes, there should never be link-local packets with fragments.  No
> > objections against that (of course the OS needs to verify that RAs etc.
> > are really only sent from link-local addresses, but I sincerely hope they
> > are getting this right).
> Do not forget that while rogue RA is the main issue with NDP, plain NA
> spoofing is also possible and (getting too late here to re-read the RFC
> 4861) NA are sometimes sent from a non link-local address... and as the
> fragmented-ext-header-chain attack will also work against all SAVI switches
> monitoring NS/NA, dropping only link-local fragments will only displace the
> problem from rogue RA to rogue NA (less damaging but bad anyway)

I re-read the 4861 and could not find any mention of what source to use.

OTOH given that the target address is in the option anyway - maybe
adjusting the spec & the hosts' behaviour might be useful ?


> Hope it helps
> Kind regards and enjoy RIPE meeting & the Guinness ;)
> -éric
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
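
Added example, not part of the original message or of any switch vendor's code: a Python classifier for the rule quoted in this thread ("drop all fragments with link-local source"), run over constructed packets. The function names, addresses and sample bytes are assumptions made for illustration; the third sample shows the gap Eric points at, where a fragment from a non-link-local source is not matched by the rule.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6 = 44, 58

def inspect(pkt: bytes):
    """Return (source, has_fragment_header, ICMPv6 type or None if not visible)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    nxt, off, fragmented = pkt[6], 40, False
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(pkt):                 # truncated header chain
            return src, fragmented or nxt == FRAGMENT, None
        if nxt == FRAGMENT:
            fragmented = True
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset:                    # non-first fragment: payload is opaque
                return src, True, None
            nxt, off = pkt[off], off + 8
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    icmp_type = pkt[off] if nxt == ICMPV6 and off < len(pkt) else None
    return src, fragmented, icmp_type

def drop_by_policy(pkt: bytes) -> bool:
    """The rule quoted in the thread: drop every fragment with a link-local source."""
    src, fragmented, _ = inspect(pkt)
    return fragmented and src in LINK_LOCAL

def build(src: str, next_hdr: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed IPv6 header to ff02::1 plus payload."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + payload)

# Constructed samples: a non-first fragment (offset 1) carrying 8 opaque bytes.
FRAG = struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 0x1234) + bytes(8)
RA_PLAIN = build("fe80::1", ICMPV6, bytes([134, 0]) + bytes(14))
LL_FRAGMENT = build("fe80::1", FRAGMENT, FRAG)
GLOBAL_FRAGMENT = build("2001:db8::1", FRAGMENT, FRAG)

if __name__ == "__main__":
    for name, pkt in [("RA_PLAIN", RA_PLAIN), ("LL_FRAGMENT", LL_FRAGMENT),
                      ("GLOBAL_FRAGMENT", GLOBAL_FRAGMENT)]:
        print(name, inspect(pkt), "drop" if drop_by_policy(pkt) else "forward")
```
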
