[ipv6hackers] RA guard evasion

Andrew Yourtchenko ayourtch at gmail.com
Wed May 15 18:00:01 CEST 2013


Eric,


On Tue, May 14, 2013 at 11:49 PM, Eric Vyncke (evyncke)
<evyncke at cisco.com> wrote:

> Andrew and Gert,
>
> > > Would qualifying it "drop all fragments with link-local source" make it
> > > look a bit better?
> >
> > Yes, there should never be link-local packets with fragments.  No
> > objections against that (of course the OS needs to verify that RAs etc. are
> > really only sent from link-local addresses, but I sincerely hope they are
> > getting this right).
>
> Do not forget that while rogue RA is the main issue with NDP, plain NA
> spoofing is also possible and (getting too late here to re-read the RFC
> 4861) NA are sometimes sent from a non link-local address... and as the
> fragmented-ext-header-chain attack will also work against all SAVI switches
> monitoring NS/NA, dropping only link-local fragments will only displace the
> problem from rogue RA to rogue NA (less damaging but bad anyway)
>

I re-read the 4861 and could not find any mention of what source to use.

OTOH given that the target address is in the option anyway - maybe
adjusting the spec & the hosts' behaviour might be useful ?

--a


>
> Hope it helps
>
> Kind regards and enjoy RIPE meeting & the Guinness ;)
>
> -éric
>
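
Added example, not part of the original message: a Python implementation of the "drop all fragments with link-local source" rule discussed above, run over constructed packet headers. The function names, helper, and sample addresses are assumptions; the "fragment, global source" case is the one the quoted reply is concerned with, since a fragment from a non-link-local source is not matched by the rule.

```python
import ipaddress
import struct

FRAGMENT, ICMPV6 = 44, 58
# Extension headers laid out as (next header, length in 8-octet units, data):
# Hop-by-Hop Options, Routing, Destination Options.
GENERIC_EXT = {0, 43, 60}


def is_link_local_fragment(packet: bytes) -> bool:
    """True if the packet carries a Fragment header and its source is in fe80::/10."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    next_header, offset = packet[6], 40
    # Skip the headers that may precede the Fragment header.
    while next_header in GENERIC_EXT and offset + 2 <= len(packet):
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    return next_header == FRAGMENT and src.is_link_local


def sample(src: str, chain: list) -> bytes:
    """Constructed test input: fixed header plus an 8-byte zeroed stub per
    extension header in `chain`; the last entry is the upper-layer protocol
    and no payload is attached."""
    body = b"".join(bytes([nxt, 0]) + bytes(6) for nxt in chain[1:])
    fixed = struct.pack("!IHBB", 6 << 28, len(body), chain[0], 255)
    dst = ipaddress.IPv6Address("ff02::1").packed
    return fixed + ipaddress.IPv6Address(src).packed + dst + body


# Constructed cases (addresses are placeholders, not from the thread).
CASES = {
    "fragment, link-local source": sample("fe80::1", [FRAGMENT, ICMPV6]),
    "unfragmented, link-local source": sample("fe80::1", [ICMPV6]),
    "fragment, global source": sample("2001:db8::1", [FRAGMENT, ICMPV6]),
    "hop-by-hop then fragment, link-local": sample("fe80::1", [0, FRAGMENT, ICMPV6]),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name}: {'drop' if is_link_local_fragment(pkt) else 'forward'}")
```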
