[ipv6hackers] RA guard evasion
ayourtch at gmail.com
Wed May 15 18:00:01 CEST 2013
On Tue, May 14, 2013 at 11:49 PM, Eric Vyncke (evyncke) <evyncke at cisco.com> wrote:
> Andrew and Gert,
> > > Would qualifying it "drop all fragments with link-local source" make
> > > it look a bit better ?
> > Yes, there should never be link-local packets with fragments. No
> > objections against that (of course the OS needs to verify that RAs etc.
> > are really only sent from link-local addresses, but I sincerely hope they are
> > getting this right).
> Do not forget that while rogue RA is the main issue with NDP, plain NA
> spoofing is also possible and (getting too late here to re-read the RFC
> 4861) NA are sometimes sent from a non link-local address... and as the
> fragmented-ext-header-chain attack will also work against all SAVI switches
> monitoring NS/NA, dropping only link-local fragments will only displace the
> problem from rogue RA to rogue NA (less damaging but bad anyway)
I re-read the 4861 and could not find any mention of what source to use.
OTOH given that the target address is in the option anyway - maybe
adjusting the spec & the hosts' behaviour might be useful ?
> Hope it helps
> Kind regards and enjoy RIPE meeting & the Guinness ;)
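The filter rule discussed in this thread, "drop all fragments with link-local source", written out as an added example that is not part of the original message or any vendor's implementation. The function names and the three sample packets are constructed for illustration; the run shows the gap Eric Vyncke describes, where a fragmented NA from a non-link-local source is still forwarded.

```python
import ipaddress

EXT_HDRS = {0, 43, 60}      # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6 = 44, 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def inspect(pkt: bytes):
    """Walk the header chain; return (source, has_fragment_header, nd_type)."""
    src = ipaddress.IPv6Address(pkt[8:24])
    nh, off, frag = pkt[6], 40, False
    while off + 8 <= len(pkt):
        if nh == FRAGMENT:
            frag = True
            if int.from_bytes(pkt[off + 2:off + 4], "big") >> 3:
                break                   # non-first fragment: no upper-layer header here
            nh, off = pkt[off], off + 8
        elif nh in EXT_HDRS:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == ICMPV6:
            return src, frag, ND_TYPES.get(pkt[off])
        else:
            break
    return src, frag, None

def link_local_fragment_rule(pkt: bytes) -> str:
    """Rule proposed in the thread: drop every fragment with a link-local source."""
    src, frag, _ = inspect(pkt)
    return "drop" if frag and src.is_link_local else "forward"

def build(src: str, nd_type: int, fragmented: bool) -> bytes:
    """Constructed sample: IPv6 header, optional Fragment header, ICMPv6 ND stub."""
    icmp = bytes([nd_type, 0]) + bytes(22)          # checksum and body zeroed
    frag_hdr = bytes([ICMPV6, 0, 0, 1]) + bytes(4) if fragmented else b""
    payload = frag_hdr + icmp
    hdr = bytes([0x60, 0, 0, 0]) + len(payload).to_bytes(2, "big")
    hdr += bytes([FRAGMENT if fragmented else ICMPV6, 255])
    dst = ipaddress.IPv6Address("ff02::1").packed
    return hdr + ipaddress.IPv6Address(src).packed + dst + payload

SAMPLES = {  # constructed packets, not captures
    "fragmented RA, link-local source": build("fe80::1", 134, True),
    "fragmented NA, global source": build("2001:db8::1", 136, True),
    "unfragmented RA, link-local source": build("fe80::1", 134, False),
}

def verdicts():
    """Unfragmented ND is forwarded here and left to normal RA guard inspection."""
    return {name: link_local_fragment_rule(p) for name, p in SAMPLES.items()}
```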