[ipv6hackers] RA guard evasion

Eric Vyncke (evyncke) evyncke at cisco.com
Wed May 15 18:19:41 CEST 2013


> > Do not forget that while rogue RA is the main issue with NDP, plain NA
> > spoofing is also possible and (getting too late here to re-read the
> > RFC
> > 4861) NA are sometimes sent from a non link-local address... and as
> > the fragmented-ext-header-chain attack will also work against all SAVI
> > switches monitoring NS/NA, dropping only link-local fragments will
> > only displace the problem from rogue RA to rogue NA (less damaging but
> > bad anyway)
> >
> 
> I re-read the 4861 and could not find any mention of what source to use.
> 
> OTOH given that the target address is in the option anyway - maybe adjusting
> the spec & the hosts' behaviour might be useful ?

I read it as well today and in some places RFC 4861 is very specific about the use of link-local as the source (RA, ...) and in other places, it is simply 'address' so I assume that some traffic is indeed from a global address.

Sniffing for a while at home some NS sent to a global address from a LLA source (the reply NA is from LLA to LLA) so at least some NDP packets use global address.

Shame on me, I should know the definitive answer on this one!




More information about the Ipv6hackers mailing list