[ipv6hackers] CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

Fernando Gont fgont at si6networks.com
Sun Aug 14 20:22:06 CEST 2016

On 08/10/2016 10:38 PM, Enno Rey wrote:
> Suresh,
> On Wed, Aug 10, 2016 at 05:52:16PM +0000, Suresh Krishnan wrote:
>> Hi all,
>>    I have been notified about this vulnerability and have been asked whether 
>> this is due to an issue with the IPv6 protocol specifications. At first 
>> glance, I have a hard time seeing how this attack is possible on any 
>> compliant RFC4861 implementation given that the 255 Hop Limit check would 
>> drop any remote attack packets. If someone on the 6man/v6ops mailing lists 
>> has further info
> some public discussion (hence no need for off-list) incl. practical testing can be found here:
> https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/

Some comments:
The outcome from your post is what I expected -- I'm not surprised. The
Hop Limit validation check is to be performed by the receiving node,
rather than by the intermediate devices. If you wanted to enforce it on
intermediate devices, you'd need to perform DPI, then the attacker
fires packets with EHs, and then we possibly end up with the usual "drop
all EHs, plus what I really want to drop".

My take is that the vuln is completely unrelated to NCE, since all end
systems I know of *do* check the Hop Limit of received ND packets.


Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
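
Added example, not part of the original message or of any vendor's code: a sketch of the Hop Limit 255 check for Neighbor Discovery, comparing a check that reads only the fixed IPv6 header with one that walks the extension header chain, which is the inspection an intermediate device would need. The function names, the `build` helper and the sample packets are constructed for illustration.

```python
import struct

EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options (RFC 8200)
FRAGMENT, ICMPV6 = 44, 58
ND_TYPES = range(133, 138)  # RS, RA, NS, NA, Redirect (RFC 4861)

def naive_is_bad_nd(packet: bytes) -> bool:
    """Fixed-header-only check: misses ND carried behind extension headers."""
    return (len(packet) > 40 and packet[6] == ICMPV6
            and packet[40] in ND_TYPES and packet[7] != 255)

def classify(packet: bytes) -> str:
    """Walk the header chain; return not-nd, nd-ok, nd-bad-hop-limit or undetermined."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "undetermined"
    next_header, hop_limit, offset = packet[6], packet[7], 40
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return "undetermined"
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "undetermined"  # non-first fragment hides the upper layer
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += length
    if next_header != ICMPV6:
        return "not-nd"
    if offset >= len(packet):
        return "undetermined"
    if packet[offset] not in ND_TYPES:
        return "not-nd"
    return "nd-ok" if hop_limit == 255 else "nd-bad-hop-limit"

def build(hop_limit: int, ext_chain=(), icmp_type: int = 135) -> bytes:
    """Constructed sample: IPv6 header, optional 8-byte extension headers, ICMPv6."""
    payload = bytes([icmp_type, 0, 0, 0]) + bytes(20)  # checksum left zero, not checked
    nh = ICMPV6
    for eh in reversed(ext_chain):
        payload = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + payload  # hdr ext len 0 + PadN
        nh = eh
    header = struct.pack("!IHBB", 0x60000000, len(payload), nh, hop_limit)
    return header + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

if __name__ == "__main__":
    for label, pkt in [("NS, HL 255", build(255)), ("NS, HL 64", build(64)),
                       ("NS, HL 64, 2x DestOpt", build(64, (60, 60)))]:
        print(f"{label}: naive={naive_is_bad_nd(pkt)} chain-walk={classify(pkt)}")
```

The "undetermined" result covers truncated chains and non-first fragments, where a filter cannot see the upper-layer header and has to fall back on a policy decision.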
