[ipv6hackers] CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

Fernando Gont fgont at si6networks.com
Sun Aug 14 21:07:52 CEST 2016

On 08/14/2016 08:38 PM, Enno Rey wrote:
>> Some comments: The outcome from your post is what I expected -- I'm
>> not surprised. The Hop LImit validation check is to be performed by
>> the receiving node,
> correct. actually in the post the Cisco device in question
> (2003:60:4010::8) *is* the receiving node. and it happily accepts
> ICMPv6 NA/RA/RS packets sent from far remote entities (and hence
> having a hop limit < 255). the point/problem is not the networks in
> between forwarding the packets but the final destination accepting
> them.

Oops, I was confused, then. So, if, say, the devices gets an NS, it
creates an entry in the NC?

>> rather than by the intermmediate devices. If you wanted to enforce
>> it on intermmediate devices, you'd need to perform DPI, then the
>> attacker fires packets with EHs, and then we possibly end up with
>> the usual "drop all EHs, plus what I really want to drop".
>> My take is that the vuln is completely unrelated to NCE. since al
>> end systems I know of *do* check the Hop Limit of received ND
>> packets.
> apparently not true for quite some high end C* and J* gear, as their
> respective advisories state/show.

I'll redo testing. I remember testing this, at the time, with a bunch of
devices, but they were all dropping ND packets when HL != 255.


Best regards,
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list