[ipv6hackers] CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

Gert Doering gert at space.net
Sun Aug 14 21:29:25 CEST 2016


On Sun, Aug 14, 2016 at 08:22:06PM +0200, Fernando Gont wrote:
> My take is that the vuln is completely unrelated to NCE, since all end
> systems I know of *do* check the Hop Limit of received ND packets.

I tried to filter out (by ACL "deny and log") incoming ND packets at
DECIX with a TTL != 255.

And saw legitimate neighbours send such... (unfortunately, XR doesn't log
what the TTL *is* so I cannot answer the obvious question, and I didn't
yet set up infrastructure to sniff it off the wire).

... and when not filtered, these are *answered*...

(The other half of Pandora's box I found there was that at least one major
vendor of backbone gear happily forwards packets sourced from fe80::
addresses off-link - as in: I see packets with fe80:: source addresses
coming from outside our network, destined to our DNS servers, containing
proper queries...)

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
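The two checks discussed in this thread, applied offline to captured packets, as an added example that is not part of the post or any vendor's ACL: it flags ND packets whose hop limit is not 255 (RFC 4861) and link-local fe80::/10 sources seen on an external interface. The packets are constructed inline (checksums left zero) and the "external interface" flag stands in for the ACL's ingress direction; both are assumptions of this example.

```python
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def build_ipv6(src, dst, hop_limit, next_hdr, payload):
    """Construct a minimal IPv6 packet (constructed sample; no checksums)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def check_packet(raw, from_external):
    """Return findings for one raw IPv6 packet: bad ND hop limit, off-link fe80:: source."""
    findings = []
    if len(raw) < 40 or raw[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    next_hdr, hop_limit = raw[6], raw[7]
    src = ipaddress.IPv6Address(raw[8:24])
    if from_external and src in LINK_LOCAL:
        findings.append(f"link-local source {src} arrived from off-link")
    # ICMPv6 (next header 58): ND message types must arrive with hop limit 255
    if next_hdr == 58 and len(raw) > 40 and raw[40] in ND_TYPES:
        if hop_limit != 255:
            findings.append(f"ND {ND_TYPES[raw[40]]} with hop limit {hop_limit} (must be 255)")
    return findings


def audit(samples):
    """samples: list of (label, raw_packet, from_external) -> {label: findings}."""
    return {label: check_packet(raw, ext) for label, raw, ext in samples}


# Constructed samples: NS = type 135 + 4 reserved bytes + target; DNS query = UDP to port 53
NS_BODY = bytes([135, 0, 0, 0]) + bytes(4) + ipaddress.IPv6Address("2001:db8::2").packed
UDP_DNS = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + bytes(12)
SAMPLES = [
    ("legit NS", build_ipv6("fe80::1", "ff02::1:ff00:2", 255, 58, NS_BODY), False),
    ("NS hop limit 64", build_ipv6("fe80::1", "ff02::1:ff00:2", 64, 58, NS_BODY), False),
    ("fe80 DNS query from outside", build_ipv6("fe80::dead", "2001:db8::53", 62, 17, UDP_DNS), True),
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(label, "->", findings or "ok")
```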
