[ipv6hackers] CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
Gert Doering
gert at space.net
Sun Aug 14 21:29:25 CEST 2016
Hi,
On Sun, Aug 14, 2016 at 08:22:06PM +0200, Fernando Gont wrote:
> My take is that the vuln is completely unrelated to NCE, since all end
> systems I know of *do* check the Hop Limit of received ND packets.
I tried to filter out (by ACL "deny and log") incoming ND packets at
DECIX with a TTL != 255.
And saw legitimate neighbours send such... (unfortunately, XR doesn't log
what the TTL *is* so I cannot answer the obvious question, and I didn't
yet set up infrastructure to sniff it off the wire).
... and when not filtered, these are *answered*...
(The other half of pandora's box I found there was that at least one major
vendor of backbone gear happily forwards packets sourced from fe80::
addresses off-link - as in: I see packets with fe80:: source addresses
coming from outside our network, destined to our DNS servers, containing
proper queries...)
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
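
The two observations in this message (ND packets arriving with a Hop Limit other than 255, and fe80:: sources addressed to off-link destinations) can be checked on captured traffic. The following is an added example, not part of the original post: it inspects raw IPv6 packets and reports the actual Hop Limit, the value the ACL log did not show. The packet bytes are constructed samples using documentation prefixes, ICMPv6 checksums are left at zero, and extension headers are not parsed.

```python
import ipaddress
import struct

# ICMPv6 Neighbor Discovery message types (RFC 4861)
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def inspect(pkt: bytes) -> list:
    """Return findings for one raw IPv6 packet (bytes start at the IPv6 header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    next_hdr, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    findings = []
    # Assumption: ICMPv6 follows the fixed header directly (no extension headers).
    if next_hdr == 58 and len(pkt) > 40 and pkt[40] in ND_TYPES and hop_limit != 255:
        findings.append(f"{ND_TYPES[pkt[40]]} from {src} with hop limit {hop_limit} "
                        "(RFC 4861 requires 255)")
    # A link-local source should only be seen talking to on-link destinations.
    if src.is_link_local and not (dst.is_link_local or dst.is_multicast):
        findings.append(f"link-local source {src} to non-link-local destination {dst}")
    return findings

def build(src, dst, next_hdr, hop_limit, payload):
    """Assemble a constructed IPv6 packet for the samples below."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

# Constructed Neighbor Solicitation body: type 135, code 0, checksum 0
# (not computed), 4 reserved bytes, then the target address.
NS = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address("2001:db8::2").packed

SAMPLES = [
    build("fe80::1", "ff02::1:ff00:2", 58, 255, NS),       # well-formed NS
    build("2001:db8::1", "2001:db8::2", 58, 64, NS),       # NS with hop limit 64
    build("fe80::1", "2001:db8::53", 17, 60, b"\x00" * 8), # fe80:: source, global destination
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(inspect(p) or ["ok"])
```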