nanog mailing list archives
NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
From: Karl Auer <kauer () biplane com au>
Date: Tue, 12 Jul 2011 10:17:30 +1000
On Mon, 2011-07-11 at 18:48 -0500, Jimmy Hess wrote:
> It would be useful to at least have the risk properly described, in
> terms of what kind of DoS condition could arise on specific
> implementations.

RFC3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats
Section 4.3.2

   In this attack, the attacking node begins fabricating addresses with
   the subnet prefix and continuously sending packets to them. The last
   hop router is obligated to resolve these addresses by sending
   neighbor solicitation packets. A legitimate host attempting to enter
   the network may not be able to obtain Neighbor Discovery service
   from the last hop router as it will be already busy with sending
   other solicitations. This DoS attack is different from the others in
   that the attacker may be off-link. The resource being attacked in
   this case is the conceptual neighbor cache, which will be filled
   with attempts to resolve IPv6 addresses having a valid prefix but
   invalid suffix. This is a DoS attack.

The above RFC and RFC3971 (SEND) both have good descriptions of a BUNCH
of possible attacks. RFC3971 is a bit dismissive IMHO of this particular
attack.

I realise this is not "specific implementations" as you requested, but
it seems to me that the problem is generic enough not to require that.
The attack is made possible by the design of the protocol, not any
failing of specific implementations. Specific implementations need to
describe what they've done about it (mitigation or prevention).

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
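To make the "conceptual neighbor cache" in the quoted RFC text concrete, here is a small constructed simulation (added to this archive page, not code from the post or from any router vendor). It models a last-hop router's cache under a flood of packets to fabricated suffixes in a valid prefix, once with the unbounded design RFC 3756 describes and once with a cap on INCOMPLETE (unresolved) entries of the kind later operational guidance (RFC 6583) recommends. Cache sizes, addresses and flood counts are constructed values.

```python
from collections import OrderedDict

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    """Toy model of a router's per-interface neighbour cache (constructed)."""

    def __init__(self, max_entries, max_incomplete=None):
        self.max_entries = max_entries        # total capacity (constructed)
        self.max_incomplete = max_incomplete  # None = unbounded, the design RFC 3756 warns about
        self.entries = OrderedDict()          # addr -> state, oldest first

    def incomplete(self):
        return [a for a, s in self.entries.items() if s == INCOMPLETE]

    def forward_to(self, addr):
        """A packet arrives for addr and the router must solicit it. True = NS slot allocated."""
        if addr in self.entries:
            return True
        if self.max_incomplete is not None and len(self.incomplete()) >= self.max_incomplete:
            return False  # refuse new unresolved work; already-resolved neighbours are untouched
        if len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # unbounded design: evict the oldest entry, any state
        self.entries[addr] = INCOMPLETE
        return True

    def advertisement_received(self, addr):
        """A Neighbor Advertisement arrives. False = entry already evicted, resolution failed."""
        if addr not in self.entries:
            return False
        self.entries[addr] = REACHABLE
        return True


def simulate(max_incomplete, flood_size=500):
    """Constructed scenario: one resolved neighbour, a flood to fabricated suffixes,
    then a new legitimate host whose NA only arrives after a second burst."""
    cache = NeighborCache(max_entries=64, max_incomplete=max_incomplete)
    existing, newcomer = "2001:db8::1", "2001:db8::10"
    cache.forward_to(existing)
    cache.advertisement_received(existing)
    for i in range(flood_size):
        cache.forward_to(f"2001:db8::dead:{i:x}")  # valid prefix, invalid suffix
    newcomer_slot = cache.forward_to(newcomer)
    for i in range(flood_size):
        cache.forward_to(f"2001:db8::beef:{i:x}")  # burst while the newcomer's NS is pending
    return {
        "existing_still_reachable": cache.entries.get(existing) == REACHABLE,
        "newcomer_got_slot": newcomer_slot,
        "newcomer_resolved": cache.advertisement_received(newcomer),
        "incomplete_entries": len(cache.incomplete()),
    }
```

With no cap the flood evicts the already-resolved neighbour and the newcomer's entry is gone before its advertisement arrives; with a cap the resolved neighbour and the router's solicitation load are protected, but the newcomer is still refused a slot while the flood persists, which is why the cap has to be paired with unresolved-entry expiry or rate limiting rather than relied on alone.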