Re: NIST IPv6 document

[Bill Bogstad <bogstad () pobox com>]

On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <jsw () inconcepts biz> wrote:
> On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <owen () delong com> wrote:
> > > You must also realize that the stateful firewall has the same problems
> > Uh, not exactly...
>
> Of course it does.  The stateful firewall must either 1) be vulnerable
> to the same form of NDP attack; or 2) have a list of allocated v6
> addresses on the LAN.  The reason is simple; a "stateful firewall" is
> no more able to store a 2**64 table than is a "router."  Calling it
> something different doesn't change the math.  If you choose to solve
> the problem by disabling NDP or allowing NS only for a list of "valid"
> addresses on the subnet, this can be done by a stateless router just
> like on a stateful firewall.
>
> > Uh, no it doesn't. It just needs a list of the hosts which are permitted
> > to receive inbound connections from the outside. That's the whole
>
> This solution falls apart as soon as there is a compromised host on
> the LAN, in which case the firewall (or router) NDP table can again be
> filled completely by that compromised/malicious host.  In addition,
> the "stateful firewall," by virtue of having connection state, does
> not solve the inbound NDP attack issue.  The list of hosts which can
> result in an NDP NS is whats causes this, and such a list may be
> present in a stateless router; but in both cases, it needs to be
> configured.

Err, almost everything falls apart once you allow a
compromised/malicious host on the local LAN.   If you have
circumstances where this may happen on anything like a regular basis,
you really need all kinds of control/monitoring of traffic that go far
beyond any local NDP overflow issues.

Bill Bogstad