nanog mailing list archives
Re: NIST IPv6 document
From: Bill Bogstad <bogstad () pobox com>
Date: Thu, 6 Jan 2011 10:23:17 -0500
On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <jsw () inconcepts biz> wrote:
> On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <owen () delong com> wrote:
>>> You must also realize that the stateful firewall has the same problems
>> Uh, not exactly...
> Of course it does. The stateful firewall must either 1) be vulnerable to the same form of NDP attack; or 2) have a list of allocated v6 addresses on the LAN. The reason is simple: a "stateful firewall" is no more able to store a 2**64 table than is a "router." Calling it something different doesn't change the math. If you choose to solve the problem by disabling NDP or allowing NS only for a list of "valid" addresses on the subnet, this can be done by a stateless router just like on a stateful firewall.
>> Uh, no it doesn't. It just needs a list of the hosts which are permitted to receive inbound connections from the outside. That's the whole
> This solution falls apart as soon as there is a compromised host on the LAN, in which case the firewall (or router) NDP table can again be filled completely by that compromised/malicious host. In addition, the "stateful firewall," by virtue of having connection state, does not solve the inbound NDP attack issue. The list of hosts which can result in an NDP NS is what causes this, and such a list may be present in a stateless router; but in both cases, it needs to be configured.
Err, almost everything falls apart once you allow a compromised/malicious host on the local LAN. If you have circumstances where this may happen on anything like a regular basis, you really need all kinds of control/monitoring of traffic that go far beyond any local NDP overflow issues.

Bill Bogstad
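The neighbor-table math the thread argues over, as an added illustration that is not code from any of the posters or from any vendor: a toy Python model of a router's or stateful firewall's IPv6 neighbor cache. The `NeighborCache` class, `run_sweep` helper, the sample /64 and the three "real" host addresses are all hypothetical and constructed for this example. It shows the two configurations Jeff and Owen are comparing: a plain table that creates an INCOMPLETE entry (and would send an NS) for any unsolicited inbound destination, and the same table fed only destinations on a configured list of valid addresses.

```python
"""Toy model of a router or stateful firewall's IPv6 neighbor cache.

Added example for the thread above (not code from any poster or vendor).
It models the point under discussion: a /64 holds 2**64 addresses, the
on-link neighbor table is finite, and only a configured list of valid
addresses stops unsolicited inbound traffic from creating INCOMPLETE
entries.  All class, function and address values below are constructed.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample LAN and the hosts that really exist on it.
LAN = ipaddress.IPv6Network("2001:db8:1::/64")
REAL_HOSTS = {
    ipaddress.IPv6Address("2001:db8:1::10"),
    ipaddress.IPv6Address("2001:db8:1::11"),
    ipaddress.IPv6Address("2001:db8:1::25"),
}


def table_fraction(capacity: int) -> float:
    """Share of one /64 that a neighbor table of the given size can ever hold."""
    return capacity / LAN.num_addresses   # num_addresses == 2**64


@dataclass
class NeighborCache:
    capacity: int
    allowed: Optional[Set[ipaddress.IPv6Address]] = None  # None: no address list
    resolved: Set[ipaddress.IPv6Address] = field(default_factory=set)
    incomplete: Set[ipaddress.IPv6Address] = field(default_factory=set)
    dropped_full: int = 0
    dropped_policy: int = 0

    def inbound(self, dst) -> str:
        """What the forwarding path does with a packet from outside for dst."""
        dst = ipaddress.IPv6Address(dst)
        if dst in self.resolved:
            return "forward"
        # The configured list: only listed addresses may trigger an NS.
        if self.allowed is not None and dst not in self.allowed:
            self.dropped_policy += 1
            return "drop-policy"
        if dst in self.incomplete:
            return "queued"              # NS already outstanding
        if len(self.resolved) + len(self.incomplete) >= self.capacity:
            self.dropped_full += 1       # table exhausted: no NS can be sent
            return "drop-full"
        self.incomplete.add(dst)         # router emits NS on the LAN
        if dst in REAL_HOSTS:            # a real host answers with NA
            self.incomplete.discard(dst)
            self.resolved.add(dst)
            return "forward"
        return "queued"                  # nobody answers; entry lingers

    def incomplete_ratio(self) -> float:
        """Detection metric: share of table entries that never resolved."""
        total = len(self.resolved) + len(self.incomplete)
        return len(self.incomplete) / total if total else 0.0


def run_sweep(capacity: int, use_list: bool, packets: int, seed: int = 1) -> NeighborCache:
    """Feed `packets` unsolicited inbound packets to random addresses in the /64."""
    rng = random.Random(seed)
    cache = NeighborCache(capacity, allowed=set(REAL_HOSTS) if use_list else None)
    for _ in range(packets):
        dst = LAN.network_address + rng.getrandbits(64)
        cache.inbound(dst)
    return cache


if __name__ == "__main__":
    for use_list in (False, True):
        c = run_sweep(capacity=1000, use_list=use_list, packets=5000)
        print(f"address list={use_list}: incomplete={len(c.incomplete)} "
              f"dropped_full={c.dropped_full} dropped_policy={c.dropped_policy} "
              f"real host now gets {c.inbound('2001:db8:1::10')!r}")
    print(f"a 1000-entry table covers {table_fraction(1000):.3e} of one /64")
```

Without the list, a sweep of random destinations fills the table with INCOMPLETE entries and a packet for a real, not-yet-resolved host is then dropped; with the list, the sweep never reaches the table and the real host resolves normally. The `incomplete_ratio` figure is the kind of counter worth graphing on a real router: a neighbor table that is almost entirely INCOMPLETE is the signature of an inbound sweep. The case Bill raises, a compromised node already on the link, is deliberately not modeled here, since such a node speaks NDP to the router directly and the inbound address list does nothing for it.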