On 01/31/2014 10:59 AM, Aurélien wrote:
> I personally verified that this type of attack works with at least one major firewall vendor, provided you know/guess reasonably well the network behind it. (I'm not implying that this is a widespread attack type.)
> I also found this paper: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
> I'm looking for other information sources, do you know other papers dealing with this problem? Why do you think this is FUD?

The attack does work. But the reason it works is because the implementations are sloppy in this respect: they don't enforce limits on the size of the data structures they manage. The IPv4 subnet size enforces an artificial limit on things such as the ARP cache. A /64 removes such an artificial limit. However, you shouldn't be relying on such a limit. You should have a real one in the implementation itself. And it's not just the NC. There are implementations that do not limit the number of addresses they configure, that do not limit the number of entries in the routing table, etc.
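The explicit bound the reply argues for, as an added illustration that is not code from this thread or from any vendor's stack: a neighbor cache that caps total entries and gives unresolved (INCOMPLETE) entries their own small budget, so a sweep of a /64 can never evict neighbors that have actually answered. The class and function names, the limits and the addresses are assumed or constructed for the example.

```python
from collections import OrderedDict

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class BoundedNeighborCache:
    """Neighbor cache with a real size limit instead of the implicit one a
    small IPv4 subnet used to provide (hypothetical, for illustration)."""

    def __init__(self, max_entries=1024, max_incomplete=64):
        assert 0 < max_incomplete <= max_entries
        self.max_entries = max_entries
        self.max_incomplete = max_incomplete
        self.entries = OrderedDict()   # addr -> [state, link-layer addr], LRU order

    def _addrs_in(self, state):
        return [a for a, (s, _) in self.entries.items() if s == state]

    def lookup(self, addr):
        """A packet must be delivered to addr on this link. Returns the
        entry state; a new entry starts INCOMPLETE (a real stack sends NS here)."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return self.entries[addr][0]
        incomplete = self._addrs_in(INCOMPLETE)
        if len(incomplete) >= self.max_incomplete:
            # unresolved budget spent: recycle the oldest unresolved slot,
            # never a resolved neighbor
            del self.entries[incomplete[0]]
        elif len(self.entries) >= self.max_entries:
            # cache genuinely full: evict the least recently used entry
            self.entries.popitem(last=False)
        self.entries[addr] = [INCOMPLETE, None]
        return INCOMPLETE

    def neighbor_advertised(self, addr, lladdr):
        """NA received: only an entry we were waiting on becomes REACHABLE;
        an unsolicited NA for an unknown address creates nothing."""
        entry = self.entries.get(addr)
        if entry is None:
            return False
        entry[0], entry[1] = REACHABLE, lladdr
        return True

    def stats(self):
        return {s: len(self._addrs_in(s)) for s in (INCOMPLETE, REACHABLE)}


def sweep_lookups(cache, prefix="2001:db8:0:1::", count=5000):
    """Constructed stress scenario: one lookup per address across part of a
    /64, as a stack would see from traffic to unused addresses. Returns stats."""
    for i in range(count):
        cache.lookup(f"{prefix}{i:x}")
    return cache.stats()
```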
There are some different needs with this limitation. It's good to rate-limit a protocol exchange (to avoid DDoS), it's good to limit the size of the buffers (to avoid buffer overflows), but it may be arguable whether to limit the dynamic sizes of the instantiated data structures, especially when facing requirements of scalability - they'd rather be virtually infinite, like in virtual memory.
This is not a problem of implementation, it is a problem of unspoken assumption that the subnet prefix is always 64. It is unspoken because it is little required (almost none) by RFCs. Similarly as when the router of the link is always the .1.
Speaking of scalability - is there any link layer (e.g. Ethernet) that supports 2^64 nodes in the same link? Any deployed such link? I doubt so.
I suppose the largest number of nodes in a single link may reach somewhere in the thousands of nodes, but not 2^64.
The limitation on the number of nodes on the single link comes not only from the access contention algorithms, but from the implementation of the core of the highest performance switches; these are limited in terms of bandwidth. With these figures in mind, one realizes that it may be little reasonable to imagine subnets of maximum size 2^64 nodes.
Alex
If you want to play, please take a look at the ipv6toolkit: <http://www.si6networks.com/tools/ipv6toolkit>. On the same page, you'll also find a PDF that discusses ND attacks, and that tells you how to reproduce the attack with the toolkit. Besides, each manual page of the toolkit (ra6(1), na6(1), etc.) has an EXAMPLES section that provides popular ways to run each tool. Thanks! Cheers,