On Jul 13, 2011, at 9:14 AM, Arturo Servin wrote:

>  What's the point?
> 
>   If you assume unrealistic scenarios to prove your concept, then you
> have a problem with your solution.
> 
>   The problem is that you have a link where the attacker can have
> 2^64 different addresses to spoof and it can send NS request at any
> rate.

I think what's most interesting is that the nature of the "threat" on the IPv6 
capable Internet is the ability to generate high PPS rate activity easily.  One 
needs to look no further than the risk and high PPS attacks on the IPv4 side of 
things.  It's quite reasonable to expect to have 10k or more unique 
hosts (source IPs) participating in an attack.

If you are a CDN, Major Web Property, or even Residential provider your risk in 
IPv4 is one per host or routed IP.  The scale involved here is much larger by 
design, and the potential of a poorly behaving NDP implementation to be 
overwhelmed is quite easy.  Not many vendors can handle 10k or 100k pps in their 
control-plane.

To (re)state the biggest design issue with NDP again, it's outlined in 7.3 of 
the v6nd-enhance draft:

-- snip --
7.3.  NDP Protocol Gratuitous NA

   Per RFC 4861, sections 7.2.5 and 7.2.6 [RFC4861] require that
   unsolicited neighbor advertisements result in the receiver setting
   its neighbor cache entry to STALE, kicking off the resolution of the
   neighbor using neighbor solicitation.
-- snip --

Forcing an entry to STALE if you see an unsolicited NA (assuming it matches the 
existing NA) seems unnecessary and counterproductive as it can interrupt 
traffic to existing hosts.

Solving a remotely-exploitable specification problem is much different than 
solving a layer-2 compromise.  Those are different risks and require a 
different solution and mitigation (e.g. duplicate IP detection in v4 and 
various layer-2 security features such as dhcp-guard, etc.).

- Jared
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
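The two mechanisms argued about above, a flood of Neighbor Solicitations from spoofed on-link sources and an unsolicited Neighbor Advertisement that downgrades an existing entry, as an added example that is not part of the original post or of the v6nd-enhance draft. The Python below is a simulated receive-side neighbor cache that follows the rules of RFC 4861 sections 7.2.3 (NS receipt), 7.2.5 (NA receipt) and the STALE -> DELAY -> PROBE path of 7.3.3; the class and function names, the 2001:db8::/64 prefix, the MAC addresses and the packet counts are all constructed for the demonstration and not taken from the thread.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import random


class State(Enum):
    INCOMPLETE = 1
    REACHABLE = 2
    STALE = 3
    DELAY = 4
    PROBE = 5


@dataclass
class Entry:
    lladdr: Optional[str]
    state: State
    is_router: bool = False


class NeighborCache:
    """Simulated neighbor cache (example code, not from the post or draft).
    Only the state transitions relevant to the thread are modelled."""

    def __init__(self):
        self.entries = {}
        self.ns_sent = 0  # solicitations this node is forced to emit

    def receive_ns(self, src_ip, src_lladdr):
        """RFC 4861 7.2.3: an NS with a unicast source and a Source
        Link-Layer Address option creates a STALE entry if none exists,
        or resets an existing entry to STALE when the address changed."""
        if src_ip == "::" or src_lladdr is None:
            return  # DAD probe or no SLLAO: nothing is cached
        e = self.entries.get(src_ip)
        if e is None:
            self.entries[src_ip] = Entry(src_lladdr, State.STALE)
        elif e.lladdr != src_lladdr:
            e.lladdr, e.state = src_lladdr, State.STALE

    def receive_na(self, target, tlla, solicited, override, router):
        """RFC 4861 7.2.5: NA processing against an existing entry."""
        e = self.entries.get(target)
        if e is None:
            return  # no entry: the advertisement is silently discarded
        if e.state is State.INCOMPLETE:
            if tlla is None:
                return
            e.lladdr = tlla
            e.state = State.REACHABLE if solicited else State.STALE
            e.is_router = router
            return
        differs = tlla is not None and tlla != e.lladdr
        if not override and differs:
            # O=0 with a different address: REACHABLE drops to STALE and
            # nothing else is touched; in any other state the NA is ignored
            if e.state is State.REACHABLE:
                e.state = State.STALE
            return
        if differs:
            e.lladdr = tlla
        if solicited:
            e.state = State.REACHABLE
        elif differs:
            e.state = State.STALE  # S=0 and address updated
        # S=0 and the same address: state is left unchanged
        e.is_router = router

    def send_to(self, ip):
        """RFC 4861 7.3.3: sending a packet to a neighbor."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = Entry(None, State.INCOMPLETE)
            self.ns_sent += 1  # multicast NS to resolve the address
            return State.INCOMPLETE
        if e.state is State.STALE:
            e.state = State.DELAY  # packet goes out, probe is scheduled
        return e.state

    def delay_timer_expired(self, ip):
        e = self.entries[ip]
        if e.state is State.DELAY:
            e.state = State.PROBE
            self.ns_sent += 1  # unicast NS probe of the cached address
        return e.state


def ns_flood(cache, count=10_000, prefix="2001:db8::", seed=1):
    """Attacker on the link sends `count` NS, each from a fresh interface
    identifier in the /64 with a fresh MAC. Returns the resulting cache size."""
    rng = random.Random(seed)
    for _ in range(count):
        iid = rng.getrandbits(64)
        src = prefix + ":".join(f"{(iid >> s) & 0xffff:x}" for s in (48, 32, 16, 0))
        mac = "02:" + ":".join(f"{rng.getrandbits(8):02x}" for _ in range(5))
        cache.receive_ns(src, mac)
    return len(cache.entries)


def unsolicited_na_demo():
    """Three unsolicited (S=0) advertisements against a REACHABLE entry."""
    c, peer, real = NeighborCache(), "2001:db8::1", "00:11:22:33:44:55"
    c.entries[peer] = Entry(real, State.REACHABLE)
    out = {}
    c.receive_na(peer, real, solicited=False, override=False, router=False)
    out["same_lladdr"] = c.entries[peer].state
    c.receive_na(peer, "de:ad:be:ef:00:01", False, False, False)
    out["diff_lladdr_O0"] = (c.entries[peer].state, c.entries[peer].lladdr)
    c.send_to(peer)  # next packet to the peer starts re-resolution
    out["after_send"] = c.delay_timer_expired(peer)
    out["ns_sent"] = c.ns_sent
    c.entries[peer] = Entry(real, State.REACHABLE)
    c.receive_na(peer, "de:ad:be:ef:00:01", False, True, False)
    out["diff_lladdr_O1"] = (c.entries[peer].state, c.entries[peer].lladdr)
    return out
```

Running `ns_flood(NeighborCache())` shows that every spoofed solicitation leaves a new STALE entry behind, so the cache grows linearly with the attacker's packet rate and nothing in the base protocol bounds it. In `unsolicited_na_demo()` the S=0 advertisement that repeats the cached link-layer address leaves the entry REACHABLE; the one that carries a different address with O=0 forces it to STALE without changing the address, and the next packet to that neighbor costs the node a unicast probe, while the O=1 variant also replaces the cached address. Any on-link sender controls both the target link-layer address and the flags, which is the property the thread is concerned with.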