Folks,

We have just published a new IETF I-D, entitled "Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks". This is probably the last missing piece of the "ND mitigation" puzzle (the others being RA-Guard and DHCPv6-Shield). This one mitigates attack vectors based on RS, NS, NA, and Redirect messages.

The I-D is available at:
<http://tools.ietf.org/id/draft-gont-opsec-ipv6-nd-shield-00.txt>

For this version in particular, I'm mostly interested in hearing your thoughts about the issues raised in the "DISCLAIMER" section -- although detailed feedback is always welcome.

Our Twitter: @SI6Networks

Thanks!

Best regards,
Fernando

-------- Original Message --------
Subject: New Version Notification for draft-gont-opsec-ipv6-nd-shield-00.txt
Date: Tue, 05 Jun 2012 06:05:24 -0700
From: internet-dra...@ietf.org
To: fg...@si6networks.com

A new version of I-D, draft-gont-opsec-ipv6-nd-shield-00.txt has been successfully submitted by Fernando Gont and posted to the IETF repository.

Filename: draft-gont-opsec-ipv6-nd-shield
Revision: 00
Title: Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks
Creation date: 2012-06-05
WG ID: Individual Submission
Number of pages: 22

Abstract:
This document specifies a mechanism that can be implemented in layer-2 devices to mitigate attack vectors based on Neighbor Discovery messages. It is meant to complement other mechanisms implemented in layer-2 devices such as Router Advertisement Guard (RA-Guard) and DHCPv6-Shield, with the goal of achieving a comprehensive IPv6 First Hop Security solution. This document is motivated by the desire to achieve feature parity with IPv4 with respect to First Hop Security mechanisms.

The IETF Secretariat

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/