[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Anybody can participate in the IETF (Was: Why is IPv6 broken?)



On Mon, Jul 11, 2011 at 5:03 PM, Jeff Wheeler <jsw at inconcepts.biz> wrote:
> On Mon, Jul 11, 2011 at 5:12 PM, Owen DeLong <owen at delong.com> wrote:
>> No... I like SLAAC and find it useful in a number of places. What's wrong
>> with /64? Yes, we need better DOS protection in switches and routers

> See my slides http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf for
> why no vendor's implementation is effective "DOS protection" today and
> how much complexity is involved in doing it correctly, which requires
[snip]

If every vendor's implementation is vulnerable to a NDP Exhaustion
vulnerability,
how come the behavior of specific routers has not been documented specifically?

If  "zero" devices are not vulnerable, you came to this conclusion
because you tested
every single implementation against IPv6 NDP DoS,  or?

How come there are no security advisories.
What's the CWE or CVE number for this vulnerability?

I'm not denying the that NDP overflow might be a DoS issue for all IPv6
routers,  but I haven't seen   any specific documentation from vendors
or security
researchers about specific DoS conditions that can be caused by NDP overflow
on particular devices....

It would be useful to at least have the risk properly described, in
terms of what
kind of DoS condition could arise on specific implementations.


Regards,
--
-JH