[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

On 07/11/2011 09:17 PM, Karl Auer wrote:
> I realise this is not "specific implementations" as you requested, but
> it seems to me that the problem is generic enough not to require that.
> The attack is made possible by the design of the protocol, not any
> failing of specific implementations. Specific implementations need to
> describe what they've done about it (mitigation or prevention).

Vulnerability to this specific issues has a great deal to do with the
implementation. After all, whenever there's a data structure that can
potentially grow out of bounds (or hit a limit), it becomes a resource
management issue.

In this particular case, if the implementation enforces a limit on the
number of entries in the "INCOMPLETE" state, then only nodes that have
never communicated with the outside world could be affected by this
attack. And if those entries that are in the "INCOMPLETE" state are
pruned periodically (e.g. in a round-robin fashion), chances are that
even those "new hosts" would be able to get into the neighbor cache and
hence remain unaffected by this attack.

Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1