[134496] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Bill Bogstad)
Thu Jan 6 10:24:03 2011
In-Reply-To: <AANLkTin10qow6Tt+YMfX8OienxixCqH57movhRj3uvSZ@mail.gmail.com>
Date: Thu, 6 Jan 2011 10:23:17 -0500
From: Bill Bogstad <bogstad@pobox.com>
To: Jeff Wheeler <jsw@inconcepts.biz>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
> On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <owen@delong.com> wrote:
>>> You must also realize that the stateful firewall has the same problems
>> Uh, not exactly...
>
> Of course it does. The stateful firewall must either 1) be vulnerable
> to the same form of NDP attack; or 2) have a list of allocated v6
> addresses on the LAN. The reason is simple; a "stateful firewall" is
> no more able to store a 2**64 table than is a "router." Calling it
> something different doesn't change the math. If you choose to solve
> the problem by disabling NDP or allowing NS only for a list of "valid"
> addresses on the subnet, this can be done by a stateless router just
> like on a stateful firewall.
>
>> Uh, no it doesn't. It just needs a list of the hosts which are permitted
>> to receive inbound connections from the outside. That's the whole
>
> This solution falls apart as soon as there is a compromised host on
> the LAN, in which case the firewall (or router) NDP table can again be
> filled completely by that compromised/malicious host. In addition,
> the "stateful firewall," by virtue of having connection state, does
> not solve the inbound NDP attack issue. The list of hosts which can
> result in an NDP NS is what causes this, and such a list may be
> present in a stateless router; but in both cases, it needs to be
> configured.
Err, almost everything falls apart once you allow a
compromised/malicious host on the local LAN. If you have
circumstances where this may happen on anything like a regular basis,
you really need all kinds of control/monitoring of traffic that goes far
beyond any local NDP overflow issues.
Bill Bogstad
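The exchange above turns on one mechanism: a router or firewall in front of a /64 cannot keep a neighbor cache entry for every address an outside sender might probe, and the mitigation Jeff describes is to let only a configured list of "valid" on-link addresses trigger Neighbor Solicitations. The following is an added illustration, not code from this thread or from any vendor: a deliberately simplified model of a bounded neighbor cache, run once without and once with such an allowlist. The subnet (2001:db8:0:1::/64), the cache limit, the scan size and the three "valid" hosts are constructed values; the model covers only the inbound-scan side and does not represent the on-link malicious-host case Jeff raises.

```python
import ipaddress

# Constructed values for the illustration.
PREFIX = ipaddress.ip_network("2001:db8:0:1::/64")
MAX_ENTRIES = 1024                       # neighbor cache capacity of the modelled router
VALID_HOSTS = frozenset(str(PREFIX[i]) for i in (0x10, 0x1a, 0x2c))


class NeighborCache:
    """Simplified neighbor cache: one entry per on-link destination the router
    has had to resolve, capped at max_entries (no timers or eviction modelled)."""

    def __init__(self, max_entries, allowed=None):
        self.max_entries = max_entries
        self.allowed = None if allowed is None else frozenset(allowed)
        self.entries = {}                # destination address -> entry state
        self.ns_sent = 0
        self.dropped = 0

    def forward(self, dst):
        """Model what happens to one packet arriving for on-link address dst."""
        if dst in self.entries:
            return "forwarded"           # link-layer address already known
        if self.allowed is not None and dst not in self.allowed:
            self.dropped += 1
            return "dropped"             # not a configured host: no NS, no entry
        if len(self.entries) >= self.max_entries:
            self.dropped += 1
            return "cache-full"          # resolution impossible, packet lost
        self.entries[dst] = "INCOMPLETE" # NS goes out, entry parked until an NA arrives
        self.ns_sent += 1
        return "ns-sent"


def unknown_destinations(count, start=0x10000):
    """Yield `count` consecutive addresses in PREFIX that belong to no real host
    (constructed stand-in for an outside sender walking the /64)."""
    base = int(PREFIX.network_address)
    for i in range(count):
        yield str(ipaddress.IPv6Address(base + start + i))


def simulate(allowed=None, scan_size=5000, max_entries=MAX_ENTRIES):
    """Run a scan of `scan_size` unknown destinations through the cache, then
    see whether a real, not-yet-cached host (PREFIX[0x1a]) can still be reached."""
    cache = NeighborCache(max_entries, allowed)
    for dst in unknown_destinations(scan_size):
        cache.forward(dst)
    legit = cache.forward(str(PREFIX[0x1a]))
    return {
        "cache_size": len(cache.entries),
        "ns_sent": cache.ns_sent,
        "dropped": cache.dropped,
        "legit_host": legit,
    }


if __name__ == "__main__":
    print("no allowlist :", simulate())
    print("with allowlist:", simulate(allowed=VALID_HOSTS))
```

Without the allowlist the cache fills to its limit and the real host's first packet is lost with "cache-full"; with the allowlist the scan produces no NS and no entries, so the cache can never hold more than the configured hosts, which is the point that the same list has to exist whether the box is called a router or a stateful firewall.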