[142656] in North American Network Operators' Group


Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?)

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Mon Jul 11 19:48:39 2011

In-Reply-To: <CAPWAtbJBLMTT9ySBgob1CjAOsVJGeGvb4jO5043=-WD7q_-vWA@mail.gmail.com>
Date: Mon, 11 Jul 2011 18:48:33 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Jeff Wheeler <jsw@inconcepts.biz>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Jul 11, 2011 at 5:03 PM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
> On Mon, Jul 11, 2011 at 5:12 PM, Owen DeLong <owen@delong.com> wrote:
>> No... I like SLAAC and find it useful in a number of places. What's wrong
>> with /64? Yes, we need better DOS protection in switches and routers

> See my slides http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf for
> why no vendor's implementation is effective "DOS protection" today and
> how much complexity is involved in doing it correctly, which requires
[snip]

If every vendor's implementation is vulnerable to an NDP Exhaustion
vulnerability, how come the behavior of specific routers has not been
documented specifically?

If "zero" devices are not vulnerable, did you come to this conclusion
because you tested every single implementation against IPv6 NDP DoS, or?

How come there are no security advisories?
What's the CWE or CVE number for this vulnerability?

I'm not denying that NDP overflow might be a DoS issue for all IPv6
routers, but I haven't seen any specific documentation from vendors or
security researchers about specific DoS conditions that can be caused by
NDP overflow on particular devices....

It would be useful to at least have the risk properly described, in terms
of what kind of DoS condition could arise on specific implementations.


Regards,
--
-JH
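[Editor's note, not part of the message above.] The DoS condition the post asks to have described is the one the thread calls NDP exhaustion and that RFC 6583 ("Operational Neighbor Discovery Problems", 2012) later wrote up: a router with a directly attached /64 must send a Neighbor Solicitation, and hold an INCOMPLETE neighbor-cache entry, for every packet it forwards to an address it has never resolved, so a remote sender sweeping the 2^64 addresses of that prefix fills the cache with entries nobody will ever answer. The model below is an added illustration written for this page, not code from the thread, from Jeff Wheeler's slides, or from any vendor. Everything about it is an assumption chosen to make the mechanism visible: a 1024-entry cache, a 3 second INCOMPLETE timeout, a cache that refuses new entries when full (real implementations differ; some evict old entries instead, which hurts already-resolved neighbors rather than new ones), immediate resolution for hosts that exist, and a constructed 10 kpps sweep of the documentation prefix 2001:db8::/64. It also computes the packet rate that sustains the condition, which is just cache size divided by the INCOMPLETE timeout.

```python
"""Constructed model of IPv6 neighbor-cache exhaustion on a router's
directly attached /64. Added illustration, not code from the NANOG thread
or from any vendor; cache size, timeouts, policy and rates are assumptions."""
import ipaddress
import random
from collections import OrderedDict

INCOMPLETE = "INCOMPLETE"   # NS sent, no NA received yet (RFC 4861 state)
REACHABLE = "REACHABLE"

US = 1                      # all times are integer microseconds
SECOND = 1_000_000 * US


class NeighborCache:
    """Bounded neighbor cache that refuses new entries when full (assumed
    policy; other implementations evict old entries instead)."""

    def __init__(self, max_entries, incomplete_timeout_us):
        self.max_entries = max_entries
        self.incomplete_timeout_us = incomplete_timeout_us
        self.entries = OrderedDict()        # addr -> (state, expiry_us)
        self.solicitations_sent = 0
        self.drops_cache_full = 0

    def count(self, state):
        return sum(1 for s, _ in self.entries.values() if s == state)

    def expire(self, now_us):
        stale = [a for a, (_, exp) in self.entries.items() if exp <= now_us]
        for addr in stale:
            del self.entries[addr]

    def forward(self, dst, now_us, live_hosts):
        """Router receives a packet whose destination is on the attached /64."""
        self.expire(now_us)
        entry = self.entries.get(dst)
        if entry is not None:
            return "delivered" if entry[0] == REACHABLE else "pending"
        if len(self.entries) >= self.max_entries:
            # No slot for a new NS: the packet is lost and dst stays unresolved.
            self.drops_cache_full += 1
            return "dropped: neighbor cache full"
        self.solicitations_sent += 1
        if dst in live_hosts:
            # The host answers the NS; resolution is modelled as immediate.
            self.entries[dst] = (REACHABLE, now_us + 30 * SECOND)
            return "delivered"
        # Nobody owns dst: the entry sits INCOMPLETE until it times out,
        # holding a slot that cost the attacker exactly one packet.
        self.entries[dst] = (INCOMPLETE, now_us + self.incomplete_timeout_us)
        return "pending"


def sustain_rate_pps(max_entries, incomplete_timeout_us):
    """Packets per second needed to keep the cache permanently full: each
    slot must be re-taken as soon as its INCOMPLETE entry times out."""
    return max_entries * SECOND / incomplete_timeout_us


def simulate(max_entries=1024, incomplete_timeout_us=3 * SECOND,
             attack_packets=5000, attack_interval_us=100, seed=1):
    """Sweep random interface IDs in 2001:db8::/64 (constructed traffic),
    then probe a host resolved before the sweep and one first seen after it."""
    rng = random.Random(seed)
    prefix = int(ipaddress.IPv6Network("2001:db8::/64").network_address)
    old_host = ipaddress.IPv6Address("2001:db8::1")   # hypothetical hosts
    new_host = ipaddress.IPv6Address("2001:db8::2")
    live = {old_host, new_host}
    cache = NeighborCache(max_entries, incomplete_timeout_us)

    now = 0
    cache.forward(old_host, now, live)            # resolved before the sweep
    for _ in range(attack_packets):
        now += attack_interval_us                 # 100 us apart = 10 kpps
        dst = ipaddress.IPv6Address(prefix | rng.getrandbits(64))
        cache.forward(dst, now, live)
    now += attack_interval_us
    return {
        "incomplete_entries": cache.count(INCOMPLETE),
        "attacker_refused": cache.drops_cache_full,
        "old_host": cache.forward(old_host, now, live),
        "new_host": cache.forward(new_host, now, live),
        "sustain_pps": sustain_rate_pps(max_entries, incomplete_timeout_us),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Under these assumptions the sweep needs only 1023 accepted packets to take every free slot; the host resolved beforehand keeps working, the host first seen afterwards never gets a Neighbor Solicitation, and roughly 341 packets per second (1024 entries over a 3 second timeout) keep it that way indefinitely. Change the policy to evict-oldest and the outcome flips: new hosts resolve but already-resolved neighbors get pushed out, which is the other flavor of the same condition. Which of the two a given platform exhibits, and at what cache size and timeout, is exactly the per-device information the post above says is missing.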

