[142657] in North American Network Operators' Group
NDP DoS attack (was Re: Anybody can participate in the IETF (Was:
daemon@ATHENA.MIT.EDU (Karl Auer)
Mon Jul 11 20:18:24 2011
From: Karl Auer <kauer@biplane.com.au>
To: nanog@nanog.org
In-Reply-To: <CAAAwwbXDd-OoMPaSzXFhj1GAytFUOipvP+kd3sYZEfScRba4gA@mail.gmail.com>
Date: Tue, 12 Jul 2011 10:17:30 +1000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 2011-07-11 at 18:48 -0500, Jimmy Hess wrote:
> It would be useful to at least have the risk properly described, in
> terms of what kind of DoS condition could arise on specific implementations.
RFC3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats
Section 4.3.2
In this attack, the attacking node begins fabricating addresses with
the subnet prefix and continuously sending packets to them. The last
hop router is obligated to resolve these addresses by sending
neighbor solicitation packets. A legitimate host attempting to enter
the network may not be able to obtain Neighbor Discovery service from
the last hop router as it will be already busy with sending other
solicitations. This DoS attack is different from the others in that
the attacker may be off-link. The resource being attacked in this
case is the conceptual neighbor cache, which will be filled with
attempts to resolve IPv6 addresses having a valid prefix but invalid
suffix. This is a DoS attack.
The above RFC and RFC3971 (SEND) both have good descriptions of a BUNCH
of possible attacks. RFC3971 is a bit dismissive IMHO of this particular
attack.
I realise this is not "specific implementations" as you requested, but
it seems to me that the problem is generic enough not to require that.
The attack is made possible by the design of the protocol, not any
failing of specific implementations. Specific implementations need to
describe what they've done about it (mitigation or prevention).
Regards, K.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
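The neighbor cache exhaustion that RFC 3756 section 4.3.2 describes can be seen in a toy model, added here as an illustration (it is not part of the original message and not any router's implementation). It compares one shared pool of cache entries with a pool that caps unresolved (INCOMPLETE) entries separately. The cache size, traffic rate, cap of 64 and all names are assumptions; the 3-tick timeout stands for the RFC 4861 defaults of three solicitations one second apart.

```python
from collections import OrderedDict
import ipaddress

RESOLVE_TICKS = 3  # MAX_MULTICAST_SOLICIT (3) x RETRANS_TIMER (1 s), RFC 4861 defaults

class NeighborCache:
    """Toy model of a router's conceptual neighbor cache (hypothetical, for illustration)."""
    def __init__(self, capacity, incomplete_cap=None):
        self.capacity = capacity
        # None = one shared pool; a number = hard limit on unresolved entries
        self.incomplete_cap = incomplete_cap
        self.entries = OrderedDict()  # addr -> [state, expiry tick]

    def incomplete(self):
        return sum(1 for s, _ in self.entries.values() if s == "INCOMPLETE")

    def tick(self, now):
        # Unanswered solicitations time out and free their slot
        for addr in [a for a, (s, exp) in self.entries.items()
                     if s == "INCOMPLETE" and exp <= now]:
            del self.entries[addr]

    def packet_for(self, addr, now):
        """Router must forward to addr: start resolution if there is room."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False
        if self.incomplete_cap is not None and self.incomplete() >= self.incomplete_cap:
            return False
        self.entries[addr] = ["INCOMPLETE", now + RESOLVE_TICKS]
        return True

    def learn(self, addr):
        """Host announced itself (e.g. an NS carrying its link-layer address)."""
        if addr not in self.entries and len(self.entries) >= self.capacity:
            return False
        self.entries[addr] = ["STALE", None]
        return True

def simulate(incomplete_cap, capacity=512, rate=1000, ticks=10):
    prefix = ipaddress.ip_network("2001:db8:0:1::/64")  # documentation prefix
    cache = NeighborCache(capacity, incomplete_cap)
    for now in range(ticks):
        cache.tick(now)
        for i in range(rate):  # constructed traffic to nonexistent interface IDs
            cache.packet_for(prefix[0x10000 + now * rate + i], now)
    host_ok = cache.learn(prefix[0x42])  # legitimate host joins during the load
    return host_ok, cache.incomplete()
```

`simulate(None)` models the shared pool, where the legitimate host finds no free slot; `simulate(64)` models the capped pool, where unresolved entries cannot crowd out hosts that announce themselves.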