NIST IPv6 document

Bill Bogstad bogstad at
Thu Jan 6 09:23:17 CST 2011

On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <jsw at> wrote:
> On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <owen at> wrote:
>>> You must also realize that the stateful firewall has the same problems
>> Uh, not exactly...
> Of course it does.  The stateful firewall must either 1) be vulnerable
> to the same form of NDP attack; or 2) have a list of allocated v6
> addresses on the LAN.  The reason is simple; a "stateful firewall" is
> no more able to store a 2**64 table than is a "router."  Calling it
> something different doesn't change the math.  If you choose to solve
> the problem by disabling NDP or allowing NS only for a list of "valid"
> addresses on the subnet, this can be done by a stateless router just
> like on a stateful firewall.
>> Uh, no it doesn't. It just needs a list of the hosts which are permitted
>> to receive inbound connections from the outside. That's the whole
> This solution falls apart as soon as there is a compromised host on
> the LAN, in which case the firewall (or router) NDP table can again be
> filled completely by that compromised/malicious host.  In addition,
> the "stateful firewall," by virtue of having connection state, does
> not solve the inbound NDP attack issue.  The list of hosts which can
> result in an NDP NS is whats causes this, and such a list may be
> present in a stateless router; but in both cases, it needs to be
> configured.

Err, almost everything falls apart once you allow a
compromised/malicious host on the local LAN.   If you have
circumstances where this may happen on anything like a regular basis,
you really need all kinds of control/monitoring of traffic that go far
beyond any local NDP overflow issues.

Bill Bogstad

More information about the NANOG mailing list