NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

Jimmy Hess mysidia at gmail.com
Fri Jul 15 03:24:08 UTC 2011


On Thu, Jul 14, 2011 at 9:35 PM, Jared Mauch <jared at puck.nether.net> wrote:
> On Jul 14, 2011, at 10:06 PM, Fernando Gont <fernando at gont.com.ar> wrote:
> Anyone on a layer-2 network can do something interesting like flood all f's and kill the lan. Trying to keep the majority of thoughts here for layer-3 originated attacks, even if the target is a layer2 item.
> - Jared

In most cases if you have a DoS attack coming from the same Layer-2
network that a router is attached to,
it would mean there was already a serious security incident  that
occured to give the attacker that special point to attack from.

A similarly hazardous situation exists with IPv4,  and it is basically
unheard of  for IPv4's Layer 2/ARP security weaknesses to be exploited
to create a DoS condition, even though they can be (very easily),
IPv4  Layer 2 DoS conditions are often due to a malfunction or error
than intended attack;   more likely,   IPv6 Layer 2 security
weaknesses will be used to  intercept traffic for snooping, or quietly
subvert network policy.   LAN DoS conditions are noticed quickly, and
usually result in physical unplugging of the attacking  (or
malfunctioning)  node.

Methods can be designed to protect against spoofed NDP flooding on the
LAN that do not require the router's involvement.

For IPv4 switched networks there is a technology referred to as
'Dynamic ARP Inspection'.

Untrusted IPv6 LAN environments will need to implement SEND  or  some
form of  'Dynamic ND inspection'   plus RA-guard.

If it comes down to   solving a  remote DoS issue at the cost of
creating a LAN DoS issue that comes down to   'hosts on the LAN having
to spoof'

I would say that's easily well worth it.

--
-JH




More information about the NANOG mailing list