On 08/10/13 16:13, Andrew Yourtchenko wrote:
1. Should the Cisco WLC IPv6 FHS stuff be blocking these, given the
target IP is the HSRP VIP and is obviously not on a client?
No. NS is merely a query - it does not affect anything. It's the NAs
that you'd need to be worried about and have blocked. (And indeed they
were blocked for me and reflected in the WLC counters as 'martian').
Ok thanks, this is very helpful - I was slightly concerned they might
have an effect analogous to grat.-arp packets, but if they're neither
being leaked to other clients nor having that effect, I can rest easy
and just whitelist them in our SEC config file for the time being.
Also, because the target is on the wired, you do not need to worry
about the bandwidth saving
Good to know.
Do I need to
be worried about them?
Depends on what their source is. I'd investigate, because:
I would like to, but I think it's unlikely we'll get hands-on on a
device. These are customer-owned and we've few ways (and no real desire)
to force them to let us take a look.
a) If those are seen only with HTC as another mail points out, I can
So far today, all the MAC prefixes have indeed been HTC, running Android.
b) OTOH, it could well be someone who either used some badly written
attack tool or did not RTFM properly before attempting to play around.
:-)
FWIW it's a WPA2-Enterprise SSID and the MACs are all associated with
different users, so I'm leaning away from that explanation.
Anyway in my quick lab test the NS for default gateway's address
always got sent up the wired side but never to any other wireless
clients - so it's only this client which will suffer the consequences.
That's the key bit of info for me, really :o)
I'll try to get hands on a device, and see if I can identify the cause.
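The distinction Andrew draws above (an NS for the gateway address is only a query; an NA claiming that address is what would rewrite neighbour caches, and is what the WLC counts as 'martian') can be checked on captured traffic. The classifier below is an added example written for this thread, not code from the list or from Cisco; the HSRP VIP and client addresses are constructed placeholders and the packets are built inline with a zero ICMPv6 checksum.

```python
import ipaddress
import struct

ICMPV6_NS = 135
ICMPV6_NA = 136
NA_FLAG_OVERRIDE = 0x20  # O bit in the NA flags byte (RFC 4861)

# Hypothetical HSRP VIP; substitute the real gateway address(es) when used.
GATEWAY_VIPS = {ipaddress.IPv6Address("fe80::5:73ff:fea0:1")}


def build_nd(icmp_type, src, dst, target, flags=0):
    """Construct a minimal IPv6 + ICMPv6 ND packet for testing (checksum 0)."""
    icmp = struct.pack("!BBHB3x16s", icmp_type, 0, 0, flags, target.packed)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, 255,
                      src.packed, dst.packed)
    return ip6 + icmp


def classify_nd(pkt, vips=GATEWAY_VIPS):
    """Classify a raw IPv6 packet seen on the wireless side.

    NS for a gateway VIP is harmless (answered on the wired side) and only
    worth counting; an NA whose target is a gateway VIP came from a client
    that cannot legitimately own it, so it is the packet to drop and alert on.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return {"kind": "other", "verdict": "ignore"}
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if len(icmp) < 24 or icmp[0] not in (ICMPV6_NS, ICMPV6_NA):
        return {"kind": "other", "verdict": "ignore"}
    target = ipaddress.IPv6Address(icmp[8:24])
    if icmp[0] == ICMPV6_NS:
        return {"kind": "NS", "src": src, "target": target,
                "verdict": "count" if target in vips else "allow"}
    override = bool(icmp[4] & NA_FLAG_OVERRIDE)
    martian = target in vips or src in vips
    return {"kind": "NA", "src": src, "target": target, "override": override,
            "verdict": "drop-martian" if martian else "allow"}
```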