On 01/31/2014 10:59 AM, Aurélien wrote:
>
> I personally verified that this type of attack works with at least one
> major firewall vendor, provided you know/guess reasonably well the
> network behind it. (I'm not implying that this is a widespread attack type).
>
> I also found this paper: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> I'm looking for other information sources, do you know other papers
> dealing with this problem? Why do you think this is FUD?

The attack does work. But the reason it works is because the
implementations are sloppy in this respect: they don't enforce limits on
the size of the data structures they manage.

The IPv4 subnet size enforces an artificial limit on things such as the
ARP cache. A /64 removes such an artificial limit. However, you shouldn't
be relying on such a limit. You should enforce a real one in the
implementation itself.

And it's not just the NC. There are implementations that do not limit the
number of addresses they configure, that do not limit the number of
entries in the routing table, etc.

If you want to play, please take a look at the ipv6toolkit:
<http://www.si6networks.com/tools/ipv6toolkit>. On the same page, you'll
also find a PDF that discusses ND attacks, and that tells you how to
reproduce the attack with the toolkit.

Besides, each manual page of the toolkit (ra6(1), na6(1), etc.) has an
EXAMPLES section that provides popular ways to run each tool.

Thanks!

Cheers,
-- 
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
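
Added example, not part of the original message and not code from any implementation or tool named in the thread: a minimal sketch of a neighbor cache that enforces its own size limits instead of relying on the subnet size. The names (nc_start_resolution, nc_confirm), the two limits and the eviction policy (recycle the oldest unresolved entry, never a confirmed one) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define NC_MAX        8  /* hard cap on all entries (assumed value) */
#define NC_MAX_INCOMP 3  /* budget for unresolved entries (assumed value) */

enum nc_state { NC_FREE, NC_INCOMPLETE, NC_REACHABLE };
struct nc_entry { uint8_t addr[16]; enum nc_state state; uint64_t created; };
struct nc { struct nc_entry e[NC_MAX]; uint64_t clock; };

static int nc_count(const struct nc *c, enum nc_state s) {
    int n = 0;
    for (int i = 0; i < NC_MAX; i++) n += (c->e[i].state == s);
    return n;
}

static struct nc_entry *nc_find(struct nc *c, const uint8_t a[16]) {
    for (int i = 0; i < NC_MAX; i++)
        if (c->e[i].state != NC_FREE && !memcmp(c->e[i].addr, a, 16))
            return &c->e[i];
    return NULL;
}

/* A packet needs address a resolved. Returns 1 if an entry exists or was
 * created, 0 if the request was dropped because no slot may be used. */
int nc_start_resolution(struct nc *c, const uint8_t a[16]) {
    struct nc_entry *slot = NULL, *oldest = NULL;
    if (nc_find(c, a)) return 1;
    for (int i = 0; i < NC_MAX; i++) {
        struct nc_entry *e = &c->e[i];
        if (e->state == NC_FREE && !slot) slot = e;
        if (e->state == NC_INCOMPLETE && (!oldest || e->created < oldest->created))
            oldest = e;
    }
    /* Budget spent or table full: recycle the oldest unresolved entry.
     * A REACHABLE (confirmed) neighbor is never evicted for an unresolved one. */
    if (!slot || nc_count(c, NC_INCOMPLETE) >= NC_MAX_INCOMP) slot = oldest;
    if (!slot) return 0;
    memcpy(slot->addr, a, 16);
    slot->state = NC_INCOMPLETE;
    slot->created = ++c->clock;
    return 1;
}

/* A Neighbor Advertisement for a arrived. Only a pending entry is promoted;
 * an advertisement nobody asked for does not create state. */
int nc_confirm(struct nc *c, const uint8_t a[16]) {
    struct nc_entry *e = nc_find(c, a);
    if (!e) return 0;
    e->state = NC_REACHABLE;
    return 1;
}
```

With these limits, traffic to any number of distinct unresolved addresses in a /64 occupies at most NC_MAX_INCOMP slots, and neighbors that have already answered stay in the cache.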
