On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <j...@inconcepts.biz> wrote:
> On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <o...@delong.com> wrote:
>>> You must also realize that the stateful firewall has the same problems
>> Uh, not exactly...
>
> Of course it does. The stateful firewall must either 1) be vulnerable
> to the same form of NDP attack; or 2) have a list of allocated v6
> addresses on the LAN. The reason is simple; a "stateful firewall" is
> no more able to store a 2**64 table than is a "router." Calling it
> something different doesn't change the math. If you choose to solve
> the problem by disabling NDP or allowing NS only for a list of "valid"
> addresses on the subnet, this can be done by a stateless router just
> like on a stateful firewall.
>
>> Uh, no it doesn't. It just needs a list of the hosts which are permitted
>> to receive inbound connections from the outside. That's the whole
>
> This solution falls apart as soon as there is a compromised host on
> the LAN, in which case the firewall (or router) NDP table can again be
> filled completely by that compromised/malicious host. In addition,
> the "stateful firewall," by virtue of having connection state, does
> not solve the inbound NDP attack issue. The list of hosts which can
> result in an NDP NS is what causes this, and such a list may be
> present in a stateless router; but in both cases, it needs to be
> configured.
Err, almost everything falls apart once you allow a compromised/malicious host on the local LAN. If you have circumstances where this may happen on anything like a regular basis, you really need all kinds of control/monitoring of traffic that go far beyond any local NDP overflow issues.

Bill Bogstad
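The two policies the thread argues about (a finite neighbor table that solicits for any destination on the /64, versus one that only solicits for a configured list of valid hosts) can be modelled in a few dozen lines. The Python below is an added illustration, not code from anyone in the thread or from any router vendor; the prefix 2001:db8:1::/64, the cap of four unresolved entries, the host addresses and the 20-packet replay are all constructed for the example. It shows that the allow-list keeps the INCOMPLETE count at zero for inbound traffic to unassigned addresses, and also the caveat Jeff raises: a legitimate host that is not on the list is dropped until someone configures it.

```python
"""Model of an IPv6 router/firewall neighbor cache under two policies:
(a) solicit for any destination inside the on-link /64, bounded only by a
    finite table of unresolved (INCOMPLETE) entries, or
(b) solicit only for destinations in a configured list of valid hosts.
All addresses are constructed sample values."""
import ipaddress
from collections import OrderedDict


class NeighborCache:
    """Bounded neighbor cache.  An entry is INCOMPLETE while a Neighbor
    Solicitation is outstanding and REACHABLE once the link-layer address
    is known.  max_incomplete stands in for the finite memory no device can
    stretch to a 2**64-entry table (assumed value, see lead-in)."""

    def __init__(self, prefix, max_incomplete=4, allowed=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.max_incomplete = max_incomplete
        # Policy (b): the set of addresses the device will send NS for.
        # None means policy (a): solicit for anything on the prefix.
        self.allowed = (
            {ipaddress.ip_address(a) for a in allowed} if allowed is not None else None
        )
        self.entries = OrderedDict()   # address -> "INCOMPLETE" | "REACHABLE"
        self.dropped = 0               # packets discarded without resolution

    def incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")

    def learn(self, addr):
        """A host on the LAN answered an NS (or was statically configured)."""
        self.entries[ipaddress.ip_address(addr)] = "REACHABLE"

    def inbound(self, dst):
        """An off-link packet arrives for dst.  Returns the action taken:
        'forward' (neighbor known), 'ns' (solicitation sent, entry left
        INCOMPLETE) or 'drop'."""
        dst = ipaddress.ip_address(dst)
        if dst not in self.prefix:
            self.dropped += 1
            return "drop"
        if self.entries.get(dst) == "REACHABLE":
            return "forward"
        # Policy (b): never solicit for an address that is not a listed host.
        if self.allowed is not None and dst not in self.allowed:
            self.dropped += 1
            return "drop"
        if dst in self.entries:          # solicitation already outstanding
            return "ns"
        # Policy (a) with a finite table: once the unresolved slots are full,
        # refuse new solicitations rather than evicting reachable neighbors,
        # so already-resolved hosts keep working.
        if self.incomplete_count() >= self.max_incomplete:
            self.dropped += 1
            return "drop"
        self.entries[dst] = "INCOMPLETE"
        return "ns"


def scan_scenario(allowed=None, n_random=20):
    """Replay (constructed): one real host resolves, then n_random packets
    arrive for never-assigned addresses in the /64, then one more packet for
    the real host.  Returns (INCOMPLETE entries, dropped packets, action
    taken for the real host's final packet)."""
    cache = NeighborCache("2001:db8:1::/64", max_incomplete=4, allowed=allowed)
    real_host = "2001:db8:1::10"
    cache.learn(real_host)
    for i in range(1, n_random + 1):
        cache.inbound(f"2001:db8:1::dead:{i:x}")   # constructed, unassigned
    return cache.incomplete_count(), cache.dropped, cache.inbound(real_host)


if __name__ == "__main__":
    print("any-destination policy :", scan_scenario())
    print("allow-list policy      :", scan_scenario(allowed=["2001:db8:1::10"]))
```

Under policy (a) the replay leaves the four unresolved slots full and drops the remaining packets to unassigned addresses, while the already-resolved host still forwards; under policy (b) no INCOMPLETE entry is ever created, because the device never solicits for an address it was not told about. The same `NeighborCache` object also shows the maintenance cost: calling `inbound()` for a real but unlisted host returns `'drop'` until that host is added to `allowed`.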