Hello to the list and RA guard evasion technique

Fernando Gont fernando at gont.com.ar
Wed Jun 1 06:25:06 CEST 2011


On 05/29/2011 08:53 AM, Eric Vyncke (evyncke) wrote:

> But, you obviously have found a work-around around the work-around:
> overlapping fragments. Especially if hosts accept it... (which is
> weird BTW but what can we do?). 

The specs have been updated recommending hosts not to accept them --
yes, it'll take time for all hosts to be updated, and some may probably
never be updated.


> The theoretical mitigation would
> force re-assembly in the switch which could lead to a DoS which could
> be worse as it breaks other layer-2 broadcast domains. The standard
> mitigation is SEND of course in all hosts which is not possible right
> now (BTW, I keep hearing rumors that MSFT could do it eventually!).

What about the PKI? How will they solve that?

Thanks,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
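
Added example, not part of the original message: a minimal Python sketch of the drop-on-overlap reassembly behaviour that the updated specs (RFC 5722) ask of hosts, so that an overlapping fragment can never rewrite what an earlier fragment showed. The helper names and the sample fragments are constructed for illustration, and treating exact duplicates as overlaps is a simplification.

```python
import struct

def parse_frag(data):
    """Split an 8-byte IPv6 Fragment extension header from its payload."""
    if len(data) < 8:
        raise ValueError("truncated Fragment header")
    next_hdr, _rsvd, off_flags, ident = struct.unpack("!BBHI", data[:8])
    offset = (off_flags >> 3) * 8   # 13-bit field counts 8-octet units
    more = bool(off_flags & 1)      # M flag: more fragments follow
    return ident, next_hdr, offset, more, data[8:]

def reassemble_strict(frags):
    """Return the reassembled payload, or None if the datagram is dropped.

    frags: raw bytes of each fragment, starting at the Fragment header, all
    assumed to come from the same source/destination pair.
    """
    parsed = sorted((parse_frag(f) for f in frags), key=lambda p: p[2])
    if not parsed or len({p[0] for p in parsed}) != 1:
        return None                 # nothing to do, or mixed Identification
    out, expected = b"", 0
    for i, (_id, _nh, offset, more, payload) in enumerate(parsed):
        last = i == len(parsed) - 1
        if offset < expected:
            return None             # overlap: discard the whole datagram
        if offset > expected:
            return None             # hole: datagram is incomplete
        if more and len(payload) % 8:
            return None             # non-final fragments must be 8-aligned
        if more == last:
            return None             # M flag disagrees with position
        out += payload
        expected = offset + len(payload)
    return out

def mk_frag(offset_units, more, payload, ident=0x1234, next_hdr=58):
    """Build a constructed sample fragment (next header 58 = ICMPv6)."""
    off_flags = (offset_units << 3) | int(more)
    return struct.pack("!BBHI", next_hdr, 0, off_flags, ident) + payload

if __name__ == "__main__":
    clean = [mk_frag(0, True, b"A" * 16), mk_frag(2, False, b"B" * 8)]
    overlap = [mk_frag(0, True, b"A" * 16), mk_frag(1, False, b"C" * 8)]
    print("clean:", reassemble_strict(clean))
    print("overlap:", reassemble_strict(overlap))
```
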





More information about the ipv6-ops mailing list