Hello to the list and RA guard evasion technique

Fernando Gont fernando at gont.com.ar
Wed Jun 1 06:32:24 CEST 2011


On 05/29/2011 10:51 AM, Matt Addison wrote:

> This could be mitigated somewhat by only punting multicast fragments 
> for reassembly, and providing a limited number of reassembly
> buffers. To reduce the DoS concern you could rate limit the incoming
> punted fragments, or limit how many buffers are concurrently held by
> an end system (buffers per port? buffers per MAC address?).
> Presumably the hardware can support this selective punting as it can
> drop unknown fragments and untrusted RAs in the fast path?

At the point your limits are hit, you need to start dropping fragments,
and hence you run the risk of false negatives.

Thanks,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1