Hello to the list and RA guard evasion technique

Matt Addison matt.addison at lists.evilgeni.us
Sun May 29 15:51:44 CEST 2011


On May 29, 2011, at 7:54, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:

> But, you obviously have found a work-around around the work-around: overlapping fragments. Especially if hosts accept it... (which is weird BTW but what can we do?). The theoretical mitigation would force re-assembly in the switch which could lead to a DoS which could be worse as it breaks other layer-2 broadcast domains.

This could be mitigated somewhat by only punting multicast fragments
for reassembly, and providing a limited number of reassembly buffers.
To reduce the DoS concern you could rate limit the incoming punted
fragments, or limit how many buffers are concurrently held by an end
system (buffers per port? buffers per MAC address?). Presumably the
hardware can support this selective punting as it can drop unknown
fragments and untrusted RAs in the fast path?

~Matt



More information about the ipv6-ops mailing list