Hello to the list and RA guard evasion technique
Matt Addison
matt.addison at lists.evilgeni.us
Sun May 29 15:51:44 CEST 2011
On May 29, 2011, at 7:54, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:
> But, you obviously have found a work-around around the work-around: overlapping fragments. Especially if hosts accept it... (which is weird BTW but what can we do?). The theoretical mitigation would force re-assembly in the switch which could lead to a DoS which could be worse as it breaks other layer-2 broadcast domains.
This could be mitigated somewhat by only punting multicast fragments
for reassembly, and providing a limited number of reassembly buffers.
To reduce the DoS concern you could rate limit the incoming punted
fragments, or limit how many buffers are concurrently held by an end
system (buffers per port? buffers per MAC address?). Presumably the
hardware can support this selective punting as it can drop unknown
fragments and untrusted RAs in the fast path?
~Matt
More information about the ipv6-ops
mailing list