Hello to the list and RA guard evasion technique

Erik Kline ek at google.com
Tue May 31 22:28:32 CEST 2011


On 29 May 2011 13:51, Matt Addison <matt.addison at lists.evilgeni.us> wrote:
> On May 29, 2011, at 7:54, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:
>
>> But, you obviously have found a work-around around the work-around: overlapping fragments. Especially if hosts accept it... (which is weird BTW but what can we do?). The theoretical mitigation would force re-assembly in the switch which could lead to a DoS which could be worse as it breaks other layer-2 broadcast domains.
>
> This could be mitigated somewhat by only punting multicast fragments
> for reassembly, and providing a limited number of reassembly buffers.
> To reduce the DoS concern you could rate limit the incoming punted
> fragments, or limit how many buffers are concurrently held by an end
> system (buffers per port? buffers per MAC address?). Presumably the
> hardware can support this selective punting as it can drop unknown
> fragments and untrusted RAs in the fast path?

But someone could still target individuals by trying to send them
these specially crafted unicast RAs.
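
A small model of the selective-punt policy proposed in the quoted text, showing both the per-port buffer cap and the unicast gap noted in the reply. This is an added example, not part of the original thread; the class name, the cap of 4 buffers, the decision labels and the sample addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

class PuntPolicy:
    """Model of the proposal: punt only multicast fragments, cap buffers per port."""

    def __init__(self, max_per_port=4):  # cap value is an assumption
        self.max_per_port = max_per_port
        self.held = defaultdict(set)  # port -> {(src, dst, frag_id)} being reassembled

    def classify(self, port, src, dst, frag_id=None):
        if frag_id is None:
            return "fast-path"  # unfragmented: ordinary RA guard can inspect it
        if not ipaddress.IPv6Address(dst).is_multicast:
            return "forward-uninspected"  # the gap raised in the reply
        bufs, key = self.held[port], (src, dst, frag_id)
        if key not in bufs:
            if len(bufs) >= self.max_per_port:
                return "drop"  # port has used up its reassembly buffers
            bufs.add(key)
        return "punt"

    def release(self, port, src, dst, frag_id):
        """Reassembly finished or timed out: free the buffer."""
        self.held[port].discard((src, dst, frag_id))

def run_sample():
    """Constructed traffic, not captured data: (port, src, dst, frag_id)."""
    p = PuntPolicy(max_per_port=4)
    out = {}
    out["flood"] = [p.classify(1, "fe80::1", "ff02::1", i) for i in range(5)]
    out["same_datagram"] = p.classify(1, "fe80::1", "ff02::1", 0)
    out["other_port"] = p.classify(2, "fe80::2", "ff02::1", 0)
    out["unicast_fragment"] = p.classify(1, "fe80::1", "fe80::aa", 99)
    out["unfragmented"] = p.classify(1, "fe80::1", "ff02::1")
    p.release(1, "fe80::1", "ff02::1", 0)
    out["after_release"] = p.classify(1, "fe80::1", "ff02::1", 7)
    return out

if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(name, decision)
```

The per-port cap keeps one port from exhausting reassembly buffers for the others, while the `forward-uninspected` branch is where a fragment sent to a unicast destination passes without reassembly.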


