IPv6 duplicate DAD packets from Android clients?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Oct 8 19:02:15 CEST 2013
On 08/10/13 16:13, Andrew Yourtchenko wrote:
>> 1. Should the Cisco WLC IPv6 FHS stuff be blocking these, given the
>> target IP is the HSRP VIP and is obviously not on a client?
>
> No. NS is merely a query - it does not affect anything. It's the NAs
> that you'd need to be worried about and have blocked. (And indeed they
> were blocked for me and reflected in the WLC counters as 'martian').
Ok thanks, this is very helpful - I was slightly concerned they might
have an effect analogous to grat.-arp packets, but if they're neither
being leaked to other clients nor having that effect, I can rest easy
and just whitelist them in our SEC config file for the time being.
> Also, because the target is on the wired, you do not need to worry
> about the bandwidth saving
Good to know.
>> Do I need to
>> be worried about them?
>
> Depends on what their source is. I'd investigate, because:
I would like to, but I think it's unlikely we'll get hands-on on a
device. These are customer-owned and we've few ways (and no real desire)
to force them to let us take a look.
> a) If those are seen only with HTC as another mail points out, I can
So far today, all the MAC prefixes have indeed been HTC, running Android.
> b) OTOH, it could well be someone who either used some badly written
> attack tool or did not RTFM properly before attempting to play around.
> :-)
FWIW it's a WPA2-Enterprise SSID and the MACs are all associated with
different users, so I'm leaning away from that explanation.
>
> Anyway in my quick lab test the NS for default gateway's address
> always got sent up the wired side but never to any other wireless
> clients - so it's only this client which will suffer the consequences.
That's the key bit of info for me, really :o)
I'll try to get hands on a device, and see if I can identify the cause.
More information about the ipv6-ops
mailing list