IPv6 duplicate DAD packets from Android clients?

Phil Mayers p.mayers at imperial.ac.uk
Tue Oct 8 19:02:15 CEST 2013

On 08/10/13 16:13, Andrew Yourtchenko wrote:

>>    1. Should the Cisco WLC IPv6 FHS stuff be blocking these, given the
>> target IP is the HSRP VIP and is obviously not on a client?
> No. NS is merely a query - it does not affect anything. It's the NAs
> that you'd need to be worried about and have blocked. (And indeed they
> were blocked for me and reflected in the WLC counters as 'martian').

Ok thanks, this is very helpful - I was slightly concerned they might 
have an effect analogous to grat.-arp packets, but if they're neither 
being leaked to other clients nor having that effect, I can rest easy 
and just whitelist them in our SEC config file for the time being.

> Also, because the target is on the wired,  you do not need to worry
> about the bandwidth saving

Good to know.

>> Do I need to
>> be worried about them?
> Depends on what their source is. I'd investigate, because:

I would like to, but I think it's unlikely we'll get hands-on on a 
device. These are customer-owned and we've few ways (and no real desire) 
to force them to let us take a look.

> a) If those are seen only with HTC as another mail points out, I can

So far today, all the MAC prefixes have indeed been HTC, running Android.

> b) OTOH, it could well be someone who either used some badly written
> attack tool or did not RTFM properly before attempting to play around.
> :-)

FWIW it's a WPA2-Enterprise SSID and the MACs are all associated with 
different users, so I'm leaning away from that explanation.

> Anyway in my quick lab test the NS for default gateway's address
> always got sent up the wired side but never to any other wireless
> clients - so it's only this client which will suffer the consequences.

That's the key bit of info for me, really :o)

I'll try to get hands on a device, and see if I can identify the cause.

More information about the ipv6-ops mailing list