Question about IPAM tools for v6

Fernando Gont fernando at
Fri Jan 31 16:13:17 CET 2014

On 01/31/2014 10:59 AM, Aurélien wrote:
> I personnally verified that this type of attack works with at least one
> major firewall vendor, provided you know/guess reasonably well the
> network behind it. (I'm not implying that this is a widespread attack type).
> I also found this paper:
> I'm looking for other information sources, do you know other papers
> dealing with this problem ? Why do you think this is FUD ?

The attack does work. But the reason it works is because the
implementations are sloppy in this respect: they don't enforce limits on
the size of the data structures they manage.

The IPv4 subnet size enforces an artificial limit on things such as the
ARP cache. A /64 removes such artificial limit. However, you shouldn't
be relying on such limit. You should a real one in the implementation

And it's not just the NC. There are implementations that do not limit
the number of addresses they configure, that do not limit the number of
entries in the routing table, etc.

If you want to play, please take a look at the ipv6toolkit:
<>. On the same page, you'll
also find a PDF that discusses ND attacks, and that tells you how to
reproduce the attack with the toolkit.

Besides, each manual page of the toolkit (ra6(1), na6(1), etc.) has an
EXAMPLES section that provides popular ways to run each tool.


Fernando Gont
e-mail: fernando at || fgont at
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

More information about the ipv6-ops mailing list