[nsp-sec] New IPV6 NDP issue (via cert)
Jens Rosenboom
jens.rosenboom at freenet.ag
Tue Oct 7 03:33:50 EDT 2008
On Fri, Oct 03, 2008 at 05:50:18PM +0000, Chris Morrow wrote:
> since one of my vendors sent out a note about this (hi greg, ask your
> alert folks to actually put the alert on the alert page eh?), another is
> listed.. what say you vendor folks?
>
> <http://www.kb.cert.org/vuls/id/472363>
>
> "IPv6 implementations insecurely update Forward Information Base"
>
> Looks like you can reply with "Yea, I'm that neighbor, send traffic over
> there ->"
>
> This looks like it's also discussed (according to cert) in: RFC 3756
> and... looks like a problem that can't be immediately solved without some
> changes to ND? Since it's a local LAN issue unless your local LAN is
> compromised/made-up-of-compromised-hosts things should be good, eh?
>
> (low threat... I guess)
Low threat for a local LAN maybe, but do you guys really trust all
of the hosts on every IXP you are connected to? And in that case
even things like uRPF aren't going to help you.
Btw. RFC4861 only says that "the recipient SHOULD create or update
the Neighbor Cache entry for the IP Source Address of the solicitation."
As it is "SHOULD" and not "MUST", I don't see why a node would
violate the standard if it did not create an entry for sources
that is does not like, e.g. because they are considered off-link.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20081007/e32a7aa2/attachment-0001.sig>
More information about the nsp-security
mailing list