IPv6 stacks responds to all node link local multicast NS
Hiroki Sato
hrs at FreeBSD.org
Mon Oct 20 04:19:21 UTC 2014
prabhakar lakhera <prabhakar.lakhera at gmail.com> wrote
in <CALg+rhX6L8HARzuWR=V429vO+tV7N=nX0B20vHrWAACRMpPwkQ at mail.gmail.com>:
pr> Like I said before, it is not per RFC. It is trivial to derive solicited
pr> node multicast address from the target IP, so if someone were to launch a
pr> flood attack to poison cache entry for X host by sending Address resolution
pr> request for all other local hosts in the network, with NS's source IP=X's
pr> IP and with source link layer info=attacker's MAC, computing sol node
pr> multicast for each target will make it only slightly costly, so I am not
pr> sure if security could be of concern here.
pr>
pr> The other concern is if it can be a compliance issue given the NS packet
pr> format described by the RFC.
pr>
pr> Also, the comment in the code suggests what the RFC says, but the check is more
pr> liberal. Also, why is it different for DAD NS vs. neighbor resolution NS?
In my understanding, the RFC does not allow sending NS messages to the
all-node multicast address but says nothing about the accepting side. An
NS message to all-node multicast address is broken, but at least
FreeBSD never sends an NS message to all-node multicast address.
There is no problem with RFC conformance in this regard.
The check itself is easy and I think the attached patch is enough. I
am still wondering what kind of trouble we have if we do not do this
check.
I do not think the security concern is severe because NS flooding
from neighbors is still easy even if narrowing down the destination
address check upon its acceptance. One possible countermeasure
would be rate-limiting of NS/NA.
-- Hiroki
Attachment: nd6_nbr_smaddrcheck_20141020-1.diff (text/x-patch, 2202 bytes)
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20141020/235569b6/attachment.bin>
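An added example, not code from the thread or from FreeBSD's nd6 implementation, expressing the narrowed NS destination check being discussed: it derives the solicited-node multicast address from the target, applies the RFC 4861 acceptance rule (which differs for DAD NS and resolution NS), and sketches the per-source rate limiting Hiroki mentions as a countermeasure. The rate and burst values and the `NsRateLimiter` name are assumptions for illustration.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(target):
    """ff02::1:ffXX:XXXX built from the low 24 bits of the target (RFC 4291, 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def ns_destination_ok(src, dst, target):
    """Destination check for a received NS, narrowed to what RFC 4861 permits.

    DAD NS (unspecified source): destination must be the solicited-node
    multicast address of the target (RFC 4861, 7.1.1).
    Resolution/NUD NS: destination is the solicited-node multicast address
    of the target or the target's unicast address itself (RFC 4861, 4.3).
    An NS sent to all-nodes (ff02::1) fails both branches.
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    target = ipaddress.IPv6Address(target)
    if target.is_multicast:          # RFC 4861, 4.3: target MUST NOT be multicast
        return False
    if src == UNSPECIFIED:           # DAD: only the solicited-node group is valid
        return dst == solicited_node_multicast(target)
    return dst == solicited_node_multicast(target) or dst == target


class NsRateLimiter:
    """Per-source token bucket, the rate-limiting countermeasure the reply mentions.

    Rate and burst are illustrative assumptions; the caller supplies the clock
    so the behaviour is deterministic and testable.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}   # key (e.g. source MAC) -> (tokens, last seen time)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, now)
        return ok
```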