> As with IPv4 and ARP (e.g. gratuitous ARP), it may be that most
> issues cannot be solved, at least without resorting to IPSEC. But that is
> perhaps not necessary -- in my book, it's good to identify problems even
> though no proper "solution" can be found.

I think we have existence proof that IPsec pixie dust doesn't work well in
practice... If somebody wants to build a network where anybody can walk up
and connect yet wants to limit the damage one "visitor" can do to another,
it seems like assuming pre-configured IPsec SAs for the multicast addresses
used by Neighbor Discovery is a non-starter.

> Comment on 3.3 Neighbor Solicitation/Advertisement Spoofing
> --8<--
> An attacking node can cause packets for legitimate nodes, both hosts
> and routers, to be sent to some other link-layer address. This can
> be done by either sending a Neighbor Solicitation with a different
> source link-layer address option, or sending a Neighbor
> Advertisement with a different target link-layer address option.
> If the spoofed link-layer address is a valid one, as long as the
> attacker responds to the unicast Neighbor Solicitation messages sent
> as part of the Neighbor Unreachability Detection, packets will
> continue to be redirected. This is a redirect attack.
> [...]
> --8<--
> Here, it could be elaborated that NS messages with different link-local
> source address should overwrite the cached one [RFC2461 7.2.3]; the
> mechanism on how this attack works may not be self-evident.

OK.

> Comment on 3.5 Bogus On-Link Prefix:
> --8<--
> An attacking node can send a Router Advertisement message specifying
> that some prefix of arbitrary length is on-link. If a sending host
> thinks the prefix is on-link, it will never send a packet for that
> prefix to the router. Instead, the host will try to perform address
> resolution by sending Neighbor Solicitations, but the Neighbor
> Solicitations will not result in a response, denying service to the
> attacked host. This is a DoS attack.
>
> The attacker can use an arbitrary lifetime on the bogus prefix
> advertisement. If the lifetime is infinity, the sending host will be
> denied service until it loses the state in its prefix list e.g. by
> rebooting, or the same prefix is advertised with a zero lifetime.
> The attack could also be perpetrated selectively for packets
> destined to a particular prefix by using 128 bit prefixes, i.e. full
> addresses.
>
> This threat involves Router Advertisement messages.
> --8<--
>
> It appears to me this is more than DoS. This could be extremely evil --
> what prevents the attacker from listening to all on-link traffic and
> responding positively to Neighbour Solicitations? That way, it could act
> as a man-in-the-middle attacker for all destinations.. Scary..

I agree that this combined with NA spoofing can be used as a redirect
attack. We should make that clear I think (but I'm a bit concerned about
there being lots of possible combinations to mention in general.)

> Possible additional threat:
>
> - attacker assigns the subnet-router anycast address to itself. With
> various methods (like 3.3) it could capture the traffic meant for the
> address to itself. Depending on whether the anycast address is used for e.g.
> selecting the exit router, or being contacted by outside parties wishing
> to talk to the router of the subnet.

For packets sent from the outside to the subnet anycast address one router
at the edge of the subnet will receive it, thus it will not be forwarded
onto the link. So this is only an issue for subnet anycast packets sent
from nodes on the link. Currently there is no protocol that does this I
think, but it makes sense adding the threat.

   Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
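As an added defender-side illustration (not code from this thread or from the draft under discussion), a small Python watcher that mirrors the IPv6-to-link-layer bindings a neighbor cache would learn from NS source and NA target link-layer options and flags the overwrites described under 3.3, and that flags Router Advertisements carrying /128 or infinite-lifetime on-link prefixes as described under 3.5. The event records, addresses and link-layer addresses are constructed; the watcher cannot tell which binding is the legitimate one, it only reports the change.

```python
from dataclasses import dataclass
INFINITE = 0xFFFFFFFF  # RFC 2461 encoding of an "infinity" lifetime

@dataclass
class NDEvent:
    kind: str            # "NS", "NA" or "RA" (constructed, already parsed)
    src: str             # IPv6 source address of the message
    target: str = ""     # NS/NA target address, or the RA prefix
    lladdr: str = ""     # NS source / NA target link-layer address option
    prefix_len: int = 0  # RA prefix length
    on_link: bool = False
    lifetime: int = 0    # RA valid lifetime in seconds

class NDWatcher:
    """Tracks IPv6 -> link-layer bindings as a neighbor cache would and reports anomalies."""
    def __init__(self):
        self.cache = {}   # IPv6 address -> link-layer address
        self.alerts = []

    def observe(self, ev):
        if ev.kind == "NS" and ev.lladdr:
            # RFC 2461 7.2.3: a differing source link-layer option overwrites the cache
            self._bind(ev.src, ev.lladdr, "NS source link-layer option")
        elif ev.kind == "NA" and ev.lladdr:
            self._bind(ev.target, ev.lladdr, "NA target link-layer option")
        elif ev.kind == "RA" and ev.on_link:
            if ev.prefix_len == 128:  # full address advertised on-link: selective DoS
                self.alerts.append(f"RA from {ev.src}: /128 on-link prefix {ev.target}")
            if ev.lifetime == INFINITE:  # state survives until reboot or zero-lifetime RA
                self.alerts.append(f"RA from {ev.src}: infinite lifetime on on-link prefix {ev.target}/{ev.prefix_len}")

    def _bind(self, addr, lladdr, how):
        old = self.cache.get(addr)
        if old is not None and old != lladdr:
            # Cannot tell which binding is legitimate; just flag the change
            self.alerts.append(f"{addr}: link-layer address {old} -> {lladdr} via {how}")
        self.cache[addr] = lladdr

def run_sample():
    # Constructed event sequence: a legitimate binding, a benign repeat, an overwrite, two RAs
    events = [
        NDEvent("NS", "fe80::1", "fe80::2", lladdr="00:11:22:33:44:01"),
        NDEvent("NA", "fe80::1", "fe80::1", lladdr="00:11:22:33:44:01"),
        NDEvent("NS", "fe80::1", "fe80::2", lladdr="00:11:22:33:44:99"),
        NDEvent("RA", "fe80::3", "2001:db8::5", prefix_len=128, on_link=True, lifetime=INFINITE),
        NDEvent("RA", "fe80::3", "2001:db8:1::", prefix_len=64, on_link=True, lifetime=86400),
    ]
    w = NDWatcher()
    for ev in events:
        w.observe(ev)
    return w.alerts
```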
