[LACNIC/Seguridad] Fwd: New IETF I-D on IPv6 ND SLLA/TLLA options (forwarding loops)

Fernando Gont fgont at si6networks.com
Fri Feb 14 13:06:15 BRST 2014


Dear all,

We have just published a new IETF I-D on Neighbor Discovery SLLA/TLLA
options. It is available at:
<http://www.ietf.org/internet-drafts/draft-gont-6man-lla-opt-validation-00.txt>

It is super-super simple to read. And at least one of the attacks is
"curious", in the sense that it is so silly that I expected it not to work.

If you can send comments, they will be welcome. If you can do so in
English (ideally), send them to
"draft-gont-6man-lla-opt-validation at tools.ietf.org" (without the quotes),
including "ipv6 at ietf.org" (without the quotes) in the CC.

If you write them in Spanish, send them to me, or to this list.

Regards, and thanks!
Fer




-------- Original Message --------
Date: Fri, 14 Feb 2014 11:59:35 -0300
From: Fernando Gont <fgont at si6networks.com>
To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>
Subject: New IETF I-D on IPv6 ND SLLA/TLLA options (forwarding loops)
References: <20140214145359.7925.43448.idtracker at ietfa.amsl.com>


Folks,

We have published a new IETF I-D on issues arising from "malicious"
Neighbor Discovery SLLA/TLLA options. The I-D is available at:
<http://www.ietf.org/internet-drafts/draft-gont-6man-lla-opt-validation-00.txt>

We'd welcome any comments. If you feel like sending feedback, please
send it to "draft-gont-6man-lla-opt-validation at tools.ietf.org" (without
the quotes), and make sure to CC "ipv6 at ietf.org" (without the quotes).

The aforementioned issues can, of course, be reproduced with THC-IPv6
and the IPv6 toolkit (http://www.si6networks.com/tools/ipv6toolkit).

Thanks!

Best regards,
Fernando




-------- Original Message --------
From: - Fri Feb 14 11:54:20 2014
From: internet-drafts at ietf.org
To: Shucheng LIU (Will) <liushucheng at huawei.com>, Will (Shucheng) Liu
<liushucheng at huawei.com>, Fernando Gont <fgont at si6networks.com>, Ron
Bonica <rbonica at juniper.net>, Fernando Gont <fgont at si6networks.com>,
Ronald P. Bonica <rbonica at juniper.net>
Subject: New Version Notification for
draft-gont-6man-lla-opt-validation-00.txt
X-Test-IDTracker: no
X-IETF-IDTracker: 5.0.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140214145359.7925.43448.idtracker at ietfa.amsl.com>
Date: Fri, 14 Feb 2014 06:53:59 -0800


A new version of I-D, draft-gont-6man-lla-opt-validation-00.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.

Name:		draft-gont-6man-lla-opt-validation
Revision:	00
Title:		Validation of Neighbor Discovery Source Link-Layer Address
(SLLA) and Target Link-layer Address (TLLA) options
Document date:	2014-02-14
Group:		Individual Submission
Pages:		10
URL:
http://www.ietf.org/internet-drafts/draft-gont-6man-lla-opt-validation-00.txt
Status:
https://datatracker.ietf.org/doc/draft-gont-6man-lla-opt-validation/
Htmlized:
http://tools.ietf.org/html/draft-gont-6man-lla-opt-validation-00


Abstract:
   This memo documents two scenarios in which an on-link attacker emits
   a crafted IPv6 Neighbor Discovery (ND) packet that poisons its
   victim's neighbor cache.  In the first scenario, the attacker causes
   a victim to map a local IPv6 address to a local router's own link-
   layer address.  In the second scenario, the attacker causes the
   victim to map a unicast IP address to a link layer broadcast address.
   In both scenarios, the attacker can exploit the poisoned neighbor
   cache to perform a subsequent forwarding-loop attack, thus
   potentially causing a Denial of Service.

   Finally, this memo specifies simple validations that the recipient of
   an ND message can execute in order to protect itself against the
   above-mentioned threats.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
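
A receiver-side check matching the two scenarios in the abstract above, as an added example that is not code from the draft or its authors. It assumes Ethernet link-layer addresses; the rules it applies (drop an SLLA/TLLA option that carries a broadcast/multicast address or the receiving node's own address) are inferred from the abstract rather than quoted from the draft, and all names and sample bytes are constructed.

```python
SLLA, TLLA = 1, 2  # ND option types defined in RFC 4861


def parse_nd_options(data: bytes):
    """Yield (type, value) per ND option; the length field counts 8-octet units."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option invalidates the packet
            raise ValueError("zero-length option")
        end = off + 8 * opt_len
        if end > len(data):
            raise ValueError("option overruns packet")
        yield opt_type, data[off + 2:end]
        off = end


def check_lla_options(options: bytes, local_macs):
    """Return the reasons to drop an ND message; an empty list means accept."""
    problems = []
    for opt_type, value in parse_nd_options(options):
        if opt_type not in (SLLA, TLLA):
            continue
        name = "SLLA" if opt_type == SLLA else "TLLA"
        mac = value[:6]  # assumption: Ethernet, 6-byte address
        if mac[0] & 0x01:  # group bit set: ff:ff:ff:ff:ff:ff or any multicast
            problems.append(f"{name} is a broadcast/multicast address")
        elif mac in local_macs:  # second scenario guard: our own interface address
            problems.append(f"{name} is this node's own address")
    return problems


def make_option(opt_type: int, mac: bytes) -> bytes:
    """Build an 8-octet SLLA/TLLA option (constructed test input)."""
    return bytes([opt_type, 1]) + mac


# Constructed sample data: the receiving router's MAC and three option blobs.
ROUTER_MAC = bytes.fromhex("021122334455")
SAMPLES = {
    "benign": make_option(TLLA, bytes.fromhex("0200000000aa")),
    "own_address": make_option(TLLA, ROUTER_MAC),
    "broadcast": make_option(SLLA, b"\xff" * 6),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, check_lla_options(blob, {ROUTER_MAC}) or "accept")
```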








