On Thu, Jan 6, 2011 at 5:54 AM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
On Thu, Jan 6, 2011 at 5:20 AM, Owen DeLong <owen@delong.com> wrote:
You must also realize that the stateful firewall has the same problems
Uh, not exactly...
Of course it does. The stateful firewall must either 1) be vulnerable to the same form of NDP attack; or 2) have a list of allocated v6 addresses on the LAN. The reason is simple; a "stateful firewall" is no more able to store a 2**64 table than is a "router." Calling it something different doesn't change the math. If you choose to solve the problem by disabling NDP or allowing NS only for a list of "valid" addresses on the subnet, this can be done by a stateless router just like on a stateful firewall.
Uh, no it doesn't. It just needs a list of the hosts which are permitted to receive inbound connections from the outside. That's the whole
This solution falls apart as soon as there is a compromised host on the LAN, in which case the firewall (or router) NDP table can again be filled completely by that compromised/malicious host. In addition, the "stateful firewall," by virtue of having connection state, does not solve the inbound NDP attack issue. The list of hosts which can result in an NDP NS is what causes this, and such a list may be present in a stateless router; but in both cases, it needs to be configured.
Err, almost everything falls apart once you allow a compromised/malicious host on the local LAN. If you have circumstances where this may happen on anything like a regular basis, you really need all kinds of control/monitoring of traffic that go far beyond any local NDP overflow issues.

Bill Bogstad
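As an added illustration of the two cases argued in the thread (an inbound sweep across the /64 checked against a configured host list, versus traffic from a host already inside the LAN), and not code from anyone quoted above: a small Python model of a bounded neighbor cache. The prefix, the host list and the cache size are constructed sample values.

```python
from ipaddress import IPv6Address, IPv6Network


class NeighborCache:
    """Bounded neighbor cache of a router or stateful firewall.

    Forwarding to an on-link address with no entry creates an INCOMPLETE
    entry (a pending Neighbor Solicitation). Once the table is full, new
    resolutions are refused: the exhaustion condition from the thread.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}      # address -> "INCOMPLETE" / "REACHABLE"
        self.refused = 0

    def resolve(self, addr):
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[addr] = "INCOMPLETE"
        return True


def forward(cache, prefix, dst, allowed, from_inside=False):
    """Model one packet toward `dst` crossing the box.

    `allowed` is the configured list of on-link addresses that may trigger
    resolution for traffic arriving from outside. Traffic originating on the
    LAN itself never hits that check, which is the compromised-host case.
    """
    if dst not in prefix:
        return "not-on-link"
    if not from_inside and dst not in allowed:
        return "denied"        # no NS sent, no cache entry consumed
    return "resolving" if cache.resolve(dst) else "cache-full"


def sweep(cache, prefix, allowed, count, from_inside=False):
    """Send `count` packets to consecutive addresses in the prefix
    (constructed sample traffic) and tally the outcomes."""
    base = int(prefix.network_address) + 0x1000
    tally = {}
    for i in range(count):
        result = forward(cache, prefix, IPv6Address(base + i), allowed, from_inside)
        tally[result] = tally.get(result, 0) + 1
    return tally


LAN = IPv6Network("2001:db8:1::/64")            # constructed sample prefix
SERVERS = {IPv6Address("2001:db8:1::1010")}     # constructed configured host list


def demo(capacity=8, count=100):
    """Same sweep from outside (list enforced) and from inside (list bypassed)."""
    outside = sweep(NeighborCache(capacity), LAN, SERVERS, count)
    inside = sweep(NeighborCache(capacity), LAN, SERVERS, count, from_inside=True)
    return outside, inside
```

Run `demo()` to see the list hold against the external sweep (one resolution, the rest denied) while the same sweep from inside fills the cache and leaves every later destination unresolvable.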