Layer 2 DoS and other IPv6 Tricks

The post “Layer 2 DoS and other IPv6 Tricks” contains this text:

“IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and with that physical access controls can be used to mitigate most Layer 2 risks.
Of course, this hasn’t been true for most networks. Wireless access, access to unsecured network jacks in public areas and even remote access via compromised hosts inside the network have been shown to provide access to layer 2. 802.1x is probably the best option to mitigate most of these threats, but even 802.1x will not protect you from a compromised authenticated workstation, and 802.1x can be difficult to implement in many scenarios.
So how does this all apply to IPv6? One of the big changes in IPv6 is that ARP is replaced with the Neighbor Discovery Protocol (NDP). NDP is based on ICMPv6. In addition, Router Advertisements (RA) are used to configure hosts. 
Probably the most important thing to understand: Neither NDP nor RA prevents by default any attacks we have seen against ARP or DHCP. Just like for ARP and DHCP, we need to be able to detect and mitigate spoofing.”
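The detection the quoted passage calls for, as an added example that is not part of the quoted post: a minimal RA-guard style check that parses raw Ethernet frames, picks out ICMPv6 Router Advertisements, and flags any that are not on-link (hop limit 255), not from a link-local source, or not from a router on an allowlist. The trusted MAC, the sample addresses and the frame builder are constructed for this example.

```python
import struct
from ipaddress import IPv6Address
# Constructed allowlist for this example: link-layer addresses of the routers
# that are allowed to send Router Advertisements on this segment.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
ETH_P_IPV6, IPPROTO_ICMPV6, ICMPV6_ROUTER_ADVERT = 0x86DD, 58, 134

def check_router_advertisement(frame: bytes) -> tuple:
    """Classify one raw Ethernet frame as 'ignore', 'accept' or 'rogue'.

    Same idea as an RA-guard filter: only a well-formed RA from a known router
    is accepted. The ICMPv6 checksum is not validated here.
    """
    if len(frame) < 14 + 40 + 16:
        return "ignore", "frame too short for an RA"
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return "ignore", "not IPv6"
    next_header, hop_limit = frame[20], frame[21]   # IPv6 header starts at offset 14
    if next_header != IPPROTO_ICMPV6 or frame[54] != ICMPV6_ROUTER_ADVERT:
        return "ignore", "not a Router Advertisement"
    src_ip = IPv6Address(frame[22:38])
    # RFC 4861: an RA must originate on-link (hop limit 255) from a link-local source.
    if hop_limit != 255:
        return "rogue", f"hop limit {hop_limit} != 255, RA was forwarded or forged"
    if not src_ip.is_link_local:
        return "rogue", f"source {src_ip} is not link-local"
    if src_mac not in TRUSTED_ROUTER_MACS:
        return "rogue", f"RA from untrusted link-layer address {src_mac}"
    return "accept", f"RA from trusted router {src_mac}"

def build_ra_frame(src_mac: str, src_ip: str, hop_limit: int = 255) -> bytes:
    """Construct a minimal RA frame (Ethernet + IPv6 + 16-byte ICMPv6 RA header)."""
    eth = (bytes.fromhex("333300000001")  # dst: multicast MAC for ff02::1
           + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETH_P_IPV6))
    ip6 = (struct.pack("!IHBB", 0x60000000, 16, IPPROTO_ICMPV6, hop_limit)
           + IPv6Address(src_ip).packed + IPv6Address("ff02::1").packed)
    # type 134, code 0, checksum 0 (constructed sample), cur hop limit 64,
    # flags 0, router lifetime 1800 s, reachable time 0, retrans timer 0
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return eth + ip6 + ra

if __name__ == "__main__":
    for name, frame in {
        "legit": build_ra_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),
        "rogue": build_ra_frame("de:ad:be:ef:00:01", "fe80::dead:beef:0:1"),
        "forwarded": build_ra_frame("00:11:22:33:44:55", "2001:db8::1", hop_limit=64),
    }.items():
        print(name, *check_router_advertisement(frame))
```

On a real segment the frames would come from a raw socket or a pcap; the same check applies to each captured frame, and a "rogue" verdict is the event to alert on or to drop at the switch port.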
