Presentation is loading. Please wait.

Presentation is loading. Please wait.

ND-Shield: Protecting against Neighbor Discovery Attacks

Published byLorin Walker Modified over 6 years ago

Similar presentations

Presentation on theme: "ND-Shield: Protecting against Neighbor Discovery Attacks"— Presentation transcript:

1 ND-Shield: Protecting against Neighbor Discovery Attacks
(draft-gont-opsec-nd-shield) IETF 84 Vancouver, Canada. July 29-August 3, 2012

2 Overview Aims at blocking Neighbor Discovery attacks at the link-layer
It targets attack vectors based on: Neighbor Solicitation Neighbor Advertisement Router Solicitation Redirect messages Complements other technologies such as RA-Guard Even if you do RA-Guard, an attacker can still become the “Next-Hop Router” by sending other non-RA Neighbor Discovery packets

3 draft-gont-opsec-nd-shield
Specifies the filtering rules for ND-Shield, i.e., how to filter: Neighbor Solicitations Neighbor Advertisements Router Solicitations Redirects Greatly benefits from work done in v6ops for RA-Guard

4 Filtering rules General rules for all messages:
Follow the entire IPv6 header chain to identify the type of packet If the packet is a first-fragment and the upper-layer header is not found, drop the packet If the Source Address had not been previously seen, record the address, otherwise filter the packet if it has been received on a different port [Type-specific filtering] Otherwise, pass the packet as usual

5 Open issues Current I-D specifies the rules on a per-packet-type basis
Might want to coalesce all filtering rules Probably more useful from an implementor's point of view

6 Moving forward Adopt as an OPSEC WG item?

7 Thanks! Fernando Gont

Download ppt "ND-Shield: Protecting against Neighbor Discovery Attacks"

Similar presentations

73rd IETF meeting, November 16-21, 2008

73rd IETF meeting, November 16-21, 2008
Security Assessment of Neighbor Discovery for IPv6

Security Assessment of Neighbor Discovery for IPv6
IETF – March 22, 2001 Improving Network Renumbering in Mobile IPv6 Changes to Tunneled Router Solicit/Advert T.J. Kniveton Nokia Research Center Mountain.

IETF – March 22, 2001 Improving Network Renumbering in Mobile IPv6 Changes to Tunneled Router Solicit/Advert T.J. Kniveton Nokia Research Center Mountain.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.

IP Forwarding Relates to Lab 3.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.

Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Doc.: IEEE 802.11-11/1183r0 Submission September 2011 Masataka Ohta, Tokyo Institute of TechnologySlide 1 IP over Congested WLAN Date: 2011-09-19 Authors:

Doc.: IEEE /1183r0 Submission September 2011 Masataka Ohta, Tokyo Institute of TechnologySlide 1 IP over Congested WLAN Date: Authors:
Pseudowire Endpoint Fast Failure Protection draft-shen-pwe3-endpoint-fast-protection-00 Rahul Aggarwal Yimin Shen

Pseudowire Endpoint Fast Failure Protection draft-shen-pwe3-endpoint-fast-protection-00 Rahul Aggarwal Yimin Shen
Reactive Discovery of Point-to-Point Routes in Low Power and Lossy Networks draft-ietf-roll-p2p-rpl-04 Mukul Goyal University of Wisconsin Milwaukee.

Reactive Discovery of Point-to-Point Routes in Low Power and Lossy Networks draft-ietf-roll-p2p-rpl-04 Mukul Goyal University of Wisconsin Milwaukee.
FMIPv6 Usage with DNA Protocol draft-koodli-dna-fmip-00 Rajeev Koodli, Syam Madanapalli DNA WG, 63 IETF - Paris.

FMIPv6 Usage with DNA Protocol draft-koodli-dna-fmip-00 Rajeev Koodli, Syam Madanapalli DNA WG, 63 IETF - Paris.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Guide to TCP/IP Fourth Edition

Guide to TCP/IP Fourth Edition
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Similar presentations

Ads by Google