Re: [CGA-EXT] Possible DoS attack to DAD in SEND ?

Tony Cheneau <> Thu, 26 November 2009 22:46 UTC

Date: Thu, 26 Nov 2009 23:46:01 +0100 (CET)
From: Tony Cheneau <>
X-X-Sender: shad@localhost.localdomain
To: Alberto García <>
In-Reply-To: <BA2095E910AB454F9408A7EF7B249BD9@bombo>
Message-ID: <alpine.LNX.2.00.0911262254210.11124@localhost.localdomain>
References: <BA2095E910AB454F9408A7EF7B249BD9@bombo>

Hello Alberto,

> I was wondering if the following is really an issue for SEND hosts doing
> DAD, and if it is worth protecting against (this arose when defining SAVI
> operation for SEND):

This is the attack I described to the list in this mail:
And then a thread (providing some other solutions):

> I don't see in RFC 3971 any countermeasure to this. Am I right?
The spec does not say how to counter this. However, in current
implementations, adding a fix seems pretty straightforward.

> Do you think this is a problem? If so, do you think it needs to be fixed?

IMHO, RFC 3971-bis should explicitly provide a solution to counter this.

> A simple solution would be for the possible victim to discard received DAD
> NSOLs for the same address that it has in tentative state that carry the same
> <public key, nonce, timestamp> as the DAD NSOL that it had sent before.
> (The probability of a legitimate collision in which another host
> generates a DAD NSOL with the same public address, nonce and timestamp
> should be really low.)
Just comparing the nonce value should suffice.

> For ND (unsecured), this case is also a problem, but for ND you can't decide
> by looking at a received DAD NSOL whether it is an attack or just a real
> collision (and this could also be an incentive to use SEND, of course).
Plain ND is not secure anyway.
Some scenarios use a network setup where each node is on a
different port of a switch. If the switch were to support Multicast
Listener Discovery, the attacker would never receive the DAD NS
message to begin with. As stated in:
Hence, it would preclude the attack. Am I wrong?
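As an added example that is not part of this thread, the following Python model shows the check discussed above: a SEND host doing DAD remembers the <public key, nonce, timestamp> of its own DAD NS and discards a received NS for the same tentative address that echoes those values (Alberto's proposal), with a switch for the nonce-only comparison Tony suggests. The addresses, keys and nonce values are constructed stand-ins, and the option encoding of RFC 3971 is not modelled.

```python
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SentProbe:
    public_key: bytes   # CGA public key carried in the NS (constructed stand-in)
    nonce: bytes        # value of the RFC 3971 Nonce option
    timestamp: int      # value of the RFC 3971 Timestamp option (simplified)


@dataclass
class DadHost:
    """Tracks addresses in tentative state and the DAD NS sent for each."""
    tentative: dict = field(default_factory=dict)   # addr -> SentProbe
    nonce_only: bool = False   # True: compare only the nonce (Tony's variant)

    def send_dad_ns(self, addr, public_key, timestamp, nonce=None):
        # Record what we sent so an echoed copy can be recognised later.
        nonce = nonce if nonce is not None else os.urandom(6)
        self.tentative[addr] = SentProbe(public_key, nonce, timestamp)
        return nonce

    def on_dad_ns(self, addr, public_key, nonce, timestamp):
        """Classify a received DAD NS for `addr`.

        'not_tentative' - we are not running DAD for addr, nothing to do
        'reflected'     - it is our own probe played back: discard it and
                          keep the address tentative
        'duplicate'     - a genuinely different prober: DAD fails for addr
        """
        probe = self.tentative.get(addr)
        if probe is None:
            return 'not_tentative'
        if self.nonce_only:
            echoed = nonce == probe.nonce
        else:
            echoed = (public_key, nonce, timestamp) == (
                probe.public_key, probe.nonce, probe.timestamp)
        if echoed:
            return 'reflected'
        # Real collision: per RFC 4862 the address must not be used.
        del self.tentative[addr]
        return 'duplicate'
```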