Re: [v6ops] [EXTERNAL] Re: Improving ND security

Philip Homburg <> Mon, 03 August 2020 16:32 UTC

Cc: "Templin (US), Fred L" <>
Cc: 6man <>
From: Philip Homburg <>

> Thanks for your opinion, Ed, but it does not apply for the OMNI use case because
> the keys only need to be known to a fixed (and finite) set of Servers which can
> keep in sync via a shared filesystem.

Maybe we should first look at which application domains we want to discuss.
For most people, if you have a fixed set of servers connected to a single
LAN, then you typically don't have a security problem with ND. Of course,
there could still be networks where ND security is an issue even if all
devices are known.

I think the common case for ND security issues is an ethernet (or
ethernet-like wifi) where untrusted devices can connect. However, for
the common case where bridges just accept any MAC address, what prevents
the attacker from sending packets with the MAC address of a victim?

Of course there is the special case where bridges lock the MAC addresses of
devices connected to ports, but in those cases, bridges could also lock the
IPv6 address and otherwise limit ND traffic.

The easiest way to solve the issue for small networks is to give each host
a private vlan. That would break multicast, but multicast in an untrusted
environment is probably not such a great idea anyhow.
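The point above that a bridge which already locks MAC addresses per port could equally lock the IPv6 address and cap ND traffic, sketched as a simulated per-port binding table. This is an added example, not code from the thread or from OMNI; the port names, addresses and the 5-message ND budget are constructed.

```python
"""Port-level ND binding enforcement, simulated. Constructed example:
lock MAC *and* IPv6 source address to the port they first appear on,
and cap the number of ND messages a port may send per window."""
from collections import defaultdict

ND_TYPES = {133, 134, 135, 136, 137}  # ICMPv6 RS, RA, NS, NA, Redirect
ND_BUDGET = 5                        # max ND messages per port per window (assumed)


class PortBindingTable:
    def __init__(self):
        self.mac_port = {}                 # MAC -> port it is locked to
        self.ip_binding = {}               # IPv6 -> (port, MAC) it is locked to
        self.nd_count = defaultdict(int)   # port -> ND messages seen this window

    def new_window(self):
        """Called by the switch once per rate-limit window (e.g. every second)."""
        self.nd_count.clear()

    def check(self, port, src_mac, src_ip, icmp_type=None):
        """Return 'forward' or a drop reason for a frame arriving on `port`."""
        locked = self.mac_port.setdefault(src_mac, port)   # first port wins
        if locked != port:
            return "drop: MAC %s locked to port %s" % (src_mac, locked)
        if icmp_type in ND_TYPES:                          # count only ND traffic
            self.nd_count[port] += 1
            if self.nd_count[port] > ND_BUDGET:
                return "drop: ND rate limit on port %s" % port
        bound = self.ip_binding.setdefault(src_ip, (port, src_mac))
        if bound != (port, src_mac):                       # IPv6 address moved
            return "drop: %s locked to port %s / MAC %s" % (src_ip, bound[0], bound[1])
        return "forward"


def demo():
    """Victim on p1, untrusted device on p2; constructed link-local addresses."""
    t = PortBindingTable()
    victim = ("p1", "00:11:22:33:44:55", "fe80::1")
    other = ("p2", "66:77:88:99:aa:bb", "fe80::2")
    results = [t.check(*victim, icmp_type=136),           # victim's NA: forward
               t.check(*other, icmp_type=136)]            # p2's own NA: forward
    # p2 reuses the victim's MAC: refused, the MAC is locked to p1
    results.append(t.check("p2", victim[1], "fe80::1", icmp_type=136))
    # p2 keeps its own MAC but claims the victim's IPv6 address: refused by IPv6 lock
    results.append(t.check("p2", other[1], "fe80::1", icmp_type=136))
    # a burst of NS from p2 runs past its ND budget for the window
    results.extend(t.check(*other, icmp_type=135) for _ in range(ND_BUDGET))
    return results
```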