Re: [v6ops] Improving ND security

"Templin (US), Fred L" <> Fri, 31 July 2020 17:35 UTC

From: "Templin (US), Fred L" <>
To: Ted Lemon <>
CC: "Pascal Thubert (pthubert)" <>, "v6ops list" <>, 6man <>
Thread-Topic: Improving ND security
Thread-Index: AdZnYGykJNK1kk2zSneWe05yLDtm6g==
Date: Fri, 31 Jul 2020 17:35:31 +0000

> On Jul 31, 2020, at 1:17 PM, Templin (US), Fred L <> wrote:
>> Ted, I think SEND would solve the neighbor cache resource exhaustion attack since an NCE is
>> only created on receipt of an authentic (SEND-protected) IPv6 ND message.
>
> OK, but an attacker can just generate a bazillion key pairs, right? So it can still exhaust the cache, at the cost of some computation work.

I think as long as the network has a way of associating the key pair with another piece
of information that accompanies the IPv6 ND message then the network would be able
to know when the mobile node is using its (single) authorized key. So, for example, if
the IPv6 ND message included an identity for the MN (sort of like a DHCPv6 DUID), the
network would know when the MN is using the correct key pair – right? (BTW, I am
not saying to use DHCPv6 DUID – that is just one example of a MN identity…)

Thanks - Fred
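The exchange above makes two points: a cache that admits any correctly signed ND message still fills up when the sender mints fresh key pairs, while a cache that also checks that the key is the one authorized for the claimed node identity does not. The following Go model is an added illustration, not code from this thread or from any SEND implementation; it substitutes ed25519 signatures for SEND/CGA, and the identity-to-key `Registry`, the DUID-like `NDMessage.Identity` field and the `Flood` helper are all assumed names for the purpose of the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
)

// NDMessage: constructed stand-in for a SEND-protected ND message (sender key, hypothetical DUID-like identity, signature over it).
type NDMessage struct {
	PubKey   ed25519.PublicKey
	Identity string
	Sig      []byte
}
func signND(priv ed25519.PrivateKey, id string) NDMessage {
	return NDMessage{priv.Public().(ed25519.PublicKey), id, ed25519.Sign(priv, []byte(id))}
}

// NeighborCache is keyed by sender key (a CGA address derives from it). Registry maps
// each authorized identity to its one key; nil Registry = plain SEND (any valid sig).
type NeighborCache struct {
	Capacity int
	Entries  map[string]bool
	Registry map[string]ed25519.PublicKey
}
// Admit reports whether an NCE was created for m.
func (c *NeighborCache) Admit(m NDMessage) bool {
	if !ed25519.Verify(m.PubKey, []byte(m.Identity), m.Sig) {
		return false // not authentic: fails the SEND check
	}
	if c.Registry != nil {
		if want, ok := c.Registry[m.Identity]; !ok || !want.Equal(m.PubKey) {
			return false // valid signature, but not the key authorized for this identity
		}
	}
	if len(c.Entries) >= c.Capacity {
		return false // cache full
	}
	c.Entries[string(m.PubKey)] = true
	return true
}

// Flood signs n messages with fresh key pairs and returns how many got an NCE.
func Flood(c *NeighborCache, n int) (admitted int) {
	for i := 0; i < n; i++ {
		_, priv, _ := ed25519.GenerateKey(rand.Reader)
		if c.Admit(signND(priv, "unknown-node")) {
			admitted++
		}
	}
	return admitted
}
```

With a nil `Registry` the cache fills to capacity from fresh keys; with a registry populated for the authorized nodes, only a message signed with the key registered for its claimed identity creates an entry.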