
RE: IPv6 -> MAC multicast address mapping

> I can't think of a way this is a security problem - can you point this
> please? With the exception that a DOS might be mounted by sending
> to the wrong MAC address that are later discarded... But you'll have
> to stop them at the source, not at the receivers, to prevent the DOS.

There is a class of attacks based on mismatches between MAC and IP
addressing. For example, if a node is a member of an IP group, it is
possible to send it a packet where the MAC destination is the unicast
MAC address of the node, while the IP destination is the group address.
Or vice versa, send a packet where the MAC destination is a multicast
address, but the IP destination is a unicast address. Hackers can use
the first technique to disrupt the operation of multicast groups, and
the second one to mount some forms of denial of service attacks. These
attacks require that the attacker be connected on the same link as a
target, but there are cases such as public access wireless where this
isn't much of a mitigation. (University dorms are also a great place for
such attacks.)

-- Christian Huitema

IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
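
A receiver-side consistency check for the two mismatches described in the message above, as an added example that is not part of the original post. It assumes Ethernet and the RFC 2464 mapping (33:33 followed by the last four octets of the IPv6 group address); the function names, result labels and sample frames are constructed for illustration.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or with '-') into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def expected_multicast_mac(group: ipaddress.IPv6Address) -> bytes:
    """RFC 2464 mapping: 33:33 + last four octets of the group address."""
    return b"\x33\x33" + group.packed[-4:]

def check_frame(dst_mac: str, dst_ip: str) -> str:
    """Classify a received frame by comparing its link-layer and IPv6 destinations."""
    mac = parse_mac(dst_mac)
    ip = ipaddress.IPv6Address(dst_ip)
    mac_is_group = bool(mac[0] & 0x01)  # I/G bit set: multicast or broadcast MAC
    if ip.is_multicast:
        if not mac_is_group:
            # Group traffic steered at one node's unicast MAC.
            return "unicast-mac/multicast-ip"
        if mac != expected_multicast_mac(ip):
            # Multicast MAC that does not correspond to this group.
            return "multicast-mapping-mismatch"
        return "consistent"
    if mac_is_group:
        # Unicast IPv6 destination delivered to every listener of a group MAC.
        return "multicast-mac/unicast-ip"
    return "consistent"

# Constructed sample frames: (destination MAC, destination IPv6 address).
SAMPLES = [
    ("33:33:00:01:00:03", "ff02::1:3"),
    ("00:11:22:33:44:55", "ff02::1:3"),
    ("33:33:00:00:00:01", "2001:db8::10"),
    ("33:33:00:00:00:02", "ff02::1"),
    ("00:11:22:33:44:55", "2001:db8::10"),
]

def classify_samples():
    return [check_frame(mac, ip) for mac, ip in SAMPLES]

if __name__ == "__main__":
    for (mac, ip), verdict in zip(SAMPLES, classify_samples()):
        print(f"{mac}  {ip:<14} {verdict}")
```

A stack or monitor running this check would drop or log any frame that does not come back `consistent`.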