Despite the Headlines, SLAAC Does Not Represent a Zero-Day Attack Vector

[Peaches]

Apr18 Despite the Headlines, SLAAC Does Not Represent a Zero-Day Attack Vector

SLAAC is a mnemonic for IPv6 StateLess Address AutoConfiguration, which follows attempts at obtaining router information that happens only after the interface has established an IPv6 address for the local link. IPv6 does not use Ethernet broadcasting, which imposes scaling limitations on the devices supported on a local link. Instead, IPv6 multicasting divides devices into 16.7 million isolated Solicited-Node groups based on the last 3 bytes of their IPv6 address. Multicasting represents a significant departure from the way networks previously worked using the blunt method of broadcasting.

IPv4 and MAC Address Relationship with Network Interface Unverified

Under IPv4, IP addresses are determined using the ARP [RFC826] to request MAC addresses associated with a specific IPv4 address by using a broadcast (all one’s) destination for the MAC address recognized by switches and interfaces and replicated or flooded across all switch ports. ARP can also announce an address by setting both source and destination IPv4 addresses to the same value or to probe by setting the source to a null IP address.

The inverse of ARP was BootP described in [RFC951] back in 1985. BootP requests an IP address for the MAC address by using a broadcast (all one’s) destination IP address. BootP was superseded by DHCP. Those new to IPv6 are often surprised to find how multicasting rather than broadcasting changed the way networks, switches, and routers operate.

More details: http://blog.trendmicro.com/