nanog mailing list archives
RE: Using IPv6 with prefixes shorter than a /64 on a LAN
From: "George Bonser" <gbonser () seven com>
Date: Tue, 25 Jan 2011 10:49:51 -0800
So I pretty strongly disagree about your statement. Repetitively sweeping an IPv6 network to DoS/DDoS the ND protocol thereby flooding the ND cache/LRUs could be extremely effective and if not paid serious attention will cause serious issues.
Yes.... This is an issue for point-to-point links but using a longer prefix (/126 or similar) has been suggested as a mitigation for this sort of attack. I would assume that in the LAN scenario where you have a /64 for your internal network that you would have some sort of stateful firewall sitting in front of the network to stop any un-initiated sessions. This therefore stops any hammering of ND cache etc. The argument then is that the number of packets hitting your firewall / bandwidth starvation would be the alternative line of attack for a DoS/DDoS but that is a completely different issue.
So for /64 subnets used for point-to-points you disable ND, configure static neighbors and that's the end of it. No ND DDoS.
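The neighbor-cache behavior discussed in this message, as an added toy model that is not part of the original post: it compares a /64 with ND enabled, a /126 with ND enabled, and a /64 with ND disabled plus a static neighbor. The cache size of 512, the LRU eviction policy, the 2001:db8::/32 documentation addresses, and all class and function names are assumptions made for illustration.

```python
import ipaddress
from collections import OrderedDict

class NeighborCache:
    """Toy model of a router neighbor cache: fixed size, LRU eviction."""
    def __init__(self, prefix, capacity=512, nd_enabled=True):
        self.net = ipaddress.ip_network(prefix)
        self.capacity = capacity
        self.nd_enabled = nd_enabled
        self.entries = OrderedDict()  # address -> STATIC / REACHABLE / INCOMPLETE

    def add(self, addr, state):
        addr = ipaddress.ip_address(addr)
        self.entries[addr] = state
        self.entries.move_to_end(addr)
        # When full, evict the least recently used entry that is not static.
        victim = next((a for a, s in self.entries.items() if s != "STATIC"), None)
        if len(self.entries) > self.capacity and victim is not None:
            del self.entries[victim]

    def packet_for(self, addr):
        """A packet arrives from off-link for destination addr."""
        if addr in self.entries:
            self.entries.move_to_end(addr)   # known neighbor: forward
        elif self.nd_enabled and addr in self.net:
            self.add(addr, "INCOMPLETE")     # would send a Neighbor Solicitation
        # ND disabled: unknown destination is dropped and no state is created.

    def count(self, *states):
        return sum(1 for s in self.entries.values() if s in states)

def sweep(cache, probes=10000):
    """One packet to each of `probes` consecutive addresses, wrapping in the prefix."""
    base, span = int(cache.net.network_address), cache.net.num_addresses
    for i in range(probes):
        cache.packet_for(ipaddress.ip_address(base + i % span))
    return cache

def scenarios():
    """Return {name: (usable entries, INCOMPLETE entries)} after a sweep."""
    lan = NeighborCache("2001:db8:0:1::/64")                # ND on, /64
    lan.add("2001:db8:0:1:aaaa::1", "REACHABLE")            # a real host (constructed)
    p2p = NeighborCache("2001:db8:0:2::/126")               # ND on, /126
    p2p.add("2001:db8:0:2::2", "REACHABLE")                 # the link peer (constructed)
    static = NeighborCache("2001:db8:0:3::/64", nd_enabled=False)
    static.add("2001:db8:0:3::2", "STATIC")                 # configured by hand
    caches = {"lan64": lan, "p2p126": p2p, "static64": static}
    return {n: (sweep(c).count("REACHABLE", "STATIC"), c.count("INCOMPLETE"))
            for n, c in caches.items()}
```

Calling `scenarios()` shows the /64 with ND enabled losing its real neighbor to a cache full of INCOMPLETE entries, while the /126 is bounded by its four addresses and the static configuration creates no dynamic state at all.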