nanog mailing list archives

Re: NIST IPv6 document


From: Tim Chown <tjc () ecs soton ac uk>
Date: Thu, 6 Jan 2011 15:23:30 +0000


On 6 Jan 2011, at 15:10, Lamar Owen wrote:

> Ok, perhaps I'm dense, but why is the router going to try to find a host that it already doesn't know based on an
> unsolicited outside packet?  Why is the router trusting the outside's idea of what addresses are active, and why
> isn't the router dropping packets on the floor destined to hosts on one of its interfaces' local subnets that it
> doesn't already know about?
>
> If the packet is a response to a request from the host, then the router should have seen the outgoing packet (or, in
> the case of HSRP-teamed routers, all the routers in the standby group should be keeping track of all hosts, etc) and
> it should already be in the neighbor table.

There's some interesting discussion around this point in RFC 6018, which discusses the use of greynet monitoring in
sparsely populated IPv6 subnets. This approach may be one method to help detect and/or mitigate such attacks.

Tim
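
The behaviour both posts are talking about, as an added toy model that is not code from the thread, from RFC 6018 or from the NIST document: a router that starts neighbor resolution for every unsolicited inbound packet aimed at an unused address in a sparse /64 lets a remote sweep fill its neighbor cache with INCOMPLETE entries, while a greynet (a block of addresses no host legitimately uses) makes the sweep easy to spot. The prefix 2001:db8:1::/64, the greynet block 2001:db8:1::dead:0/112, the cache limit of 8 entries, the "ATTACKER" source and the "resolve_unknown" switch (Lamar's policy of not soliciting for neighbors the router has never seen) are all assumptions chosen for the illustration.

```python
"""Toy model of IPv6 neighbor-cache pressure from unsolicited inbound packets
and of greynet monitoring on a sparse /64.  Constructed example: the prefix,
greynet block, cache limit and addresses below are arbitrary."""
import ipaddress
from collections import Counter, defaultdict


class Router:
    """One /64 interface with a bounded neighbor cache and a greynet."""

    def __init__(self, prefix, known_hosts, greynet, limit=8, resolve_unknown=True):
        self.prefix = ipaddress.ip_network(prefix)
        # Neighbors already resolved, e.g. hosts whose outbound traffic was seen.
        self.cache = {str(ipaddress.ip_address(h)): "REACHABLE" for h in known_hosts}
        self.greynet = [ipaddress.ip_network(g) for g in greynet]
        self.limit = limit                   # hypothetical cap on cache entries
        self.resolve_unknown = resolve_unknown
        self.greynet_hits = defaultdict(Counter)  # src -> Counter of greynet dsts
        self.dropped = 0

    def observe_outbound(self, src):
        """A local host sent something out, so it is alive: cache it as REACHABLE.
        If the cache is full, a REACHABLE neighbor outranks an unanswered NS."""
        key = str(ipaddress.ip_address(src))
        if key not in self.cache and len(self.cache) >= self.limit:
            victim = next((k for k, v in self.cache.items() if v == "INCOMPLETE"), None)
            if victim is None:
                return False
            del self.cache[victim]
        self.cache[key] = "REACHABLE"
        return True

    def forward(self, src, dst):
        """Decide what happens to an inbound packet from src for dst."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in self.prefix:
            return "not-local"
        if any(dst_ip in g for g in self.greynet):
            # Nobody lives here, so every hit is evidence of a sweep.
            self.greynet_hits[src][str(dst_ip)] += 1
        state = self.cache.get(str(dst_ip))
        if state == "REACHABLE":
            return "delivered"
        if state == "INCOMPLETE":
            return "queued"              # an NS is already outstanding
        if not self.resolve_unknown:
            self.dropped += 1
            return "dropped-unknown"     # never solicit for a neighbor we have not seen
        if len(self.cache) >= self.limit:
            self.dropped += 1
            return "dropped-full"        # cache exhausted; legitimate new hosts lose too
        self.cache[str(dst_ip)] = "INCOMPLETE"  # send an NS and hold a slot for it
        return "resolving"

    def scanners(self, min_distinct=4):
        """Sources that probed at least min_distinct distinct greynet addresses."""
        return sorted(s for s, c in self.greynet_hits.items() if len(c) >= min_distinct)


ATTACKER = "2001:db8:ffff::bad"                               # constructed remote source
SWEEP = [f"2001:db8:1::dead:{i:x}" for i in range(1, 11)]     # ten unused addresses


def run(resolve_unknown):
    """Replay a sweep against a router with the given policy; return the outcomes."""
    r = Router("2001:db8:1::/64",
               known_hosts=["2001:db8:1::10", "2001:db8:1::11"],
               greynet=["2001:db8:1::dead:0/112"],
               resolve_unknown=resolve_unknown)
    sweep = Counter(r.forward(ATTACKER, d) for d in SWEEP)
    # A real host that has never sent anything out, then one the router has seen.
    quiet_new = r.forward("2001:db8:2::5", "2001:db8:1::12")
    r.observe_outbound("2001:db8:1::13")
    active_new = r.forward("2001:db8:2::5", "2001:db8:1::13")
    return {"sweep": dict(sweep), "quiet_new_host": quiet_new,
            "active_new_host": active_new, "cache_size": len(r.cache),
            "dropped": r.dropped, "scanners": r.scanners()}


if __name__ == "__main__":
    for policy in (True, False):
        print("resolve_unknown =", policy, run(policy))
```

With the default policy the ten-address sweep leaves six INCOMPLETE entries, fills the cache and then causes a legitimate but not-yet-seen host to be dropped; with Lamar's policy the sweep costs no cache slots at all, at the price that an inside host is only reachable from outside once the router has seen it talk. In both cases the greynet counter names the sweeping source after a handful of probes, which is the detection value Tim points to.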
