nanog mailing list archives

Re: NIST IPv6 document


From: Owen DeLong <owen () delong com>
Date: Thu, 6 Jan 2011 21:57:38 -0800


On Jan 6, 2011, at 7:13 PM, Jeff Wheeler wrote:

> On Thu, Jan 6, 2011 at 9:24 PM, Joe Greco <jgreco () ns sol net> wrote:
>> With today's implementations of things?  Perhaps.  However, you
>> show yourself equally incapable of grasping the real problem by
>> looking at the broader picture, and recognizing that problematic
>> issues such as finding hosts on a network are very solvable
>> problems, and that we are at an early enough phase of IPv6 that
>> we can even expect some experiments will be tried.
>>
>> Look beyond what _is_ today and see if you can figure out what
>> it _could_ be.  There's no need for what I suggest to DoS a router;
>> that's just accepting a naive implementation and saying "well this
>> can't be done because this one way of doing it breaks things."  It
>> is better to look for a way to fix the problem.
>
> Actually, unlike most posters on this subject, I have a very good
> understanding of how everything works "under the hood."  For this
> reason, I also understand what is possible given the size of a /64
> subnet and the knowledge that we will never have adjacency tables
> approaching this size.
>
> If you are someone who thinks, oh, those Cisco and Juniper developers
> will figure this out, they just haven't thought about it hard enough
> yet, I can understand why you believe that a simple fix like "no ip
> directed-broadcast" is on the horizon.  Unfortunately, it is not.  The
> only thing they can do is give more mitigation knobs to allow
> operators to choose our failure modes and thresholds.  To really fix
> it, you need a smaller subnet or a radical protocol change that will
> introduce a different set of problems.

I think I have a pretty good understanding of what happens under the
hood, too.

The reality is that what you say is theoretically possible, but not
terribly practical from an attacker perspective. It's pretty trivial to
block these attacks out from threats outside your network or at
least severely limit the number of attackable addresses within the
individual network. Smaller network segments are not necessary
to reduce the attackable profile of the network segment.

Yes, a determined host within your network segment can DoS the
network segment this way. Guess what... If you've got a determined
attacker on your network segment, you've already lost on multiple
other levels, so, this might even be a feature.

As such, while the issue you bring up can be a problem for a poorly
administered network, I think you overstate its viability as an attack
vector in most real world instances.

Owen
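The disagreement above is about what a router's neighbor cache does when traffic arrives for addresses in a /64 that nobody uses, and whether the two mitigations Owen describes (filtering which addresses in the segment are reachable from outside, and bounding the cache) are enough. The following Python model is an added illustration, not code from this thread or from any vendor's implementation: it uses a constructed documentation prefix (2001:db8:0:1::/64), a constructed list of eight real hosts, and a deliberately simplified LRU cache with REACHABLE and INCOMPLETE states. It compares a naive cache, a cache with a separate cap on INCOMPLETE entries, and an ingress allowlist of known destinations.

```python
"""Toy model of an IPv6 router neighbor cache under traffic to unused
addresses in a /64, with and without two mitigations. Constructed example;
the cache logic is a simplification, not any real router's behaviour."""
import ipaddress
import random
from collections import OrderedDict

PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix (constructed)
# Constructed: eight "real" hosts on the segment, given low addresses for readability.
REAL_HOSTS = [str(PREFIX[i]) for i in range(1, 9)]

REACHABLE, INCOMPLETE = "REACHABLE", "INCOMPLETE"


class NeighborCache:
    """Simplified neighbor cache: an LRU-ordered map from address to state."""

    def __init__(self, capacity, incomplete_cap=None):
        self.capacity = capacity
        self.incomplete_cap = incomplete_cap  # None = no separate bound on INCOMPLETE entries
        self.entries = OrderedDict()
        self.dropped = 0

    def learn(self, addr):
        """A host answered Neighbor Solicitation: its entry becomes REACHABLE."""
        self.entries[addr] = REACHABLE
        self.entries.move_to_end(addr)

    def incomplete_count(self):
        return sum(1 for state in self.entries.values() if state == INCOMPLETE)

    def forward(self, dst):
        """The router needs a link-layer address for dst; returns the action taken."""
        if dst in self.entries:
            self.entries.move_to_end(dst)
            return "forward" if self.entries[dst] == REACHABLE else "queued"
        if self.incomplete_cap is not None and self.incomplete_count() >= self.incomplete_cap:
            self.dropped += 1                   # refuse to start yet another resolution
            return "dropped"
        self.entries[dst] = INCOMPLETE          # send NS, hold the packet
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)    # naive LRU: may evict a real host's entry
        return "resolving"


def random_address(rng):
    """A uniformly random address inside the /64 (2**64 candidates)."""
    return str(PREFIX[rng.getrandbits(64)])


def simulate(capacity=1024, incomplete_cap=None, allowlist=None, n_packets=5000, seed=7):
    """Push n_packets addressed to random hosts in the /64 through a router whose
    cache already knows the real hosts, and report what the cache looks like after."""
    rng = random.Random(seed)
    cache = NeighborCache(capacity, incomplete_cap)
    for host in REAL_HOSTS:
        cache.learn(host)
    filtered = 0
    for _ in range(n_packets):
        dst = random_address(rng)
        if allowlist is not None and dst not in allowlist:
            filtered += 1   # ingress filter: unknown destinations never touch the cache
            continue
        cache.forward(dst)
    return {
        "real_hosts_still_reachable": sum(
            1 for h in REAL_HOSTS if cache.entries.get(h) == REACHABLE),
        "incomplete_entries": cache.incomplete_count(),
        "dropped_resolutions": cache.dropped,
        "filtered_at_ingress": filtered,
    }


if __name__ == "__main__":
    print("naive cache:        ", simulate())
    print("INCOMPLETE cap 512: ", simulate(incomplete_cap=512))
    print("ingress allowlist:  ", simulate(allowlist=set(REAL_HOSTS)))
```

With the naive cache, the 5000 random destinations never collide with a real host (8 out of 2**64), so every one starts a new INCOMPLETE entry and the LRU eviction pushes all eight real hosts out; the cache ends up holding 1024 useless entries and forwards nothing. With a separate cap on INCOMPLETE entries, the real hosts stay REACHABLE and later unknown destinations are simply refused, which is the "mitigation knob" Jeff describes: the failure is still there, but the operator chooses what fails. With the allowlist, nothing unknown reaches the cache at all, which is Owen's "limit the number of attackable addresses". The model also shows the limit of the allowlist: it is applied at ingress, so a host already on the segment bypasses it, matching Owen's remark that an on-segment attacker is a different problem.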
