nanog mailing list archives
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Tue, 29 Nov 2011 03:23:04 -0500
On Tue, Nov 29, 2011 at 1:43 AM, <Valdis.Kletnieks () vt edu> wrote:
> It's worked for us since 1997. We've had bigger problems with IPv4 worms

That's not a reason to deny that the problem exists. It's even fixable. I'd prefer that vendors fixed it *before* there were massive botnet armies with IPv6 connectivity, but in case they don't, I do not deploy /64.

On Tue, Nov 29, 2011 at 2:20 AM, Jonathan Lassoff <jof () thejof com> wrote:
> Agreed. While I don't have any good numbers that I can publicly offer up, it also intuitively makes sense that there's a greater proportion of IPv4 DDOS and resource exhaustion attacks vs IPv6 ones.

Of course. There are comparably few hosts with IPv6 connectivity. Bad guys aren't that familiar with IPv6 yet. Even if they are, their armies of compromised desktops probably can't launch an effective IPv6 attack yet. Lack of sources, no way to get nasty IPv6 packets to the target, or the target has different infrastructure for IPv4 and IPv6 anyway, and taking out the IPv6 one only isn't that beneficial (Happy Eyeballs features and such.) Further, the victim can just turn off IPv6 when they start getting attacked in this way. And that is exactly what sites will end up doing, turning off IPv6 because vendors aren't addressing issues like these. That doesn't help anyone.

> I imagine the mitigation strategies are similar for both cases though: just rate-limit how often your router will attempt neighbor discovery. Are there other methods?

Simply rate-limiting the data-plane events that trigger ND resolution is not good enough. One very popular platform that is offered with cards in horizontal or vertical orientation uses the same policer for ARP and NDP. That means when you do eventually start getting ND attacks, it will break your IPv4 services also.

If you want to learn more about this, I have some slides: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

--
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator / Innovative Network Concepts
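A defender-side check in the spirit of the thread, added here as an example and not code from the thread or any of its participants: it parses constructed Linux `ip -6 neigh show` output (the iproute2 line format is assumed) and flags interfaces whose neighbor cache is dominated by unresolved entries, the footprint a neighbor-discovery exhaustion attempt leaves on a /64; the thresholds are assumptions to tune per link.

```python
# Constructed example (not from the thread): detect neighbor-cache exhaustion
# from Linux `ip -6 neigh show` output. Thresholds are illustrative.
from collections import Counter, defaultdict

UNRESOLVED = {"INCOMPLETE", "FAILED"}   # NUD states left by unanswered solicitations

# Constructed sample: eth0 is healthy; eth1 holds many unresolved entries
# scattered across its /64, the footprint a sweep of an on-link prefix leaves.
SAMPLE = """\
2001:db8:0:1::1 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:0:1::2 dev eth0 lladdr 52:54:00:12:34:57 STALE
2001:db8:0:2::1 dev eth1 lladdr 52:54:00:aa:bb:cc REACHABLE
2001:db8:0:2::a1 dev eth1  INCOMPLETE
2001:db8:0:2::a2 dev eth1  INCOMPLETE
2001:db8:0:2::a3 dev eth1  FAILED
2001:db8:0:2::a4 dev eth1  INCOMPLETE
2001:db8:0:2::a5 dev eth1  FAILED
2001:db8:0:2::a6 dev eth1  INCOMPLETE
"""

def parse_neigh(text):
    """Yield (address, interface, state) per neighbor-cache line."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or "dev" not in tokens:
            continue
        # iproute2 prints the NUD state as the last token
        yield tokens[0], tokens[tokens.index("dev") + 1], tokens[-1]

def unresolved_by_interface(text):
    """Count total and unresolved entries per interface."""
    stats = defaultdict(Counter)
    for _, dev, state in parse_neigh(text):
        stats[dev]["total"] += 1
        stats[dev]["unresolved"] += state in UNRESOLVED
    return stats

def exhaustion_suspects(text, min_unresolved=5, min_ratio=0.5):
    """Interfaces whose unresolved entries are both numerous and the majority."""
    return sorted(dev for dev, c in unresolved_by_interface(text).items()
                  if c["unresolved"] >= min_unresolved
                  and c["unresolved"] / c["total"] >= min_ratio)

if __name__ == "__main__":
    for dev, c in unresolved_by_interface(SAMPLE).items():
        print(f"{dev}: {c['unresolved']}/{c['total']} unresolved")
    print("suspects:", exhaustion_suspects(SAMPLE))
```

On a live host, feed it the output of `ip -6 neigh show` from cron and alert on any interface it returns; a shared ARP/NDP policer, as the message notes, means the same symptom can also surface as IPv4 ARP failures.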