[134390] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Phil Regnauld)
Wed Jan 5 12:58:39 2011

Date: Wed, 5 Jan 2011 18:57:50 +0100
From: Phil Regnauld <regnauld@nsrc.org>
To: Jeff Wheeler <jsw@inconcepts.biz>
In-Reply-To: <AANLkTim8cuhLnF3bzMLahOoyjk7v2Dywtmq7S8U3HF5y@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Jeff Wheeler (jsw) writes:
> are badly needed.  The largest current routing devices have room for
> about 100,000 ARP/NDP entries, which can be used up in a fraction of a
> second with a gigabit of malicious traffic flow.  What happens after
> that is the problem, and we need to tell our vendors what knobs we
> want so we can "choose our own failure mode" and limit damage to one
> interface/LAN.

	Well there are *some* knobs:

	http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1369018

	Not very smart, as it just controls how fast you run out of entries.

	I haven't read all entries in this thread yet, but I wonder if
	http://tools.ietf.org/html/draft-jiang-v6ops-nc-protection-01 has been
	mentioned?

	Seems also that this topic was brought up here a year ago, give
	or take a couple of weeks:

	http://www.mail-archive.com/nanog@nanog.org/msg18841.html


	Cheers,
	Phil
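
The following is an added example, not part of the original message or of any vendor's implementation: a toy model of the shared ARP/NDP table from the quoted text, comparing a table with no limit against one with a per-interface cap on unresolved entries, so the failure stays on the LAN receiving the traffic. Assumptions: the table size is scaled down from the 100,000 entries mentioned above to 1,000, the cap of 64, the interface names and the `NeighborCache`/`simulate` names are hypothetical, and entry aging is not modeled.

```python
from collections import defaultdict

class NeighborCache:
    """Toy shared ND/ARP table (illustrative model, not a vendor implementation)."""

    def __init__(self, capacity, per_if_incomplete=None):
        self.capacity = capacity                    # total entries the device can hold
        self.per_if_incomplete = per_if_incomplete  # hypothetical per-interface knob
        self.entries = {}                           # (ifname, addr) -> state
        self.incomplete = defaultdict(int)          # unresolved entries per interface

    def packet(self, ifname, addr, host_exists):
        """A packet for addr arrives; return True if the neighbor gets resolved."""
        key = (ifname, addr)
        if key in self.entries:
            return self.entries[key] == "REACHABLE"
        if len(self.entries) >= self.capacity:
            return False        # table full: every interface is affected
        if (self.per_if_incomplete is not None
                and self.incomplete[ifname] >= self.per_if_incomplete):
            return False        # this interface has spent its unresolved budget
        if host_exists:
            self.entries[key] = "REACHABLE"   # solicitation answered
            return True
        self.entries[key] = "INCOMPLETE"      # nobody answers; entry lingers
        self.incomplete[ifname] += 1
        return False

def simulate(per_if_incomplete):
    """Flood lan-a with packets to unused addresses, then bring up two new hosts."""
    cache = NeighborCache(capacity=1000, per_if_incomplete=per_if_incomplete)
    for i in range(5000):  # constructed sample traffic, documentation prefix
        cache.packet("lan-a", f"2001:db8:a::{i:x}", host_exists=False)
    return {
        "table_used": len(cache.entries),
        "new_host_lan_a": cache.packet("lan-a", "2001:db8:a::ffff:1", True),
        "new_host_lan_b": cache.packet("lan-b", "2001:db8:b::1", True),
    }

if __name__ == "__main__":
    print("no cap :", simulate(None))
    print("cap=64 :", simulate(64))
```

With the cap, new hosts on lan-a still fail while the traffic lasts, but lan-b keeps resolving neighbors because the shared table never fills.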

