[134393] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Jeff Wheeler)
Wed Jan 5 13:14:36 2011

In-Reply-To: <AANLkTinVKNQ+TZUt1XvXt97S_RQMmrpWhXy7gT4fbJUr@mail.gmail.com>
Date: Wed, 5 Jan 2011 13:14:33 -0500
From: Jeff Wheeler <jsw@inconcepts.biz>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco@gmail.com> wrote:
> Many would argue that the version of IP is irrelevant, if you are permitting
> external hosts the ability to scan your internal network in an unrestricted
> fashion (no stateful filtering or rate limiting) you have already lost, you

How do you propose to rate-limit this scanning traffic?  More router
knobs are needed.  This also does not solve problems with malicious
hosts on the LAN.

A stateful firewall on every router interface has been suggested
already on this thread.  It is unrealistic.

> Even granting that, for the sake of argument - it seems like it would not be
> hard for $vendor to have some sort of "emergency garbage collection"
> routines within their NDP implementations ... ?

How do you propose the router know what entries are "garbage" and
which are needed?  Eliminating active, "good" entries to allow for
more churn would make the problem much worse, not better.

-- 
Jeff S Wheeler <jsw@inconcepts.biz> +1-212-981-0607
Sr Network Operator  /  Innovative Network Concepts
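The neighbor-cache exhaustion the thread is arguing about, modelled as an added example (this is not code from the thread, from the NIST document, or from any vendor's NDP implementation). The cache size of 256, the two full-table policies, the prefix 2001:db8:0:1::/64 and the traffic mix are all constructed for the illustration. It shows the problem with "emergency garbage collection": the only state that distinguishes a scanner's entries is INCOMPLETE, and a legitimate new host waiting for its Neighbor Advertisement is in exactly the same state.

```python
"""Toy model of an IPv6 router's neighbor cache under a /64 address sweep.

Added illustration, not code from the NANOG thread or any vendor. The
cache size, the eviction policies, the prefix and the traffic are all
constructed for the example.
"""
from collections import OrderedDict
import ipaddress
import random

INCOMPLETE = "INCOMPLETE"  # NS sent, no NA received yet
REACHABLE = "REACHABLE"    # neighbor answered; entry is in use


class NeighborCache:
    """Bounded neighbor cache. policy is "drop_new" or "evict_incomplete"."""

    def __init__(self, max_entries, policy):
        self.max_entries = max_entries
        self.policy = policy
        self.entries = OrderedDict()  # addr -> state, oldest first
        self.rejected = 0             # packets dropped because the table was full

    def _make_room(self):
        if len(self.entries) < self.max_entries:
            return True
        if self.policy == "evict_incomplete":
            # "Emergency GC": throw away the oldest unresolved entry.
            victim = next((a for a, s in self.entries.items() if s == INCOMPLETE), None)
            if victim is not None:
                del self.entries[victim]
                return True
        return False

    def forward_to(self, addr):
        """A packet arrives for addr on the LAN; start resolution or drop it."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return True
        if not self._make_room():
            self.rejected += 1
            return False
        self.entries[addr] = INCOMPLETE  # NS goes out, wait for the NA
        return True

    def advertise(self, addr):
        """A Neighbor Advertisement arrives; only helps if the entry survived."""
        if addr in self.entries:
            self.entries[addr] = REACHABLE

    def count(self, state):
        return sum(1 for s in self.entries.values() if s == state)


def simulate(policy, max_entries=256, legit_hosts=50, scan_packets=5000,
             burst=300, seed=1):
    """Run one scan against a cache and report what survives."""
    rng = random.Random(seed)
    prefix = ipaddress.IPv6Network("2001:db8:0:1::/64")  # constructed prefix
    cache = NeighborCache(max_entries, policy)

    # Legitimate hosts ::1 .. ::N come up and answer their solicitations.
    for i in range(legit_hosts):
        addr = prefix[i + 1]
        cache.forward_to(addr)
        cache.advertise(addr)

    # External scanner sweeps random addresses in the /64; nobody answers.
    for _ in range(scan_packets):
        cache.forward_to(prefix[rng.getrandbits(64)])

    # A new legitimate host tries to talk. Its NS goes out, but the scanner
    # keeps sending while the router waits for the NA.
    newcomer = prefix[legit_hosts + 1]
    cache.forward_to(newcomer)
    for _ in range(burst):
        cache.forward_to(prefix[rng.getrandbits(64)])
    cache.advertise(newcomer)

    return {
        "reachable": cache.count(REACHABLE),
        "incomplete": cache.count(INCOMPLETE),
        "rejected": cache.rejected,
        "newcomer_resolved": cache.entries.get(newcomer) == REACHABLE,
    }


if __name__ == "__main__":
    for label, policy, size in [("unbounded", "drop_new", 10**6),
                                ("cap, drop new", "drop_new", 256),
                                ("cap, evict INCOMPLETE", "evict_incomplete", 256)]:
        print(f"{label:24s} {simulate(policy, max_entries=size)}")
```

The three runs show the corner the router is in. With no cap, every scan packet costs a table entry (5,300 INCOMPLETE entries here, and a real scanner can send far more). With a cap and "drop new", the table fills with the scanner's entries and the legitimate newcomer is never solicited. With a cap and INCOMPLETE-first eviction, the 50 resolved entries survive, but the newcomer's own INCOMPLETE entry is churned out by the scanner before its advertisement arrives, because from the router's side it is indistinguishable from scan noise.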

