[135382] in North American Network Operators' Group


Re: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (Michael Loftis)
Mon Jan 24 17:41:32 2011

In-Reply-To: <AANLkTimcZavnJN2gqayS2-piDvOAcw_nrJAREJ0EDTjp@mail.gmail.com>
Date: Mon, 24 Jan 2011 15:41:27 -0700
From: Michael Loftis <mloftis@wgops.com>
To: Ray Soucy <rps@maine.edu>
Cc: nanog <nanog@nanog.org>, carlos <carlos@lacnic.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy <rps@maine.edu> wrote:

> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
> networks. I don't think this will be a common or wide-spread problem.
> The general feeling is that there is simply too much address space
> for it to be done in any reasonable amount of time, and there is
> almost nothing to be gained from it.

The problem I see is the opening of a new, simple, DoS/DDoS scenario.
By repetitively sweeping a target's /64 you can cause EVERYTHING in
that /64 to stop working by overflowing the ND/ND cache, depending on
the specific ND cache implementation and how big it is/etc.  Routers
can also act as amplifiers too, DDoSing every host within a multicast
ND directed solicitation group (and THAT is even assuming a correctly
functioning switch that's limiting the multicast travel).

Add to it the assumption that every router gets certain things right
(like everything correctly decrementing TTLs as assumed in RFC 4861
11.2 in order for hosts to detect off-link RA/ND messages and guard
themselves against those), in these ways it's certainly at least
somewhat worse than ARP.

If you're able to bring down, or severely limit, a site by sending a
couple thousand PPS towards the /64 it's on, or by varying the upper
parts of the /64 to flood all the hosts with multicast traffic while
simultaneously flooding the router's LRU ND cache, well, that's a cheap
and easy attack and it WILL be used, and that can be done with the
protocols working as designed, at least from my reading.  Granted I
don't have an IPv6 lab to test any of this.  But I'd be willing to bet
this exact scenario is readily and easily possible; it already is with
ARP tables (and it DOES happen, it's just harder to make happen with
ARP and IPv4 since the space is so small, esp. when compared to a /64).
IPv6 ND LRU caches/tables aren't going to be anywhere near big enough
to handle a single /64's worth of hosts.  And if they're any
significant amount smaller then it'd be trivial to cause a DoS by
sweeping the address space.  It would depend on the ND table
limits/sizes, and any implementation-specific timers/etc. and garbage
collection, and some other details I don't have, but I bet it'd be
a really small flow in the scheme of things to completely stomp out a
/64... someone I'm sure knows more about the implementations, and I'm
betting this has been brought up before about IPv6/ND...

So I pretty strongly disagree with your statement.  Repetitively
sweeping an IPv6 network to DoS/DDoS the ND protocol, thereby flooding
the ND cache/LRUs, could be extremely effective and if not paid
serious attention will cause serious issues.
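Added example, not part of the thread and not any vendor's code: a small Python model of a router neighbor cache under the sweep described in the message above. With plain LRU replacement the never-resolved INCOMPLETE entries created by the sweep evict the resolved neighbours; preferring to evict unresolved entries, and refusing a new unresolved entry once only resolved ones remain, keeps the real hosts reachable. The 2001:db8::/32 addresses, cache size and sweep size are constructed.

```python
from collections import OrderedDict

class NeighborCache:
    """Toy model of a router's IPv6 neighbor cache (RFC 4861 states reduced to
    INCOMPLETE and REACHABLE). Constructed for illustration; not vendor code."""
    def __init__(self, capacity, protect_resolved):
        self.capacity = capacity
        self.protect_resolved = protect_resolved   # enable the mitigation
        self.entries = OrderedDict()                # address -> state, oldest first

    def _make_room(self):
        """Return True if one more entry may be added."""
        if len(self.entries) < self.capacity:
            return True
        if not self.protect_resolved:
            self.entries.popitem(last=False)        # naive LRU: oldest goes, any state
            return True
        for addr, state in self.entries.items():
            if state == "INCOMPLETE":
                del self.entries[addr]              # oldest unresolved entry goes first
                return True
        return False                                # only resolved left: refuse new one

    def lookup_or_solicit(self, addr):
        """Forwarding path: True on a resolved hit; otherwise create an INCOMPLETE
        entry (where a real router would send a multicast Neighbor Solicitation)."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return self.entries[addr] == "REACHABLE"
        if self._make_room():
            self.entries[addr] = "INCOMPLETE"
        return False

    def resolve(self, addr):
        """A Neighbor Advertisement arrived for addr: mark it REACHABLE."""
        if addr in self.entries:
            self.entries[addr] = "REACHABLE"

def simulate_sweep(protect_resolved, hosts=8, capacity=32, sweep=1000):
    """Constructed scenario: `hosts` real neighbours are resolved, then `sweep`
    never-answered addresses in the same /64 hit the router. Returns how many
    real hosts are still REACHABLE in the cache afterwards."""
    cache = NeighborCache(capacity, protect_resolved)
    real = [f"2001:db8::{i:x}" for i in range(1, hosts + 1)]   # documentation prefix
    for addr in real:
        cache.lookup_or_solicit(addr)
        cache.resolve(addr)
    for i in range(sweep):
        cache.lookup_or_solicit(f"2001:db8::dead:{i:x}")          # bogus, never answers
    return sum(1 for addr in real if cache.entries.get(addr) == "REACHABLE")
```

With the naive cache, simulate_sweep(False) leaves none of the 8 real hosts reachable; with the mitigation, simulate_sweep(True) leaves all 8.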

