[135444] in North American Network Operators' Group


RE: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (George Bonser)
Tue Jan 25 13:51:41 2011

Date: Tue, 25 Jan 2011 10:49:51 -0800
In-Reply-To: <4D3F0144.70107@sohonet.co.uk>
From: "George Bonser" <gbonser@seven.com>
To: "Patrick Sumby" <patrick.sumby@sohonet.co.uk>,
	<nanog@nanog.org>

> > So I pretty strongly disagree about your statement. Repetitively
> > sweeping an IPv6 network to DoS/DDoS the ND protocol, thereby flooding
> > the ND cache/LRUs, could be extremely effective and if not paid
> > serious attention will cause serious issues.
>
> Yes.... This is an issue for point-to-point links but using a longer
> prefix (/126 or similar) has been suggested as a mitigation for this
> sort of attack.
>
> I would assume that in the LAN scenario where you have a /64 for your
> internal network that you would have some sort of stateful firewall
> sitting in front of the network to stop any un-initiated sessions. This
> therefore stops any hammering of ND cache etc. The argument then is that
> the number of packets hitting your firewall / bandwidth starvation would
> be the alternative line of attack for a DoS/DDoS but that is a
> completely different issue.

So for /64 subnets used for point-to-points you disable ND, configure
static neighbors and that's the end of it. No ND DDoS.
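To make the three positions in this exchange concrete (a /64 sweep exhausting an LRU neighbor cache, a /126 bounding the sweep, and static neighbors with ND disabled), here is an added toy simulation. It is not code from the list, from George, or from any router vendor: the cache capacity, prefixes and endpoint addresses are made up, and the "ND disabled" mode is modelled simply as refusing to create a cache entry for any address that has no static neighbor, which is also a fair approximation of an upstream stateful firewall dropping un-initiated inbound sessions.

```python
"""Added toy model of a router's IPv6 neighbor (ND) cache under an address sweep.
Capacity, prefixes and addresses below are made up for illustration only."""
import ipaddress
from collections import OrderedDict

PERMANENT = "PERMANENT"    # static neighbor: never evicted, never re-resolved
INCOMPLETE = "INCOMPLETE"  # created when a packet arrives for an unknown address
REACHABLE = "REACHABLE"    # learned normally before the sweep starts


class NdCache:
    """Fixed-capacity LRU neighbor cache (hypothetical size, not a real router)."""

    def __init__(self, capacity, resolve_unknown=True):
        self.capacity = capacity
        # resolve_unknown=False models "ND disabled, static neighbors only"
        # (or a stateful firewall in front that drops un-initiated sessions).
        self.resolve_unknown = resolve_unknown
        self.entries = OrderedDict()   # address -> state, least recently used first
        self.evictions = 0
        self.dropped = 0

    def add_static(self, addr):
        self.entries[addr] = PERMANENT

    def learn(self, addr):
        self.entries[addr] = REACHABLE

    def touch(self, addr):
        """A packet must be forwarded to addr; return True if it gets a cache slot."""
        if addr in self.entries:
            self.entries.move_to_end(addr)        # mark most recently used
            return True
        if not self.resolve_unknown:
            self.dropped += 1                     # no ND: nothing for the sweep to fill
            return False
        self.entries[addr] = INCOMPLETE           # attacker-triggered resolution slot
        self._evict()
        return True

    def _evict(self):
        while len(self.entries) > self.capacity:
            victim = next((a for a, s in self.entries.items()
                           if s != PERMANENT), None)
            if victim is None:
                break                             # only static entries remain
            del self.entries[victim]
            self.evictions += 1


def sweep(prefix, count):
    """First `count` addresses of the prefix (all of them if the prefix is smaller)."""
    net = ipaddress.IPv6Network(prefix)
    base = int(net.network_address)
    return [ipaddress.IPv6Address(base + i)
            for i in range(min(count, net.num_addresses))]


def simulate(prefix, legit, capacity=1024, sweep_count=5000,
             static=False, resolve_unknown=True):
    """Sweep `prefix` against a cache that already knows the `legit` neighbors."""
    cache = NdCache(capacity, resolve_unknown)
    legit = [ipaddress.IPv6Address(a) for a in legit]
    for a in legit:
        if static:
            cache.add_static(a)
        else:
            cache.learn(a)
    for target in sweep(prefix, sweep_count):
        cache.touch(target)
    return {
        "survivors": sum(a in cache.entries for a in legit),  # legit entries left
        "evictions": cache.evictions,
        "dropped": cache.dropped,
        "cache_size": len(cache.entries),
    }


if __name__ == "__main__":
    legit = ["2001:db8::1", "2001:db8::2"]   # made-up point-to-point endpoints
    print("/64, dynamic ND:    ", simulate("2001:db8::/64", legit))
    print("/126, dynamic ND:   ", simulate("2001:db8::/126", legit))
    print("/64, static, no ND: ", simulate("2001:db8::/64", legit,
                                           static=True, resolve_unknown=False))
```

Running it shows the shape of the argument: on the /64 the sweep never runs out of addresses, so with a 1024-entry cache and a 5000-address sweep both legitimate neighbors are evicted; on the /126 the attacker has only four addresses to aim at and cannot overflow anything; with static neighbors and ND disabled the unknown addresses are simply dropped and the cache never grows. Real implementations add limits and rate controls on INCOMPLETE entries (RFC 6583 discusses the operational problem), so treat the numbers as illustrative, not as a measurement of any platform.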
