[135510] in North American Network Operators' Group


Re: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (Fernando Gont)
Wed Jan 26 02:38:16 2011

Date: Wed, 26 Jan 2011 03:26:43 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Michael Loftis <mloftis@wgops.com>
In-Reply-To: <AANLkTikHBb+cyfPxXftb5QZh136D04fkdWFMy3NFhDdi@mail.gmail.com>
Cc: nanog <nanog@nanog.org>, carlos <carlos@lacnic.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 24/01/2011 07:41 p.m., Michael Loftis wrote:

>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>> networks.  I don't think this will be a common or wide-spread problem.
>>  The general feeling is that there is simply too much address space
>> for it to be done in any reasonable amount of time, and there is
>> almost nothing to be gained from it.
> 
> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
> By repetitively sweeping a targets /64 you can cause EVERYTHING in
> that /64 to stop working by overflowing the ND/ND cache, depending on
> the specific ND cache implementation and how big it is/etc.  

That depends on the ND implementation being broken enough by not
limiting the number of neighbor cache entries that are in the INCOMPLETE
state. (I'm not saying those broken implementations don't exist, though).

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
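The two positions in the exchange above (an unbounded neighbor cache that a /64 sweep can flush, versus an implementation that caps INCOMPLETE entries) are easy to see side by side in a small model. The following is an added example, not code from this thread or from any real ND implementation; the cache capacity, the INCOMPLETE quota of 16, the probe count and the 2001:db8::/32 addresses are constructed assumptions for illustration.

```python
"""Toy model of an IPv6 router's neighbor cache under a /64 address sweep.

Added example (not from the NANOG thread above). It contrasts a cache with
no separate limit on INCOMPLETE entries, where unanswered probes evict real
neighbors, with one that bounds INCOMPLETE entries so that resolved
neighbors keep working while the sweep is in progress.
"""
from collections import OrderedDict

INCOMPLETE = "INCOMPLETE"   # NS sent, no NA received yet
REACHABLE = "REACHABLE"     # neighbor answered

# Constructed addresses in the documentation prefix; the sweep uses ::0..::N.
LEGIT = [f"2001:db8:0:1:200:5eff:fe00:{i:x}" for i in range(10)]


class NeighborCache:
    """addr -> state, kept in least-recently-used order (oldest first)."""

    def __init__(self, capacity, max_incomplete=None):
        self.capacity = capacity
        # None models the implementation Gont calls broken: INCOMPLETE
        # entries compete with resolved neighbors for the whole cache.
        self.max_incomplete = max_incomplete
        self.entries = OrderedDict()

    def state(self, addr):
        return self.entries.get(addr)

    def count(self, state):
        return sum(1 for s in self.entries.values() if s == state)

    def _evict_oldest(self, only_state=None):
        for addr, st in self.entries.items():
            if only_state is None or st == only_state:
                del self.entries[addr]
                return True
        return False

    def packet_for(self, addr):
        """A packet must be forwarded to addr on the LAN, so ND starts."""
        if addr in self.entries:
            self.entries.move_to_end(addr)       # recently used
            return
        if self.max_incomplete is not None and self.count(INCOMPLETE) >= self.max_incomplete:
            # Quota exhausted: sacrifice an unanswered probe, never a
            # neighbor that actually answered.
            self._evict_oldest(only_state=INCOMPLETE)
        if len(self.entries) >= self.capacity:
            # Cache full. Prefer dropping an INCOMPLETE entry if one exists;
            # the unbounded variant has no such preference and simply
            # drops the oldest entry, real neighbors included.
            if self.max_incomplete is None or not self._evict_oldest(INCOMPLETE):
                self._evict_oldest()
        self.entries[addr] = INCOMPLETE

    def advertisement_from(self, addr):
        """Neighbor Advertisement received: resolution succeeded."""
        if addr in self.entries:
            self.entries[addr] = REACHABLE
            self.entries.move_to_end(addr)


def sweep(cache, probes):
    """Attacker sends one packet to each of `probes` unused addresses."""
    for i in range(probes):
        cache.packet_for(f"2001:db8:0:1::{i:x}")   # nobody ever answers


def simulate(max_incomplete=None, capacity=256, probes=5000):
    """Returns (legit neighbors still REACHABLE, INCOMPLETE entries, total)."""
    cache = NeighborCache(capacity, max_incomplete)
    for a in LEGIT:                 # normal operation before the sweep
        cache.packet_for(a)
        cache.advertisement_from(a)
    sweep(cache, probes)
    survivors = sum(1 for a in LEGIT if cache.state(a) == REACHABLE)
    return survivors, cache.count(INCOMPLETE), len(cache.entries)


if __name__ == "__main__":
    print("no INCOMPLETE limit:", simulate(max_incomplete=None))  # (0, 256, 256)
    print("INCOMPLETE capped at 16:", simulate(max_incomplete=16))  # (10, 16, 26)
```

With no quota the 5000 probes roll the whole cache over and every previously resolved neighbor is gone, which is the "EVERYTHING in that /64 stops working" outcome; with INCOMPLETE entries capped, the sweep can only churn its own 16 slots and the ten real neighbors stay REACHABLE. Real stacks express the same idea with per-interface limits and rate limiting of unresolved entries (the operational side of this is the subject of RFC 6583), so the exact knobs differ, but the check a practitioner wants is the same: does a flood of never-answered resolutions evict neighbors that did answer?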