[135901] in North American Network Operators' Group
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
daemon@ATHENA.MIT.EDU (Matthew Petach)
Sun Jan 30 18:17:25 2011
In-Reply-To: <4D3FBEA3.6040404@gont.com.ar>
Date: Sun, 30 Jan 2011 15:17:19 -0800
From: Matthew Petach <mpetach@netflight.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Jan 25, 2011 at 10:26 PM, Fernando Gont <fernando@gont.com.ar> wrote:
> On 24/01/2011 07:41 p.m., Michael Loftis wrote:
>
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks. I don't think this will be a common or widespread problem.
>>> The general feeling is that there is simply too much address space
>>> for it to be done in any reasonable amount of time, and there is
>>> almost nothing to be gained from it.
>>
>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>> By repetitively sweeping a target's /64 you can cause EVERYTHING in
>> that /64 to stop working by overflowing the ND/ND cache, depending on
>> the specific ND cache implementation and how big it is/etc.
>
> That depends on the ND implementation being broken enough by not
> limiting the number of neighbor cache entries that are in the INCOMPLETE
> state. (I'm not saying those broken implementations don't exist, though).
Even without completely overflowing the ND cache, informal lab testing
shows that a single laptop on a well-connected network link can send
sufficient packets at a very-large-scale backbone router's connected /64
subnet to keep the router CPU at 90%, sustained, for as long as you'd
like. So, while it's not a direct denial of service (the network keeps
functioning, albeit under considerable pain), it's enough to impact the
ability of the network to react to other dynamic loads. :/
Matt
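The point Fernando makes above, that the outcome of a /64 sweep hinges on whether the router bounds its INCOMPLETE neighbor cache entries, can be shown with a small model. The following is an added example, not code from the thread or from any router vendor: a constructed, simplified neighbor cache in which a table that evicts its oldest entry when full is compared with one that caps the number of unresolved (INCOMPLETE) entries. The capacity, limit, the `2001:db8::/64` prefix and the host addresses are all hypothetical values chosen for the simulation; real implementations add timers, NS retransmission and rate limiting that this model leaves out.

```python
"""Toy model of an IPv6 neighbor cache under a sweep of unused addresses.

Added example (not from the NANOG thread): compares a cache with no bound on
INCOMPLETE entries against one that refuses to create more than a fixed number
of unresolved entries, as discussed in the thread.
"""
from collections import OrderedDict
import ipaddress

INCOMPLETE = "INCOMPLETE"   # NS sent, no NA received yet
REACHABLE = "REACHABLE"     # link-layer address known


class NeighborCache:
    def __init__(self, capacity, incomplete_limit=None):
        # capacity: total entries the table holds (hypothetical hardware limit)
        # incomplete_limit: cap on INCOMPLETE entries; None means unbounded
        self.capacity = capacity
        self.incomplete_limit = incomplete_limit
        self.entries = OrderedDict()   # addr -> state; insertion order = age
        self.solicitations_sent = 0    # NS messages the router had to emit
        self.dropped_unresolved = 0    # packets refused because the cap was hit

    def incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == INCOMPLETE)

    def learn(self, addr):
        """A host answered (Neighbor Advertisement): record it as REACHABLE."""
        self.entries.pop(addr, None)
        self._insert(addr, REACHABLE)

    def forward(self, addr):
        """Router receives a packet for addr on its connected /64.

        Returns 'forwarded' (entry resolved), 'queued' (NS in flight) or
        'dropped' (cap on INCOMPLETE entries reached, no new entry created).
        """
        state = self.entries.get(addr)
        if state == REACHABLE:
            return "forwarded"
        if state == INCOMPLETE:
            return "queued"
        # Unknown destination: a new INCOMPLETE entry and an NS would be needed.
        if (self.incomplete_limit is not None
                and self.incomplete_count() >= self.incomplete_limit):
            # Bounded implementation: refuse rather than grow the unresolved set.
            self.dropped_unresolved += 1
            return "dropped"
        self._insert(addr, INCOMPLETE)
        self.solicitations_sent += 1
        return "queued"

    def _insert(self, addr, state):
        if len(self.entries) >= self.capacity:
            # Table full: evict the oldest entry regardless of its state. This
            # is what lets a sweep push out the REACHABLE entries of real hosts.
            self.entries.popitem(last=False)
        self.entries[addr] = state


def simulate_sweep(cache, prefix, legit_hosts, sweep_size):
    """Resolve legit_hosts, then send one packet to each of sweep_size unused
    addresses in prefix. Returns how many legit hosts are still REACHABLE."""
    net = ipaddress.IPv6Network(prefix)
    for host in legit_hosts:
        cache.learn(host)
    for i in range(sweep_size):
        # Constructed: addresses well above the hosts' range, so none resolve.
        cache.forward(str(net[1000 + i]))
    return sum(1 for h in legit_hosts if cache.entries.get(h) == REACHABLE)


def compare_implementations(sweep_size=200):
    """Run the same sweep against both cache variants and summarise."""
    hosts = ["2001:db8::1", "2001:db8::2", "2001:db8::3"]   # constructed
    unbounded = NeighborCache(capacity=64)
    bounded = NeighborCache(capacity=64, incomplete_limit=16)
    return {
        "unbounded_hosts_left": simulate_sweep(unbounded, "2001:db8::/64", hosts, sweep_size),
        "unbounded_ns_sent": unbounded.solicitations_sent,
        "bounded_hosts_left": simulate_sweep(bounded, "2001:db8::/64", hosts, sweep_size),
        "bounded_ns_sent": bounded.solicitations_sent,
        "bounded_dropped": bounded.dropped_unresolved,
    }


if __name__ == "__main__":
    for key, value in compare_implementations().items():
        print(f"{key}: {value}")
```

In the unbounded variant the sweep evicts every resolved host, and the router emits one Neighbor Solicitation per swept address, which is the CPU load Matt describes even when the table never technically "overflows". The bounded variant keeps the resolved entries intact and stops soliciting once its INCOMPLETE budget is spent, at the cost of dropping packets to genuinely new destinations until those entries age out; a real implementation would pair the cap with a short INCOMPLETE timeout so legitimate new hosts can still be resolved.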