[135964] in North American Network Operators' Group


Re: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Mon Jan 31 01:59:25 2011

Date: Mon, 31 Jan 2011 07:58:28 +0100 (CET)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: nanog <nanog@nanog.org>
In-Reply-To: <AANLkTimSpkQZ7pW=jb2KB1pndmKBpkug+WtugzOcUGJP@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, 30 Jan 2011, Matthew Petach wrote:

> Even without completely overflowing the ND cache, informal lab testing 
> shows that a single laptop on a well-connected network link can send 
> sufficient packets at a very-large-scale backbone router's connected /64 
> subnet to keep the router CPU at 90%, sustained, for as long as you'd 
> like.  So, while it's not a direct denial of service (the network keeps 
> functioning, albeit under considerable pain), it's enough to impact the 
> ability of the network to react to other dynamic loads.  :/

At AMSIX, a Cisco 12000 running IOS will get into trouble with the 170 pps 
of ND seen there. AMSIX doesn't do MLD snooping, so everybody gets 
everything, and on the IOS 12000, ND is punted to the RP; when it's busy 
calculating BGP, it'll start dropping BGP sessions.

An access-list filtering IPv6 multicast the router isn't subscribed to 
fixes the problem.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
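
The filtering logic described in the message above, as an added example that is not part of the original post and is not vendor configuration: it derives the link-scope multicast groups a router is actually subscribed to (all-nodes, all-routers, and the solicited-node group of each interface address, per RFC 4291) and classifies packet destinations the way such an access list would. The interface addresses and destinations are constructed sample values; `extra_groups` is a hypothetical parameter for groups such as routing-protocol multicast that a given router must also accept.

```python
import ipaddress
from collections import Counter

# Link-scope groups every IPv6 router joins (RFC 4291): all-nodes, all-routers.
BASE_GROUPS = ("ff02::1", "ff02::2")
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)

def subscribed_groups(interface_addrs, extra_groups=()):
    """Multicast groups the router listens on for the given interface addresses."""
    groups = {ipaddress.IPv6Address(g) for g in BASE_GROUPS + tuple(extra_groups)}
    groups.update(solicited_node(a) for a in interface_addrs)
    return groups

def classify(dst, groups):
    """'permit' for unicast and subscribed multicast, 'deny' for other multicast."""
    dst = ipaddress.IPv6Address(dst)
    if not dst.is_multicast:
        return "permit"  # unicast (including unicast ND) is untouched by the filter
    return "permit" if dst in groups else "deny"

def filter_report(destinations, groups):
    """Count permit/deny decisions over a list of packet destinations."""
    return Counter(classify(d, groups) for d in destinations)

# Constructed sample: one global and one link-local address on the peering LAN.
ROUTER_ADDRS = ["2001:db8:0:1::a500:1", "fe80::212:34ff:fe56:789a"]

# Constructed sample destinations as seen on a LAN without MLD snooping.
SAMPLE_DSTS = [
    "ff02::1:ff00:1",        # NS for the router's global address
    "ff02::1:ff56:789a",     # NS for the router's link-local address
    "ff02::1:ffab:cdef",     # NS aimed at some other peer's address
    "ff02::1:ff12:3456",     # NS aimed at yet another peer
    "ff02::1",               # all-nodes (e.g. unsolicited NA)
    "ff02::fb",              # multicast the router has not joined
    "2001:db8:0:1::a500:1",  # unicast to the router
]

if __name__ == "__main__":
    groups = subscribed_groups(ROUTER_ADDRS)
    for dst in SAMPLE_DSTS:
        print(f"{classify(dst, groups):6} {dst}")
    print(dict(filter_report(SAMPLE_DSTS, groups)))
```

Only solicitations for other hosts' addresses and unjoined groups are dropped, so the router still answers ND for its own addresses. Any group the router relies on but that is missing from the permit set (passed here via `extra_groups`) would be denied as well.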

