[136989] in North American Network Operators' Group


Re: Failure modes: NAT vs SPI

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Mon Feb 7 16:08:20 2011

From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <25213878.5499.1297095351131.JavaMail.root@benjamin.baylink.com>
Date: Mon, 7 Feb 2011 22:07:26 +0100
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 7 feb 2011, at 17:15, Jay Ashworth wrote:

>> Ok, I had a hard time making up my mind whether a sarcastic or a
>> factual response was in order...

> I see you decided to go with "sarcastic".

Not sure if Owen noticed...  :-)

> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...

Well, no and yes. There are only a few panes of glass keeping people out of most houses. We know glass is easy to break. We know it gets broken and people get in who aren't wanted there once in a while. Still only a few people see the need to install steel bars in front of their windows.

In real life we take risks all the time. In the networked world somehow it always has to be all or nothing, with few people occupying the reasonable middle ground.

But in this case, we know there's a potential problem and waiting for it to become acute is not the best approach.

> So, you're not going to actually address the problem seriously?

Vendors should modify their neighbor discovery implementations such that it still works even when large numbers of addresses are scanned. The easiest way would be to keep only a limited number of incomplete ND cache entries and throw those away on an LRU basis, but create a full ND cache entry that is kept around when a neighbor advertisement is received, even if there is no incomplete ND cache entry at that time. AFAIK the incomplete ND cache entries don't do anything we can't do without.

"Solving" this with NAT is the classic example of shooting a mosquito with a cannon.

I also don't think any protocol modifications are necessary.
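The cache behaviour proposed in the reply above, as an added illustration that is not part of the original post or any vendor's implementation: a model with a capped, LRU-evicted set of incomplete entries, where a received Neighbor Advertisement installs a full entry even when the incomplete entry has already been evicted. The `NdCache` class, the `simulate_scan` scenario and the 2001:db8:: addresses are constructed for this example.

```python
from collections import OrderedDict


class NdCache:
    """Hypothetical model of the ND cache design suggested in the mail.

    Incomplete entries (address resolution in progress) are capped and evicted
    least-recently-used first. A Neighbor Advertisement always installs a full
    entry, even if no incomplete entry exists; note that this deliberately
    differs from RFC 4861, which discards an NA for an address not in the cache.
    """

    def __init__(self, max_incomplete):
        self.max_incomplete = max_incomplete
        self.incomplete = OrderedDict()  # addr -> Neighbor Solicitations sent
        self.reachable = {}              # addr -> link-layer address

    def on_packet_to(self, addr):
        """Forwarding to an unresolved on-link address starts resolution."""
        if addr in self.reachable:
            return "forward"
        if addr in self.incomplete:
            self.incomplete.move_to_end(addr)  # refresh LRU position
            return "queued"
        if len(self.incomplete) >= self.max_incomplete:
            self.incomplete.popitem(last=False)  # evict least recently used
        self.incomplete[addr] = 1  # one Neighbor Solicitation sent
        return "solicited"

    def on_neighbor_advertisement(self, addr, lladdr):
        """A NA yields a full entry whether or not the incomplete entry survived."""
        self.incomplete.pop(addr, None)
        self.reachable[addr] = lladdr
        return True


def simulate_scan(cache, scanned, legit_addr, legit_mac):
    """Constructed scenario: a real host's resolution is in progress while
    packets arrive for `scanned` unused addresses in the same /64; the real host
    then answers. Returns (incomplete entries left, whether the host resolved)."""
    cache.on_packet_to(legit_addr)  # legitimate traffic starts resolution
    for i in range(scanned):  # constructed sample addresses, no real network
        cache.on_packet_to(f"2001:db8::{i:x}")
    cache.on_neighbor_advertisement(legit_addr, legit_mac)  # late reply
    return len(cache.incomplete), cache.on_packet_to(legit_addr) == "forward"
```

With `max_incomplete=float("inf")` the same scenario leaves one incomplete entry per scanned address, which is the exhaustion the thread is about; with a cap the incomplete set stays bounded and the real host still resolves.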

