[142844] in North American Network Operators' Group
Re: NDP DoS attack (was Re: Anybody can participate in the IETF (Was:
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jul 14 22:37:12 2011
In-Reply-To: <4E1FA08A.8020503@gont.com.ar>
From: Jared Mauch <jared@puck.nether.net>
Date: Thu, 14 Jul 2011 22:35:40 -0400
To: Fernando Gont <fernando@gont.com.ar>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 14, 2011, at 10:06 PM, Fernando Gont <fernando@gont.com.ar> wrote:
>> It should be possible to mitigate this, so long as the attack does not actually
>> originate from a neighbor on the same subnet as a router IP interface on
>> an IPv6 subnet with sufficient number of IPs.
>
> Well, unless there's some layer-2 anti-spoofing mitigation in place,
> with /64 subnets the "local attacker" typically *will* have enough
> addresses.
Solving a local attack is something I consider different in scope than the current draft being discussed in 6man, v6ops, ipv6@ etc...

Anyone on a layer-2 network can do something interesting like flood all f's and kill the LAN. Trying to keep the majority of thoughts here for layer-3 originated attacks, even if the target is a layer-2 item.

- Jared