[142882] in North American Network Operators' Group
Re: NDP DoS attack
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Jul 17 07:04:46 2011
From: Florian Weimer <fw@deneb.enyo.de>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Date: Sun, 17 Jul 2011 13:04:39 +0200
In-Reply-To: <alpine.DEB.2.00.1107171258280.20159@uplift.swm.pp.se> (Mikael Abrahamsson's message of "Sun, 17 Jul 2011 12:59:34 +0200 (CEST)")
Cc: "nanog@nanog.org" <nanog@nanog.org>
* Mikael Abrahamsson:
> On Sun, 17 Jul 2011, Florian Weimer wrote:
>
>> Interesting, thanks. It's not the vendors I would expect, and it's
>> not based on SEND (which is not surprising at all and actually a
>> good thing).
>
> Personally I think SEND is never going to get any traction.
Last time, I was told that SEND was the way to go, despite not
actually fixing anything. This mess is even worse than SCTP.
>> Is this actually secure in the sense that it ties addresses to
>> specific ports for both sending and receiving? I'm asking because
>> folks have built similar systems for IPv4 which weren't. The CLI
>> screenshots look good, better than what most folks achieve with
>> IPv4.
>
> As far as I know, it's designed to work securely in an ETTH scenario,
> which implies both sending and receiving (if I understood you
> correctly).
And it would also plug the NDP DoS vector because you've got a small
set of addresses you need to process. Let's hope this gets buy-in
from more vendors (and across the whole switch product lines, please),
with full interoperability.
_____
NANOG mailing list
NANOG@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog
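The point Florian makes about plugging the NDP DoS vector, as an added example that is not part of the thread and not any vendor's implementation: a toy model of a router's IPv6 neighbor cache under an address-scan attack on a /64, first without and then with a per-port address binding table of the kind the thread discusses. The prefix, cache capacity, scan size and the "legitimate host" address are all constructed for the simulation; the cache state machine is reduced to INCOMPLETE and REACHABLE. The example shows why the small, known set of bound addresses matters: the unbound router exhausts its cache answering solicitations for nonexistent hosts and can then no longer resolve a real one, while the bound router never solicits for an address it has not seen on an access port.

```python
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")   # constructed sample subnet
CACHE_CAPACITY = 1024                                 # constructed cache limit


class NeighborCache:
    """Toy model of a router's IPv6 neighbor cache.

    Traffic to an unresolved on-link address creates an INCOMPLETE entry and
    sends a Neighbor Solicitation. Once the cache is full, traffic to any new
    destination is dropped, so a scan of unused addresses in the /64 starves
    resolution for real hosts (the NDP DoS vector).
    """

    def __init__(self, capacity=CACHE_CAPACITY):
        self.capacity = capacity
        self.entries = {}        # destination address -> "INCOMPLETE" | "REACHABLE"
        self.solicitations = 0   # Neighbor Solicitations sent
        self.dropped = 0         # packets dropped without any resolution attempt

    def forward(self, dst):
        if dst in self.entries:
            return "forwarded" if self.entries[dst] == "REACHABLE" else "queued"
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return "dropped"
        self.entries[dst] = "INCOMPLETE"
        self.solicitations += 1
        return "queued"

    def neighbor_advertisement(self, addr):
        """A host answered our solicitation; mark its entry REACHABLE if one exists."""
        if addr in self.entries:
            self.entries[addr] = "REACHABLE"
            return True
        return False


class PortBoundCache(NeighborCache):
    """The same cache behind a switch that binds each address to an access port
    (assumption: bindings are learned before traffic arrives). The router only
    resolves addresses in that small, known set and never solicits for the rest.
    """

    def __init__(self, bindings, capacity=CACHE_CAPACITY):
        super().__init__(capacity)
        self.bindings = set(bindings)

    def forward(self, dst):
        if dst not in self.bindings:
            self.dropped += 1      # unknown address: no cache entry, no NS
            return "dropped"
        return super().forward(dst)


def scan_attack(cache, count):
    """Attacker sends one packet to each of `count` unused addresses in PREFIX."""
    base = int(PREFIX.network_address)
    for i in range(1, count + 1):
        # offset past the constructed legitimate host address so they never collide
        cache.forward(ipaddress.IPv6Address(base + 0x10000 + i))


def simulate(bound, scan_size=4096):
    """Run the scan, then try to reach one real host that is actually on the link."""
    legit = ipaddress.IPv6Address(int(PREFIX.network_address) + 0x42)  # constructed
    cache = PortBoundCache({legit}) if bound else NeighborCache()
    scan_attack(cache, scan_size)
    first = cache.forward(legit)                    # first packet during the attack
    answered = cache.neighbor_advertisement(legit)  # host replies, if asked at all
    second = cache.forward(legit)                   # retransmission after the reply
    return {
        "cache_entries": len(cache.entries),
        "solicitations": cache.solicitations,
        "dropped": cache.dropped,
        "legit_first": first,
        "legit_resolved": answered,
        "legit_second": second,
    }


if __name__ == "__main__":
    print("unbound:", simulate(bound=False))
    print("bound:  ", simulate(bound=True))
```

Running it shows the unbound router with a cache full of INCOMPLETE entries for addresses nobody owns and the real host unreachable, while the bound router sends exactly one solicitation, for the one address it knows is on the link. Real implementations add rate limits and entry timeouts, which delay rather than remove the exhaustion; the binding table removes it because the set of addresses the router must resolve is no longer the whole /64.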