[174387] in North American Network Operators' Group
Re: Fwd: Interesting problems with using IPv6
daemon@ATHENA.MIT.EDU (Dale W. Carder)
Mon Sep 8 11:08:53 2014
X-Original-To: nanog@nanog.org
Date: Mon, 08 Sep 2014 10:08:44 -0500
From: "Dale W. Carder" <dwcarder@wisc.edu>
To: Scott Weeks <surfer@mauigateway.com>
In-reply-to: <20140907121718.43C44FB1@m0005298.ppops.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Thus spake Scott Weeks (surfer@mauigateway.com) on Sun, Sep 07, 2014 at 12:17:18PM -0700:
> --- fergdawgster@mykolab.com wrote:
> From: Paul Ferguson <fergdawgster@mykolab.com>
>
> There's been a lot of on-and-off discussion about v6,
> especially about security and operational concerns
> about some aspects of IPv6 deployment, specifically
> regarding neighbor discovery (although there are other
> operational security concerns, as well).
>
> I'd like to provide this as an example of those
> concerns, without any additional commentary. :-)
>
> See also:
>
> http://www.ietf.org/mail-archive/web/ietf/current/msg89517.html
> --------------------------------------------------
>
>
> I read the article and Tim Warnock on ipv6.org.au gave
> a pretty good and very brief summary. Pasted here for
> those that don't have time to read it. :-)
>
> "large L2 domain + ipv6 windows privacy extensions + some
> intel card bug + some mention of igmp snooping = multicast
> flood w/ high switch/router cpu..."

This is well known. See: draft-pashby-magma-simplify-mld-snooping-01
About 4-5 years ago there was CSCtl51859.

Vendor implementations that treat v6 neighbor discovery like it's IGMPv2
are doomed to fail.

Dale