nanog mailing list archives
Re: Failure modes: NAT vs SPI
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Mon, 7 Feb 2011 22:07:26 +0100
On 7 feb 2011, at 17:15, Jay Ashworth wrote:
>> Ok, I had a hard time making up my mind whether a sarcastic or a factual response was in order...
> I see you decided to go with "sarcastic".
Not sure if Owen noticed... :-)
> I'm sure it's clear to you that "no one's doing it now" is not a valid response to prophylactic secure network planning...
Well, no and yes. There's only a few panes of glass keeping people out of most houses. We know glass is easy to break. We know it gets broken and people get in who aren't wanted there once in a while. Still only a few people see the need to install steel bars in front of their windows. In real life we take risks all the time. In the networked world somehow it always has to be all or nothing, with few people occupying the reasonable middle ground. But in this case, we know there's a potential problem and waiting for it to become acute is not the best approach.
> So, you're not going to actually address the problem seriously?
Vendors should modify their neighbor discovery implementations such that they still work even when large numbers of addresses are scanned. The easiest way would be to keep only a limited number of incomplete ND cache entries and throw those away on an LRU basis, but create a full ND cache entry that is kept around when a neighbor advertisement is received, even if there is no incomplete ND cache entry at that time. AFAIK the incomplete ND cache entries don't do anything we can't do without. "Solving" this with NAT is the classic example of shooting a mosquito with a cannon. I also don't think any protocol modifications are necessary.
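A toy model of the two neighbor-cache policies being contrasted above, added here as an illustration; it is not part of the original message and not any vendor's code. It compares a conventional bounded cache (new INCOMPLETE entries refused once the table is full, and a neighbor advertisement that matches no entry discarded) with the proposed policy (INCOMPLETE entries evicted on an LRU basis, and any received NA turned into a full entry). The address prefix, MAC address, table size, scan pattern and the absence of entry timers are all assumptions of this example.

```python
"""Toy IPv6 neighbor cache under a remote /64 scan (constructed example)."""
from collections import OrderedDict

INCOMPLETE, REACHABLE, DROPPED = "INCOMPLETE", "REACHABLE", "DROPPED"


class TableFullNDCache:
    """Conventional bounded cache: a packet to an unknown neighbor creates an
    INCOMPLETE entry only while there is room, and an NA that matches no
    existing entry is discarded. No entry timers are modelled (assumption)."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = {}  # address -> (state, link-layer address or None)

    def send_to(self, addr):
        if addr in self.entries:
            return self.entries[addr][0]
        if len(self.entries) >= self.max_entries:
            return DROPPED  # table full: the packet is dropped, no NS is sent
        self.entries[addr] = (INCOMPLETE, None)  # NS goes out here
        return INCOMPLETE

    def receive_na(self, addr, lladdr):
        if addr not in self.entries:
            return False  # unmatched NA is thrown away
        self.entries[addr] = (REACHABLE, lladdr)
        return True


class BoundedNDCache:
    """Proposed policy: only a limited number of INCOMPLETE entries, evicted
    least-recently-used; an NA always produces a full entry, whether or not
    an INCOMPLETE entry for that address survived."""

    def __init__(self, max_incomplete):
        self.max_incomplete = max_incomplete
        self.incomplete = OrderedDict()  # oldest entry first
        self.reachable = {}  # address -> link-layer address
        self.evicted = 0

    def send_to(self, addr):
        if addr in self.reachable:
            return REACHABLE
        if addr in self.incomplete:
            self.incomplete.move_to_end(addr)  # refresh LRU position
            return INCOMPLETE
        self.incomplete[addr] = True  # NS goes out here
        while len(self.incomplete) > self.max_incomplete:
            self.incomplete.popitem(last=False)  # drop the oldest INCOMPLETE
            self.evicted += 1
        return INCOMPLETE

    def receive_na(self, addr, lladdr):
        # The full entry is created even if the INCOMPLETE one was evicted.
        self.incomplete.pop(addr, None)
        self.reachable[addr] = lladdr
        return True


def simulate(cache, scan_size, victim="2001:db8::10", victim_mac="00:11:22:33:44:55"):
    """Constructed scenario: an off-link scanner probes scan_size unused
    addresses in the /64, a legitimate flow to `victim` starts, more scan
    traffic arrives before the victim answers, then its NA comes in.
    Returns (NA accepted?, state of the next packet to the victim)."""
    for i in range(scan_size):
        cache.send_to(f"2001:db8::dead:{i:x}")
    cache.send_to(victim)
    for i in range(scan_size):
        cache.send_to(f"2001:db8::beef:{i:x}")
    accepted = cache.receive_na(victim, victim_mac)
    return accepted, cache.send_to(victim)


if __name__ == "__main__":
    print("table-full cache:", simulate(TableFullNDCache(64), 1000))
    print("LRU cache:       ", simulate(BoundedNDCache(64), 1000))
```

Under the scan the conventional cache fills with INCOMPLETE entries for addresses that will never answer, so the legitimate host can neither get an entry nor have its advertisement accepted; the LRU cache keeps its INCOMPLETE footprint at the configured bound and still ends up with a full entry for the host once its advertisement arrives. One caveat the example makes visible: accepting an NA with no matching INCOMPLETE entry means full entries can be created by anyone who can send on the link, so the full-entry table needs its own bound and ageing as well. On-link spoofing of NAs is already possible against existing entries, so this does not create a new class of attacker, but it does widen what an on-link sender can populate.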