nanog mailing list archives
Re: NIST IPv6 document
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Wed, 5 Jan 2011 12:44:23 -0500
On Wed, Jan 5, 2011 at 12:26 PM, Phil Regnauld <regnauld () nsrc org> wrote:
Jeff Wheeler (jsw) writes:Not good, but also does not affect any other interfaces on the router.You're assuming that all routing devices have per-interface ARP tables.
No, Phil, I am assuming that the routing device has a larger ARP table than 250 entries. To be more correct, I am assuming that the routing device has a large enough ARP table that any one subnet could go from 0 ARP entries to 100% ARP entries without using up all the remaining ARP resources on the box. This is usually true. Further, routing devices usually have enough ARP table space that every subnet attached to them could be 100% full of active ARP entries without using up all the ARP resources. This is also often true. To give some figures, a Cisco 3750 "pizza box" layer-3 switch has room for several thousand ARP entries, and I have several with 3000 - 5000 active ARPs. Most people probably do not have more than a /20 worth of subnets for ARPing to a pizza box switch like this, but it does basically work. As we all know, a /64 is a lot more than a few thousand possible addresses. It is more addresses than anyone can store in memory, so state information for "incomplete" can't be tracked in software without creating problems there. Being fully stateless for new neighbor learning is possible and desirable, but a malicious host on the LAN can badly impact the router. This is why per-interface knobs are badly needed. The largest current routing devices have room for about 100,000 ARP/NDP entries, which can be used up in a fraction of a second with a gigabit of malicious traffic flow. What happens after that is the problem, and we need to tell our vendors what knobs we want so we can "choose our own failure mode" and limit damage to one interface/LAN. -- Jeff S Wheeler <jsw () inconcepts biz> Sr Network Operator / Innovative Network Concepts
Current thread:
- Re: NIST IPv6 document, (continued)
- Re: NIST IPv6 document Justin M. Streiner (Jan 07)
- Re: NIST IPv6 document Owen DeLong (Jan 07)
- Message not available
- Re: NIST IPv6 document Tim Chown (Jan 10)
- Re: NIST IPv6 document Owen DeLong (Jan 10)
- Re: NIST IPv6 document Jack Bates (Jan 10)
- Re: NIST IPv6 document Iljitsch van Beijnum (Jan 05)
- Re: NIST IPv6 document Jeff Wheeler (Jan 05)
- Re: NIST IPv6 document Joel Jaeggli (Jan 05)
- Re: NIST IPv6 document Jeff Wheeler (Jan 05)
- Re: NIST IPv6 document Phil Regnauld (Jan 05)
- Re: NIST IPv6 document Jeff Wheeler (Jan 05)
- Re: NIST IPv6 document Phil Regnauld (Jan 05)
- Re: NIST IPv6 document Mark Smith (Jan 06)
- Re: NIST IPv6 document Owen DeLong (Jan 06)
- Re: NIST IPv6 document Phil Regnauld (Jan 06)
- Re: NIST IPv6 document Jack Bates (Jan 05)
- Re: NIST IPv6 document Richard Barnes (Jan 05)
- Re: NIST IPv6 document TJ (Jan 05)
- Re: NIST IPv6 document Jeff Wheeler (Jan 05)
- Re: NIST IPv6 document Dobbins, Roland (Jan 05)
- Re: NIST IPv6 document TJ (Jan 06)