nanog mailing list archives
Re: NIST IPv6 document
From: Joel Jaeggli <joelja () bogus com>
Date: Wed, 05 Jan 2011 23:42:29 -0800
On 1/5/11 11:03 PM, Matthew Petach wrote:
> On Wed, Jan 5, 2011 at 10:51 PM, Joe Greco <jgreco () ns sol net> wrote:
>
> Hi Joe,
>
> I think what people are trying to say is that it doesn't matter whether or not your host is easily findable or not, if I can trivially take out your upstream router. With your upstream router out of commission, the findability of your host on the subnet really doesn't matter. Once the router is gone, so is your host, no matter how well hidden on the subnet it was.
>
> So, the push here is to prevent the trivial ability to take out the upstream routers, so that the host-level issues will still matter, and be worth discussing.

icmp6 rate limiting both receipt and origination is not rocket science. The attack that's being described wasn't exactly dreamed up last week, is as observed not unique to ipv6, and can be mitigated. I'd encourage you to go look at rfc 3756, rfc 4443 and probably elsewhere, including the manual for your router os of choice and possibly your account rep if you don't get the kind of satisfaction you expect. We can probably do better still...

> Hope this helps clarify the reason for the overarching concern about the /64 subnet size.

You can still have this problem when you assign a bunch of /112s. How many neighbor unreachable entries per interface can your fib hold?

> Thanks!!
>
> Matt
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
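
The table-capacity and rate-limiting point in this message, as an added example that is not part of the original thread: a toy model of a router's per-interface neighbor cache, comparing an unbounded table with one that caps unresolved entries and limits solicitations per tick. The class, the table sizes, the rates and the addresses are all constructed assumptions, not any vendor's implementation.

```python
# Toy model of a router's per-interface IPv6 neighbor cache (constructed
# numbers; not any vendor's implementation).
class NeighborCache:
    def __init__(self, capacity, incomplete_cap=None, ns_per_tick=None):
        self.capacity = capacity              # total entries the table holds
        self.incomplete_cap = incomplete_cap  # None: unresolved entries may fill it
        self.ns_per_tick = ns_per_tick        # None: solicitations are unlimited
        self.reachable = set()
        self.incomplete = {}                  # address -> tick at which it expires
        self.ns_budget = ns_per_tick
        self.ns_sent = 0

    def _full(self):
        return len(self.reachable) + len(self.incomplete) >= self.capacity

    def tick(self, now):
        """Expire stale INCOMPLETE entries and refill the solicitation budget."""
        self.incomplete = {a: t for a, t in self.incomplete.items() if t > now}
        self.ns_budget = self.ns_per_tick

    def resolve_for(self, addr, now, timeout=3):
        """Inbound packet for an unknown address: try to start resolution."""
        if addr in self.reachable or addr in self.incomplete or self._full():
            return
        if self.incomplete_cap is not None and len(self.incomplete) >= self.incomplete_cap:
            return
        if self.ns_budget is not None:
            if self.ns_budget == 0:
                return
            self.ns_budget -= 1
        self.ns_sent += 1
        self.incomplete[addr] = now + timeout  # nobody answers for unused addresses

    def learn(self, addr):
        """A real host announces itself; needs a free slot in the table."""
        if self._full():
            return False
        self.reachable.add(addr)
        return True

def simulate(cache, ticks=20, scan_per_tick=200):
    """Each tick: a sweep of unused addresses arrives, then one new host appears."""
    learned = 0
    for now in range(ticks):
        cache.tick(now)
        for i in range(scan_per_tick):
            cache.resolve_for(f"2001:db8::{now:x}:{i:x}", now)
        learned += cache.learn(f"2001:db8::ffff:{now:x}")
    return learned

unprotected = simulate(NeighborCache(capacity=512))
protected = simulate(NeighborCache(capacity=512, incomplete_cap=64, ns_per_tick=32))
```

With these numbers the unbounded table is full by the third tick and stops learning new hosts, while the capped table keeps learning every host. The subnet size never enters the model, only the table size and the limits do.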