nanog mailing list archives
Re: NIST IPv6 document
From: TJ <trejrco () gmail com>
Date: Thu, 6 Jan 2011 15:17:07 -0500
On Wed, Jan 5, 2011 at 13:14, Jeff Wheeler <jsw () inconcepts biz> wrote:
> On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco () gmail com> wrote:
>> Many would argue that the version of IP is irrelevant, if you are permitting external hosts the ability to scan your internal network in an unrestricted fashion (no stateful filtering or rate limiting) you have already lost, you
>
> How do you propose to rate-limit this scanning traffic? More router knobs are needed. This also does not solve problems with malicious hosts on the LAN.

Off the top of my head, maybe just slow down the generation of new NS attempts when under attack (without impacting the NUD-based NS).

>>> A stateful firewall on every router interface has been suggested already on this thread. It is unrealistic.
>>
>> Even granting that, for the sake of argument - it seems like it would not be hard for $vendor to have some sort of "emergency garbage collection" routines within their NDP implementations ... ?
>
> How do you propose the router know what entries are "garbage" and which are needed? Eliminating active, "good" entries to allow for more churn would make the problem much worse, not better.

Again, off the top of my head, maybe - when under duress - age out the incomplete ND table entries faster.

/TJ
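
The "age out incomplete entries faster under duress" idea from the message above, as an added example that is not part of the original post and is not any vendor's NDP implementation. The `NeighborCache` class, the 512-entry capacity, the TTL values, the 80% duress threshold and the 1000 pps scan are all constructed assumptions.

```python
INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"

class NeighborCache:
    """Toy model of a router's IPv6 neighbor table; all times are integer milliseconds."""
    def __init__(self, capacity, normal_ttl_ms, duress_ttl_ms, duress_fraction=0.8):
        self.capacity = capacity
        self.normal_ttl_ms, self.duress_ttl_ms = normal_ttl_ms, duress_ttl_ms
        self.duress_level = int(capacity * duress_fraction)
        self.entries = {}  # address -> (state, time the entry was created)

    def _age_incomplete(self, now):
        # Only entries that never got an answer are candidates; REACHABLE ones are left alone.
        under_duress = len(self.entries) >= self.duress_level
        ttl = self.duress_ttl_ms if under_duress else self.normal_ttl_ms
        stale = [a for a, (state, born) in self.entries.items()
                 if state == INCOMPLETE and now - born >= ttl]
        for addr in stale:
            del self.entries[addr]

    def packet_for(self, addr, now):
        """A packet arrives that must be delivered to on-link address addr."""
        self._age_incomplete(now)
        if addr in self.entries:
            return "forward" if self.entries[addr][0] == REACHABLE else "pending"
        if len(self.entries) >= self.capacity:
            return "drop"                       # no room to start resolution
        self.entries[addr] = (INCOMPLETE, now)  # a Neighbor Solicitation would go out here
        return "ns_sent"

    def advert_from(self, addr, now):
        """A Neighbor Advertisement completes a pending entry."""
        if addr in self.entries:
            self.entries[addr] = (REACHABLE, now)

def simulate(duress_ttl_ms):
    """2.5 s of a 1000 pps scan of unused addresses; a real host shows up at t=2000 ms."""
    cache = NeighborCache(512, normal_ttl_ms=3000, duress_ttl_ms=duress_ttl_ms)
    cache.packet_for("2001:db8::1", 0)   # a neighbor that was resolved before the scan
    cache.advert_from("2001:db8::1", 0)
    new_host, peak = None, 0
    for now in range(2500):
        cache.packet_for(f"2001:db8::dead:{now:x}", now)     # scan packet, never answered
        if now == 2000:
            new_host = cache.packet_for("2001:db8::2", now)  # first packet to a real host
            cache.advert_from("2001:db8::2", now)            # answers at once (simplified)
        peak = max(peak, len(cache.entries))
    return {"new_host": new_host, "old_host": cache.packet_for("2001:db8::1", 2500),
            "new_host_later": cache.packet_for("2001:db8::2", 2500), "peak": peak}
```

`simulate(3000)` models no change in aging: the table sits at 512 entries and the new host cannot be resolved, while `simulate(500)` keeps the table near 500 entries and the new host resolves. This works in the model only because 1000 pps × 0.5 s stays below the table capacity; a faster scan would still fill it, which is the case the suggestion to slow down new NS generation addresses.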