nanog mailing list archives
Re: NIST IPv6 document
From: Owen DeLong <owen () delong com>
Date: Thu, 6 Jan 2011 17:47:12 -0800
> On Thu, Jan 6, 2011 at 1:20 PM, Owen DeLong <owen () delong com> wrote:
>> And there are ways to mitigate ND attacks as well.
>
> No, Owen, there aren't. The necessary router knobs do not exist. The "Cisco approach" is currently to police NDP on a per-interface basis (either with per-int or global configuration knob) and break NDP on the interface once that policer is exceeded. This is good (thanks, Cisco) because it limits damage to one subnet; but bad because it exemplifies the severity of the issue: the "Cisco solution" is known to be bad, but is less bad than letting the whole box break. Cisco is not going to come up with a magic knob because there isn't any -- with the current design, you have to pick your failure modes and live with them. That's not good and it is not a Cisco failing by any means, it is a design failing brought on by the standards bodies.
Saying this over and over doesn't make it so...

1. Block packets destined for your point-to-point links at your borders. There's no legitimate reason someone should be expecting your routers to respond to packets sent to the router specifically.

2. For networks that aren't intended to receive inbound requests from the outside, limit such requests to the live hosts that exist on those networks with a stateful firewall.

3. Police the ND issue rate on the router. Yes, it means that an ND attack could prevent some legitimate ND requests from getting through, but, at least it prevents ND overflow and the working hosts with existing ND entries continue to function. In most cases, this will be virtually all of the active hosts on the network.

All of these things can be done today with the knobs that exist. The combination of them pretty much takes the wind out of any ND table overflow attack. Yes, it involves some tradeoffs and isn't a perfect solution. However, it is an effective mitigation.

Owen
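The three measures in Owen's message, run against a toy model of a router's neighbor cache. This is an added illustration, not code from the thread, from Cisco, or from any router: the cache capacity (1000), the policer (100 resolutions per second), the 3 second INCOMPLETE timeout, the 2000 packet/s scan, the 2001:db8:: addresses and the expiry-at-second-boundary bookkeeping are all constructed assumptions, and the stateful firewall of item 2 is approximated as a border allowlist of hosts known to exist. The model shows what each side of the thread describes: without any knob the table fills and the router solicits at full rate; with the policer alone the number of outstanding resolutions is bounded and hosts with existing entries keep forwarding, but new resolutions must compete with the scan for the policed budget (the `new_forwarded` count in the policer-only run stays well below the 45 of the fully mitigated run); with the border filters in front, the scan never reaches neighbor discovery at all.

```python
"""Toy model of a router's IPv6 neighbor cache under an address scan of a /64,
with the three mitigations from the message above switched on in turn.
Added illustration, not code from the thread; every address, size and rate
below is a constructed value, not a measurement from any router."""
import ipaddress
import random

INCOMPLETE_TIMEOUT = 3   # seconds an unanswered solicitation holds a slot (assumed)


class NeighborCache:
    """REACHABLE entries for hosts that answered, INCOMPLETE entries for
    resolutions in progress. A scan of unused addresses creates INCOMPLETE
    entries that are never answered; that is what exhausts the table."""

    def __init__(self, capacity, resolve_per_sec=None):
        self.capacity = capacity
        self.resolve_per_sec = resolve_per_sec   # None: no policer (item 3 off)
        self.entries = {}                        # addr -> [state, expiry_second]
        self.incomplete = 0
        self.bucket_sec, self.bucket_used, self.expired_through = -1, 0, -1
        self.stats = {"forwarded": 0, "ns_sent": 0, "policed": 0,
                      "table_full": 0, "peak_incomplete": 0}

    def learn(self, addr):
        """Host answered (or is already known): its entry becomes REACHABLE."""
        if addr in self.entries and self.entries[addr][0] == "INCOMPLETE":
            self.incomplete -= 1
        self.entries[addr] = ["REACHABLE", None]

    def _expire(self, sec):
        # Unanswered resolutions are dropped once per second boundary (assumption).
        if sec == self.expired_through:
            return
        self.expired_through = sec
        dead = [a for a, (st, exp) in self.entries.items()
                if st == "INCOMPLETE" and exp <= sec]
        for a in dead:
            del self.entries[a]
        self.incomplete -= len(dead)

    def _policer_allows(self, sec):
        if self.resolve_per_sec is None:
            return True
        if sec != self.bucket_sec:                   # fixed one-second window
            self.bucket_sec, self.bucket_used = sec, 0
        if self.bucket_used >= self.resolve_per_sec:
            return False
        self.bucket_used += 1
        return True

    def deliver(self, dst, sec):
        """A data packet for dst arrives; returns what the router did with it."""
        self._expire(sec)
        ent = self.entries.get(dst)
        if ent is not None:
            if ent[0] == "REACHABLE":
                self.stats["forwarded"] += 1
                return "forwarded"
            return "pending"                         # solicitation already outstanding
        if not self._policer_allows(sec):
            self.stats["policed"] += 1
            return "policed"
        if len(self.entries) >= self.capacity:
            self.stats["table_full"] += 1
            return "table_full"
        self.entries[dst] = ["INCOMPLETE", sec + INCOMPLETE_TIMEOUT]
        self.incomplete += 1
        self.stats["ns_sent"] += 1
        self.stats["peak_incomplete"] = max(self.stats["peak_incomplete"], self.incomplete)
        return "resolving"


def border_filter(dst, p2p_prefixes, live_hosts=None):
    """Items 1 and 2: drop packets aimed at the router's point-to-point links,
    and on subnets that take no unsolicited inbound traffic admit only
    destinations that actually exist (the stateful firewall's view)."""
    if any(dst in p for p in p2p_prefixes):
        return "drop_p2p"
    if live_hosts is not None and dst not in live_hosts:
        return "drop_not_live"
    return "pass"


def simulate(policed, filtered, seconds=10, capacity=1000, scan_pps=2000, seed=1):
    """Ten seconds of a scan against one /64 and the router's link prefix, mixed
    with traffic to 40 known hosts and to 10 hosts that appear one per second."""
    lan = ipaddress.ip_network("2001:db8:1::/64")        # server subnet (constructed)
    p2p = [ipaddress.ip_network("2001:db8:ffff::/64")]   # router link prefix (constructed)
    existing, new_hosts = [lan[i] for i in range(1, 41)], [lan[i] for i in range(41, 51)]
    live = set(existing) | set(new_hosts)
    cache = NeighborCache(capacity, 100 if policed else None)
    for h in existing:
        cache.learn(h)
    rng, scan_counter = random.Random(seed), 0
    out = {"existing_forwarded": 0, "new_forwarded": 0, "scan_dropped_at_border": 0}
    for sec in range(seconds):
        packets = [("existing", h) for h in existing]
        packets += [("new", h) for h in new_hosts[:sec + 1]]   # host k appears in second k
        for i in range(scan_pps):   # scan alternates unused LAN addresses and the p2p link
            scan_counter += 1
            packets.append(("scan", lan[1000 + scan_counter] if i % 2 else p2p[0][scan_counter]))
        rng.shuffle(packets)        # arrival order within the second is arbitrary
        for kind, dst in packets:
            if filtered and border_filter(dst, p2p, live) != "pass":
                out["scan_dropped_at_border"] += kind == "scan"
                continue
            if cache.deliver(dst, sec) == "forwarded" and kind != "scan":
                out[kind + "_forwarded"] += 1
        for h in new_hosts:         # real hosts answer their solicitation within the second
            if cache.entries.get(h, [None])[0] == "INCOMPLETE":
                cache.learn(h)
    out.update(cache.stats)
    return out


if __name__ == "__main__":
    for label, pol, filt in [("no mitigation", False, False),
                             ("policer only", True, False),
                             ("all three", True, True)]:
        print(f"{label:14s}", simulate(policed=pol, filtered=filt))
```

The quantities worth reading off are `peak_incomplete` and `ns_sent` (the memory and control-plane load the scan imposes), `table_full` (overflow events), `existing_forwarded` (unchanged at 400 in every run, which is Owen's point about hosts with existing entries) and `new_forwarded` (the cost of the policer, which is Jeff's point about picking a failure mode). The per-second window policer and the once-per-second expiry are simplifications chosen to keep the arithmetic checkable; a real implementation uses a token bucket and per-entry timers, but the bounds are the same.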