nanog mailing list archives
Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?)
From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 11 Jul 2011 18:48:33 -0500
On Mon, Jul 11, 2011 at 5:03 PM, Jeff Wheeler <jsw () inconcepts biz> wrote:
> On Mon, Jul 11, 2011 at 5:12 PM, Owen DeLong <owen () delong com> wrote:
>> No... I like SLAAC and find it useful in a number of places. What's wrong
>> with /64? Yes, we need better DOS protection in switches and routers
>
> See my slides http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf for
> why no vendor's implementation is effective "DOS protection" today and
> how much complexity is involved in doing it correctly, which requires
[snip]

If every vendor's implementation is vulnerable to a NDP Exhaustion vulnerability, how come the behavior of specific routers has not been documented specifically?

If "zero" devices are not vulnerable, you came to this conclusion because you tested every single implementation against IPv6 NDP DoS, or?

How come there are no security advisories? What's the CWE or CVE number for this vulnerability?

I'm not denying that NDP overflow might be a DoS issue for all IPv6 routers, but I haven't seen any specific documentation from vendors or security researchers about specific DoS conditions that can be caused by NDP overflow on particular devices....

It would be useful to at least have the risk properly described, in terms of what kind of DoS condition could arise on specific implementations.

Regards,
--
-JH