nanog mailing list archives

Re: Failure modes: NAT vs SPI


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Mon, 7 Feb 2011 22:07:26 +0100

On 7 feb 2011, at 17:15, Jay Ashworth wrote:

>> Ok, I had a hard time making up my mind whether a sarcastic or a
>> factual response was in order...

> I see you decided to go with "sarcastic".

Not sure if Owen noticed...  :-)

> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...

Well, no and yes. There are only a few panes of glass keeping people out of most houses. We know glass is easy to break. 
We know it gets broken and people get in who aren't wanted there once in a while. Still only a few people see the need 
to install steel bars in front of their windows.

In real life we take risks all the time. In the networked world somehow it always has to be all or nothing, with few 
people occupying the reasonable middle ground.

But in this case, we know there's a potential problem and waiting for it to become acute is not the best approach.

> So, you're not going to actually address the problem seriously?

Vendors should modify their neighbor discovery implementations such that it still works even when large numbers of 
addresses are scanned. The easiest way would be to keep only a limited number of incomplete ND cache entries and throw 
those away on an LRU basis, but create a full ND cache entry that is kept around when a neighbor advertisement is 
received, even if there is no incomplete ND cache entry at that time. AFAIK the incomplete ND cache entries don't do 
anything we can't do without.

"Solving" this with NAT is the classic example of shooting a mosquito with a cannon.

I also don't think any protocol modifications are necessary.
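The cache design proposed in the message, simulated as an added example (this is not code from the thread or from any vendor's stack). Two toy neighbor caches are driven through the same scenario: a baseline that keeps INCOMPLETE and resolved entries in one LRU table and discards an advertisement with no matching entry (the RFC 4861 section 7.2.5 rule), and the proposed variant with a small separate LRU table for INCOMPLETE entries and resolved entries created on any advertisement. The cap of 8 entries, the 2001:db8::/32 addresses, the 00:00:5e:00:53:xx link-layer addresses and the 1000-address scan are all constructed for the demonstration.

```python
from collections import OrderedDict

# Constructed sample data (documentation prefix and MAC range, not real hosts).
VICTIM = "2001:db8::10"       # a host resolved before the scan starts
RESPONDER = "2001:db8::20"    # a host whose advertisement arrives after the scan
SCANNED = [f"2001:db8::{i:x}" for i in range(0x1000, 0x1000 + 1000)]
LIMIT = 8                     # assumed cache cap; real stacks allow far more


class SingleTableCache:
    """Baseline: one LRU table holds both INCOMPLETE and resolved entries, and
    a Neighbor Advertisement with no matching entry is discarded."""

    def __init__(self, capacity=LIMIT):
        self.capacity = capacity
        self.entries = OrderedDict()  # addr -> link-layer addr, or None if INCOMPLETE

    def forward_to(self, addr):
        """A packet needs delivery to addr: reuse an entry or start resolution."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return "resolved" if self.entries[addr] else "solicit"
        while len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # LRU eviction, resolved or not
        self.entries[addr] = None
        return "solicit"

    def receive_na(self, addr, lladdr):
        """Advertisement only helps if the entry it answers still exists."""
        if addr not in self.entries:
            return False
        self.entries[addr] = lladdr
        self.entries.move_to_end(addr)
        return True

    def lookup(self, addr):
        return self.entries.get(addr)

    def incomplete_count(self):
        return sum(1 for v in self.entries.values() if v is None)


class SplitCache:
    """The message's scheme: INCOMPLETE entries live in their own small LRU
    table, resolved entries are never displaced by a scan, and an advertisement
    creates a resolved entry even if its INCOMPLETE entry was already evicted."""

    def __init__(self, incomplete_limit=LIMIT):
        self.incomplete_limit = incomplete_limit
        self.incomplete = OrderedDict()  # addr -> solicitations sent so far
        self.resolved = {}               # addr -> link-layer addr
        self.evicted = 0                 # INCOMPLETE entries dropped by LRU

    def forward_to(self, addr):
        if addr in self.resolved:
            return "resolved"
        if addr in self.incomplete:
            self.incomplete.move_to_end(addr)
            self.incomplete[addr] += 1
            return "solicit"
        while len(self.incomplete) >= self.incomplete_limit:
            self.incomplete.popitem(last=False)
            self.evicted += 1
        self.incomplete[addr] = 1
        return "solicit"

    def receive_na(self, addr, lladdr):
        self.incomplete.pop(addr, None)   # fine if it is already gone
        self.resolved[addr] = lladdr
        return True

    def lookup(self, addr):
        return self.resolved.get(addr)

    def incomplete_count(self):
        return len(self.incomplete)


def run_scenario(cache):
    """Resolve VICTIM, solicit RESPONDER, scan 1000 addresses, then RESPONDER replies."""
    cache.forward_to(VICTIM)
    cache.receive_na(VICTIM, "00:00:5e:00:53:10")
    cache.forward_to(RESPONDER)                  # NS sent, reply still pending
    for addr in SCANNED:                         # 1000 solicitations nobody answers
        cache.forward_to(addr)
    late_reply_accepted = cache.receive_na(RESPONDER, "00:00:5e:00:53:20")
    return {
        "victim_still_resolved": cache.lookup(VICTIM) is not None,
        "responder_resolved": late_reply_accepted and cache.lookup(RESPONDER) is not None,
        "incomplete_entries": cache.incomplete_count(),
    }


def compare():
    """Run both caches through the scenario and return their outcomes."""
    return {"single_table": run_scenario(SingleTableCache()),
            "split": run_scenario(SplitCache())}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In the single-table run the scan pushes the already-resolved host out of the cache and the late advertisement is thrown away, so both legitimate neighbors are unreachable until they are re-solicited; in the split run the INCOMPLETE table never grows past its cap, the resolved host is untouched, and the late advertisement still yields a usable entry.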
