nanog mailing list archives

RE: Using IPv6 with prefixes shorter than a /64 on a LAN


From: "George Bonser" <gbonser () seven com>
Date: Tue, 25 Jan 2011 10:49:51 -0800


So I pretty strongly disagree about your statement.  Repetitively
sweeping an IPv6 network to DoS/DDoS the ND protocol, thereby flooding
the ND cache/LRUs, could be extremely effective and, if not paid
serious attention, will cause serious issues.



Yes.... This is an issue for point-to-point links but using a longer
prefix (/126 or similar) has been suggested as a mitigation for this
sort of attack.

I would assume that in the LAN scenario where you have a /64 for your
internal network that you would have some sort of stateful firewall
sitting in front of the network to stop any un-initiated sessions. This
therefore stops any hammering of ND cache etc. The argument then is that
the number of packets hitting your firewall / bandwidth starvation would
be the alternative line of attack for a DoS/DDoS, but that is a
completely different issue.



So for /64 subnets used for point-to-points you disable ND, configure
static neighbors and that's the end of it. No ND DDoS.
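One way to notice the ND cache exhaustion this thread is worried about from the operator's side, as an added example that is not from this post or its author: parse `ip -6 neigh show` output and flag an interface whose neighbor table is dominated by entries that never resolve (INCOMPLETE/FAILED), which is what a sweep of unused addresses in a /64 leaves behind. The sample table and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `ip -6 neigh show` output (not from the original post).
# eth0 has been swept: most entries are for addresses nobody answers for.
SAMPLE_NEIGH = """\
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
2001:db8:1::2 dev eth0 lladdr 00:11:22:33:44:02 STALE
2001:db8:1::9f3a dev eth0 INCOMPLETE
2001:db8:1::9f3b dev eth0 INCOMPLETE
2001:db8:1::9f3c dev eth0 FAILED
2001:db8:1::9f3d dev eth0 INCOMPLETE
2001:db8:1::9f3e dev eth0 FAILED
2001:db8:2::2 dev eth1 lladdr 00:11:22:33:44:ff REACHABLE
"""

# One neighbor entry per line; lladdr and the "router" flag are optional.
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>\S+))?(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Return a list of dicts (addr, dev, mac, state) for each parsable line."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def unresolved_ratio(entries):
    """Per interface: (unresolved entries, total entries, unresolved fraction)."""
    total = Counter(e["dev"] for e in entries)
    bad = Counter(e["dev"] for e in entries if e["state"] in UNRESOLVED)
    return {dev: (bad[dev], total[dev], bad[dev] / total[dev]) for dev in total}


def flag_interfaces(entries, min_unresolved=3, max_ratio=0.5):
    """Interfaces with many unresolved entries AND a high unresolved fraction.
    Both thresholds are assumed values; tune them to the link's normal churn."""
    return sorted(dev for dev, (bad, total, ratio) in unresolved_ratio(entries).items()
                  if bad >= min_unresolved and ratio > max_ratio)


if __name__ == "__main__":
    print(flag_interfaces(parse_neigh(SAMPLE_NEIGH)))  # ['eth0']
```

On a real router the same check runs against the live table (on Linux, `ip -6 neigh show`), and a /126 or static-neighbor point-to-point link should never trip it because there are no unused addresses left to sweep.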



