nanog mailing list archives

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

From: Fernando Gont <fernando () gont com ar>
Date: Wed, 26 Jan 2011 03:26:43 -0300

On 24/01/2011 07:41 p.m., Michael Loftis wrote:

Many cite concerns of potential DoS attacks by doing sweeps of IPv6
networks.  I don't think this will be a common or wide-spread problem.
 The general feeling is that there is simply too much address space
for it to be done in any reasonable amount of time, and there is
almost nothing to be gained from it.


The problem I see is the opening of a new, simple, DoS/DDoS scenario.
By repetitively sweeping a targets /64 you can cause EVERYTHING in
that /64 to stop working by overflowing the ND/ND cache, depending on
the specific ND cache implementation and how big it is/etc.


That depends on the ND implementation being broken enough by not
limiting the number of neighbor cache entries that are in the INCOMPLETE
state. (I'm not saying those broken implementations don't exist, though).

Thanks,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Current thread:

Re: Using IPv6 with prefixes shorter than a /64 on a LAN, (continued)
- - - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mark Smith (Jan 25)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 26)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Karl Auer (Jan 26)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN eric clark (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Michael Dillon (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 25)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Ray Soucy (Jan 26)
    - RE: Using IPv6 with prefixes shorter than a /64 on a LAN George Bonser (Jan 25)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Fernando Gont (Jan 25)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Matthew Petach (Jan 30)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Fernando Gont (Jan 30)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Matthew Petach (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mikael Abrahamsson (Jan 30)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Per Carlson (Jan 31)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mikael Abrahamsson (Jan 31)
  - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Ricky Beam (Jan 24)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mark Andrews (Jan 24)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 24)
    - Re: Using IPv6 with prefixes shorter than a /64 on a LAN sthaug (Jan 24)

(Thread continues...)