nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

From: Ray Soucy <rps () maine edu>
Date: Wed, 26 Jan 2011 10:55:56 -0500
I think we're losing focus on the discussion here.

The core issue here is that ND tables have a finite size, just like
ARP tables.  Making an unsolicited request to a subnet will cause ND
on the router to try and reach find the host.

This can be a problem with subnets as small as 1024 (I constantly find
people using Linux-based routers, for example, running with the kernel
default ARP table of 127 instead of bumping it up to a sane and
network appropriate level).

I don't believe that using smaller IPv6 prefixes is an appropriate
response to the problem.  In time, we will likely see protection
mechanisms come from vendors.  Perhaps disabling the ability for
routers to solicit ND and just depend on connected hosts to announce
their presence would be sufficient.  Perhaps not.  It is something
that needs to be looked into, just like DAD DoS attacks, and rogue RA
on the LAN.  But it has little to do with prefix length.

When it comes down to it.  I find it hard to justify attempting to
mitigate this DoS vector by using longer prefixes.  There are many
many more useful and effective DoS vectors that are lower-hanging
fruit.  And the lowest hanging fruit always wins.

On Tue, Jan 25, 2011 at 1:42 PM, Owen DeLong <owen () delong com> wrote:


On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:


On 24/01/2011 22:41, Michael Loftis wrote:

On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps () maine edu>  wrote:


Many cite concerns of potential DoS attacks by doing sweeps of IPv6
networks.  I don't think this will be a common or wide-spread problem.
 The general feeling is that there is simply too much address space
for it to be done in any reasonable amount of time, and there is
almost nothing to be gained from it.


The problem I see is the opening of a new, simple, DoS/DDoS scenario.
By repetitively sweeping a targets /64 you can cause EVERYTHING in
that /64 to stop working by overflowing the ND/ND cache, depending on
the specific ND cache implementation and how big it is/etc.  Routers
can also act as amplifiers too, DDoSing every host within a multicast
ND directed solicitation group (and THAT is even assuming a correctly
functioning switch thats limiting the multicast travel)


I love this term... "repetitively sweeping a targets /64".

Seriously? Repetitively sweeping a /64? Let's do the math...

2^64 = 18,446,744,073,709,551,616 IP addresses.

Let's assume that few networks would not be DOS'd by a 1,000 PPS
storm coming in so that's a reasonable cap on our scan rate.

That means sweeping a /64 takes 18,446,744,073,709,551 sec.
(rounded down).

There are 86,400 seconds per day.

18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.

Rounding a year down to 365 days, that's 584,942,417
years to sweep the /64 once.

If we increase our scan rate to 1,000,000 packets
per second, it still takes us 584,942 years to sweep
a /64.

I don't know about you, but I do not expect to live long
enough to sweep a /64, let alone do so repetitively.

Owen






-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
Previous By Date Next
Previous By Thread Next

Current thread: