nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: NIST IPv6 document

From: Jack Bates <jbates () brightok net>
Date: Wed, 05 Jan 2011 11:31:48 -0600
On 1/5/2011 11:19 AM, Jeff Wheeler wrote:

IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan.  If it requires "incomplete" entries
in its table, I will use them all up, and NDP learning will be broken.
  Typically, this breaks not just on that interface, but on the entire
router.  This is much worse than the v4/ARP sitation.
I haven't checked of late for v6, but I'd expect the same NDP security we have for ARP these days, which reduces the need to even send unsolicited ND requests.
In this day and age, sending unsolicited neighbor requests from a router seems terribly broken. Even with SLAAC, one could quickly design a model that doesn't require unsolicited ND from the router to find the remove computer. This could possibly utilize DAD checks or even await the first packet from the node (similar to how we fill our MAC forwarding tables in switches, and not all switches will broadcast when a MAC is unknown). 


Jack
Previous By Date Next
Previous By Thread Next

Current thread: