nanog mailing list archives

Re: NIST IPv6 document


From: Richard Barnes <richard.barnes () gmail com>
Date: Wed, 5 Jan 2011 12:36:40 -0500

IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan.  If it requires "incomplete" entries
in its table, I will use them all up, and NDP learning will be broken.
Typically, this breaks not just on that interface, but on the entire
router.  This is much worse than the v4/ARP situation.

I'm guessing you're referring to this paragraph of RFC 4861:
"
   When a node has a unicast packet to send to a neighbor, but does not
   know the neighbor's link-layer address, it performs address
   resolution.  For multicast-capable interfaces, this entails creating
   a Neighbor Cache entry in the INCOMPLETE state and transmitting a
   Neighbor Solicitation message targeted at the neighbor.  The
   solicitation is sent to the solicited-node multicast address
   corresponding to the target address.
"
<http://tools.ietf.org/html/rfc4861#section-7.2.2>

It's worth noting that nothing in this paragraph is normative (there's
no RFC 2119 language), so implementations are free to ignore it.  I
haven't read the NIST document, but it wouldn't conflict with the RFC
if they recommended ignoring this paragraph and just relying on the ND
cache they already have when a packet arrives.

--Richard
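The cache-exhaustion mechanism quoted above, and the alternative Richard describes (not creating INCOMPLETE entries and relying on what the Neighbor Cache already holds), as an added toy model. This is example code written for this page, not code from the thread, from RFC 4861 or from any router vendor. It assumes a cache of 1000 slots per interface, 50 legitimate hosts on the documentation prefix 2001:db8::/64, a scan of 5000 addresses that never answer, and an arbitrary cap of 200 unresolved targets for the "bounded" policy; all of those numbers are constructed for the example.

```python
"""Toy model of an IPv6 Neighbor Cache under a /64 scan (RFC 4861 s7.2.2).

Constructed example, not the post's or any vendor's code.  Three policies:
  incomplete_cap=None  naive: every unresolved target takes a slot in the same
                       table as resolved neighbours (RFC 4861 s7.2.2 literally)
  incomplete_cap=N     at most N INCOMPLETE entries at a time
  incomplete_cap=0     never start resolution; only learn from NDP traffic
                       the router actually receives (Richard's alternative)
"""
import ipaddress
import random

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    """One interface's Neighbor Cache with a fixed number of slots (assumed)."""

    def __init__(self, capacity, incomplete_cap=None):
        self.capacity = capacity
        self.incomplete_cap = incomplete_cap
        self.entries = {}        # IPv6Address -> state
        self.ns_sent = 0         # multicast NS transmitted for resolution
        self.dropped = 0         # packets the router could not resolve for

    def incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == INCOMPLETE)

    def forward(self, dst):
        """Router has a unicast packet for dst on this link."""
        if dst in self.entries:
            return self.entries[dst]
        # Address resolution would create an INCOMPLETE entry and send NS.
        if self.incomplete_cap is not None and self.incomplete_count() >= self.incomplete_cap:
            self.dropped += 1
            return None
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return None
        self.entries[dst] = INCOMPLETE
        self.ns_sent += 1
        return INCOMPLETE

    def learn(self, src):
        """NA (or other NDP message) from a real neighbour: install REACHABLE."""
        if src in self.entries or len(self.entries) < self.capacity:
            self.entries[src] = REACHABLE
            return True
        return False


def simulate(scan_size, incomplete_cap=None, capacity=1000, legit=50, seed=1):
    rng = random.Random(seed)
    net = ipaddress.IPv6Network("2001:db8::/64")   # documentation prefix
    cache = NeighborCache(capacity, incomplete_cap)
    hosts = [net[i] for i in range(1, legit + 1)]   # ::1 .. ::<legit>
    for h in hosts:
        cache.learn(h)                               # resolved before the scan

    def scan_addr():
        # Random IID with the top bit set, so it never collides with the
        # low-numbered legitimate hosts; nobody answers these NS.
        return net[rng.getrandbits(63) | (1 << 63)]

    for _ in range(scan_size):
        cache.forward(scan_addr())
    reachable_kept = sum(1 for s in cache.entries.values() if s == REACHABLE)

    # A new host comes up and sends an NA: can the router still learn it?
    newcomer_learned = cache.learn(net[legit + 1])
    # An idle host's entry ages out while the scan continues; can the
    # router resolve it again?
    idle = hosts[0]
    del cache.entries[idle]
    cache.forward(scan_addr())                       # scanner grabs the freed slot
    idle_reresolved = cache.forward(idle) == INCOMPLETE

    return {
        "entries": len(cache.entries),
        "ns_sent": cache.ns_sent,
        "dropped": cache.dropped,
        "reachable_kept": reachable_kept,
        "newcomer_learned": newcomer_learned,
        "idle_reresolved": idle_reresolved,
    }


if __name__ == "__main__":
    for label, cap in (("naive", None), ("bounded", 200), ("passive", 0)):
        print(label, simulate(5000, incomplete_cap=cap))
```

With the naive policy the scan fills the table, a new host's NA is refused, and an idle host cannot be re-resolved while the scan runs, which is the "NDP learning will be broken" outcome. Capping INCOMPLETE entries, or not creating them at all, keeps the resolved neighbours and NA-driven learning working; the remaining cost, visible in the model, is that unsolicited resolution of an aged-out neighbour still stalls while the scan saturates the cap. On a real router that stall is temporary, because INCOMPLETE entries are discarded after MAX_MULTICAST_SOLICIT retransmissions (3 at RETRANS_TIMER 1 s in RFC 4861), so the cap acts as a rate limit on NS rather than a permanent block; the model leaves that timer out.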

