Re: NIST IPv6 document

[TJ <trejrco () gmail com>]

> IPv4) I can scan your v4 subnet, let's say it's a /24, and your router
> might send 250 ARP requests and may even add 250 "incomplete" entries
> to its ARP table.  This is not a disaster for that LAN, or any others.
>  No big deal.  I can also intentionally send a large amount of traffic
> to unused v4 IPs on the LAN, which will be handled as unknown-unicast
> and sent to all hosts on the LAN via broadcasting, but many boxes
> already have knobs for this, as do many switches.  Not good, but also
> does not affect any other interfaces on the router.
>
> IPv6) I can scan your v6 /64 subnet, and your router will have to send
> out NDP NS for every host I scan.  If it requires "incomplete" entries
> in its table, I will use them all up, and NDP learning will be broken.
>  Typically, this breaks not just on that interface, but on the entire
> router.  This is much worse than the v4/ARP sitation.

Many would argue that the version of IP is irrelevant, if you are permitting
external hosts the ability to scan your internal network in an unrestricted
fashion (no stateful filtering or rate limiting) you have already lost, you
just might not know it yet.

Even granting that, for the sake of argument - it seems like it would not be
hard for $vendor to have some sort of "emergency garbage collection"
routines within their NDP implementations ... ?


/TJ