Re: Using IPv6 with prefixes shorter than a /64 on a LAN

[Fernando Gont <fernando () gont com ar>]

Hi, Matthew,

On 30/01/2011 08:17 p.m., Matthew Petach wrote:
> > > The problem I see is the opening of a new, simple, DoS/DDoS scenario.
> > > By repetitively sweeping a targets /64 you can cause EVERYTHING in
> > > that /64 to stop working by overflowing the ND/ND cache, depending on
> > > the specific ND cache implementation and how big it is/etc.
> >
> > That depends on the ND implementation being broken enough by not
> > limiting the number of neighbor cache entries that are in the INCOMPLETE
> > state. (I'm not saying those broken implementations don't exist, though).
>
> Even without completely overflowing the ND cache, informal lab testing
> shows that a single laptop on a well-connected network link can send
> sufficient packets at a very-large-scale backbone router's connected /64
> subnet to keep the router CPU at 90%, sustained, for as long as you'd
> like.  So, while it's not a direct denial of service (the network keeps
> functioning, albeit under considerable pain), it's enough to impact the
> ability of the network to react to other dynamic loads.  :/

This is very interesting data. Are you talking about Ciscos? Any
specific model?

I guess that a possible mitigation technique (implementation-based)
would be to limit the number of ongoing addresses in address resolution.
(i.e., once you have X ongoing ND resolutions, the router should not be
engaged in ND for other addresses) -- note that addresses that the
router had already resolved in the past would not suffer from this
penalty, as their corresponding entries would be in states other than
INCOMPLETE.

Thoughts?

Thanks,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1