Re: NIST IPv6 document

[TJ <trejrco () gmail com>]

On Wed, Jan 5, 2011 at 13:14, Jeff Wheeler <jsw () inconcepts biz> wrote:

> On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco () gmail com> wrote:
> > Many would argue that the version of IP is irrelevant, if you are
> permitting
> > external hosts the ability to scan your internal network in an
> unrestricted
> > fashion (no stateful filtering or rate limiting) you have already lost,
> you
>
> How do you propose to rate-limit this scanning traffic?  More router
> knobs are needed.  This also does not solve problems with malicious
> hosts on the LAN.

Off the top of my head, maybe just slow down the generation of new NS
attempts when under attack (without impacting the NUD-based NS).



> A stateful firewall on every router interface has been suggested
> already on this thread.  It is unrealistic.
>
> > Even granting that, for the sake of argument - it seems like it would not
> be
> > hard for $vendor to have some sort of "emergency garbage collection"
> > routines within their NDP implementations ... ?
>
> How do you propose the router know what entries are "garbage" and
> which are needed?  Eliminating active, "good" entries to allow for
> more churn would make the problem much worse, not better.


Again, off the top of my head, maybe - when under duress - age out the
incomplete ND table entries faster.


/TJ