nanog mailing list archives

Re: NIST IPv6 document


From: Mohacsi Janos <mohacsi () niif hu>
Date: Wed, 5 Jan 2011 09:31:46 +0100 (CET)

Dear Jeff,
In my opinion, the real challenges already present in IPv6 networks are the following: SPAM and attacks over IPv6; DoS; tracing back hosts with privacy-enhanced addresses. Do you have some methods in mind to resolve the ARP/ND overflow problem? I think limiting MAC addresses per port on switches is efficient on both IPv4 and IPv6. Equivalents of DHCP snooping and Dynamic ARP Inspection should be implemented by the switch vendors.... But remember, DHCP snooping et al. were implemented in IPv4 only after the first serious attacks... Put pressure on your switch vendors....

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Deputy Director of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882

On Wed, 5 Jan 2011, Jeff Wheeler wrote:

On Tue, Jan 4, 2011 at 11:35 PM, Kevin Oberman <oberman () es net> wrote:
The PDF is available at:

I notice that this document, in its nearly 200 pages, makes only
casual mention of ARP/NDP table overflow attacks, which may be among
the first real DoS challenges production IPv6 networks, and equipment
vendors, have to resolve.  Some platforms have far worse failure modes
than others when subjected to such an attack, and information on this
subject is not widely available.

Unless operators press their vendors for information, and more knobs,
to deal with this problem, we may all be waiting for some group like
"Anonymous" to take advantage of this vulnerability in IPv6 networks
with large /64 subnets configured on LANs; at which point we may all
find ourselves scrambling to request knobs, or worse, redesigning and
renumbering our LANs.

RFC5157 does not touch on this topic at all, and that is the sole
reference I see in the NIST publication to scanning attacks.

I continue to believe that a heck of a lot of folks are missing the
boat on this issue, including some major equipment vendors.  It has
been pointed out to me that I should have been more vocal when IPv6
was still called IPng, but in 16 years, there has been nothing done
about this problem other than water-cooler talk.  I suspect that will
continue to be the case until those of us who have configured our
networks carefully are having a laugh at the networks who haven't.
However, until that time, it's also been pointed out to me that
customers will expect /64 LANs, and not offering it may put networks
at a competitive disadvantage.

Vendor solutions are needed before scanning IPv6 LANs becomes a
popular way to inconvenience (at best) or disable (at worst) service
providers and their customers.

--
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator  /  Innovative Network Concepts


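The failure mode both posters describe (a remote scan of an on-link /64 filling the router's neighbor cache with unresolved entries) is easy to watch for on a Linux router. The following monitoring script is an added example, not code from the thread or its authors; it assumes the iproute2 `ip -6 neigh show` line format and the Linux sysctl path for gc_thresh3, and the sample neighbor-table text is constructed.

```python
"""Detect IPv6 neighbor-cache (ND table) exhaustion from `ip -6 neigh show` output.

Each address a remote scan touches in an on-link /64 leaves an INCOMPLETE
entry in the router's neighbor cache while it solicits a host that does not
exist; once such entries crowd out the cache, real hosts stop resolving.
Linux caps the table with net.ipv6.neigh.default.gc_thresh3 (default 1024).
"""
import subprocess
from pathlib import Path

# Constructed sample in `ip -6 neigh show` format; not captured from a real system.
SAMPLE_NEIGH = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::11 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::4f3a dev eth0 INCOMPLETE
2001:db8:1::4f3b dev eth0 INCOMPLETE
2001:db8:1::4f3c dev eth0 FAILED
2001:db8:1::4f3d dev eth0 INCOMPLETE
2001:db8:2::1 dev eth1 lladdr 00:11:22:33:44:77 REACHABLE
fe80::1 dev eth1 lladdr 00:11:22:33:44:88 DELAY
"""
UNRESOLVED = {"INCOMPLETE", "FAILED"}  # entries that never got a link-layer address

def parse_neigh(text):
    """Return a list of (address, interface, NUD state) for each neighbor-table line."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # tolerate blank or unexpected lines
        entries.append((tok[0], tok[2], tok[-1]))  # the NUD state is the last token
    return entries

def assess(entries, limit, warn_ratio=0.5):
    """Count unresolved entries per interface and alarm when they reach
    warn_ratio of the table limit, i.e. the cache is filling with junk."""
    per_dev = {}
    for _addr, dev, state in entries:
        if state in UNRESOLVED:
            per_dev[dev] = per_dev.get(dev, 0) + 1
    unresolved = sum(per_dev.values())
    return {"total": len(entries), "unresolved": unresolved, "limit": limit,
            "per_dev": per_dev, "alarm": unresolved >= warn_ratio * limit}

def gc_thresh3(default=1024):
    """Read the live Linux neighbor-table hard limit, or fall back to the kernel default."""
    p = Path("/proc/sys/net/ipv6/neigh/default/gc_thresh3")
    return int(p.read_text()) if p.exists() else default

if __name__ == "__main__":
    try:  # use the live table when iproute2 is present, else the constructed sample
        out = subprocess.run(["ip", "-6", "neigh", "show"], capture_output=True, text=True).stdout
    except OSError:
        out = ""
    print(assess(parse_neigh(out or SAMPLE_NEIGH), gc_thresh3()))
```

Run it from cron or a monitoring agent: a rising `unresolved` count concentrated on one interface is the signature of a /64 being swept, and is the moment to apply the per-port or per-interface limits the thread asks vendors for.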