nanog mailing list archives

Re: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))


From: Jared Mauch <jared () puck nether net>
Date: Thu, 14 Jul 2011 22:35:40 -0400



On Jul 14, 2011, at 10:06 PM, Fernando Gont <fernando () gont com ar> wrote:

It should be possible to mitigate this, so long as the attack does not actually
originate from a neighbor on the same subnet as a router IP interface on
an IPv6 subnet with sufficient number of IPs.

Well, unless there's some layer-2 anti-spoofing mitigation in place,
with /64 subnets the "local attacker" typically *will* have enough
addresses.

Solving a local attack is something I consider different in scope than the current draft being discussed in 6man, v6ops, ipv6@ etc...

Anyone on a layer-2 network can do something interesting like flood all f's and kill the lan. Trying to keep the majority of thoughts here for layer-3 originated attacks, even if the target is a layer2 item.

- Jared 
