nanog mailing list archives

Re: Internet Edge Router replacement - IPv6 route table size considerations


From: George Herbert <george.herbert () gmail com>
Date: Sat, 12 Mar 2011 00:25:48 -0800

On Fri, Mar 11, 2011 at 8:14 PM, Jeff Wheeler <jsw () inconcepts biz> wrote:
> It's the same thing that happens if you toss a /8 on an IPv4 LAN and
> start banging away at the ARP table, while expecting all of your
> legitimate hosts within that /8 to continue working correctly.  We all
> know that's crazy, right?

This is a valid concern.  However...

> How is it suddenly less crazy to put an
> even larger subnet on an IPv6 LAN without gaining any direct benefits
> from doing so?  [...]

This is not a valid statement.  I understand that you don't value the
benefits we find with /64 or less, but we find value there, and it's
really important to us, and they're things which were explicitly hoped
for and planned for with IPv6 transition.

The problem you pointed out, with a single host overrunning switch
tables, can be outsmarted rather than brute forced by mandating small
enough subnets that it doesn't exist.

If we presume that the originating host doesn't fake its layer 2 MAC
as it's faking its layer 3 address, it's pretty trivial; you build in
a software option that puts a maximum number of IPs per MAC.  You
balance virtualization cluster size limits with preemptive defense
against this type of DoS when you do that, but balance points around
1E2 to 1E3 seem to me to be able to handle that just fine.  You build
in an override for switches / L2 gateways, or by port, or whatever
other tuning mechanisms make sense (default to 10, override for your
VMware cluster box and your switches...).

If the originating host does try to fake its layer 2 MAC, you can
detect new floods of new MACs via existing mechanisms.  Plenty of port
MAC map / allowed MAC mechanisms already exist for basic LAN security
purposes.  You just dump the fake MACs on the floor.

The world is not perfect, and I'm sure there are still new
vulnerabilities out there.  But we can smart this one.  If we can't
smart this one, I'll be extremely surprised and disappointed.


-- 
-george william herbert
george.herbert () gmail com
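As an added illustration of the two controls proposed in the message above (a per-MAC cap on learned layer-3 addresses with a per-port override, and dropping neighbor entries from MACs that are not on a port's allowed list), here is a small Python model. It is not George's code or any vendor's implementation; the port names, MACs, 2001:db8:: addresses, the default cap of 10 and the override of 100 are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed default cap, taken from the message's "default to 10"; the per-port
# override models "override for your VMware cluster box and your switches".
DEFAULT_MAX_IPS_PER_MAC = 10


@dataclass
class NeighborTable:
    """Toy neighbor cache with a per-MAC address cap and a per-port MAC allowlist."""
    max_per_mac: int = DEFAULT_MAX_IPS_PER_MAC
    port_override: dict = field(default_factory=dict)  # port -> higher cap
    allowed_macs: dict = field(default_factory=dict)   # port -> set of permitted MACs
    entries: dict = field(default_factory=lambda: defaultdict(set))  # (port, mac) -> {ip}
    dropped: list = field(default_factory=list)        # (port, mac, ip, reason)

    def limit_for(self, port: str) -> int:
        return self.port_override.get(port, self.max_per_mac)

    def learn(self, port: str, mac: str, ip: str) -> bool:
        """Install a neighbor entry; return False (and record why) if it is dropped."""
        allowed = self.allowed_macs.get(port)
        if allowed is not None and mac not in allowed:
            # Port-security style check: unknown source MAC on a locked port.
            self.dropped.append((port, mac, ip, "mac-not-allowed"))
            return False
        key = (port, mac)
        if ip in self.entries[key]:
            return True  # refresh of an existing entry, no new state consumed
        if len(self.entries[key]) >= self.limit_for(port):
            # One MAC claiming too many addresses: stop learning, keep what exists.
            self.dropped.append((port, mac, ip, "per-mac-limit"))
            return False
        self.entries[key].add(ip)
        return True

    def count(self, port: str, mac: str) -> int:
        return len(self.entries.get((port, mac), ()))

    def drops_by_reason(self) -> dict:
        out = defaultdict(int)
        for _, _, _, reason in self.dropped:
            out[reason] += 1
        return dict(out)


def run_sample() -> dict:
    """Replay constructed neighbor-learning events and summarise the outcome."""
    table = NeighborTable(
        port_override={"ge-0/0/2": 100},                   # hypervisor uplink (constructed)
        allowed_macs={"ge-0/0/3": {"aa:bb:cc:dd:ee:01"}},  # locked access port (constructed)
    )
    events = []
    # ge-0/0/1: one ordinary host MAC claiming 15 addresses out of its /64.
    events += [("ge-0/0/1", "00:11:22:33:44:55", f"2001:db8:1::{i:x}") for i in range(1, 16)]
    # ge-0/0/2: a VM host legitimately fronting 20 guest addresses.
    events += [("ge-0/0/2", "00:11:22:33:44:66", f"2001:db8:2::{i:x}") for i in range(1, 21)]
    # ge-0/0/3: an unknown MAC behind a locked port, then the permitted one.
    events += [("ge-0/0/3", "de:ad:be:ef:00:01", f"2001:db8:3::{i:x}") for i in range(1, 4)]
    events += [("ge-0/0/3", "aa:bb:cc:dd:ee:01", f"2001:db8:3::{i:x}") for i in range(10, 12)]

    installed = sum(1 for port, mac, ip in events if table.learn(port, mac, ip))
    return {
        "installed": installed,
        "dropped": table.drops_by_reason(),
        "per_mac": {
            ("ge-0/0/1", "00:11:22:33:44:55"): table.count("ge-0/0/1", "00:11:22:33:44:55"),
            ("ge-0/0/2", "00:11:22:33:44:66"): table.count("ge-0/0/2", "00:11:22:33:44:66"),
        },
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Running it shows the ordinary host stopped at 10 entries with 5 attempts dropped, the hypervisor port learning all 20 because of its override, and the unknown MAC on the locked port never getting an entry at all; the existing entries survive in every case, which is the property the per-MAC cap is meant to preserve.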

