[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NIST IPv6 document

Subject: NIST IPv6 document
From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith)
Date: Thu, 6 Jan 2011 23:48:41 +1030
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>

On Wed, 5 Jan 2011 18:57:50 +0100
Phil Regnauld <regnauld at nsrc.org> wrote:

> Jeff Wheeler (jsw) writes:
> > are badly needed.  The largest current routing devices have room for
> > about 100,000 ARP/NDP entries, which can be used up in a fraction of a
> > second with a gigabit of malicious traffic flow.  What happens after
> > that is the problem, and we need to tell our vendors what knobs we
> > want so we can "choose our own failure mode" and limit damage to one
> > interface/LAN.
> 
> 	Well there are *some* knobs:
> 
> 	http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1369018
> 
> 	Not very smart, as it just controls how fast you run out of entries.
> 
> 	I haven't read all entries in this thread yet, but I wonder if
> 	http://tools.ietf.org/html/draft-jiang-v6ops-nc-protection-01 has been
> 	mentioned ?
> 

The problem fundamentally is the outstanding state while the NS/NA
transaction takes place. IPX had big subnets (i.e. /32s out of 80 bit
addresses), but as it didn't use a layer 3 to layer 2 address resolution
protocol (layer 2 addresses were the layer 3 node addresses), requiring
transaction state, it didn't (or wouldn't have) had this issue.

I think the answer is to go stateless for the NS/NA transaction, either
blindly trusting the received NAs (initially compatible with current
NS/NA mechanisms), which reduces the set of nodes that can exploit
neighbor cache tables to those onlink, and then eventually moving
towards a nonce based verification of received NAs, which in effect
carries the NS/NA transaction state within the packet, rather than
storing it within the NS'ing node's memory. Going stateless means
losing ICMPv6 destination unreachables for non-existent neighbors
however (a) vendors aren't implementing those on P2P links already
because they switch off ND address resolution, (b) the /127 P2P proposal
switches them off because it proposes switching off ND address
resolution, and (c) firewalls commonly drop them inbound from the
Internet anyway. 

Other possible options -

http://www.ietf.org/mail-archive/web/ipv6/current/msg12400.html

> 	Seems also that this topic has been brought up here a year ago give
> 	or take a couple of weeks:
> 
> 	http://www.mail-archive.com/nanog at nanog.org/msg18841.html
> 
> 
> 	Cheers,
> 	Phil
>

References:
- NIST IPv6 document
  - From: oberman at es.net (Kevin Oberman)
- NIST IPv6 document
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- NIST IPv6 document
  - From: mohacsi at niif.hu (Mohacsi Janos)
- NIST IPv6 document
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- NIST IPv6 document
  - From: iljitsch at muada.com (Iljitsch van Beijnum)
- NIST IPv6 document
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- NIST IPv6 document
  - From: joelja at bogus.com (Joel Jaeggli)
- NIST IPv6 document
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- NIST IPv6 document
  - From: regnauld at nsrc.org (Phil Regnauld)
- NIST IPv6 document
  - From: jsw at inconcepts.biz (Jeff Wheeler)
- NIST IPv6 document
  - From: regnauld at nsrc.org (Phil Regnauld)

Prev by Date: NIST IPv6 document
Next by Date: NIST IPv6 document
Previous by thread: NIST IPv6 document
Next by thread: NIST IPv6 document
Index(es):
- Date
- Thread