Using IPv6 with prefixes shorter than a /64 on a LAN

[patrick.sumby at sohonet.co.uk (Patrick Sumby)]

On 24/01/2011 22:41, Michael Loftis wrote:
> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps at maine.edu>  wrote:
>
>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>> networks.  I don't think this will be a common or wide-spread problem.
>>   The general feeling is that there is simply too much address space
>> for it to be done in any reasonable amount of time, and there is
>> almost nothing to be gained from it.
>
> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
> By repetitively sweeping a targets /64 you can cause EVERYTHING in
> that /64 to stop working by overflowing the ND/ND cache, depending on
> the specific ND cache implementation and how big it is/etc.  Routers
> can also act as amplifiers too, DDoSing every host within a multicast
> ND directed solicitation group (and THAT is even assuming a correctly
> functioning switch thats limiting the multicast travel)
>
> Add to it the assumption that every router gets certain things right
> (like everything correctly decrementing TTLs as assumed in RFC 4861
> 11.2 in order for hosts to detect off-link RA/ND messages and guard
> themselves against those), in these ways it's certainly at least
> somewhat worse than ARP.
>
> If you're able to bring down, or severely limit, a site by sending a
> couple thousand PPS towards the /64 it's on, or by varying the upper
> parts of the /64 to flood all the hosts with multicast traffic while
> simultaneously floodign the routers LRU ND cache well thats a cheap
> and easy attack and it WILL be used, and that can be done with the
> protocols working as designed, at least from my reading.  Granted I
> don't have an IPv6 lab to test any of this.  But I'd be willing to bet
> this exact scenario is readily and easily possible, it already is with
> ARP tables (and it DOES happen, it's just harder to make happen with
> ARP  and IPv4 since the space is so small, esp when compared to a /64)
>   IPv6 ND LRU Caches/tables aren't going to be anywhere near big enough
> to handle a single /64's worth of hosts.  And if they're any
> significant amt smaller then it'd be trivial to cause a DoS by
> sweeping the address space.  It would depend on the ND table
> limits/sizes, and any implementation specific timers/etc and garbage
> collection, and a some other details I don't have, but, I bet it'd be
> a really small flow in the scheme of things to completely stomp out a
> /64....someone I'm sure knows more about the implementations, and I'm
> betting this has been brought up before about IPv6/ND...
>
> So I pretty strongly disagree about your statement.  Repetitively
> sweeping an IPv6 network to DoS/DDoS the ND protocol thereby flooding
> the ND cache/LRUs could be extremely effective and if not payed
> serious attention will cause serious issues.
>


Yes.... This is an issue for point-to-point links but using a longer 
prefix (/126 or similar) has been suggested as a mitigation for this 
sort of attack.

I would assume that in the LAN scenario where you have a /64 for your 
internal network that you would have some sort of stateful firewall 
sitting infront of the network to stop any un-initiated sessions. This 
therefore stops any hammering of ND cache etc. The argument then is that 
the number of packets hitting your firewall / bandwidth starvation would 
be the the alternative line of attack for a DoS/DDos but that is a 
completely different issue.