NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
Jared Mauch
jared at puck.nether.net
Fri Jul 15 02:35:40 UTC 2011
On Jul 14, 2011, at 10:06 PM, Fernando Gont <fernando at gont.com.ar> wrote:
>> It should be possible to mitigate this, so long as the attack does not actually
>> originate from a neighbor on the same subnet as a router IP interface on
>> an IPv6 subnet with sufficient number of IPs.
>
> Well, unless there's some layer-2 anti-spoofing mitigation in place,
> with /64 subnets the "local attacker" typically *will* have enough
> addresses.
Solving a local attack is something I consider different in scope than the current draft being discussed in 6man, v6ops, ipv6@ etc...
Anyone on a layer-2 network can do something interesting like flood all f's and kill the lan. Trying to keep the majority of thoughts here for layer-3 originated attacks, even if the target is a layer2 item.
- Jared
More information about the NANOG
mailing list