NDP DoS attack

Florian Weimer fw at deneb.enyo.de
Sun Jul 17 09:48:25 UTC 2011


* Mikael Abrahamsson:

> On Sun, 17 Jul 2011, Florian Weimer wrote:
>
>> In practice, the IPv4 vs IPv6 difference is that some vendors
>> provide DHCP snooping, private VLANs and unicast flood protection in
>> IPv4 land, which seems to provide a scalable way to build Ethernet
>> networks with address validation---but there is nothing comparable
>> for IPv6 right now, from any vendor.
>
> That is not true. Check out work and reports from the IETF SAVI
> WG. There are actually quite a few implementations out there, being
> used in production.

Others use tunnels, PPPoE or lots of scripting, so certainly something
can be done about it.  To my knowledge, SAVI SEND is still at a
similar stage.  Pointers to vendor documentation would be appreciated
if this is not the case.

And SAVI SEND is not the full story---it's still missing unicast flood
protection.



