IPv6 point-to-point was: It's Ars Tech's turn to bang the IPv4 exhaustion drum

Jeroen Massar jeroen at unfix.org
Wed Aug 20 14:38:15 UTC 2008


michael.dillon at bt.com wrote:
>> matsuzaki-san's preso, i think the copy he will present next 
>> week at apops:
> 
> To summarize, using /64 on a link opens the door to a DOS
> problem that we need to pressure the vendors to fix. 

How is this not an obvious 'duh' kind of situation that just depends on
doing one's configuration correctly?

A similar problem occurs when one assigns a /48 down the P2P link and
the downstream user has a default route back upstream but doesn't route
the /48 to a loopback, but only routes a part of it (e.g. a /64 or two). E.g.:

{ Internet} - { ISP } - { p2p-link } - { customer } - { c1 }
                                                     \ { c2 }

p2p-link = 2001:db8:1000::/64 (::1 == ISP, ::2 == Customer)
customer = 2001:db8:2000::/48 via 2001:db8:1000::2
c1       = 2001:db8:2000:1::/64
c2       = 2001:db8:2000:1::/64

Packets from $internet to 2001:db8:2000:1234::1 will travel down to the
customer, who routes it with its default back up to the p2p-link, where
your correctly configured box will see a source address of $internet and
icmp admin reject it because that is an invalid source address. Indeed
the packet will bounce back up and a third packet (the icmp) will be
sent, thus you have an amplification of 3x, but who cares? That is at the
customer link, they should configure that link correctly, and they are
paying you for that link anyway -> their problem, your cash $$$ :)

RPF saves the day here yet again. Remember boys and girls to configure
at least your boxes correctly, don't trust other people to do the same ;)

There are various "ISPs" who of course don't do this and
which allow full spoofing from any prefix as they don't do RPF or even
something as simple as a "source != 2001:db8::/32" or whatever they have as
their own prefix on their core routers. There are of course also "ISPs"
which think they are transits and tunnel to everybody they can find;
these "ISPs" then of course also don't do any spoofing filtering and
generally have 'customers' that exhibit the same problem, as those just
set a default back upstream. Take a small guess how easy it is to take
those networks off the Internet... better start fixing that broken setup ;)

Greets,
  Jeroen
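As an added illustration (not part of the post above), the following Python model of the topology in the message counts how many packets one Internet-sourced packet to an unrouted part of the customer's /48 causes to be sent: with and without the customer's discard route for the /48, and with and without the ISP's source filter/RPF on the p2p link. The $internet source address, the hop limit and the ICMP accounting are assumptions of the model.

```python
import ipaddress

# Constructed model of the post's topology: {ISP} - {p2p-link} - {customer} - {c1}.
# The customer routes only c1 (one /64 of its /48) and has a default back upstream.
P2P_ISP, P2P_CUST = "2001:db8:1000::1", "2001:db8:1000::2"
CUSTOMER_AGG = ipaddress.ip_network("2001:db8:2000::/48")
ANY = ipaddress.ip_network("::/0")
SRC = ipaddress.ip_address("2001:db8:ffff::1")  # constructed "$internet" source address

def longest_match(table, dst):
    """Next hop for dst by longest-prefix match over (prefix, next_hop) entries."""
    hits = [(p, nh) for p, nh in table if dst in p]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None

def simulate(dst, discard_route=False, source_filter=True, hop_limit=64):
    """Inject one packet from the Internet toward dst and count every packet it
    causes to be sent (forwards plus ICMP replies). Returns (count, outcome)."""
    dst = ipaddress.ip_address(dst)
    isp_table = [(ANY, "internet"), (CUSTOMER_AGG, P2P_CUST)]
    cust_table = [(ANY, P2P_ISP), (ipaddress.ip_network("2001:db8:2000:1::/64"), "c1")]
    if discard_route:
        # The fix the post describes: route the whole /48 to a loopback/discard so
        # unused parts of the prefix are dropped at the customer instead of bouncing.
        cust_table.append((CUSTOMER_AGG, "discard"))
    if longest_match(isp_table, dst) != P2P_CUST:
        return 0, "not routed toward the customer"
    sent = 0
    while True:
        # ISP -> customer across the p2p link (hop limit decremented per forward)
        if hop_limit <= 1:
            return sent + 1, "hop limit exceeded, ICMP time exceeded sent"
        hop_limit, sent = hop_limit - 1, sent + 1
        nh = longest_match(cust_table, dst)
        if nh == "c1":
            return sent, "delivered to c1"
        if nh == "discard":
            return sent, "dropped by customer discard route"
        # No specific route at the customer: the default sends it back up the link
        if hop_limit <= 1:
            return sent + 1, "hop limit exceeded, ICMP time exceeded sent"
        hop_limit, sent = hop_limit - 1, sent + 1
        if source_filter and SRC not in CUSTOMER_AGG:
            # ISP ingress filter / RPF: traffic from the customer link must carry a
            # customer source; reject and send ICMP admin prohibited (3 packets total)
            return sent + 1, "rejected by ISP source filter, ICMP admin prohibited sent"
        # No filter: the ISP's /48 route points back at the customer; ping-pong goes on

if __name__ == "__main__":
    for kw in ({}, {"discard_route": True}, {"source_filter": False}):
        print(kw, simulate("2001:db8:2000:1234::1", **kw))
```

With the source filter the bounce stops at the 3x the post mentions; without it the packet ping-pongs on the link until the hop limit runs out, and only the customer's discard route for the aggregate stops it at one packet.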
