Failure modes: NAT vs SPI

Jay Ashworth jra at
Mon Feb 7 16:15:51 UTC 2011

----- Original Message -----
> From: "Iljitsch van Beijnum" <iljitsch at>

> On 4 feb 2011, at 22:02, Dave Cardwell wrote:
> > Without wanting to get into whether NAT provides security to hosts
> > that exist on the inside. I am curious if the potential to overflow
> > ND caches with incomplete* entries exists on currently shipping CPE
> > hardware and if NAT helps prevent this?
> > e.g.
> > In v4 with a /24 on the inside an attacker can send a single packet to
> > each consecutive address causing at most 254 arp requests to be sent
> > on the lan segment and upto 253 incomplete entries, until they
> > timeout.
> > In v6 with a /64 on the inside it seems like the same tactic would
> > lead to more outstanding ND requests than any realistically sized
> > cache would support.
> Ok, I had a hard time making up my mind whether a sarcastic or a
> factual response was in order...

I see you decided to go with "sarcastic".

> This is of course a very big problem, and one of the reasons why
> everyone who's tried IPv6 immediately turns it off again: script
> kiddies are continuously scanning the entire IPv6 address space so
> this happens to regular IPv6 users all the time.

I'm sure it's clear to you that "no one's doing it now" is not a valid
response to prophylactic secure network planning...

> Since this is a problem that is inherent to the ND protocol that is
> impossible to fix without modifying the IPv6 standards significantly,
> the easiest way to solve this with the least amount of impact to
> applications, the ability to host services and the end-to-end model in
> particular is to use a single public IPv6 address and NAT all local
> stuff behind it.

So, you're not going to actually address the problem seriously?

Got it.

-- jra

More information about the NANOG mailing list