Failure modes: NAT vs SPI
Iljitsch van Beijnum
iljitsch at muada.com
Mon Feb 7 15:07:26 CST 2011
On 7 feb 2011, at 17:15, Jay Ashworth wrote:
>> Ok, I had a hard time making up my mind whether a sarcastic or a
>> factual response was in order...
> I see you decided to go with "sarcastic".
Not sure if Owen noticed... :-)
> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...
Well, no and yes. There's only a few panes of glass keeping people out of most houses. We know glass is easy to break. We know it gets broken and people get in who aren't wanted there once in a while. Still only a few people see the need to install steel bars in front of their windows.
In real life we take risks all the time. In the networked world somehow it always has to be all or nothing, with few people occupying the reasonable middle ground.
But in this case, we know there's a potential problem and waiting for it to become acute is not the best approach.
> So, you're not going to actually address the problem seriously?
Vendors should modify their neighbor discovery implementations such that it still works even when large numbers of addresses are scanned. The easiest way would be to keep only a limited number of incomplete ND cache entries and throw those away on an LRU basis, but create a full ND cache entry that is kept around when a neighbor advertisement is received, even if there is no incomplete ND cache entry at that time. AFAIK the incomplete ND cache entries don't do anything we can't do without.
"Solving" this with NAT is the classic example of shooting a mosquito with a cannon.
I also don't think any protocol modifications are necessary.
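The cache policy Iljitsch sketches above, as an added simulation that is not his code nor any vendor's implementation: INCOMPLETE entries are capped and evicted LRU, while a received Neighbor Advertisement installs a full entry whether or not an INCOMPLETE entry survived. The `NDCache` class, the cap of four entries, and the addresses are constructed for illustration.

```python
from collections import OrderedDict

class NDCache:
    """Hypothetical neighbor cache: bounded INCOMPLETE set with LRU eviction,
    REACHABLE entries created on any received Neighbor Advertisement."""

    def __init__(self, max_incomplete=4):
        self.max_incomplete = max_incomplete
        self.incomplete = OrderedDict()   # addr -> queued packets, LRU order
        self.reachable = {}               # addr -> link-layer address

    def send_to(self, addr):
        """Router has a packet for addr on the local link."""
        if addr in self.reachable:
            return "forward"
        # Unknown neighbor: a solicitation goes out, entry becomes INCOMPLETE.
        if addr in self.incomplete:
            self.incomplete.move_to_end(addr)
            self.incomplete[addr] += 1
        else:
            if len(self.incomplete) >= self.max_incomplete:
                self.incomplete.popitem(last=False)   # drop least recently used
            self.incomplete[addr] = 1
        return "solicit"

    def receive_advertisement(self, addr, lladdr):
        """Neighbor Advertisement received: install a full entry even if the
        INCOMPLETE entry for addr was already evicted."""
        self.incomplete.pop(addr, None)
        self.reachable[addr] = lladdr

    def incomplete_count(self):
        return len(self.incomplete)


def simulate_scan_then_legit(max_incomplete=4, scanned=1000):
    """Constructed scenario: a sweep of `scanned` unused addresses pushes a real
    host's INCOMPLETE entry out; its reply must still yield a REACHABLE entry.
    Returns (incomplete entries held, reachable entries, result for real host)."""
    cache = NDCache(max_incomplete)
    legit = "2001:db8::1"
    cache.send_to(legit)                       # solicitation for the real host
    for i in range(scanned):                   # sweep evicts the legit entry
        cache.send_to(f"2001:db8::dead:{i:x}")
    # The real host's advertisement arrives after its INCOMPLETE entry is gone.
    cache.receive_advertisement(legit, "00:11:22:33:44:55")
    return cache.incomplete_count(), len(cache.reachable), cache.send_to(legit)
```

The INCOMPLETE set never grows past the cap regardless of sweep size, and the legitimate host is reachable afterwards; the simulation does not model validation of the advertisement itself.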