NIST IPv6 document

Jeff Wheeler jsw at inconcepts.biz
Wed Jan 5 06:15:25 UTC 2011


On Tue, Jan 4, 2011 at 11:35 PM, Kevin Oberman <oberman at es.net> wrote:
> The PDF is available at:

I notice that this document, in its nearly 200 pages, makes only
casual mention of ARP/NDP table overflow attacks, which may be among
the first real DoS challenges production IPv6 networks, and equipment
vendors, have to resolve.  Some platforms have far worse failure modes
than others when subjected to such an attack, and information on this
subject is not widely-available.

Unless operators press their vendors for information, and more knobs,
to deal with this problem, we may all be waiting for some group like
"Anonymous" to take advantage of this vulnerability in IPv6 networks
with large /64 subnets configured on LANs; at which point we may all
find ourselves scrambling to request knobs, or worse, redesigning and
renumbering our LANs.

RFC5157 does not touch on this topic at all, and that is the sole
reference I see in the NIST publication to scanning attacks.

I continue to believe that a heck of a lot of folks are missing the
boat on this issue, including some major equipment vendors.  It has
been pointed out to me that I should have been more vocal when IPv6
was still called IPng, but in 16 years, there has been nothing done
about this problem other than water-cooler talk.  I suspect that will
continue to be the case until those of us who have configured our
networks carefully are having a laugh at the networks who haven't.
However, until that time, it's also been pointed out to me that
customers will expect /64 LANs, and not offering it may put networks
at a competitive disadvantage.

Vendor solutions are needed before scanning IPv6 LANs becomes a
popular way to inconvenience (at best) or disable (at worst) service
providers and their customers.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts




More information about the NANOG mailing list