NIST IPv6 document

Jeff Wheeler jsw at inconcepts.biz
Wed Jan 5 11:19:16 CST 2011


On Wed, Jan 5, 2011 at 12:04 PM, Joel Jaeggli <joelja at bogus.com> wrote:
> no it isn't, if you've ever had your juniper router become unavailable
> because the arp policer caused it to start ignoring updates, or seen
> systems become unavailable due to an arp storm you'd know that you can
> abuse arp on a rather small subnet.

These conditions can only be triggered by malicious hosts on the LAN.
With IPv6, it can be triggered by scanning attacks originated from
"the Internet."  No misconfiguration or compromised machine on your
network is necessary.

This is why it is a fundamentally different, and much larger, problem.
 Since you seem confused about the basic nature of this issue, I will
explain it for you in more detail:

IPv4) I can scan your v4 subnet, let's say it's a /24, and your router
might send 250 ARP requests and may even add 250 "incomplete" entries
to its ARP table.  This is not a disaster for that LAN, or any others.
 No big deal.  I can also intentionally send a large amount of traffic
to unused v4 IPs on the LAN, which will be handled as unknown-unicast
and sent to all hosts on the LAN via broadcasting, but many boxes
already have knobs for this, as do many switches.  Not good, but also
does not affect any other interfaces on the router.

IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan.  If it requires "incomplete" entries
in its table, I will use them all up, and NDP learning will be broken.
 Typically, this breaks not just on that interface, but on the entire
router.  This is much worse than the v4/ARP sitation.

I trust you will understand the depth of this problem once you realize
that no device has enough memory to prevent these attacks without
knobs that make various compromises available via configuration.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts




More information about the NANOG mailing list