NIST IPv6 document

TJ trejrco at
Thu Jan 6 14:17:07 CST 2011

On Wed, Jan 5, 2011 at 13:14, Jeff Wheeler <jsw at> wrote:

> On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco at> wrote:
> > Many would argue that the version of IP is irrelevant, if you are permitting
> > external hosts the ability to scan your internal network in an unrestricted
> > fashion (no stateful filtering or rate limiting) you have already lost, you
>
> How do you propose to rate-limit this scanning traffic?  More router
> knobs are needed.  This also does not solve problems with malicious
> hosts on the LAN.

Off the top of my head, maybe just slow down the generation of new NS
attempts when under attack (without impacting the NUD-based NS).

> A stateful firewall on every router interface has been suggested
> already on this thread.  It is unrealistic.
>
> > Even granting that, for the sake of argument - it seems like it would not be
> > hard for $vendor to have some sort of "emergency garbage collection"
> > routines within their NDP implementations ... ?
>
> How do you propose the router know what entries are "garbage" and
> which are needed?  Eliminating active, "good" entries to allow for
> more churn would make the problem much worse, not better.

Again, off the top of my head, maybe - when under duress - age out the
incomplete ND table entries faster.
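The two knobs floated in this exchange (slow down resolution-triggered Neighbor Solicitations when under attack while leaving NUD probes alone, and age out INCOMPLETE neighbor-cache entries faster when under duress) can be sketched as a small model of a router's neighbor cache. The code below is an added example for this page, not code from the thread or from any vendor's NDP implementation; the NeighborCache class, the "duress" threshold, the cache size, the timers and the 2001:db8:: addresses are all constructed for illustration. The 3-second normal INCOMPLETE lifetime mirrors RFC 4861's MAX_MULTICAST_SOLICIT x RetransTimer default; the 1-second duress lifetime is an assumed policy value.

```python
# Added example (not from the NANOG thread): toy IPv6 neighbor cache that
#   1. under duress, rate-limits resolution-triggered NS via a token bucket,
#      while NUD probes for already-REACHABLE neighbors are never limited;
#   2. under duress, expires INCOMPLETE entries on a shorter timer, leaving
#      REACHABLE ("good") entries untouched.
# Capacity, timers, threshold and addresses are constructed values.

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    def __init__(self, capacity=10, incomplete_timeout=3.0, duress_timeout=1.0,
                 duress_fraction=0.5, ns_rate_per_sec=2.0, ns_burst=2):
        self.capacity = capacity                      # max entries (assumed)
        self.incomplete_timeout = incomplete_timeout  # normal INCOMPLETE lifetime
        self.duress_timeout = duress_timeout          # shorter lifetime under duress
        self.duress_fraction = duress_fraction        # INCOMPLETE share signalling duress
        self.entries = {}                             # addr -> (state, timestamp)
        # Token bucket for resolution-triggered NS; consulted only under duress.
        self.ns_rate, self.ns_burst = ns_rate_per_sec, ns_burst
        self.tokens, self.last_refill = float(ns_burst), 0.0
        self.ns_sent = {"resolve": 0, "nud": 0}
        self.dropped = 0

    def incomplete_count(self):
        return sum(1 for state, _ in self.entries.values() if state == INCOMPLETE)

    def under_duress(self):
        return self.incomplete_count() >= self.duress_fraction * self.capacity

    def _refill(self, now):
        elapsed = now - self.last_refill
        self.tokens = min(self.ns_burst, self.tokens + elapsed * self.ns_rate)
        self.last_refill = now

    def expire(self, now):
        """Drop aged INCOMPLETE entries; the timer shrinks when under duress."""
        timeout = self.duress_timeout if self.under_duress() else self.incomplete_timeout
        for addr, (state, created) in list(self.entries.items()):
            if state == INCOMPLETE and now - created >= timeout:
                del self.entries[addr]

    def resolve(self, addr, now):
        """A forwarded packet needs addr's link-layer address.
        Returns True if an entry exists or was created (resolution NS sent)."""
        self.expire(now)
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:     # hard table limit
            self.dropped += 1
            return False
        if self.under_duress():                    # slow down new NS generation
            self._refill(now)
            if self.tokens < 1.0:
                self.dropped += 1
                return False
            self.tokens -= 1.0
        self.entries[addr] = (INCOMPLETE, now)
        self.ns_sent["resolve"] += 1
        return True

    def advertisement(self, addr, now):
        """Neighbor Advertisement received: the target becomes REACHABLE."""
        if addr in self.entries:
            self.entries[addr] = (REACHABLE, now)

    def nud_probe(self, addr, now):
        """NUD-based NS for a REACHABLE neighbor is never rate-limited."""
        if self.entries.get(addr, (None, None))[0] == REACHABLE:
            self.ns_sent["nud"] += 1
            return True
        return False


def simulate():
    """Constructed scenario: two real neighbors come up, then at t=10 a burst
    of 20 resolution requests arrives for addresses nobody on the link answers."""
    cache = NeighborCache()
    for addr in ("2001:db8::1", "2001:db8::2"):
        cache.resolve(addr, now=0.0)
        cache.advertisement(addr, now=0.0)
    for i in range(20):
        cache.resolve("2001:db8::ffff:%x" % i, now=10.0)
    result = {
        "incomplete_after_burst": cache.incomplete_count(),
        "dropped_during_burst": cache.dropped,
        # NUD for a known-good neighbor still goes out with the bucket empty.
        "nud_probe_sent_under_duress": cache.nud_probe("2001:db8::1", now=10.0),
    }
    cache.expire(now=11.0)   # one second later: the duress timer has fired
    result["remaining"] = sorted(cache.entries)
    result["ns_sent"] = dict(cache.ns_sent)
    return result


if __name__ == "__main__":
    print(simulate())
```

In the scenario, the first five junk resolutions create INCOMPLETE entries unhindered, the token bucket then admits two more, and the remaining thirteen are dropped without generating any NS; the NUD probe for 2001:db8::1 is still sent, and one second later only the two REACHABLE neighbors survive. With the same model but duress_timeout equal to the normal 3-second timeout, those INCOMPLETE entries would still be sitting in the table at t=11, which is the "age out faster" difference the post is pointing at.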

