NIST IPv6 document

Jeff Wheeler jsw at inconcepts.biz
Fri Jan 7 00:18:14 UTC 2011


On Thu, Jan 6, 2011 at 6:46 PM, Owen DeLong <owen at delong.com> wrote:
> On Jan 5, 2011, at 9:17 PM, Joe Greco wrote:
>> However, that's not the only potential use!  A client that initiates
>> each new outbound connection from a different IP address is doing
>> something Really Good.
> If hosts start cycling their addresses that frequently, don't you run the
> risk of that becoming a form of DOS on your router's ND tables?

Of course, Owen.  I replied to that specific point in Joe's post
earlier, although I have written so much on this thread, I have tried
to condense my replies, so anyone reading in thread mode may have
missed it.

The fact that Joe even makes that suggestion signals how little
understanding he has of the problem.  His idea would DoS his own
router.  There are many posts on this thread from folks who think of
themselves as expert, at least enough to try and tell me that I'm
wrong, when they lack basic understanding of how the forwarding
process works in operation.  That is what everyone should be afraid of
-- most of the "experts" aren't, and almost no one has practical
experience with a mission-critical IPv6 network, so conditions like
this remain unanalyzed.  It took a long time to discover a lot of
vulnerabilities as the Internet grew from academia to everyday
necessity.  We are all now making some obvious, unnecessary mistakes
with IPv6 deployments.

It is also crucial to understand that some platforms use the same
resources (in control plane or data plane) for ARP and NDP tables and
resolution, and this means that some dual-stack networks will see
their IPv4 networks melt down due to problems with their IPv6 network
design and implementation.  If you are dual-stack, this is probably
not a problem confined to v6 traffic flowing through your network; it
may also take out your mission-critical v4 services.  If you don't
know, then you need to admit you don't know and find out what the
failure mode of your routers is, before your network blows up in your
face.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
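The shared-resource failure mode Jeff describes above can be made concrete with a small model. The following Python is an added example, not code from the thread or from any router vendor. It assumes (these assumptions are not stated in the post) that each outbound connection from a fresh IPv6 source address forces one new neighbor-cache entry on the upstream router, because the router must resolve that address to deliver the return traffic; that the cache is a fixed-size table with LRU eviction; and that on the "shared" platform ARP and ND entries compete for the same slots. The `SharedCache` and `PartitionedCache` classes, the 2001:db8::/64 and 192.0.2.0/24 documentation ranges, and the capacities are all constructed for illustration.

```python
"""Toy model of router neighbor-cache exhaustion on a dual-stack platform.

Added example, not from the NANOG thread. Assumptions (not from the post):
one outbound connection from a fresh IPv6 source address forces one new
neighbor-cache entry on the router (it must resolve the address to deliver
the return traffic), the cache is a fixed-size table with LRU eviction, and
on the "shared" platform ARP and ND entries occupy the same slots.
"""
from collections import OrderedDict
from ipaddress import IPv4Address, IPv6Network
import random


class NeighborCache:
    """Fixed-size LRU table keyed by IP address (v4 and v6 alike)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> link-layer address
        self.evictions = 0

    def resolve(self, addr, lladdr):
        """Install or refresh an entry, evicting the least recently used one when full."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
            self.evictions += 1
        self.entries[addr] = lladdr

    def __contains__(self, addr):
        return addr in self.entries

    def __len__(self):
        return len(self.entries)


class SharedCache:
    """Platform A (hypothetical): ARP and ND share one pool of slots."""

    def __init__(self, capacity):
        self.table = NeighborCache(capacity)

    def resolve(self, addr, lladdr):
        self.table.resolve(addr, lladdr)

    def has(self, addr):
        return addr in self.table


class PartitionedCache:
    """Platform B (hypothetical): each address family has its own bounded
    table, so IPv6 churn can only evict IPv6 entries."""

    def __init__(self, v4_capacity, v6_capacity):
        self.tables = {4: NeighborCache(v4_capacity), 6: NeighborCache(v6_capacity)}

    def resolve(self, addr, lladdr):
        self.tables[addr.version].resolve(addr, lladdr)

    def has(self, addr):
        return addr in self.tables[addr.version]


def simulate(cache, n_v4_hosts, n_v6_connections, seed=1):
    """Warm the cache with n_v4_hosts ARP entries, then let one IPv6 host open
    n_v6_connections, each from a fresh random address in 2001:db8::/64.
    Returns how many of the legitimate IPv4 entries are still present."""
    rng = random.Random(seed)
    # Constructed sample hosts in the 192.0.2.0/24 documentation range.
    v4_hosts = [IPv4Address("192.0.2.1") + i for i in range(n_v4_hosts)]
    for i, host in enumerate(v4_hosts):
        cache.resolve(host, f"00:00:5e:00:53:{i % 256:02x}")  # IANA documentation MACs

    prefix = IPv6Network("2001:db8::/64")
    for _ in range(n_v6_connections):
        # RFC 4941-style temporary address: random 64-bit interface identifier.
        cache.resolve(prefix[rng.getrandbits(64)], "00:00:5e:00:53:ff")

    return sum(cache.has(host) for host in v4_hosts)


def v4_survivors_shared(capacity=1000, n_v4_hosts=200, n_v6_connections=5000):
    """Dual-stack platform with one shared table: the v6 churn evicts the v4 entries."""
    return simulate(SharedCache(capacity), n_v4_hosts, n_v6_connections)


def v4_survivors_partitioned(v4_capacity=400, v6_capacity=600,
                             n_v4_hosts=200, n_v6_connections=5000):
    """Same traffic against per-family tables: v4 entries are untouched."""
    return simulate(PartitionedCache(v4_capacity, v6_capacity), n_v4_hosts, n_v6_connections)


if __name__ == "__main__":
    print("shared table, v4 entries surviving:     ", v4_survivors_shared())       # 0
    print("partitioned table, v4 entries surviving:", v4_survivors_partitioned())  # 200
```

With a shared table, a single IPv6 host cycling source addresses evicts every IPv4 ARP entry once its connection count exceeds the free slots, which is the dual-stack meltdown the message warns about; with per-family tables the same churn only starves other IPv6 neighbors. The model says nothing about how any particular router behaves: that is exactly the question Jeff says operators need to put to their own platforms.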