NIST IPv6 document

Jeff Wheeler jsw at inconcepts.biz
Thu Jan 6 21:05:26 CST 2011


On Thu, Jan 6, 2011 at 9:31 PM, Owen DeLong <owen at delong.com> wrote:
>> You must understand that policing will not stop the NDCache from
>> becoming full almost instantly under an attack.  Since the largest
>> existing routers have about 100k entries at most, an attack can fill
>> that up in *one second.*
>>
> If the policing rate is set to ~100 requests per second, or, even
> 1000 requests per second, then, I'm not sure why you think this.

With a 100pps policer, it is trivial for an attack to make its NS
requests far more likely to make it through the policer than
legitimate NS requests that would result in discovering a valid
layer-2 mapping.  If you are hitting the policer, the subnet is
broken.  If you don't have a policer, the table is full and ... the
subnet is broken.  See how it's a problem that isn't solvable with a
simple policer?  Note that the Cisco "solution" is indeed a
configurable per-interface policer, which is better than nothing, but
does not fully solve the problem.  Policing isn't a new idea.  I'm not
sure it's a step in the right direction, or just prolonging an
inevitable change towards a real fix.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts




More information about the NANOG mailing list