Using IPv6 with prefixes shorter than a /64 on a LAN

Owen DeLong owen at delong.com
Tue Jan 25 18:42:29 UTC 2011


On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:

> On 24/01/2011 22:41, Michael Loftis wrote:
>> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy <rps at maine.edu> wrote:
>> 
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks.  I don't think this will be a common or wide-spread problem.
>>>  The general feeling is that there is simply too much address space
>>> for it to be done in any reasonable amount of time, and there is
>>> almost nothing to be gained from it.
>> 
>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>> By repetitively sweeping a target's /64 you can cause EVERYTHING in
>> that /64 to stop working by overflowing the ND/ND cache, depending on
>> the specific ND cache implementation and how big it is/etc.  Routers
>> can also act as amplifiers too, DDoSing every host within a multicast
>> ND directed solicitation group (and THAT is even assuming a correctly
>> functioning switch that's limiting the multicast travel)

I love this term... "repetitively sweeping a target's /64".

Seriously? Repetitively sweeping a /64? Let's do the math...

2^64 = 18,446,744,073,709,551,616 IP addresses.

Let's assume that few networks would not be DOS'd by a 1,000 PPS
storm coming in, so that's a reasonable cap on our scan rate.

That means sweeping a /64 takes 18,446,744,073,709,551 sec.
(rounded down).

There are 86,400 seconds per day.

18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.

Rounding a year down to 365 days, that's 584,942,417
years to sweep the /64 once.

If we increase our scan rate to 1,000,000 packets
per second, it still takes us 584,942 years to sweep
a /64.

I don't know about you, but I do not expect to live long
enough to sweep a /64, let alone do so repetitively.

Owen
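The arithmetic in the message above, carried through with exact integers as an added example (this is not code from the post or from NANOG). It reproduces Owen's floor-rounded figures for a /64 at 1,000 and 1,000,000 PPS and generalises the same calculation to any prefix length and probe rate, which is how an operator would size how much of a subnet's address space is actually reachable by a brute-force sweep in a given time; the function and variable names are my own.

```python
# Added example, not part of the original post: the sweep-time
# derivation from the message, generalised to any prefix length and
# packet rate. Rounding follows the post: every intermediate result
# is rounded down (floor division), and a year is taken as 365 days.

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365  # the post rounds a year down to 365 days


def addresses_in_prefix(prefix_len: int) -> int:
    """Number of IPv6 addresses in a prefix of the given length (0..128)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return 1 << (128 - prefix_len)


def sweep_time(prefix_len: int, pps: int) -> dict:
    """Time to probe every address in the prefix once at `pps` probes/second.

    Returns the address count plus seconds, days and years, each floored
    exactly as the post does (2^64 / 1000 -> 18,446,744,073,709,551 s).
    """
    if pps <= 0:
        raise ValueError("packet rate must be positive")
    addresses = addresses_in_prefix(prefix_len)
    seconds = addresses // pps
    days = seconds // SECONDS_PER_DAY
    years = days // DAYS_PER_YEAR
    return {"addresses": addresses, "seconds": seconds,
            "days": days, "years": years}


if __name__ == "__main__":
    # Contrast a /64 with the longer prefixes sometimes used on
    # point-to-point or server LANs to show how quickly the sweep
    # time collapses once the host part shrinks.
    for plen in (64, 96, 112, 120):
        for rate in (1_000, 1_000_000):
            t = sweep_time(plen, rate)
            print(f"/{plen} at {rate:>9,} pps: {t['years']:>12,} years, "
                  f"{t['days']:,} days, {t['seconds']:,} s")
```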