Using IPv6 with prefixes shorter than a /64 on a LAN

Owen DeLong owen at delong.com
Tue Jan 25 12:42:29 CST 2011


On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:

> On 24/01/2011 22:41, Michael Loftis wrote:
>> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps at maine.edu>  wrote:
>> 
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks.  I don't think this will be a common or wide-spread problem.
>>>  The general feeling is that there is simply too much address space
>>> for it to be done in any reasonable amount of time, and there is
>>> almost nothing to be gained from it.
>> 
>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>> By repetitively sweeping a targets /64 you can cause EVERYTHING in
>> that /64 to stop working by overflowing the ND/ND cache, depending on
>> the specific ND cache implementation and how big it is/etc.  Routers
>> can also act as amplifiers too, DDoSing every host within a multicast
>> ND directed solicitation group (and THAT is even assuming a correctly
>> functioning switch thats limiting the multicast travel)

I love this term... "repetitively sweeping a targets /64".

Seriously? Repetitively sweeping a /64? Let's do the math...

2^64 = 18,446,744,073,709,551,616 IP addresses.

Let's assume that few networks would not be DOS'd by a 1,000 PPS
storm coming in so that's a reasonable cap on our scan rate.

That means sweeping a /64 takes 18,446,744,073,709,551 sec.
(rounded down).

There are 86,400 seconds per day.

18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.

Rounding a year down to 365 days, that's 584,942,417
years to sweep the /64 once.

If we increase our scan rate to 1,000,000 packets
per second, it still takes us 584,942 years to sweep
a /64.

I don't know about you, but I do not expect to live long
enough to sweep a /64, let alone do so repetitively.

Owen




More information about the NANOG mailing list