Using IPv6 with prefixes shorter than a /64 on a LAN

George Bonser gbonser at seven.com
Tue Jan 25 12:49:51 CST 2011


> >
> > So I pretty strongly disagree about your statement.  Repetitively
> > sweeping an IPv6 network to DoS/DDoS the ND protocol thereby
flooding
> > the ND cache/LRUs could be extremely effective and if not payed
> > serious attention will cause serious issues.
> >
> 
> 
> Yes.... This is an issue for point-to-point links but using a longer
> prefix (/126 or similar) has been suggested as a mitigation for this
> sort of attack.
> 
> I would assume that in the LAN scenario where you have a /64 for your
> internal network that you would have some sort of stateful firewall
> sitting infront of the network to stop any un-initiated sessions. This
> therefore stops any hammering of ND cache etc. The argument then is
> that
> the number of packets hitting your firewall / bandwidth starvation
> would
> be the the alternative line of attack for a DoS/DDos but that is a
> completely different issue.
> 
> 

So for /64 subnets used for point-to-points you disable ND, configure
static neighbors and that's the end of it. No ND DDoS.






More information about the NANOG mailing list