Using IPv6 with prefixes shorter than a /64 on a LAN
rps at maine.edu
Wed Jan 26 09:55:56 CST 2011
I think we're losing focus on the discussion here.
The core issue here is that ND tables have a finite size, just like
ARP tables. Making an unsolicited request to a subnet will cause ND
on the router to try and reach find the host.
This can be a problem with subnets as small as 1024 (I constantly find
people using Linux-based routers, for example, running with the kernel
default ARP table of 127 instead of bumping it up to a sane and
network appropriate level).
I don't believe that using smaller IPv6 prefixes is an appropriate
response to the problem. In time, we will likely see protection
mechanisms come from vendors. Perhaps disabling the ability for
routers to solicit ND and just depend on connected hosts to announce
their presence would be sufficient. Perhaps not. It is something
that needs to be looked into, just like DAD DoS attacks, and rogue RA
on the LAN. But it has little to do with prefix length.
When it comes down to it. I find it hard to justify attempting to
mitigate this DoS vector by using longer prefixes. There are many
many more useful and effective DoS vectors that are lower-hanging
fruit. And the lowest hanging fruit always wins.
On Tue, Jan 25, 2011 at 1:42 PM, Owen DeLong <owen at delong.com> wrote:
> On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:
>> On 24/01/2011 22:41, Michael Loftis wrote:
>>> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps at maine.edu> wrote:
>>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>>> networks. I don't think this will be a common or wide-spread problem.
>>>> The general feeling is that there is simply too much address space
>>>> for it to be done in any reasonable amount of time, and there is
>>>> almost nothing to be gained from it.
>>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>>> By repetitively sweeping a targets /64 you can cause EVERYTHING in
>>> that /64 to stop working by overflowing the ND/ND cache, depending on
>>> the specific ND cache implementation and how big it is/etc. Routers
>>> can also act as amplifiers too, DDoSing every host within a multicast
>>> ND directed solicitation group (and THAT is even assuming a correctly
>>> functioning switch thats limiting the multicast travel)
> I love this term... "repetitively sweeping a targets /64".
> Seriously? Repetitively sweeping a /64? Let's do the math...
> 2^64 = 18,446,744,073,709,551,616 IP addresses.
> Let's assume that few networks would not be DOS'd by a 1,000 PPS
> storm coming in so that's a reasonable cap on our scan rate.
> That means sweeping a /64 takes 18,446,744,073,709,551 sec.
> (rounded down).
> There are 86,400 seconds per day.
> 18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.
> Rounding a year down to 365 days, that's 584,942,417
> years to sweep the /64 once.
> If we increase our scan rate to 1,000,000 packets
> per second, it still takes us 584,942 years to sweep
> a /64.
> I don't know about you, but I do not expect to live long
> enough to sweep a /64, let alone do so repetitively.
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
More information about the NANOG