Using IPv6 with prefixes shorter than a /64 on a LAN

Matthew Petach mpetach at netflight.com
Sun Jan 30 17:17:19 CST 2011


On Tue, Jan 25, 2011 at 10:26 PM, Fernando Gont <fernando at gont.com.ar> wrote:
> On 24/01/2011 07:41 p.m., Michael Loftis wrote:
>
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks.  I don't think this will be a common or wide-spread problem.
>>>  The general feeling is that there is simply too much address space
>>> for it to be done in any reasonable amount of time, and there is
>>> almost nothing to be gained from it.
>>
>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>> By repetitively sweeping a targets /64 you can cause EVERYTHING in
>> that /64 to stop working by overflowing the ND/ND cache, depending on
>> the specific ND cache implementation and how big it is/etc.
>
> That depends on the ND implementation being broken enough by not
> limiting the number of neighbor cache entries that are in the INCOMPLETE
> state. (I'm not saying those broken implementations don't exist, though).

Even without completely overflowing the ND cache, informal lab testing
shows that a single laptop on a well-connected network link can send
sufficient packets at a very-large-scale backbone router's connected /64
subnet to keep the router CPU at 90%, sustained, for as long as you'd
like.  So, while it's not a direct denial of service (the network keeps
functioning, albeit under considerable pain), it's enough to impact the
ability of the network to react to other dynamic loads.  :/

Matt




More information about the NANOG mailing list