NDP DoS attack

Florian Weimer fw at deneb.enyo.de
Sun Jul 17 11:04:39 UTC 2011


* Mikael Abrahamsson:

> On Sun, 17 Jul 2011, Florian Weimer wrote:
>
>> Interesting, thanks.  It's not the vendors I would expect, and it's
>> not based on SEND (which is not surprising at all and actually a
>> good thing).
>
> Personally I think SEND is never going to get any traction.

Last time, I was told that SEND was the way to go, despite not
actually fixing anything.  This mess is even worse than SCTP.

>> Is this actually secure in the sense that it ties addresses to
>> specific ports for both sending and receiving?  I'm asking because
>> folks have built similar systems for IPv4 which weren't.  The CLI
>> screenshots look good, better than what most folks achieve with
>> IPv4.
>
> As far as I know, it's designed to work securely in an ETTH scenario,
> which implies both sending and receiving (if I understood you
> correctly).

And it would also plug the NDP DoS vector because you've got a small
set of addresses you need to process.  Let's hope this gets buy-in
from more vendors (and across the whole switch product lines, please),
with full interoperability.
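Added illustration (not part of the list post, and not vendor code): a small Python model of the neighbor-cache exhaustion vector the message refers to, and of why binding a link's addresses to access ports leaves the router with only a bounded set of addresses to resolve. The router, link prefix, cache size and traffic are all constructed; the "bound address" set stands in for whatever the switch learns per port.

```python
"""Model of IPv6 neighbor-cache exhaustion and the address-binding mitigation.

Constructed example: the prefix, capacity, hosts and traffic below are made up
to keep the model readable; nothing here sends packets.
"""
import ipaddress
from collections import OrderedDict

CACHE_CAPACITY = 8  # constructed: a tiny bound so the effect is visible
LINK_PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix
LEGIT_HOSTS = frozenset({LINK_PREFIX[1], LINK_PREFIX[2]})  # constructed hosts


class NeighborCache:
    """Minimal model of a router's per-link neighbor cache.

    A packet to an on-link destination that is not yet resolved creates an
    INCOMPLETE entry while the router solicits the neighbor. Without any bound
    on which addresses may exist on the link, traffic aimed at unused
    addresses across the /64 fills the cache with INCOMPLETE entries and
    legitimate hosts can no longer be resolved.
    """

    def __init__(self, capacity, bound_addresses=None):
        self.capacity = capacity
        self.entries = OrderedDict()  # address -> state
        # Mitigation: the set of addresses the access layer has bound to
        # ports. None models the classic, unbound behaviour.
        self.bound = None if bound_addresses is None else frozenset(bound_addresses)
        self.dropped_unbound = 0
        self.dropped_full = 0

    def forward(self, dst):
        """Return True if the packet gets (or already has) a cache entry."""
        if self.bound is not None and dst not in self.bound:
            # No port is bound to this address, so there is no neighbor to
            # solicit: drop before the cache is touched.
            self.dropped_unbound += 1
            return False
        if dst in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.dropped_full += 1
            return False
        self.entries[dst] = "INCOMPLETE"
        return True

    def incomplete_entries(self):
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")


def sweep_traffic(prefix, count):
    """Constructed sample traffic: packets to `count` unused addresses in the prefix."""
    return [prefix[0x1000 + i] for i in range(count)]


def run_scenario(bound):
    """Replay the sweep against a router with or without address binding."""
    cache = NeighborCache(CACHE_CAPACITY, LEGIT_HOSTS if bound else None)
    for dst in sweep_traffic(LINK_PREFIX, 100):
        cache.forward(dst)
    # After the sweep, can a legitimate host still be resolved?
    legit_ok = cache.forward(LINK_PREFIX[1])
    return {
        "legit_ok": legit_ok,
        "incomplete": cache.incomplete_entries(),
        "dropped_full": cache.dropped_full,
        "dropped_unbound": cache.dropped_unbound,
    }


if __name__ == "__main__":
    print("unbound:", run_scenario(bound=False))
    print("bound:  ", run_scenario(bound=True))
```

With no binding, the sweep fills all eight slots with INCOMPLETE entries and the later packet to a real host is dropped; with binding, every sweep packet is rejected before it reaches the cache and the real host resolves normally. A real switch also has to enforce the binding on the sending side (source address per port), which this router-side model does not cover.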
More information about the NANOG mailing list