NDP DoS attack
Florian Weimer
fw at deneb.enyo.de
Sun Jul 17 11:04:39 UTC 2011
* Mikael Abrahamsson:
> On Sun, 17 Jul 2011, Florian Weimer wrote:
>
>> Interesting, thanks. It's not the vendors I would expect, and it's
>> not based on SEND (which is not surprising at all and actually a
>> good thing).
>
> Personally I think SEND is never going to get any traction.
Last time, I was told that SEND was the way to go, despite not
actually fixing anything. This mess is even worse than SCTP.
>> Is this actually secure in the sense that it ties addresses to
>> specific ports for both sending and receiving? I'm asking because
>> folks have built similar systems for IPv4 which weren't. The CLI
>> screenshots look good, better than what most folks achieve with
>> IPv4.
>
> As far as I know, it's designed to work securely in an ETTH scenario,
> which implies both sending and receiving (if I understood you
> correctly).
And it would also plug the NDP DoS vector because you've got a small
set of addresses you need to process. Let's hope this gets buy-in
from more vendors (and across the whole switch product lines, please),
with full interoperability.
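An added illustration (not part of the thread, and not any vendor's implementation) of the point in the reply above: a toy model of a router's neighbor cache under packets addressed to random hosts in an on-link /64, once without any binding of addresses to ports and once with a small port-bound set of known addresses. The /64 prefix, the cache size of 1024, and the host address used are constructed sample values.

```python
import ipaddress
import random

PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # constructed on-link prefix
CACHE_LIMIT = 1024  # assumed per-interface neighbor cache size


class NeighborCache:
    """Toy model of a router's IPv6 neighbor cache on one interface."""

    def __init__(self, limit, bound_addresses=None):
        self.limit = limit
        # With port binding, only addresses learned for a port may create state.
        self.bound = (None if bound_addresses is None
                      else {ipaddress.IPv6Address(a) for a in bound_addresses})
        self.entries = {}  # address -> "INCOMPLETE" or "REACHABLE"
        self.dropped = 0

    def forward_to(self, dst):
        """Forward a packet to on-link dst; unknown hosts need an NDP resolution."""
        dst = ipaddress.IPv6Address(dst)
        if dst in self.entries:
            return self.entries[dst]
        if self.bound is not None and dst not in self.bound:
            self.dropped += 1  # unknown address on a bound port: no state created
            return "DROPPED"
        if len(self.entries) >= self.limit:
            self.dropped += 1  # cache exhausted: even legitimate resolutions fail
            return "DROPPED"
        self.entries[dst] = "INCOMPLETE"  # solicitation sent, waiting for NA
        return "INCOMPLETE"

    def neighbor_advertised(self, addr):
        """A neighbor advertisement completes a pending entry."""
        addr = ipaddress.IPv6Address(addr)
        if addr in self.entries:
            self.entries[addr] = "REACHABLE"


def run_scan(cache, n, seed=1):
    """Send n packets to random hosts in PREFIX; return cache entries afterwards."""
    rng = random.Random(seed)
    for _ in range(n):
        cache.forward_to(PREFIX.network_address + rng.getrandbits(64))
    return len(cache.entries)


def legit_host_reachable(cache, host="2001:db8:1::10"):
    """Can a real host (which answers its solicitation) still get an entry?"""
    if cache.forward_to(host) == "INCOMPLETE":
        cache.neighbor_advertised(host)
    return cache.entries.get(ipaddress.IPv6Address(host)) == "REACHABLE"
```

Without binding the scan fills the cache and the real host is no longer resolvable; with the bound set, the scan creates no state at all and the real host still resolves.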
More information about the NANOG mailing list