NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

Jeff Wheeler jsw at inconcepts.biz
Sun Jul 17 17:35:41 UTC 2011


On Sun, Jul 17, 2011 at 11:42 AM, William Herrin <bill at herrin.us> wrote:
> My off-the-cuff naive solution to this problem would be to discard the
> oldest incomplete solicitation to fit the new one and, upon receiving
> an apparently unsolicited response to a discarded solicitation,
> restart the process flagging that particular query non-discardable.

Do you mean to write, "flagging that ND entry non-discardable?"  Once
the ND entry is in place, it should not be purged for quite some time
(configurable is a plus), on the order of minutes or hours.  Making
them "permanent" would, however, cause the ND table to eventually
become full when foolish things like frequent source address changes
for "privacy" are in use, many clients are churning in and out of the
LAN, etc.

> Where does this naive approach break down?

It breaks down because the control-plane can't handle the relatively
small number of punts which must be generated in order to send ND
solicits, and without the ability to install "incomplete" entries into
the data-plane, those punts cannot be policed without, by design,
discarding some "good" punts along with the "bad" punts resulting from
DoS traffic.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
