Internet Edge Router replacement - IPv6 route tablesizeconsiderations

George Herbert george.herbert at gmail.com
Sat Mar 12 02:25:48 CST 2011


On Fri, Mar 11, 2011 at 8:14 PM, Jeff Wheeler <jsw at inconcepts.biz> wrote:
> It's the same thing that happens if you toss a /8 on an IPv4 LAN and
> start banging away at the ARP table, while expecting all of your
> legitimate hosts within that /8 to continue working correctly.  We all
> know that's crazy, right?

This is a valid concern.  However...

> How is it suddenly less crazy to put an
> even larger subnet on an IPv6 LAN without gaining any direct benefits
> from doing so?  [...]

This is not a valid statement.  I understand that you don't value the
benefits we find with /64 or less, but we find value there, and it's
really important to us, and they're things which were explicitly hoped
for and planned for with IPv6 transition.

The problem you pointed out, with a single host overrunning switch
tables, can be outsmarted rather than brute forced by mandating small
enough subnets that it doesn't exist.

If we presume that the originating host doesn't fake its' layer 2 MAC
as it's faking its layer 3 address, it's pretty trivial; you build in
a software option that puts a maximum number of IPs per MAC.  You
balance virtualization cluster size limits with preemptive defense
against this type of DOS when you do that, but balance points around
1E2 to 1E3 seem to me to be able to handle that just fine.  You build
in an override for switches / L2 gateways, or by port, or whatever
other tuning mechanisms make sense (default to 10, override for your
VMware cluster box and your switches...).

If the originating host does try to fake its layer 2 MAC, you can
detect new floods of new MACs via existing mechanisms.  Plenty of port
MAC map / allowed MAC mechanisms already exist for basic LAN security
purposes.  You just dump the fake MACs on the floor.

The world is not perfect, and I'm sure there are still new
vulnerabilities out there.  But we can smart this one.  If we can't
smart this one, I'll be extremely surprised and disappointed.


-- 
-george william herbert
george.herbert at gmail.com




More information about the NANOG mailing list