IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

• Previous message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Next message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 29, 2011 at 1:43 AM,  <Valdis.Kletnieks at vt.edu> wrote:
> It's worked for us since 1997.  We've had bigger problems with IPv4 worms

That's not a reason to deny that the problem exists.  It's even
fixable.  I'd prefer that vendors fixed it *before* there were massive
botnet armies with IPv6 connectivity, but in case they don't, I do not
deploy /64.

On Tue, Nov 29, 2011 at 2:20 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> Agreed. While I don't have any good numbers that I can publicly offer up, it
> also intuitively makes sense that there's a greater proportion of IPv4 DDOS
> and resource exhaustion attacks vs IPv6 ones.

Of course.  There are comparably few hosts with IPv6 connectivity.
Bad guys aren't that familiar with IPv6 yet.  Even if they are, their
armies of compromised desktops probably can't launch an effective IPv6
attack yet.  Lack of sources, no way to get nasty IPv6 packets to the
target, or the target has different infrastructure for IPv4 and IPv6
anyway, and taking out the IPv6 one only isn't that beneficial (Happy
Eyeballs features and such.)

Further, the victim can just turn off IPv6 when they start getting
attacked in this way.  And that is exactly what sites will end up
doing, turning off IPv6 because vendors aren't addressing issues like
these.  That doesn't help anyone.

> I imagine the mitigation strategies are similar for both cases though: just
> rate-limit how often your router will attempt neighbor discovery. Are there
> other methods?

Simply rate-limiting the data-plane events that trigger ND resolution
is not good enough.  One very popular platform that is offered with
cards in horizontal or vertical orientation uses the same policer for
ARP and NDP.  That means when you do eventually start getting ND
attacks, it will break your IPv4 services also.

If you want to learn more about this, I have some slides:
http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts

• Previous message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Next message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]