IPv6 Netowrk Device Numbering BP

• Previous message (by thread): IPv6 Netowrk Device Numbering BP
• Next message (by thread): IPv6 Netowrk Device Numbering BP
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Nov 1, 2012, at 4:41 PM, "Miquel van Smoorenburg" <mikevs at xs4all.net> wrote:

> In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1 at delong.com> you write:
>> There are better ways to avoid neighbor exhaustion attacks unless you
>> have attackers
>> inside your network.
> 
> You mean filtering. I haven't tried it recently, but a while ago
> I put an output filter on a Juniper router that allowed just
> the lower /120 out of a /64 on an interface. What happened was that
> neighbor discovery happened /before/ filtering. I should probably
> test that against recent JunOS releases, but that was a firm
> reason to go with a /120 instead of a filter. Besides, configuring
> a /120 is way less work than a filter per interface (yes we
> do have per-interface filters but they're kind of generic).
> 

I mean assign your point to points from a particular /48 within your /32 or
a particular /56 within your /48 or whatever is appropriate to your situation.

Then, at your borders, filter that entire /48 or /56 or whatever it is so that
people outside simply aren't allowed to send packets to your point to point links
at all.

>> Even if you're going to do something silly like use /120s on interfaces,
>> I highly
>> recommend going ahead and reserving the enclosing /64 so that when you discover
>> /120 wasn't the best idea, you can easily retrofit.
> 
> Sure, we do that, as soon as router vendors solve the NDP CE attack
> problem we'll go back to /64s.
> 

FWIW, the NDP CE attack doesn't yield much in the way of incentives to most
attackers. As a DOS, it only prevents new nodes from joining the networks
attached to the router and they can generally only attack the NC of the
upstream router closer to them on each link, not the more distant one.

Since core routers tend to have pretty stable neighbor relations, the
actual attack surface in the real world is relatively small and there are
far more effective DOS vectors available.

Nonetheless, defense in depth is the right approach, but, do it in the
way that requires the least maintenance effort on your part. Filtering
an entire range of P2P links at the borders is about as low maintenance
as it gets. (Again, this is assuming you don't have to deal with
attackers inside your borders).

If you are a university, things get more complicated because your job
is to have attackers (or at least potential attackers) inside your
borders.

If you're not a university, then if you have attackers inside your
borders, you probably have bigger problems than NDP CE.

Owen

• Previous message (by thread): IPv6 Netowrk Device Numbering BP
• Next message (by thread): IPv6 Netowrk Device Numbering BP
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]