Re: Using IPv6 with prefixes shorter than a /64 on a LAN

[Owen DeLong <owen () delong com>]

On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:

> On 24/01/2011 22:41, Michael Loftis wrote:
> > On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps () maine edu>  wrote:
> >
> > > Many cite concerns of potential DoS attacks by doing sweeps of IPv6
> > > networks.  I don't think this will be a common or wide-spread problem.
> > >  The general feeling is that there is simply too much address space
> > > for it to be done in any reasonable amount of time, and there is
> > > almost nothing to be gained from it.
> >
> > The problem I see is the opening of a new, simple, DoS/DDoS scenario.
> > By repetitively sweeping a targets /64 you can cause EVERYTHING in
> > that /64 to stop working by overflowing the ND/ND cache, depending on
> > the specific ND cache implementation and how big it is/etc.  Routers
> > can also act as amplifiers too, DDoSing every host within a multicast
> > ND directed solicitation group (and THAT is even assuming a correctly
> > functioning switch thats limiting the multicast travel)

I love this term... "repetitively sweeping a targets /64".

Seriously? Repetitively sweeping a /64? Let's do the math...

2^64 = 18,446,744,073,709,551,616 IP addresses.

Let's assume that few networks would not be DOS'd by a 1,000 PPS
storm coming in so that's a reasonable cap on our scan rate.

That means sweeping a /64 takes 18,446,744,073,709,551 sec.
(rounded down).

There are 86,400 seconds per day.

18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.

Rounding a year down to 365 days, that's 584,942,417
years to sweep the /64 once.

If we increase our scan rate to 1,000,000 packets
per second, it still takes us 584,942 years to sweep
a /64.

I don't know about you, but I do not expect to live long
enough to sweep a /64, let alone do so repetitively.

Owen