nanog mailing list archives
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
From: Owen DeLong <owen () delong com>
Date: Tue, 25 Jan 2011 10:42:29 -0800
On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:
On 24/01/2011 22:41, Michael Loftis wrote:
On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy <rps () maine edu> wrote:
Many cite concerns of potential DoS attacks by doing sweeps of IPv6 networks. I don't think this will be a common or wide-spread problem. The general feeling is that there is simply too much address space for it to be done in any reasonable amount of time, and there is almost nothing to be gained from it.
The problem I see is the opening of a new, simple, DoS/DDoS scenario. By repetitively sweeping a target's /64 you can cause EVERYTHING in that /64 to stop working by overflowing the ND/ND cache, depending on the specific ND cache implementation and how big it is/etc. Routers can also act as amplifiers too, DDoSing every host within a multicast ND directed solicitation group (and THAT is even assuming a correctly functioning switch that's limiting the multicast travel)
I love this term... "repetitively sweeping a target's /64". Seriously? Repetitively sweeping a /64? Let's do the math...
2^64 = 18,446,744,073,709,551,616 IP addresses.
Let's assume that few networks would not be DOS'd by a 1,000 PPS storm coming in so that's a reasonable cap on our scan rate.
That means sweeping a /64 takes 18,446,744,073,709,551 sec. (rounded down).
There are 86,400 seconds per day.
18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.
Rounding a year down to 365 days, that's 584,942,417 years to sweep the /64 once.
If we increase our scan rate to 1,000,000 packets per second, it still takes us 584,942 years to sweep a /64.
I don't know about you, but I do not expect to live long enough to sweep a /64, let alone do so repetitively.
Owen
