nanog mailing list archives

Re: NDP DoS attack


From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 17 Jul 2011 13:04:39 +0200

* Mikael Abrahamsson:

> On Sun, 17 Jul 2011, Florian Weimer wrote:
>
>> Interesting, thanks.  It's not the vendors I would expect, and it's
>> not based on SEND (which is not surprising at all and actually a
>> good thing).
>
> Personally I think SEND is never going to get any traction.

Last time, I was told that SEND was the way to go, despite not
actually fixing anything.  This mess is even worse than SCTP.

>> Is this actually secure in the sense that it ties addresses to
>> specific ports for both sending and receiving?  I'm asking because
>> folks have built similar systems for IPv4 which weren't.  The CLI
>> screenshots look good, better than what most folks achieve with
>> IPv4.
>
> As far as I know, it's designed to work securely in an ETTH scenario,
> which implies both sending and receiving (if I understood you
> correctly).

And it would also plug the NDP DOS vector because you've got a small
set of addresses you need to process.  Let's hope this gets buy-in
from more vendors (and across the whole switch product lines, please),
with full interoperability.

_____
NANOG mailing list
NANOG () nanog org
https://mailman.nanog.org/mailman/listinfo/nanog

