nanog mailing list archives
Re: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Sun, 17 Jul 2011 13:35:41 -0400
On Sun, Jul 17, 2011 at 11:42 AM, William Herrin <bill () herrin us> wrote:
> My off-the-cuff naive solution to this problem would be to discard the oldest incomplete solicitation to fit the new one and, upon receiving an apparently unsolicited response to a discarded solicitation, restart the process flagging that particular query non-discardable.

Do you mean to write, "flagging that ND entry non-discardable?" Once the ND entry is in place, it should not be purged for quite some time (configurable is a plus), on the order of minutes or hours. Making them "permanent" would, however, cause the ND table to eventually become full when foolish things like frequent source address changes for "privacy" are in use, many clients are churning in and out of the LAN, etc.

> Where does this naive approach break down?

It breaks down because the control-plane can't handle the relatively small number of punts which must be generated in order to send ND solicits, and without the ability to install "incomplete" entries into the data-plane, those punts cannot be policed without, by design, discarding some "good" punts along with the "bad" punts resulting from DoS traffic.

-- 
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator / Innovative Network Concepts
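The following is an added illustration of the exchange above; it is not code from the thread, from NANOG, or from any vendor. It models Herrin's proposal (a bounded neighbor cache that discards the oldest incomplete entry when full, and reinstates a target as non-discardable when a reply to a discarded solicitation arrives later) and Wheeler's objection (a punt policer in front of the control plane cannot distinguish good punts from bad ones, so it sheds both in proportion). Cache sizes, host names, flood rates and the `discard_memory` bound are all constructed assumptions for the model.

```python
"""Toy model of an IPv6 neighbor cache under a flood of neighbor solicitations
for on-link addresses that never answer (the NDP DoS discussed in the thread).

Added example, not code from the NANOG thread or any router implementation.
Capacities, host names and rates below are constructed for illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


@dataclass
class Entry:
    state: str
    created: int
    discardable: bool = True


class NeighborCache:
    def __init__(self, capacity, discard_memory=64):
        self.capacity = capacity
        self.entries = OrderedDict()          # insertion order == age
        # Targets whose solicitation was discarded, so a late reply can be
        # recognised. This is extra state Herrin's scheme needs; the bound
        # (discard_memory) is an assumption of this model, not of the thread.
        self.discarded = OrderedDict()
        self.discard_memory = discard_memory
        self.evictions = 0

    def _remember_discard(self, target):
        self.discarded[target] = True
        while len(self.discarded) > self.discard_memory:
            self.discarded.popitem(last=False)

    def _evict_oldest_incomplete(self):
        victim = next((t for t, e in self.entries.items()
                       if e.state == INCOMPLETE and e.discardable), None)
        if victim is None:
            return False                      # only protected entries remain
        del self.entries[victim]
        self._remember_discard(victim)
        self.evictions += 1
        return True

    def solicit(self, target, now):
        """Traffic for an unresolved neighbor: create an INCOMPLETE entry.
        Returns True if a solicitation was (notionally) sent."""
        if target in self.entries:
            return False
        if len(self.entries) >= self.capacity and not self._evict_oldest_incomplete():
            return False
        self.entries[target] = Entry(INCOMPLETE, now)
        return True

    def advertise(self, target, now):
        """Neighbor advertisement received from target."""
        entry = self.entries.get(target)
        if entry is not None:
            entry.state = REACHABLE
            return "resolved"
        if target in self.discarded:
            # Herrin: an apparently unsolicited reply to a discarded solicit
            # brings the entry back, flagged so eviction will skip it.
            del self.discarded[target]
            if len(self.entries) >= self.capacity and not self._evict_oldest_incomplete():
                return "refused"
            self.entries[target] = Entry(REACHABLE, now, discardable=False)
            return "reinstated"
        return "ignored"   # no matching solicit: drop, as RFC 4861 7.2.5 says


def run_flood(capacity=8, live_hosts=("h1", "h2", "h3"), junk_per_tick=20, ticks=9):
    """One live host is contacted per tick (it answers one tick later) while
    junk solicitations for non-existent addresses arrive every tick."""
    cache = NeighborCache(capacity)
    pending = []                              # (tick_due, host) replies
    for now in range(ticks):
        for _, host in [p for p in pending if p[0] == now]:
            cache.advertise(host, now)
        pending = [p for p in pending if p[0] > now]
        host = live_hosts[now % len(live_hosts)]
        if cache.solicit(host, now):
            pending.append((now + 1, host))
        for i in range(junk_per_tick):        # constructed flood traffic
            cache.solicit(f"junk-{now}-{i}", now)
    return cache


def live_entries(cache):
    return sorted(t for t, e in cache.entries.items() if e.state == REACHABLE)


def police_punts(rate, good, bad):
    """Wheeler's point: with no INCOMPLETE entries in the data plane, every
    packet for an unresolved neighbor punts identically, so a policer can
    only shed punts blindly. Returns the good and bad punts that survive."""
    total = good + bad
    if total <= rate:
        return good, bad
    return good * rate / total, bad * rate / total


if __name__ == "__main__":
    c = run_flood()
    print("resolved live hosts:", live_entries(c), "evictions:", c.evictions)
    print("punts surviving a 1000/s policer (100 good, 9900 bad):",
          police_punts(1000, 100, 9900))
```

Two caveats fall out of the model: the "discarded" memory is state the router must keep in addition to the cache, and once the cache fills with resolved, non-discardable entries, `solicit()` starts refusing new neighbors altogether, which is exactly why Wheeler wants resolved entries to age out after minutes or hours rather than be permanent.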