Point-to-point /64

Tore Anderson tore at fud.no
Sat Jun 1 22:52:44 CEST 2013


* Arturo Servin

>> What is the problem you are trying to protect against?
> 
> Against scanning the whole /64 and doing a DDoS to the router.

Hmm. The DDoS attack to PTP links would work equally well with /126,
there's no need to "scan the whole /64" - just flood a non-assigned
address with traffic, which will amplify x remaining Hop Limit, probably
saturating the link easily.

If you're instead talking about the ND cache attack to Ethernet links,
you might be able to (depending on the implementation of course) disable
Neighbour Discovery and add static Neighbour cache entries on the
attached routers.

Or just be pragmatic and use /127s...

Tore
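As an added illustration of the two points made above (not part of Tore's post or of any router implementation), the following model compares how a flood of packets to random on-link addresses behaves on a /64, a /126 and a /127 point-to-point link, and with Neighbour Discovery disabled in favour of static neighbour entries. The cache limit, link names and addresses are constructed for the example; the per-interface cache limit in particular is a hypothetical figure, not a value from any vendor. The /127 recommendation for inter-router links comes from RFC 6164 and the cache-exhaustion problem is the one described in RFC 6583.

```python
"""Toy model of Neighbour Discovery (ND) cache exposure on point-to-point links.

Each packet to an on-link address that no router owns makes the receiving
router create an INCOMPLETE ND cache entry; once the (hypothetical) per-link
limit is reached, further resolutions are refused. A /127 has no unowned
addresses, so the flood cannot create entries at all; a /126 can create at
most two, which is why the ND cache is not the /126 problem (the ping-pong
amplification of traffic to an unassigned address is).
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    prefix: ipaddress.IPv6Network
    assigned: frozenset            # addresses actually configured on the two routers
    static_nd: bool = False        # True: ND resolution disabled, static entries only
    nd_cache_limit: int = 1024     # assumed per-link cache limit (hypothetical value)


@dataclass
class FloodResult:
    delivered: int = 0           # packets to an address configured on the link
    incomplete_entries: int = 0  # cache entries created for addresses nobody owns
    queued: int = 0              # packets to an address already being resolved
    refused: int = 0             # packets arriving after the cache was full
    static_dropped: int = 0      # packets to unknown addresses with ND disabled


def make_link(name, prefix, assigned, static_nd=False, nd_cache_limit=1024):
    """Build a Link from string prefix/addresses (constructed example data)."""
    return Link(name, ipaddress.IPv6Network(prefix),
                frozenset(ipaddress.IPv6Address(a) for a in assigned),
                static_nd, nd_cache_limit)


def audit_ptp_prefixes(links):
    """Names of point-to-point links whose prefix is shorter than the /127
    that RFC 6164 recommends for inter-router links."""
    return [link.name for link in links if link.prefix.prefixlen < 127]


def simulate_flood(link, n_packets, seed=0):
    """Send n_packets to uniformly random addresses inside link.prefix and
    account for what the receiving router's ND cache would do with each."""
    rng = random.Random(seed)
    base = int(link.prefix.network_address)
    incomplete = set()  # addresses currently in INCOMPLETE state
    res = FloodResult()
    for _ in range(n_packets):
        dest = ipaddress.IPv6Address(base + rng.randrange(link.prefix.num_addresses))
        if dest in link.assigned:
            res.delivered += 1            # owned address: normal delivery
        elif link.static_nd:
            res.static_dropped += 1       # no resolution attempted, no state kept
        elif dest in incomplete:
            res.queued += 1               # resolution already pending, no new entry
        elif len(incomplete) < link.nd_cache_limit:
            incomplete.add(dest)          # new INCOMPLETE entry consumes cache space
            res.incomplete_entries += 1
        else:
            res.refused += 1              # cache full: resolution refused
    return res


if __name__ == "__main__":
    links = [
        make_link("r1-r2 /64", "2001:db8:0:1::/64",
                  ["2001:db8:0:1::1", "2001:db8:0:1::2"], nd_cache_limit=256),
        make_link("r1-r2 /126", "2001:db8:0:2::/126",
                  ["2001:db8:0:2::1", "2001:db8:0:2::2"], nd_cache_limit=256),
        make_link("r1-r2 /127", "2001:db8:0:3::/127",
                  ["2001:db8:0:3::", "2001:db8:0:3::1"], nd_cache_limit=256),
        make_link("r1-r2 /64 static", "2001:db8:0:4::/64",
                  ["2001:db8:0:4::1", "2001:db8:0:4::2"], static_nd=True,
                  nd_cache_limit=256),
    ]
    print("links shorter than /127:", audit_ptp_prefixes(links))
    for link in links:
        print(link.name, simulate_flood(link, 1000, seed=1))
```

Running the script shows the /64 filling its cache and refusing the remainder of the flood, the /126 creating exactly two entries, the /127 delivering every packet to a real address, and the static-ND link discarding unknown destinations without keeping any state.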