Question about IPAM tools for v6

Nick Hilliard nick at foobar.org
Sat Feb 1 14:14:55 CET 2014


>> /64 netmask opens up nd cache exhaustion as a DoS vector.
> 
> FUD.

I probably should have qualified this statement a little better before
posting it.

Large locally-connected l2 domains can open up nd cache
exhaustion and many other problems as DoS vectors if the operating systems
connected to these domains do not have resource exhaustion limitations
built in, or they are built in but not configured properly.

In particular, the large address space prevents operating systems from
implementing certain types of mitigation mechanisms that might be possible
with ipv4 (e.g. slot based rate limiting).  The ND rate limiters that I've
tested all cause collateral connectivity problems as they place all ND
floods from all hosts in the same RL bucket.

While some aspects of this problem are more generic and not specifically
related to the address domain size (i.e. they're similar to what's already
seen on ipv4), the fact that the addressing domain is so large does not
help either the o/s implementer or the operator and the issues relating to
ND flooding of whatever sort (NS/RA/etc) are something that explicitly need
to be understood by both the o/s implementer and the network operator
because otherwise connectivity problems can occur in production.

Nick
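To make the exhaustion argument above concrete, here is an added toy simulation; it is not part of the original post and is not a real ND implementation. It models a router-side neighbour cache facing a /64 (the documentation prefix 2001:db8:0:1::/64 is assumed), an off-link attacker sweeping random interface IDs, and one legitimate on-link host, and compares an unbounded cache, a capped cache, and a cache with a single global per-tick NS budget (the "everyone in one bucket" rate limiter). The tick length, the INCOMPLETE and REACHABLE lifetimes, the cap of 1024 entries and the budget of 500 NS per tick are all illustrative assumptions.

```python
"""Toy model of IPv6 neighbour-cache (ND) exhaustion on a router with a /64.

Constructed example: timings, limits and the cache itself are simplified
assumptions for illustration, not any operating system's ND code.  One tick
is treated as roughly one second.
"""
import ipaddress
import random

PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix (assumed)
LEGIT_HOST = PREFIX[1]   # a host that really exists on the link and answers NS
INCOMPLETE_TTL = 3       # ticks an unanswered entry stays INCOMPLETE (assumed)
REACHABLE_TTL = 5        # ticks a resolved entry stays REACHABLE (assumed)


class NeighborCache:
    """Router-side ND cache with an optional entry cap and an optional single
    global budget of Neighbor Solicitations per tick shared by every flow."""

    def __init__(self, max_entries=None, ns_per_tick=None):
        self.max_entries = max_entries
        self.ns_per_tick = ns_per_tick
        self.entries = {}             # addr -> (state, expires_at_tick)
        self.tick = 0
        self.ns_sent = 0              # NS sent in the current tick
        self.dropped_full = 0         # packets refused because the cache was full
        self.dropped_ratelimit = 0    # NS suppressed because the budget was spent

    def advance(self):
        """Start a new tick: refill the NS budget and expire old entries."""
        self.tick += 1
        self.ns_sent = 0
        self.entries = {a: e for a, e in self.entries.items() if e[1] > self.tick}

    def lookup_or_resolve(self, addr, answers):
        """Return True if a packet to addr can be forwarded in this tick.
        `answers` says whether a host actually owns addr and replies to NS."""
        entry = self.entries.get(addr)
        if entry and entry[0] == "REACHABLE":
            return True
        if entry is None:
            if self.max_entries is not None and len(self.entries) >= self.max_entries:
                self.dropped_full += 1
                return False
            # Every packet to an unknown on-link address costs a cache slot.
            self.entries[addr] = ("INCOMPLETE", self.tick + INCOMPLETE_TTL)
        # Entry is INCOMPLETE: resolution needs an NS, which the global budget may deny.
        if self.ns_per_tick is not None and self.ns_sent >= self.ns_per_tick:
            self.dropped_ratelimit += 1
            return False
        self.ns_sent += 1
        if answers:
            self.entries[addr] = ("REACHABLE", self.tick + REACHABLE_TTL)
            return True
        return False   # nobody answers; the entry lingers as INCOMPLETE until it expires


def random_target():
    """Attacker sweeps the /64 by picking random 64-bit interface identifiers."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) + random.getrandbits(64))


def simulate(max_entries=None, ns_per_tick=None, attack_pps=2000, ticks=30, seed=1):
    """Run the flood for `ticks` ticks and report what happened to the legitimate host."""
    random.seed(seed)
    cache = NeighborCache(max_entries, ns_per_tick)
    legit_ok = legit_failed = 0
    for _ in range(ticks):
        cache.advance()
        # Off-link attacker: attack_pps packets per tick to random on-link addresses.
        for _ in range(attack_pps):
            cache.lookup_or_resolve(random_target(), answers=False)
        # One packet per tick from the outside world to a host that really exists.
        if cache.lookup_or_resolve(LEGIT_HOST, answers=True):
            legit_ok += 1
        else:
            legit_failed += 1
    return {"legit_ok": legit_ok, "legit_failed": legit_failed,
            "cache_size": len(cache.entries),
            "dropped_full": cache.dropped_full,
            "dropped_ratelimit": cache.dropped_ratelimit}


if __name__ == "__main__":
    print("no attack:          ", simulate(attack_pps=0))
    print("unbounded cache:    ", simulate())
    print("cache capped at 1024:", simulate(max_entries=1024))
    print("global 500 NS/tick: ", simulate(ns_per_tick=500))
```

With no limits the cache grows to attack_pps times INCOMPLETE_TTL entries while the legitimate host keeps working, which is the memory-exhaustion case; with a cap the attacker keeps the cache full and the legitimate host can never get a slot; with a single shared NS budget the attacker spends it every tick and the legitimate host's own solicitation is the one that gets suppressed, which is the collateral damage the post refers to.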


