Question about IPAM tools for v6

[Alexandru Petrescu]

Messages cités pour référence (si rien alors fin de message) : Le 
31/01/2014 16:13, Fernando Gont a écrit :
> On 01/31/2014 10:59 AM, Aurélien wrote:
>> I personnally verified that this type of attack works with at least one
>> major firewall vendor, provided you know/guess reasonably well the
>> network behind it. (I'm not implying that this is a widespread attack type).
>>
>> I also found this paper: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>>
>> I'm looking for other information sources, do you know other papers
>> dealing with this problem ? Why do you think this is FUD ?
> The attack does work. But the reason it works is because the
> implementations are sloppy in this respect: they don't enforce limits on
> the size of the data structures they manage.
>
> The IPv4 subnet size enforces an artificial limit on things such as the
> ARP cache. A /64 removes such artificial limit. However, you shouldn't
> be relying on such limit. You should a real one in the implementation
> itself.
>
> And it's not just the NC. There are implementations that do not limit
> the number of addresses they configure, that do not limit the number of
> entries in the routing table, etc.

There are some different needs with this limitation.

It's good to rate-limit a protocol exchange (to avoid dDoS), it's good 
to limit the size of the buffers (to avoid buffer overflows), but it may 
be arguable whether to limit the dynamic sizes of the instantiated data 
structures, especially when facing requirements of scalability - they'd 
rather be virtually infinite, like in virtual memory.

This is not a problem of implementation, it is a problem of unspoken 
assumption that the subnet prefix is always 64.  It is unspoken because 
it is little required (almost none) by RFCs.  Similarly as when the 
router of the link is always the .1.

Speaking of scalability - is there any link layer (e.g. Ethernet) that 
supports 2^64 nodes in the same link?  Any deployed such link? I doubt so.

I suppose the largest number of nodes in a single link may reach 
somewhere in the thousands of nodes, but not 2^64.

The limitation on the number of nodes on the single link comes not only 
from the access contention algorithms, but from the implementation of 
the core of the highest performance switches; these are limited in terms 
of bandwidth.  With these figures in mind, one realizes that it may be 
little reasonable to imagine subnets of maximum size 2^64 nodes.

Alex

>
> If you want to play, please take a look at the ipv6toolkit:
> <http://www.si6networks.com/tools/ipv6toolkit>. On the same page, you'll
> also find a PDF that discusses ND attacks, and that tells you how to
> reproduce the attack with the toolkit.
>
> Besides, each manual page of the toolkit (ra6(1), na6(1), etc.) has an
> EXAMPLES section that provides popular ways to run each tool.
>
> Thanks!
>
> Cheers,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3898 bytes
Desc: Signature cryptographique S/MIME
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20140131/d880d1b4/attachment.bin