Question about IPAM tools for v6
Aurélien
footplus at gmail.com
Fri Jan 31 14:59:24 CET 2014
On Fri, Jan 31, 2014 at 2:07 PM, Ole Troan <ot at cisco.com> wrote:
> >> Consensus around here is that we support DHCPv6 for non-/64 subnets
> >> (particularly in the context of Prefix Delegation), but the immediate
> >> next question is "Why would you need that?"
> >
> > /64 netmask opens up nd cache exhaustion as a DoS vector.
>
> FUD.
>
>
Hi Ole,
I personally verified that this type of attack works with at least one
major firewall vendor, provided you know/guess reasonably well the network
behind it. (I'm not implying that this is a widespread attack type).
I also found this paper: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
I'm looking for other information sources, do you know other papers dealing
with this problem? Why do you think this is FUD?
Thanks,
--
Aurélien Guillaume