Neighbor Cache Exhaustion, was Re: Question about IPAM tools for v6

Fernando Gont fernando at gont.com.ar
Fri Jan 31 16:18:18 CET 2014


On 01/31/2014 11:16 AM, Enno Rey wrote:
> Hi Guillaume,
> 
> willing to share your lab setup / results? We did some testing
> ourselves in a Cisco-only setting and couldn't cause any problems.
> [for details see here:
> http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1/]
>
>  After that I asked for other practical experience on the
> ipv6-hackers mailing list, but got no responses besides some "I heard
> this is a problem in $SOME_SETTING" and references to Jeff Wheeler's
> paper (which works on the - wrong - assumption that an "incomplete"
> entry can stay in the cache for a long time, which is not true for
> stacks implementing ND in conformance with RFC 4861). So your
> statement is actually the first first-hand proof of NCE being a
> real-world problem I ever hear of. thanks in advance for any
> additional detail.

Are we talking about Ciscos, specifically?

I recall reproducing this sort of thing on BSDs, Linux, and Windows.

Note: In some cases, the problem is that even when the entries in the
INCOMPLETE state are timeout, if the rate is lower than the rate at
which you "produce" them, it's still a problem.

Too bad -- we do have plenty of experience with this.. e.g., managing
the IP reassembly queue.

Thanks,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






More information about the ipv6-ops mailing list