Question about IPAM tools for v6
Alexandru Petrescu
alexandru.petrescu at gmail.com
Fri Jan 31 15:00:09 CET 2014
Messages quoted for reference (if none, then end of message): On
31/01/2014 14:07, Ole Troan wrote:
>>> Consensus around here is that we support DHCPv6 for non-/64 subnets
>>> (particularly in the context of Prefix Delegation), but the immediate
>>> next question is "Why would you need that?"
>> /64 netmask opens up nd cache exhaustion as a DoS vector.
> FUD.
Sigh... as usual with brief statements it's hard to see clearly.
I think ND attacks may be eased by an always-same prefix length (64).
Some attacks may be using unsolicited NAs to deny others configuring a
particular address. That's easier if the attacker assumes the prefix
length were, as usual, 64.
Additionally, an always-64 prefix length gives a _scanning_ perspective
to the security dimension, as per section 2.2 "Target Address Space for
Network Scanning" of RFC5157.
As a side note, security is not the only reason why people would like to
configure prefixes longer than 64 on some subnets... some of the most
obvious being the address exhaustion at the very edge.
Alex
>
> cheers,
> Ole