<p>Hi Phillip,</p>
<p>Without having checked this, weren't neighbour solicitations sent with TTL 1 to avoid specifically this problem?<br></p>
<p>Kind regards,</p>
<p>Dimitar Pavlov</p>
<div class="gmail_quote">On Aug 7, 2012 11:08 PM, "Philipp Kern" <<a href="mailto:phil@philkern.de">phil@philkern.de</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
On Sun, Aug 05, 2012 at 08:00:05PM -0700 you wrote:<br>
> The whole concept of blanket ICMP restrictions in v4 was bad, doing it<br>
> for ICMPv6 is really bad.<br>
<br>
I would like to whitelist ICMPv6 to all hosts in our network, even if the<br>
TCP/UDP ports are currently filtered statefully and need explicit whitelisting.<br>
But is there a cunning plan to stop address sweeping attacks that cause a lot<br>
of neighbor solicitations and cache entries? We already have this problem with<br>
IPv4, given that we have quite a bit of unused (legacy) space. Is the only<br>
level to solve that some kind of IDS/IPS? Or is there also a way to rate-limit<br>
such traffic? (Possibly at the expense of some legitimate neighbor<br>
solicitations.)<br>
<br>
Kind regards<br>
Philipp Kern<br>
</blockquote></div>
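<p>As an added example that is not part of this thread: Philipp's question is whether sweeps of unused space can be spotted rather than only rate-limited. The snippet below counts how many distinct target addresses a node solicits per time window from tcpdump-style neighbor-solicitation lines; the line format and the sample capture are constructed here, not taken from a real network.</p>

```python
import re
from collections import defaultdict

# Matches a tcpdump-style NS line such as (format assumed, lines constructed):
#   12:00:01.000123 IP6 fe80::1 > ff02::1:ff00:1234: ICMP6, neighbor solicitation, who has 2001:db8::1234, length 32
NS_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP6 (?P<src>[0-9a-f:]+) > [0-9a-f:]+: "
    r"ICMP6, neighbor solicitation, who has (?P<target>[0-9a-f:]+)"
)

def parse_ns(line):
    """Return (seconds_of_day, soliciting_node, target) for an NS line, else None."""
    m = NS_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["ts"].split(":"))
    return h * 3600 + mi * 60 + s, m["src"], m["target"]

def sweep_candidates(lines, window=10, max_targets=20):
    """Return {soliciting_node: distinct_targets} for nodes that solicited
    more than max_targets distinct addresses inside one window-second bucket.
    The NS source is the node doing the resolving (usually the last-hop
    router), not the remote origin of the sweep: a burst of solicitations for
    many distinct targets from one node is the neighbor-cache-exhaustion
    signature, and the remote origin has to be found in the triggering traffic."""
    buckets = defaultdict(set)          # (node, ts // window) -> {targets}
    for parsed in map(parse_ns, lines):
        if parsed:
            ts, node, target = parsed
            buckets[(node, ts // window)].add(target)
    worst = {}
    for (node, _), targets in buckets.items():
        if len(targets) > max_targets:
            worst[node] = max(worst.get(node, 0), len(targets))
    return worst

# Constructed sample: router fe80::1 resolves 30 consecutive addresses within
# 3 seconds (a sweep of unused space); host fe80::2 resolves two real peers.
SAMPLE = [
    f"12:00:0{i % 3}.{i:06d} IP6 fe80::1 > ff02::1:ff00:{i:x}: ICMP6, "
    f"neighbor solicitation, who has 2001:db8::{i:x}, length 32"
    for i in range(1, 31)
] + [
    "12:00:05.000001 IP6 fe80::2 > ff02::1:ff00:a: ICMP6, neighbor solicitation, who has 2001:db8::a, length 32",
    "12:00:06.000001 IP6 fe80::2 > ff02::1:ff00:b: ICMP6, neighbor solicitation, who has 2001:db8::b, length 32",
]

if __name__ == "__main__":
    for node, n in sweep_candidates(SAMPLE).items():
        print(f"{node}: {n} distinct targets solicited in one {10}s window")
```

<p>Feed it the output of a capture filtered to ICMPv6 type 135 on the router's inside interface; the threshold and window are tuning knobs, and the flagged node is where the rate limit or cache thresholds need to go.</p>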