On Jan 6, 2011, at 7:13 PM, Jeff Wheeler wrote:

> On Thu, Jan 6, 2011 at 9:24 PM, Joe Greco <jgreco@ns.sol.net> wrote:
>
>> With today's implementations of things? Perhaps. However, you show yourself equally incapable of grasping the real problem by looking at the broader picture, and recognizing that problematic issues such as finding hosts on a network are very solvable problems, and that we are at an early enough phase of IPv6 that we can even expect some experiments will be tried.
>>
>> Look beyond what _is_ today and see if you can figure out what it _could_ be. There's no need for what I suggest to DoS a router; that's just accepting a naive implementation and saying "well this can't be done because this one way of doing it breaks things." It is better to look for a way to fix the problem.
>
> Actually, unlike most posters on this subject, I have a very good understanding of how everything works "under the hood." For this reason, I also understand what is possible given the size of a /64 subnet and the knowledge that we will never have adjacency tables approaching this size.
>
> If you are someone who thinks, oh, those Cisco and Juniper developers will figure this out, they just haven't thought about it hard enough yet, I can understand why you believe that a simple fix like "no ip directed-broadcast" is on the horizon. Unfortunately, it is not. The only thing they can do is give more mitigation knobs to allow operators to choose our failure modes and thresholds. To really fix it, you need a smaller subnet or a radical protocol change that will introduce a different set of problems.
I think I have a pretty good understanding of what happens under the hood, too. The reality is that what you say is theoretically possible, but not terribly practical from an attacker perspective. It's pretty trivial to block these attacks out from threats outside your network, or at least severely limit the number of attackable addresses within the individual network. Smaller network segments are not necessary to reduce the attackable profile of the network segment. Yes, a determined host within your network segment can DoS the network segment this way. Guess what... If you've got a determined attacker on your network segment, you've already lost on multiple other levels, so this might even be a feature. As such, while the issue you bring up can be a problem for a poorly administered network, I think you overstate its viability as an attack vector in most real world instances.

Owen