On Fri, Mar 11, 2011 at 8:14 PM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
It's the same thing that happens if you toss a /8 on an IPv4 LAN and start banging away at the ARP table, while expecting all of your legitimate hosts within that /8 to continue working correctly. We all know that's crazy, right?
This is a valid concern. However...
How is it suddenly less crazy to put an even larger subnet on an IPv6 LAN without gaining any direct benefits from doing so? [...]
This is not a valid statement. I understand that you don't value the benefits we find with /64 or less, but we find value there, and it's really important to us, and they're things which were explicitly hoped for and planned for with IPv6 transition.

The problem you pointed out, with a single host overrunning switch tables, can be outsmarted rather than brute forced by mandating small enough subnets that it doesn't exist.

If we presume that the originating host doesn't fake its layer 2 MAC as it's faking its layer 3 address, it's pretty trivial; you build in a software option that puts a maximum number of IPs per MAC. You balance virtualization cluster size limits with preemptive defense against this type of DoS when you do that, but balance points around 1E2 to 1E3 seem to me to be able to handle that just fine. You build in an override for switches / L2 gateways, or by port, or whatever other tuning mechanisms make sense (default to 10, override for your VMware cluster box and your switches...).

If the originating host does try to fake its layer 2 MAC, you can detect new floods of new MACs via existing mechanisms. Plenty of port MAC map / allowed MAC mechanisms already exist for basic LAN security purposes. You just dump the fake MACs on the floor.

The world is not perfect, and I'm sure there are still new vulnerabilities out there. But we can smart this one. If we can't smart this one, I'll be extremely surprised and disappointed.

--
-george william herbert
george.herbert@gmail.com
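As an added illustration (not code from the thread or from any vendor), a constructed Python model of the two mitigations George proposes: a per-MAC cap on learned addresses with per-host overrides, plus a per-port cap on new MACs for the forged-MAC case. The interface names, MAC addresses, cap values and traffic mix are all assumptions.

```python
from collections import defaultdict

# Constructed model of a per-MAC neighbor cap plus a per-port MAC cap.
# Not a real switch or router implementation; caps and names are assumptions.
class NeighborTable:
    def __init__(self, max_ips_per_mac=10, max_macs_per_port=8, overrides=None):
        self.max_ips_per_mac = max_ips_per_mac
        self.max_macs_per_port = max_macs_per_port
        self.overrides = overrides or {}          # mac -> raised cap (VM hosts)
        self.ips_by_mac = defaultdict(set)
        self.macs_by_port = defaultdict(set)
        self.dropped = {"ip_cap": 0, "mac_cap": 0}

    def learn(self, port, mac, ip):
        """Admit the (port, mac, ip) binding, or drop it under a cap."""
        macs = self.macs_by_port[port]
        if mac not in macs and len(macs) >= self.max_macs_per_port:
            self.dropped["mac_cap"] += 1          # flood of new MACs on a port
            return False
        ips = self.ips_by_mac[mac]
        if ip not in ips and len(ips) >= self.overrides.get(mac, self.max_ips_per_mac):
            self.dropped["ip_cap"] += 1           # one MAC sweeping the /64
            return False
        macs.add(mac)
        ips.add(ip)
        return True

    def size(self):
        return sum(len(s) for s in self.ips_by_mac.values())


def simulate():
    """Five ordinary hosts, one VM host with an override, one abusive host."""
    t = NeighborTable(overrides={"00:00:00:00:00:aa": 200})
    for i in range(5):                            # ordinary hosts, one IP each
        t.learn("ge-0/0/1", f"02:00:00:00:00:{i:02x}", f"2001:db8::{i + 1:x}")
    for i in range(150):                          # VM host, many IPs, raised cap
        t.learn("ge-0/0/2", "00:00:00:00:00:aa", f"2001:db8::a:{i:x}")
    for i in range(5000):                         # one MAC, thousands of IPs
        t.learn("ge-0/0/3", "02:ff:00:00:00:01", f"2001:db8::f:{i:x}")
    for i in range(1000):                         # then forged MACs, one IP each
        t.learn("ge-0/0/3", f"02:ff:ee:00:{i >> 8:02x}:{i & 255:02x}", f"2001:db8::e:{i:x}")
    return t


if __name__ == "__main__":
    t = simulate()
    print(t.size(), t.dropped)                    # 172 {'ip_cap': 4990, 'mac_cap': 993}
```

The table stays at 172 entries regardless of how many addresses or MACs the abusive host cycles through, while the ordinary hosts and the overridden VM host are fully learned.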