On Nov 1, 2012, at 4:41 PM, "Miquel van Smoorenburg" <mikevs@xs4all.net> wrote:
In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1@delong.com> you write:
>> There are better ways to avoid neighbor exhaustion attacks unless you have attackers inside your network.
> You mean filtering. I haven't tried it recently, but a while ago I put an output filter on a Juniper router that allowed just the lower /120 out of a /64 on an interface. What happened was that neighbor discovery happened /before/ filtering. I should probably test that against recent JunOS releases, but that was a firm reason to go with a /120 instead of a filter. Besides, configuring a /120 is way less work than a filter per interface (yes, we do have per-interface filters, but they're kind of generic).
I mean assign your point-to-points from a particular /48 within your /32, or a particular /56 within your /48, or whatever is appropriate to your situation. Then, at your borders, filter that entire /48 or /56 or whatever it is, so that people outside simply aren't allowed to send packets to your point-to-point links at all.
>> Even if you're going to do something silly like use /120s on interfaces, I highly recommend going ahead and reserving the enclosing /64 so that when you discover /120 wasn't the best idea, you can easily retrofit.
> Sure, we do that. As soon as router vendors solve the NDP CE attack problem we'll go back to /64s.
FWIW, the NDP CE attack doesn't yield much in the way of incentives to most attackers. As a DOS, it only prevents new nodes from joining the networks attached to the router, and they can generally only attack the NC of the upstream router closer to them on each link, not the more distant one. Since core routers tend to have pretty stable neighbor relations, the actual attack surface in the real world is relatively small, and there are far more effective DOS vectors available. Nonetheless, defense in depth is the right approach, but do it in the way that requires the least maintenance effort on your part. Filtering an entire range of P2P links at the borders is about as low maintenance as it gets. (Again, this is assuming you don't have to deal with attackers inside your borders.) If you are a university, things get more complicated because your job is to have attackers (or at least potential attackers) inside your borders. If you're not a university, then if you have attackers inside your borders, you probably have bigger problems than NDP CE.

Owen
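The addressing scheme the two posters converge on (carve all point-to-point links out of one dedicated block, address each link as the bottom /120 of its own reserved /64, and drop traffic to the whole block at the border) can be planned and checked mechanically. The script below is an added example written for this page; it is not code from either poster or from Juniper. The prefixes (2001:db8::/32, the /48 at index 0xffff) are constructed sample values, the function names are my own, and the Junos-style filter text it renders is illustrative of the shape of such a filter, not a verified configuration for any release.

```python
"""Plan point-to-point (P2P) link addressing from a dedicated block, check
it, and render a border filter covering the whole block.

Added example for the thread above, not code from any poster.  Sample
prefixes are constructed; the Junos-style filter syntax is an assumption
and should be checked against the target release before use.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

IPv6Network = ipaddress.IPv6Network
NetLike = Union[str, IPv6Network]


def _as_net(n: NetLike) -> IPv6Network:
    """Accept either a string or an IPv6Network."""
    return n if isinstance(n, IPv6Network) else ipaddress.ip_network(n)


def p2p_block(site_prefix: str, index: int, block_len: int = 48) -> IPv6Network:
    """Return the index-th /block_len inside site_prefix, reserved for P2P links.

    Picking a high index (e.g. 0xffff inside a /32) keeps the P2P block away
    from the /48s handed to customers, so the border filter never collides
    with customer space.
    """
    site = _as_net(site_prefix)
    if block_len < site.prefixlen:
        raise ValueError("block must be longer than the site prefix")
    if index >= 2 ** (block_len - site.prefixlen):
        raise ValueError("index beyond the number of /%d in %s" % (block_len, site))
    return IPv6Network((int(site.network_address) + (index << (128 - block_len)), block_len))


def link_prefixes(block: IPv6Network, count: int, link_len: int = 120) -> List[IPv6Network]:
    """Assign `count` links, one per /64 inside `block`.

    Each link is addressed as the lowest /link_len of its own /64, so the
    enclosing /64 stays reserved and the link can later be widened back to
    a /64 without renumbering (the retrofit the thread talks about).
    """
    if count > 2 ** (64 - block.prefixlen):
        raise ValueError("not enough /64s in %s for %d links" % (block, count))
    base = int(block.network_address)
    return [IPv6Network((base + (i << 64), link_len)) for i in range(count)]


def enclosing_64(link: IPv6Network) -> IPv6Network:
    """The /64 a link would grow into; a link already at or above /64 is itself."""
    return link.supernet(new_prefix=64) if link.prefixlen > 64 else link


def validate(block: IPv6Network, links: Iterable[NetLike]) -> List[str]:
    """Return problems a practitioner would want flagged before deployment:

    * a link outside the block (the border filter would not protect it)
    * two links inside the same /64 (the retrofit to /64 would collide)
    """
    problems: List[str] = []
    seen: Dict[IPv6Network, IPv6Network] = {}
    for raw in links:
        link = _as_net(raw)
        if not link.subnet_of(block):
            problems.append("%s is outside P2P block %s" % (link, block))
            continue
        enc = enclosing_64(link)
        if enc in seen:
            problems.append("%s and %s share /64 %s" % (seen[enc], link, enc))
        else:
            seen[enc] = link
    return problems


def border_filter(block: IPv6Network, name: str = "protect-p2p") -> str:
    """Render a Junos-style inet6 filter dropping outside traffic destined to
    any P2P address.  Intended for external-facing interfaces only, so ND
    between the two ends of each link (which is internal) is never touched.
    Syntax is illustrative (an assumption), not a verified configuration."""
    lines = [
        "firewall {",
        "    family inet6 {",
        "        filter %s {" % name,
        "            term drop-to-p2p {",
        "                from {",
        "                    destination-address {",
        "                        %s;" % block,
        "                    }",
        "                }",
        "                then {",
        "                    count p2p-drops;",
        "                    discard;",
        "                }",
        "            }",
        "            term accept-rest {",
        "                then accept;",
        "            }",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    blk = p2p_block("2001:db8::/32", 0xffff)          # constructed sample site
    plan = link_prefixes(blk, 4)
    for p in plan:
        print("%-24s reserved /64: %s" % (p, enclosing_64(p)))
    print(validate(blk, plan + ["2001:db8:1::/120"]))
    print(border_filter(blk))
```

Note what the filter does and does not do: it blocks packets from outside addressed to the link addresses, so the neighbor-cache exhaustion vector from outside is closed for every link at once, and adding a new link inside the block needs no filter change. Traceroute through the routers still works, since the ICMPv6 Time Exceeded messages originate from the link addresses rather than being sent to them, but pinging a link address from outside will fail, which the thread's poster accepts as the intended trade-off.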