I think we're losing focus on the discussion here. The core issue here is that ND tables have a finite size, just like ARP tables. Making an unsolicited request to a subnet will cause ND on the router to try and reach find the host. This can be a problem with subnets as small as 1024 (I constantly find people using Linux-based routers, for example, running with the kernel default ARP table of 127 instead of bumping it up to a sane and network appropriate level). I don't believe that using smaller IPv6 prefixes is an appropriate response to the problem. In time, we will likely see protection mechanisms come from vendors. Perhaps disabling the ability for routers to solicit ND and just depend on connected hosts to announce their presence would be sufficient. Perhaps not. It is something that needs to be looked into, just like DAD DoS attacks, and rogue RA on the LAN. But it has little to do with prefix length. When it comes down to it. I find it hard to justify attempting to mitigate this DoS vector by using longer prefixes. There are many many more useful and effective DoS vectors that are lower-hanging fruit. And the lowest hanging fruit always wins. On Tue, Jan 25, 2011 at 1:42 PM, Owen DeLong <owen@delong.com> wrote:
On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:
On 24/01/2011 22:41, Michael Loftis wrote:
On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy<rps@maine.edu> wrote:
Many cite concerns of potential DoS attacks by doing sweeps of IPv6 networks. I don't think this will be a common or wide-spread problem. The general feeling is that there is simply too much address space for it to be done in any reasonable amount of time, and there is almost nothing to be gained from it.
The problem I see is the opening of a new, simple, DoS/DDoS scenario. By repetitively sweeping a targets /64 you can cause EVERYTHING in that /64 to stop working by overflowing the ND/ND cache, depending on the specific ND cache implementation and how big it is/etc. Routers can also act as amplifiers too, DDoSing every host within a multicast ND directed solicitation group (and THAT is even assuming a correctly functioning switch thats limiting the multicast travel)
I love this term... "repetitively sweeping a targets /64".
Seriously? Repetitively sweeping a /64? Let's do the math...
2^64 = 18,446,744,073,709,551,616 IP addresses.
Let's assume that few networks would not be DOS'd by a 1,000 PPS storm coming in so that's a reasonable cap on our scan rate.
That means sweeping a /64 takes 18,446,744,073,709,551 sec. (rounded down).
There are 86,400 seconds per day.
18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.
Rounding a year down to 365 days, that's 584,942,417 years to sweep the /64 once.
If we increase our scan rate to 1,000,000 packets per second, it still takes us 584,942 years to sweep a /64.
I don't know about you, but I do not expect to live long enough to sweep a /64, let alone do so repetitively.
Owen
-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/