----- Original Message -----
From: "Iljitsch van Beijnum" <iljitsch@muada.com>
On 4 feb 2011, at 22:02, Dave Cardwell wrote:
Without wanting to get into whether NAT provides security to hosts that exist on the inside. I am curious if the potential to overflow ND caches with incomplete* entries exists on currently shipping CPE hardware and if NAT helps prevent this?
e.g. In v4 with a /24 on the inside an attacker can send a single packet to each consecutive address causing at most 254 arp requests to be sent on the lan segment and upto 253 incomplete entries, until they timeout. In v6 with a /64 on the inside it seems like the same tactic would lead to more outstanding ND requests than any realistically sized cache would support.
Ok, I had a hard time making up my mind whether a sarcastic or a factual response was in order...
I see you decided to go with "sarcastic".
This is of course a very big problem, and one of the reasons why everyone who's tried IPv6 immediately turns it off again: script kiddies are continuously scanning the entire IPv6 address space so this happens to regular IPv6 users all the time.
I'm sure it's clear to you that "no one's doing it now" is not a valid response to prophylactic secure network planning...
Since this is a problem that is inherent to the ND protocol that is impossible to fix without modifying the IPv6 standards significantly, the easiest way to solve this with the least amount of impact to applications, the ability to host services and the end-to-end model in particular is to use a single public IPv6 address and NAT all local stuff behind it.
So, you're not going to actually address the problem seriously? Got it. Cheers, -- jra