On Thu, Jan 6, 2011 at 9:31 PM, Owen DeLong <owen@delong.com> wrote:
>> You must understand that policing will not stop the NDCache from becoming full almost instantly under an attack. Since the largest existing routers have about 100k entries at most, an attack can fill that up in *one second.*
>
> If the policing rate is set to ~100 requests per second, or even 1000 requests per second, then I'm not sure why you think this.
With a 100pps policer, it is trivial for an attack to make its NS requests far more likely to make it through the policer than legitimate NS requests that would result in discovering a valid layer-2 mapping. If you are hitting the policer, the subnet is broken. If you don't have a policer, the table is full and ... the subnet is broken. See how it's a problem that isn't solvable with a simple policer?

Note that the Cisco "solution" is indeed a configurable per-interface policer, which is better than nothing, but does not fully solve the problem. Policing isn't a new idea. I'm not sure it's a step in the right direction, or just prolonging an inevitable change towards a real fix.

-- 
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
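The two failure modes argued over above (table exhaustion without a policer, starvation of legitimate resolution with one) can be checked with a small simulation. This is an added illustration, not code from the thread; it assumes the thread's figures of a 100k-entry cache and an attacker forcing ~100k resolutions per second, adds an assumed legitimate host triggering ~10 resolutions per second, and models the per-interface policer as a simple token bucket.

```python
import random

# Constructed scenario (assumptions, not measurements): figures from the thread plus
# an assumed legitimate host; the policer is modelled as a token bucket.
CACHE_CAPACITY = 100_000     # neighbor cache entries on the router
ATTACK_PPS = 100_000         # packets/s to unused addresses, each forcing an NS
LEGIT_PPS = 10               # legitimate packets/s that need a new neighbor entry


class TokenBucket:
    """Per-interface ND resolution policer: `rate` tokens/s, `burst` depth."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self, dt):
        self.tokens = min(self.burst, self.tokens + self.rate * dt)

    def take(self):
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(policer_pps=None, seconds=1.0, ticks_per_second=1000, seed=7):
    """Return (legit_sent, legit_resolved, cache_full_at_seconds_or_None)."""
    rng = random.Random(seed)
    dt = 1.0 / ticks_per_second
    bucket = TokenBucket(policer_pps, policer_pps) if policer_pps else None
    cache = 0                     # INCOMPLETE entries created by pending resolutions
    legit_sent = legit_ok = 0
    cache_full_at = None
    for tick in range(int(seconds * ticks_per_second)):
        # Arrivals this tick, randomly interleaved; attack traffic dominates.
        arrivals = ["attack"] * (ATTACK_PPS // ticks_per_second)
        if rng.random() < LEGIT_PPS * dt:
            arrivals.append("legit")
            legit_sent += 1
        rng.shuffle(arrivals)
        if bucket:
            bucket.refill(dt)
        for kind in arrivals:
            if bucket and not bucket.take():
                continue          # policer dropped this resolution request
            if cache >= CACHE_CAPACITY:
                continue          # no room for a new entry: resolution fails
            cache += 1
            legit_ok += kind == "legit"
            if cache == CACHE_CAPACITY and cache_full_at is None:
                cache_full_at = (tick + 1) * dt
    return legit_sent, legit_ok, cache_full_at
```

Without a policer the cache reaches capacity at about one second and every later legitimate resolution fails; with a 100 pps policer the table survives but almost no legitimate NS wins a token against the attack traffic.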