Mark Smith wrote:

> 3. the router attached to the target /64 will generate neighbor
> solicitations for those non-existent destinations, towards its
> directly attached target /64. According to RFC2461, the default total
> timeout for these NSes is 3 seconds. As the router keeps state for the
> outstanding neighbor solicitations, if the rate the attacker is sending
> traffic with changing host addresses is high enough, the
> state tables in the router may be exhausted, resulting in a denial of
> service.
> 
> The router might appear to need to hold 2^64 outstanding
> Neighbor Solicitation table entries to survive this attack, however, as
> destinations for Neighbor Solicitations are mapped to Solicited Node
> multicast addresses, using the lower 24 bits, the router would have to
> "only" hold 2^24 outstanding Neighbor Solicitation entries, which still
> 16 million+. 

This is my take: Have a rather small table for ND entries in the
INCOMPLETE state. Those are the entries for which there has never been a
reachability confirmation.

ND entries that correspond to real nodes that have already sent packets
through the attacked router (or that have received traffic through the
attacked router) would be in other states.

Once the table of ND entries in the INCOMPLETE state gets full, drop
randomly.

Thoughts?

Kind regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
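The proposal above (a separate, small table for ND entries in the INCOMPLETE state, with random drop once it is full) as an added, runnable illustration. This is example code written for this page; it is not from the thread, from any RFC, or from any router implementation. It simulates a single router interface in Python: ten hosts on a constructed 2001:db8:0:1::/64 resolve normally and move to REACHABLE, then an attacker sends packets to random host addresses in that /64 at an assumed 1000 packets per second. The cap of 64 INCOMPLETE entries and the attack rate are assumptions chosen for the demonstration; the RETRANS_TIMER and MAX_MULTICAST_SOLICIT defaults are the RFC 2461 values (1 s, 3 attempts, hence the 3 second total quoted above). The solicited-node group each NS is sent to is derived from the low 24 bits of the target, as RFC 4291 specifies.

```python
"""Neighbor cache with a bounded INCOMPLETE state and random eviction.

Constructed simulation, not a real implementation: one router interface,
one attached /64, a few resolved hosts, then a flood of unresolvable
destinations. Confirmed entries (REACHABLE) are never candidates for
eviction; only unconfirmed (INCOMPLETE) ones compete for the small table.
"""
import ipaddress
import random
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# RFC 2461 / RFC 4861 default protocol constants.
MAX_MULTICAST_SOLICIT = 3   # multicast NS attempts before resolution fails
RETRANS_TIMER = 1.0         # seconds between NS retransmissions


class NDState(Enum):
    INCOMPLETE = 1   # resolution in progress, no reachability confirmation yet
    REACHABLE = 2    # confirmed by a solicited Neighbor Advertisement
    STALE = 3        # link-layer address known, reachability unconfirmed


def solicited_node_mcast(addr: str) -> str:
    """Solicited-node multicast group for addr (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


@dataclass
class NeighborEntry:
    state: NDState
    lladdr: Optional[str] = None
    created: float = 0.0
    ns_sent: int = 0


class NeighborCache:
    """Neighbor cache of one interface; INCOMPLETE entries capped at max_incomplete."""

    def __init__(self, max_incomplete: int, rng: random.Random):
        self.max_incomplete = max_incomplete
        self.rng = rng
        self.entries: dict[str, NeighborEntry] = {}
        self.ns_log: list[tuple[float, str]] = []   # (time, multicast group) per NS
        self.evicted = 0            # INCOMPLETE entries dropped at random by the cap
        self.failed = 0             # INCOMPLETE entries that timed out normally
        self.peak_incomplete = 0

    def _incomplete(self) -> list[str]:
        return [a for a, e in self.entries.items() if e.state is NDState.INCOMPLETE]

    def _send_ns(self, dst: str, e: NeighborEntry, now: float) -> None:
        e.ns_sent += 1
        self.ns_log.append((now, solicited_node_mcast(dst)))

    def forward(self, dst: str, now: float) -> bool:
        """Packet for dst on the attached /64. True if the link-layer address is
        known and it is sent now; False if address resolution is (still) pending."""
        e = self.entries.get(dst)
        if e is not None:
            return e.state is not NDState.INCOMPLETE
        pending = self._incomplete()
        if len(pending) >= self.max_incomplete:
            # Small table of unconfirmed entries is full: drop one at random.
            del self.entries[self.rng.choice(pending)]
            self.evicted += 1
        self.entries[dst] = NeighborEntry(NDState.INCOMPLETE, created=now)
        self._send_ns(dst, self.entries[dst], now)
        self.peak_incomplete = max(self.peak_incomplete, len(self._incomplete()))
        return False

    def neighbor_advertisement(self, src: str, lladdr: str) -> None:
        """A solicited NA from src confirms reachability and leaves INCOMPLETE."""
        e = self.entries.get(src)
        if e is None:
            return   # NA for an address we never solicited: ignore it
        e.state, e.lladdr = NDState.REACHABLE, lladdr

    def tick(self, now: float) -> None:
        """Retransmit the NS for, or give up on, INCOMPLETE entries whose timer ran out."""
        for addr in self._incomplete():
            e = self.entries[addr]
            if now - e.created < e.ns_sent * RETRANS_TIMER:
                continue
            if e.ns_sent >= MAX_MULTICAST_SOLICIT:
                del self.entries[addr]   # resolution failed (RFC 2461 7.2.2)
                self.failed += 1
            else:
                self._send_ns(addr, e, now)


PREFIX = int(ipaddress.IPv6Address("2001:db8:0:1::"))   # constructed target /64


def simulate(max_incomplete: int = 64, attack_pps: int = 1000,
             seconds: float = 5.0, seed: int = 1) -> dict:
    """Ten resolved hosts, then a flood to random host addresses in the /64."""
    rng = random.Random(seed)
    cache = NeighborCache(max_incomplete, rng)
    legit = [str(ipaddress.IPv6Address(PREFIX | i)) for i in range(1, 11)]
    for i, host in enumerate(legit):
        cache.forward(host, 0.0)                                      # NS goes out
        cache.neighbor_advertisement(host, f"02:00:00:00:00:{i:02x}")  # host answers
    t, step = 0.0, 1.0 / attack_pps
    while t < seconds:
        cache.forward(str(ipaddress.IPv6Address(PREFIX | rng.getrandbits(64))), t)
        t += step
        cache.tick(t)
    return {
        "peak_incomplete": cache.peak_incomplete,
        "evicted": cache.evicted,
        "resolution_failures": cache.failed,
        "legit_still_forwardable": sum(cache.forward(h, t) for h in legit),
        "entries_total": len(cache.entries),
        "ns_sent": len(cache.ns_log),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Running it shows the INCOMPLETE set never growing past the cap no matter how fast the attacker rotates host addresses, while the ten confirmed hosts stay forwardable throughout. The obvious cost is visible in the same model: a legitimate host that first needs resolving during the flood competes for the same small table and may be randomly dropped before its NA arrives, so the scheme protects neighbours that are already confirmed rather than guaranteeing new resolutions under attack.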