Hi Dusan,

On Tue, 2 Feb 2010 12:37:24 -0500
"Dusan Mudric" <dmud...@avaya.com> wrote:

> Hi,
>
> Is there a mechanism to protect against a denial of service attack using
> prefixes with very small Valid Lifetimes? RFC 2462, section 5.5.3 e) talks
> about it but does not seem to cover the scenario where:
>
> 1) A user defines small Preferred and Valid Lifetimes (i.e.,
>    10sec and 15sec), and
> 2) The initial Router Advertisement message has very small
>    Preferred and Valid Lifetimes for a Prefix, and
> 3) The received Lifetime is equal to Stored Lifetime.
>
> With the small lifetime, address expires quickly and is created soon after.
> Applications using this address go up and down periodically and get into
> trouble.
>
> Has this issue already been addressed?
>

I'm not sure if it has specifically. In general though, the only people
who should be configuring a router with these types of parameters would
be trusted network administrators on trusted routers. If an untrusted
network administrator is able to change the parameters on a trusted
router, then I think the root problem isn't that they can maliciously
configure parameters of the protocols the trusted router talks, but
that they've got administrative access to the router itself. Better
access control, e.g. stronger passwords, is the best method to prevent
this.

If it's an untrusted router announcing these parameters, then

http://tools.ietf.org/id/draft-ietf-v6ops-ra-guard-04.txt

is addressing that threat.

Regards,
Mark.

> Regards,
>
> Dušan Mudrić
>
> Software Architect
> Avaya
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
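The scenario in the quoted question, replayed as an added example that is not part of the thread or of any real IPv6 stack: the function applies the three cases of RFC 2462 section 5.5.3 e) and the replay shows the address flapping. It assumes StoredLifetime is the value recorded when the address was created and is not counted down (as step 3 of the question implies); the 10-second RA interval and all function names are constructed for illustration.

```python
TWO_HOURS = 7200  # seconds, the threshold used by RFC 2462 section 5.5.3 e)


def rule_5_5_3_e(stored, received, authenticated=False):
    """Return the new valid lifetime for an existing address,
    or None when the Prefix Information option is ignored."""
    if received > TWO_HOURS or received > stored:
        return received                       # case 1: accept the new value
    if stored <= TWO_HOURS:                   # here received <= stored
        # case 2: ignore unless the RA was authenticated
        return received if authenticated else None
    return TWO_HOURS                          # case 3: reset to two hours


def replay(ra_times, valid_lifetime):
    """Replay unauthenticated RAs for one prefix (arrival times in seconds).
    Returns a list of (time, event) tuples for address creation and expiry."""
    events, stored, expires = [], None, None
    for now in ra_times:
        if expires is not None and now >= expires:
            events.append((expires, "expired"))
            stored = expires = None
        if stored is None:
            if valid_lifetime > 0:            # 5.5.3 d): form a new address
                stored, expires = valid_lifetime, now + valid_lifetime
                events.append((now, "created"))
            continue
        new = rule_5_5_3_e(stored, valid_lifetime)
        if new is not None:                   # accepted: restart the timer
            stored, expires = new, now + new
    return events


if __name__ == "__main__":
    ras = range(0, 60, 10)                    # constructed: one RA every 10 s
    print("15 s lifetime :", replay(ras, 15))
    print("30 day lifetime:", replay(ras, 2592000))
    # What 5.5.3 e) does cover: a short lifetime cannot cut down a long one.
    print("stored 1 day, received 10 s ->", rule_5_5_3_e(86400, 10))
```

With a 15-second lifetime every repeat advertisement falls under case 2 and is ignored, so the address expires and is only re-formed by the next RA after expiry.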