On Tue, 2011-07-12 at 11:22 +0200, Sander Steffann wrote:
> > So what I was thinking of, what if a router that is under attack would

The router would need to know that it was under attack. That could be quite a complicated heuristic. It seems to me that it is simpler to treat ND slot exhaustion as the problem, and not worry too much about the cause.

I have no clue how sensible these ideas are:

- when slots get scarce, start favouring existing completed entries. Don't time them out as fast. That is, treat completed entries as more valuable than incomplete ones. Silly to toss out a probably-good entry in favour of a definitely-incomplete one.

- when slots get very scarce, start timing out incomplete entries faster, returning the slots to the pool. There will be a useful minimum time here...

- store source info with each slot. Have separate slot space for local (on-router) sources and remote (off-router) sources. This lets the local network keep working even when under attack from off-router.

- when slot space reaches a critical level, start ignoring requests from sources that have no completed entries. Yes, innocent new sources will suffer, but you are heading into crisis.

- when and as long as there are NO slots left:
  - don't delete completed entries at all while there are incomplete entries to delete
  - delete entries with sources with the fewest completed entries first. After them, delete the oldest entries first.

> > periodically multicast to the all-nodes multicast address a message saying
> > "help I'm under attack". Upon receiving such a message all nodes send a
> > neighbor solicitation to the router. This could be a reaction to a rapid
> > decrease in available cache slots.

Do you need a special message? A ping to the all-nodes multicast address should result in all nodes responding, and the responses would have all the info in them that you need. You'd have to do that on each link, though. And you'd have to do it *fast*.

In fact, it seems to me that you would be unlikely to be able to do it fast enough to make a difference - by the time your nodes had responded, the attacker would have filled the ND cache. Doing it preemptively would make for a very chatty link.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
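As an added illustration (not code from the thread or from any router implementation), here is a small Python model of the "no slots left" eviction order sketched in the message above: completed entries are protected while any incomplete entry exists, and candidates are evicted by fewest-completed-entries-per-source, then by age. The per-entry `source` label and the `local-host`/`remote` names are assumptions standing in for the per-slot source info proposed in the post.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class NdEntry:
    target: str      # neighbour address being resolved
    source: str      # constructed label for who triggered the lookup
    completed: bool  # True once the Neighbor Advertisement arrived
    created: int     # insertion time; lower is older


class NdCache:
    """Fixed-size ND cache using the post's 'no slots left' eviction order."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []

    def victim(self):
        # Never evict a completed entry while any incomplete one exists.
        incomplete = [e for e in self.entries if not e.completed]
        pool = incomplete or self.entries
        # Among candidates: source with fewest completed entries first, then oldest.
        done = Counter(e.source for e in self.entries if e.completed)
        return min(pool, key=lambda e: (done[e.source], e.created))

    def add(self, entry):
        if len(self.entries) >= self.capacity:
            self.entries.remove(self.victim())
        self.entries.append(entry)

    def complete(self, target):
        for e in self.entries:
            if e.target == target:
                e.completed = True


def simulate():
    """Constructed scenario: a local host with one completed and one pending
    entry while a remote source keeps creating incomplete entries."""
    cache = NdCache(capacity=4)
    cache.add(NdEntry("2001:db8::10", "local-host", True, 0))
    cache.add(NdEntry("2001:db8::11", "local-host", False, 1))
    for t in range(2, 10):
        cache.add(NdEntry(f"2001:db8::{t:x}00", "remote", False, t))
    cache.complete("2001:db8::11")  # the pending local lookup now resolves
    for t in range(10, 14):
        cache.add(NdEntry(f"2001:db8::{t:x}00", "remote", False, t))
    return cache
```

The local host's entries survive the whole run because the remote source never accumulates a completed entry, so its incomplete slots are always the first to go.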