On Tue, 2011-07-12 at 11:22 +0200, Sander Steffann wrote:
> > So what I was thinking of, what if a router that is under attack would

The router would need to know that it was under attack. That could be
quite a complicated heuristic. It seems to me that it is simpler to
treat ND slot exhaustion as the problem, and not worry too much about
the cause.

I have no clue how sensible these ideas are:

- when slots get scarce, start favouring existing completed entries.
  Don't time them out as fast. That is, treat completed entries as more
  valuable than incomplete ones. Silly to toss out a probably-good entry
  in favour of a definitely-incomplete one.

- when slots get very scarce, start timing out incomplete entries
  faster, returning the slots to the pool. There will be a useful
  minimum time here...

- store source info with each slot. Have separate slot
  space for local (on-router) sources and remote (off-router) sources.
  This lets the local network keep working even when under attack from
  off-router.

- when slot space reaches a critical level, start ignoring requests from
  sources that have no completed entries. Yes, innocent new sources will
  suffer, but you are heading into crisis.

- when and as long as there are NO slots left:
   - don't delete completed entries at all while there are incomplete
     entries to delete

   - delete entries with sources with the fewest completed entries
     first. After them, delete the oldest entries first.

> > periodically multicast to the all-nodes multicast address a message saying
> > "help I'm under attack". Upon receiving such a message all nodes send a
> > neighbor solicitation to the router.

This could be a reaction to a rapid decrease in available cache slots.
Do you need a special message? A ping to the all-nodes multicast address
should result in all nodes responding, and the responses would have all
the info in them that you need. You'd have to do that on each link,
though. And you'd have to do it *fast*. In fact, it seems to me that you
would be unlikely to be able to do it fast enough to make a difference -
by the time your nodes had responded, the attacker would have filled the
ND cache. Doing it preemptively would make for a very chatty link.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
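The slot-scarcity heuristics sketched in the message above (keep completed entries, ignore sources with no completed entries once the pool is critical, and when nothing is free evict incomplete entries from the source with the fewest completed ones, oldest first), as an added toy model that is not part of the thread or of any router implementation. The capacity, the "critical" threshold and the constructed sample requests are assumptions for illustration only.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Entry:
    addr: str       # neighbor being resolved
    source: str     # who triggered resolution: on-router ("local") or an off-router sender
    complete: bool  # True once a Neighbor Advertisement arrived
    seq: int        # insertion order, smaller is older

class NDCache:
    """Fixed number of slots plus the crisis heuristics from the mail above (toy model)."""

    def __init__(self, capacity, critical):
        self.capacity, self.critical = capacity, critical  # critical = free slots that mean crisis
        self.entries = {}
        self._seq = count()

    def completed_by(self, source):
        return sum(e.source == source and e.complete for e in self.entries.values())

    def request(self, addr, source):
        """Try to add an INCOMPLETE entry; False means the request was ignored."""
        if addr in self.entries:
            return True
        free = self.capacity - len(self.entries)
        if free <= self.critical and self.completed_by(source) == 0:
            return False  # crisis: sources with no completed entries get nothing
        if free == 0:
            self._evict()
        self.entries[addr] = Entry(addr, source, False, next(self._seq))
        return True

    def _evict(self):
        # Completed entries survive while any incomplete one exists; among candidates,
        # drop the one whose source has the fewest completed entries, oldest first.
        pool = [e for e in self.entries.values() if not e.complete] or list(self.entries.values())
        victim = min(pool, key=lambda e: (self.completed_by(e.source), e.seq))
        del self.entries[victim.addr]

def scenario():
    """Constructed sample: one local host, then off-router senders flooding new targets."""
    c = NDCache(capacity=4, critical=1)
    results = [c.request("fe80::1", "local")]
    c.entries["fe80::1"].complete = True  # the local host answered its solicitation
    results += [c.request("2001:db8::10", "off-A"), c.request("2001:db8::11", "off-A")]
    results.append(c.request("2001:db8::12", "off-B"))  # one slot left, off-B has nothing completed
    results += [c.request("2001:db8::20", "local"), c.request("2001:db8::21", "local")]
    return c, results
```

In the sample the flooding off-router sources lose their incomplete slots first while the local host's completed entry is never touched.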
