In your letter dated Tue, 12 Jul 2011 12:40:12 +0000 you wrote:
>* Philip Homburg:
>> So what I was thinking of, what if a router that is under attack would
>> periodically multicast to the all-nodes multicast address a message
>> saying "help I'm under attack". Upon receiving such a message all
>> nodes send a neighbor solicitation to the router. This populates the
>> router's neighbor cache with entries for all of its neighbors. Thus
>> ensuring that normal traffic can flow uninterrupted.
>
>Assuming that neighbor discovery is vulnerable, wouldn't the same issue
>affect the triggered solicitations?  And isn't it a fine way to overload a
>router on a large subnet?

One, I was thinking about a remote attack. So neighbors are trusted.

Two, an NS doesn't require the router to maintain any state. The router
just stores the IPv6 address and the MAC in the table and sends an NA.

As long as the router is properly sized for the number of neighbors, it
should be able to store it.

I'd say that a router has to be able to handle one NS per address per
neighbor every 30 seconds anyhow.

If the router can do that, then sending one request for help
every minute should do the trick.


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
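As an added illustration (not from the thread or from any router implementation), a small Python model of the cache behaviour the reply describes: lookups for unused on-link addresses leave unresolved entries that fill the router's cache, while an NS from a neighbor already carries the address and MAC, so the router can store them directly and answer with an NA. The cache size, the eviction policy and the addresses are assumptions.

```python
from collections import OrderedDict
CACHE_SIZE = 4   # assumed: deliberately tiny so the effect is visible

class NeighborCache:
    """Simplified router neighbor cache (constructed model, not a real stack)."""
    def __init__(self, size=CACHE_SIZE):
        self.size = size
        self.entries = OrderedDict()   # ip -> {"state": str, "mac": str|None}

    def _evict_incomplete(self):
        # Assumed policy: an unresolved (INCOMPLETE) entry may be dropped to
        # make room; resolved neighbors are never evicted.
        victim = next((ip for ip, e in self.entries.items()
                       if e["state"] == "INCOMPLETE"), None)
        if victim is None:
            return False
        del self.entries[victim]
        return True

    def forward_to(self, ip):
        """Router needs the MAC for on-link ip (e.g. off-link traffic arrived)."""
        if ip in self.entries:
            return self.entries[ip]["state"]
        if len(self.entries) >= self.size:
            return "DROPPED"     # no room to start another resolution
        self.entries[ip] = {"state": "INCOMPLETE", "mac": None}
        return "INCOMPLETE"

    def receive_ns(self, ip, mac):
        """NS from a neighbor carries ip and MAC: store them, answer with an NA."""
        if ip not in self.entries and len(self.entries) >= self.size:
            if not self._evict_incomplete():
                return "DROPPED"
        self.entries[ip] = {"state": "STALE", "mac": mac}
        return "NA"

def help_request_scenario():
    """Cache already filled by unresolved lookups; report what the router can
    do for two trusted neighbors before and after the 'help' round."""
    neighbors = {"fd00::10": "02:00:00:00:00:10",   # constructed addresses
                 "fd00::11": "02:00:00:00:00:11"}
    cache = NeighborCache()
    for i in range(cache.size):                     # unused on-link targets
        cache.forward_to(f"fd00::dead:{i}")
    before = {ip: cache.forward_to(ip) for ip in neighbors}
    for ip, mac in neighbors.items():               # every neighbor sends an NS
        cache.receive_ns(ip, mac)
    after = {ip: cache.forward_to(ip) for ip in neighbors}
    return before, after
```

Before the help round the router cannot even start resolving its real neighbors; after it, both have usable entries without the router having kept any resolution state.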
