In your letter dated Tue, 12 Jul 2011 13:31:23 +0000 you wrote:
>* Philip Homburg:
>
>> First, let me make clear that I was thinking about remote attacks.
>
>How would a remote attack work?

You send a stream of packets directed to a particular /64, but you make sure that each packet has a different destination address. The router that attaches to the /64 has to perform ND for each packet. Assuming that those addresses are not in use, it takes 3 seconds for the ND to time out. So the router will have to maintain a huge amount of state. And, because the NS messages are multicast, you have to rate limit them.

>> I think that's the most serious problem. If you have malicious hosts
>> directly attached you have bigger problems, and you have to use either
>> SeND or L2 filtering.
>
>On its own, neither SeND nor L2 filtering prevents any attacks on
>neighbor discovery. You need some sort of layering violation to tie
>endpoints to specific addresses, and nothing working exclusively on
>layer 2 or the IP layer can achieve that. Once you can make that
>connection, you can also limit the amount of processing power and state
>per identified endpoint. But without that, you have zero chance against
>a local attacker.

For fixed ethernet (wireless is more tricky) a switch could limit the number of MAC addresses per port in time. If you then limit the number of IPv6 addresses per MAC (that would require a layer violation), then you can prevent hosts from executing a local attack.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
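The remote attack described in the message above (a sweep of distinct unused addresses inside one /64, each forcing the router to create an INCOMPLETE neighbour cache entry and send a multicast NS), as an added simulation that is not part of the original thread or of any router implementation. It models the router's INCOMPLETE state with the RFC 4861 default timeout of 3 seconds (RetransTimer 1 s times MAX_MULTICAST_SOLICIT 3), an assumed NS rate limit of 100 per second, a documentation prefix standing in for the attacked /64, and constructed attack traffic from a seeded PRNG; the cap on INCOMPLETE entries is the obvious mitigation the message's concern points at, shown next to the unbounded case.

```python
"""Model of the remote neighbour-cache exhaustion attack described in the message.

A router receives a stream of packets to distinct, unused addresses inside one
/64. Each one creates an INCOMPLETE neighbour cache entry and triggers a
multicast Neighbor Solicitation; the entry lives until ND gives up (three
solicitations, one second apart, per RFC 4861 defaults). The model compares an
unbounded cache with one that caps INCOMPLETE entries. The clock is integer
milliseconds and the traffic is constructed with a seeded PRNG, so results are
deterministic.
"""
import ipaddress
import random

ND_INCOMPLETE_TIMEOUT_MS = 3000  # RetransTimer (1000 ms) * MAX_MULTICAST_SOLICIT (3)
NS_RATE_LIMIT_PER_SEC = 100      # assumed per-interface NS rate limit, not a standard value
PREFIX = "2001:db8:1:2::/64"     # documentation prefix standing in for the attacked /64


class NeighborCache:
    """INCOMPLETE part of a router's neighbour cache for one interface."""

    def __init__(self, incomplete_cap=None):
        self.entries = {}           # destination -> time (ms) the INCOMPLETE entry expires
        self.incomplete_cap = incomplete_cap
        self.dropped = 0            # packets refused because the cap was reached
        self.ns_sent = 0
        self.ns_suppressed = 0      # NS not sent because of the rate limit
        self._ns_per_window = {}    # second -> NS sent in that second

    def expire(self, now_ms):
        """Drop INCOMPLETE entries whose ND retransmissions have all timed out."""
        for dst in [d for d, t in self.entries.items() if t <= now_ms]:
            del self.entries[dst]

    def forward(self, dst, now_ms):
        """Handle one packet to dst arriving at now_ms; returns what happened to it."""
        self.expire(now_ms)
        if dst in self.entries:
            return "queued"         # resolution already in progress
        if self.incomplete_cap is not None and len(self.entries) >= self.incomplete_cap:
            self.dropped += 1
            return "dropped"        # mitigation: bound INCOMPLETE state instead of growing it
        self.entries[dst] = now_ms + ND_INCOMPLETE_TIMEOUT_MS
        self._send_ns(now_ms)
        return "resolving"

    def _send_ns(self, now_ms):
        """Multicast NS, subject to a fixed-window per-second rate limit."""
        window = now_ms // 1000
        sent = self._ns_per_window.get(window, 0)
        if sent < NS_RATE_LIMIT_PER_SEC:
            self._ns_per_window[window] = sent + 1
            self.ns_sent += 1
        else:
            self.ns_suppressed += 1


def random_addresses_in(prefix, count, seed=1):
    """Constructed attack traffic: `count` pseudo-random addresses inside `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    rng = random.Random(seed)
    base = int(net.network_address)
    return [ipaddress.IPv6Address(base + rng.randrange(net.num_addresses))
            for _ in range(count)]


def simulate(pps, seconds, incomplete_cap=None, seed=1):
    """Attacker sends `pps` packets/s for `seconds`, each to a fresh address in PREFIX."""
    cache = NeighborCache(incomplete_cap)
    targets = random_addresses_in(PREFIX, pps * seconds, seed)
    peak = 0
    for i, dst in enumerate(targets):
        now_ms = i * 1000 // pps
        cache.forward(dst, now_ms)
        peak = max(peak, len(cache.entries))
    return {
        "peak_incomplete": peak,
        "ns_sent": cache.ns_sent,
        "ns_suppressed": cache.ns_suppressed,
        "dropped": cache.dropped,
    }


if __name__ == "__main__":
    # Unbounded cache: INCOMPLETE state grows to pps * 3 s, and the NS rate
    # limit does nothing to stop that; it only bounds the multicast load.
    print("no cap :", simulate(pps=1000, seconds=10))
    # Capped cache: state stays bounded; the cost is that packets to new
    # destinations (legitimate or not) are dropped while the cap is reached.
    print("cap=100:", simulate(pps=1000, seconds=10, incomplete_cap=100))
```

At 1000 packets per second the unbounded cache settles at 3000 INCOMPLETE entries (one per packet for the 3-second ND timeout), while the rate limit suppresses nine out of ten solicitations but does not reduce the state at all; with the cap the cache never exceeds 100 entries, and the dropped counter shows the collateral damage an attacker can then inflict on legitimate first-contact traffic to the prefix.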