On Tue, 12 Jul 2011, Christian Huitema wrote:

Then I am really not worried. This kind of attack is trivially mitigated by any stateful firewall on the path. In addition to all other mitigations that were listed on this thread.

Think as an ISP. We do not stateful firewall our customers, and we might be forced to have equipment in the customer /64, at least initially. This is a real problem, as this device will in some cases be a L3 switch with quite limited CPU and FIB table size.

I definitely prefer to have only link-local between me and a CPE and just route the /56 to the CPE, so I do not ever have to keep any state regarding individual customer placed devices.

We have already requested that our L3 switch vendors have ND starvation protection, but there is a serious lack of documentation to point to.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
