There appear to be several different cases, which can be addressed by different reasonable mechanisms (not firewalls, and not lengthening the subnet prefix).

For ISPs, I would assume the primary concern is routers connecting to subnets used to provide services. A non-dynamic approach to ND can address that.

For ISPs providing bridged residential services, the ISP normally operates on the basis that it gets registration information from all the devices in the home. Thus, it does not need to generate ND solicitations.

Yours,
Joel

On 7/13/2011 4:08 AM, Mikael Abrahamsson wrote:
On Tue, 12 Jul 2011, Christian Huitema wrote:

Then I am really not worried. This kind of attack is trivially
mitigated by any stateful firewall on the path. In addition to all
other mitigations that were listed on this thread.

Think as an ISP. We do not stateful firewall our customers, and we might
be forced to have equipment in the customer /64, at least initially.
This is a real problem, as this device will in some cases be a L3 switch
with quite limited CPU and FIB table size.

I definitely prefer to have only link-local between me and a CPE and
just route the /56 to the CPE, so I do not ever have to keep any state
regarding individual customer placed devices.

We have already requested that our L3 switch vendors have ND starvation
protection, but there is a serious lack of documentation to point to.
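
A detection check in the spirit of the ND starvation protection Mikael asks his vendors for, added here as an example and not part of the thread: it parses constructed Linux `ip -6 neigh show`-style lines and flags interfaces whose neighbor cache is dominated by unresolved (INCOMPLETE/FAILED) entries, which is the footprint a sweep across an on-link /64 leaves on the router. Interface names, addresses and the thresholds are assumptions.

```python
"""Neighbor-cache exhaustion check over `ip -6 neigh show`-style output.

Added example, not from the mailing-list thread. The sample lines below are
constructed to resemble Linux `ip -6 neigh show` output; the interface names,
addresses and thresholds are assumptions, not values from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one customer-facing interface being swept across its /64
# (many unanswered solicitations left as INCOMPLETE), one healthy uplink that
# only carries link-local neighbors.
SAMPLE_NEIGH_OUTPUT = """\
2001:db8:1::1 dev vlan100 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::2 dev vlan100 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::a1 dev vlan100  INCOMPLETE
2001:db8:1::a2 dev vlan100  INCOMPLETE
2001:db8:1::a3 dev vlan100  FAILED
2001:db8:1::a4 dev vlan100  INCOMPLETE
2001:db8:1::a5 dev vlan100  INCOMPLETE
2001:db8:1::a6 dev vlan100  INCOMPLETE
fe80::1 dev uplink0 lladdr 00:aa:bb:cc:dd:ee router REACHABLE
fe80::2 dev uplink0 lladdr 00:aa:bb:cc:dd:ff STALE
"""

# NUD states that mean the router spent a cache slot without ever learning
# a link-layer address: these are what an ND sweep fills the table with.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


@dataclass
class IfaceStats:
    total: int = 0
    unresolved: int = 0

    @property
    def unresolved_ratio(self) -> float:
        return self.unresolved / self.total if self.total else 0.0


def parse_neigh(output: str) -> dict[str, IfaceStats]:
    """Count total and unresolved neighbor entries per interface."""
    stats: dict[str, IfaceStats] = defaultdict(IfaceStats)
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev":
            continue  # not an "<addr> dev <ifname> ..." line
        iface = fields[2]
        state = fields[-1]  # the NUD state is always the last token
        stats[iface].total += 1
        if state in UNRESOLVED:
            stats[iface].unresolved += 1
    return dict(stats)


def flag_starvation(stats: dict[str, IfaceStats],
                    min_entries: int = 5,
                    max_unresolved_ratio: float = 0.5) -> list[str]:
    """Return interfaces whose cache is dominated by unresolved entries.

    min_entries keeps a quiet interface with one or two pending lookups from
    being reported; the ratio threshold is an assumed operational value.
    """
    return sorted(
        name for name, s in stats.items()
        if s.total >= min_entries and s.unresolved_ratio > max_unresolved_ratio
    )


if __name__ == "__main__":
    per_iface = parse_neigh(SAMPLE_NEIGH_OUTPUT)
    for name, s in sorted(per_iface.items()):
        print(f"{name}: {s.total} entries, {s.unresolved} unresolved "
              f"({s.unresolved_ratio:.0%})")
    for name in flag_starvation(per_iface):
        print(f"WARNING: {name} neighbor cache looks starved")
```

On a real router the same counting applied to the live table (or to periodic snapshots) gives an early signal before the cache or FIB hits its hardware limit; the interface that only holds link-local neighbors, as in the link-local-plus-routed-/56 design Mikael prefers, stays below the threshold because there is no on-link /64 to sweep.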

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
