Hi,

> As a defense against remote attack, I'm thinking that routers should limit
> the percentage of their ND caches that are associated with nonexistent hosts.
> I suspect there are circumstances when it makes sense to have "passive"
> hosts, perhaps even large numbers of them, which the local router isn't aware
> of until traffic from outside arrives for them.
>
> It might also make sense to rate-limit ND messages sent as a result of
> inbound traffic - if this rate of such ND messages exceeds a certain
> threshold, drop incoming packets for hosts not in the ND cache at random.
It might be a good idea to increase the timers on the hosts that are in the cache, or to start refreshing those cache entries actively before they run out. In such a situation we might want to keep the pool of verified existing hosts as large as possible to keep the dropping of good packets to a minimum.

Sander

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
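The three mitigations discussed in this exchange (a cap on the share of the ND cache held by unverified entries, a rate limit on inbound-triggered Neighbor Solicitations with random drops beyond the threshold, and proactive refresh of verified entries before their timer runs out) can be modelled together in a small simulation. The code below is an added illustration written for this page, not code from the thread, from any router vendor, or from an RFC; the policy knobs (`max_incomplete_fraction`, `ns_threshold`, `window`, `refresh_margin`) and the sample addresses are assumptions chosen for the example.

```python
"""Toy model of a router's IPv6 neighbor cache with the defenses from the thread.

Assumed policy knobs (illustrative, not from any standard):
  - max_incomplete_fraction: cap on INCOMPLETE (unverified) entries as a share of capacity
  - ns_threshold / window: demand for inbound-triggered Neighbor Solicitations per window;
    above the threshold, packets for unknown hosts are dropped at random
  - reachable_ttl / refresh_margin: verified entries live longer and are re-probed before expiry
"""
import random
from collections import deque

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    def __init__(self, capacity=1000, max_incomplete_fraction=0.2,
                 ns_threshold=50, window=1.0, reachable_ttl=30.0,
                 incomplete_ttl=3.0, refresh_margin=5.0, rng=random.random):
        self.capacity = capacity
        self.max_incomplete = int(capacity * max_incomplete_fraction)
        self.ns_threshold = ns_threshold
        self.window = window
        self.reachable_ttl = reachable_ttl
        self.incomplete_ttl = incomplete_ttl
        self.refresh_margin = refresh_margin
        self.rng = rng                      # injectable for deterministic tests
        self.entries = {}                   # addr -> [state, expires_at]
        self.demand = deque()               # timestamps of packets for unknown hosts
        self.stats = {"forward": 0, "pending": 0, "solicit": 0,
                      "drop_cap": 0, "drop_rate": 0}

    def _prune(self, now):
        # Drop expired entries (unverified ones lapse quickly, verified ones slowly)
        for addr in [a for a, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[addr]
        # Slide the rate-limit window
        while self.demand and self.demand[0] <= now - self.window:
            self.demand.popleft()

    def incomplete_count(self):
        return sum(1 for state, _ in self.entries.values() if state == INCOMPLETE)

    def inbound(self, dst, now):
        """Decide what to do with a packet arriving from outside for `dst`."""
        self._prune(now)
        entry = self.entries.get(dst)
        if entry is not None:
            if entry[0] == REACHABLE:
                self.stats["forward"] += 1
                return "forward"
            self.stats["pending"] += 1      # resolution already in flight
            return "pending"
        # Unknown host: first the cap on unverified entries
        if self.incomplete_count() >= self.max_incomplete:
            self.stats["drop_cap"] += 1
            return "drop_cap"
        # Then the rate limit: beyond the threshold, drop at random with a
        # probability that grows with the overload (expected NS/window ~ threshold)
        self.demand.append(now)
        n = len(self.demand)
        if n > self.ns_threshold:
            p_drop = 1.0 - self.ns_threshold / n
            if self.rng() < p_drop:
                self.stats["drop_rate"] += 1
                return "drop_rate"
        self.entries[dst] = [INCOMPLETE, now + self.incomplete_ttl]
        self.stats["solicit"] += 1
        return "solicit"

    def neighbor_advertisement(self, addr, now):
        """The host answered: mark it verified and start the longer reachable timer."""
        self.entries[addr] = [REACHABLE, now + self.reachable_ttl]

    def refresh_due(self, now):
        """Verified entries close to expiry; probing these proactively keeps good
        hosts out of the rate-limited unknown-host path."""
        self._prune(now)
        return sorted(a for a, (s, exp) in self.entries.items()
                      if s == REACHABLE and exp - now <= self.refresh_margin)


if __name__ == "__main__":
    cache = NeighborCache(capacity=10, max_incomplete_fraction=0.5, ns_threshold=3)
    for i in range(1, 9):                   # constructed burst of unknown destinations
        print(f"2001:db8::{i}", cache.inbound(f"2001:db8::{i}", 0.1 * i))
    print(cache.stats)
```

Known hosts are answered from the cache before either limit is consulted, so a burst of traffic for nonexistent addresses only affects the unknown-host path; `refresh_due` is what a router would poll on a timer to re-solicit verified neighbours before their entries lapse.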