Joel, Your draft mentions that the router that just rebooted would send 0-sourced solicitations to all the hosts that it knows about. What do you have in mind, exactly? If the router rebooted, it does not know anything, right? Do you mean to say, "each time it sees an incoming packet from a yet unknown local source, the router will send a solicitation?"
Of course, there is a small issue with that. If there is a server on the local link, the server can remain silent for a long time, waiting for incoming connections. We probably need to allow an incoming TCP SYN to trigger an NS for the server. Maybe with some rate control to protect against attacks. -- Christian Huitema -----Original Message----- From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Joel M. Halpern Sent: Monday, October 24, 2011 6:34 AM To: Joel jaeggli Cc: ipv6@ietf.org Subject: Re: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt The purpose of the various exchange and triggering mechanism I describe in the last section are to enable the approach to be used before one has upgraded all the hosts on the subnet. With the RS retransmission to enable reliable discovery by the router, the rest probably become harmless but unimportant. Yours, Joel On 10/24/2011 9:28 AM, Joel jaeggli wrote: > Sorry meant to actually reply. > > I'm curious, essentially what the implications are for interaction > between an existing implimentation in a host, and an nd implimentation > which no longer does discovery. > > On 10/24/11 06:21 , Joel jaeggli wrote: >> On 10/21/11 07:44 , Joel M. Halpern wrote: >>> I would like to call people's attention to the draft below. >>> I would like to hear from folks as to what they think of this >>> complement to some of the existing work on the ND based denial of service >>> attack. >>> I do not intend to present this at the WG meeting, as I would like a >>> chance to hear from folks first. >>> >>> Yours, >>> Joel >>> >>> -------- Original Message -------- >>> Subject: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt >>> Date: Mon, 17 Oct 2011 14:17:09 -0700 >>> >>> A New Internet-Draft is available from the on-line Internet-Drafts >>> directories. >>> >>> Title : Mitigating Neighbor Discovery Based Denial of >>> Service Attacks >>> Author(s) : Joel M. Halpern >>> Filename : draft-halpern-6man-nddos-mitigation-00.txt >>> Pages : 6 >>> Date : 2011-10-17 >>> >>> It has been observed that with the large space of IPv6 addresses >>> within a subnet, remote attackers can send packets that saturate a >>> rotuers ND cache, and potentially saturate a subnet with ND >>> Soliciation messages as well. Some operational techniques and small >>> protocol adjustments have been proposed that can help alleviate this >>> problem. This draft proposes a slightly more drastic optional >>> behavior for routers, which can nearly eliminate this problem. >>> >>> >>> A URL for this Internet-Draft is: >>> http://www.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigat >>> ion-00.txt >>> >>> >>> Internet-Drafts are also available by anonymous FTP at: >>> ftp://ftp.ietf.org/internet-drafts/ >>> >>> This Internet-Draft can be retrieved at: >>> ftp://ftp.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigati >>> on-00.txt >>> >>> _______________________________________________ >>> >>> >>> -------------------------------------------------------------------- >>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative >>> Requests: https://www.ietf.org/mailman/listinfo/ipv6 >>> -------------------------------------------------------------------- >>> >> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list >> ipv6@ietf.org >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >> > > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 -------------------------------------------------------------------- -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
