Clarification first. The reboot case described is when there is more
than one router on a subnet announcing a given prefix. In that case,
when the new router comes up, the existing router will notice, and it
will send the triggering messages. The new router does not have the
data it needs to send the triggers.
Yours,
Joel
On 10/25/2011 1:48 AM, Christian Huitema wrote:
Joel,
Your draft mentions that the router that just rebooted would send 0-sourced solicitations
to all the hosts that it knows about. What do you have in mind, exactly? If the router
rebooted, it does not know anything, right? Do you mean to say, "each time it sees
an incoming packet from a yet unknown local source, the router will send a
solicitation?"
Of course, there is a small issue with that. If there is a server on the local
link, the server can remain silent for a long time, waiting for incoming
connections.
We probably need to allow an incoming TCP SYN to trigger an NS for the server.
Maybe with some rate control to protect against attacks.
-- Christian Huitema
-----Original Message-----
From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Joel M.
Halpern
Sent: Monday, October 24, 2011 6:34 AM
To: Joel jaeggli
Cc: ipv6@ietf.org
Subject: Re: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt
The purpose of the various exchange and triggering mechanism I describe in the
last section are to enable the approach to be used before one has upgraded all
the hosts on the subnet. With the RS retransmission to enable reliable
discovery by the router, the rest probably become harmless but unimportant.
Yours,
Joel
On 10/24/2011 9:28 AM, Joel jaeggli wrote:
Sorry meant to actually reply.
I'm curious, essentially what the implications are for interaction
between an existing implimentation in a host, and an nd implimentation
which no longer does discovery.
On 10/24/11 06:21 , Joel jaeggli wrote:
On 10/21/11 07:44 , Joel M. Halpern wrote:
I would like to call people's attention to the draft below.
I would like to hear from folks as to what they think of this
complement to some of the existing work on the ND based denial of service
attack.
I do not intend to present this at the WG meeting, as I would like a
chance to hear from folks first.
Yours,
Joel
-------- Original Message --------
Subject: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt
Date: Mon, 17 Oct 2011 14:17:09 -0700
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
Title : Mitigating Neighbor Discovery Based Denial of
Service Attacks
Author(s) : Joel M. Halpern
Filename : draft-halpern-6man-nddos-mitigation-00.txt
Pages : 6
Date : 2011-10-17
It has been observed that with the large space of IPv6 addresses
within a subnet, remote attackers can send packets that saturate a
rotuers ND cache, and potentially saturate a subnet with ND
Soliciation messages as well. Some operational techniques and small
protocol adjustments have been proposed that can help alleviate this
problem. This draft proposes a slightly more drastic optional
behavior for routers, which can nearly eliminate this problem.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigat
ion-00.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigati
on-00.txt
_______________________________________________
--------------------------------------------------------------------
IETF IPv6 working group mailing list ipv6@ietf.org Administrative
Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------