Re: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt

[Joel M. Halpern]

Clarification first.  The reboot case described is when there is more 
than one router on a subnet announcing a given prefix.  In that case, 
when the new router comes up, the existing router will notice, and it 
will send the triggering messages.  The new router does not have the 
data it needs to send the triggers.

Yours,
Joel
On 10/25/2011 1:48 AM, Christian Huitema wrote:
Joel,

Your draft mentions that the router that just rebooted would send 0-sourced solicitations 
to all the hosts that it knows about. What do you have in mind, exactly? If the router 
rebooted, it does not know anything, right? Do you mean to say, "each time it sees 
an incoming packet from a yet unknown local source, the router will send a 
solicitation?"

Of course, there is a small issue with that. If there is a server on the local 
link, the server can remain silent for a long time, waiting for incoming 
connections.

We probably need to allow an incoming TCP SYN to trigger an NS for the server. 
Maybe with some rate control to protect against attacks.

-- Christian Huitema



-----Original Message-----
From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Joel M. 
Halpern
Sent: Monday, October 24, 2011 6:34 AM
To: Joel jaeggli
Cc: ipv6@ietf.org
Subject: Re: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt

The purpose of the various exchange and triggering mechanism I describe in the 
last section are to enable the approach to be used before one has upgraded all 
the hosts on the subnet.  With the RS retransmission to enable reliable 
discovery by the router, the rest probably become harmless but unimportant.

Yours,
Joel

On 10/24/2011 9:28 AM, Joel jaeggli wrote:
Sorry meant to actually reply.

I'm curious, essentially what the implications are for interaction
between an existing implimentation in a host, and an nd implimentation
which no longer does discovery.

On 10/24/11 06:21 , Joel jaeggli wrote:
On 10/21/11 07:44 , Joel M. Halpern wrote:
I would like to call people's attention to the draft below.
I would like to hear from folks as to what they think of this
complement to some of the existing work on the ND based denial of service 
attack.
I do not intend to present this at the WG meeting, as I would like a
chance to hear from folks first.

Yours,
Joel

-------- Original Message --------
Subject: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt
Date: Mon, 17 Oct 2011 14:17:09 -0700

A New Internet-Draft is available from the on-line Internet-Drafts
directories.

      Title           : Mitigating Neighbor Discovery Based Denial of
Service Attacks
      Author(s)       : Joel M. Halpern
      Filename        : draft-halpern-6man-nddos-mitigation-00.txt
      Pages           : 6
      Date            : 2011-10-17

     It has been observed that with the large space of IPv6 addresses
     within a subnet, remote attackers can send packets that saturate a
     rotuers ND cache, and potentially saturate a subnet with ND
     Soliciation messages as well.  Some operational techniques and small
     protocol adjustments have been proposed that can help alleviate this
     problem.  This draft proposes a slightly more drastic optional
     behavior for routers, which can nearly eliminate this problem.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigat
ion-00.txt


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-halpern-6man-nddos-mitigati
on-00.txt

_______________________________________________


--------------------------------------------------------------------
IETF IPv6 working group mailing list ipv6@ietf.org Administrative
Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------