On 2012-06-22 09:13, Mark Felder wrote:
All someone out on the 'net needs to do is scan up through your address space on the link as quickly as possible, sending single packets at all the non-existent addresses on the link, and watch as your router CPU starts to churn keeping track of all the neighbor discovery messages, state table updates, and incomplete age-outs. With the link configured as a /126, there's a very small limit to the number of neighbor discovery messages, and the amount of state table that needs to be maintained and updated for each PtP link.
Yeah, I think we'll stick with our /126s.
This is ridiculous. You should be allocating all your PtP links out of a
single prefix protected by an ACL at your border. All packets to the PtP
prefix need to be dropped. You should be doing this no matter the size
of your PtP links. The attack is impossible with good operational practices.
Simon
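The following is an added model, not part of the thread, that puts numbers on both points above: how many neighbor-cache entries an external address sweep creates on a /64 versus a /126 point-to-point link, and what the border ACL that drops traffic to the PtP aggregate does to that count. The link prefixes, the PtP aggregate (2001:db8:ffff::/48) and the cache limit are constructed from the 2001:db8::/32 documentation range and are assumptions of the model only.

```python
import ipaddress
from typing import Optional, Tuple


class PtPRouter:
    """Router end of a point-to-point link. A packet to an on-link address that
    is not the router's own forces an INCOMPLETE neighbor-cache entry and a
    Neighbor Solicitation; that per-address state is what the sweep inflates."""

    def __init__(self, link: str, own: str, nd_cache_limit: Optional[int] = None):
        self.link = ipaddress.IPv6Network(link)
        self.own = ipaddress.IPv6Address(own)
        self.limit = nd_cache_limit          # None models an unbounded cache
        self.nd_cache = set()                # addresses awaiting resolution
        self.solicitations = 0

    def receive(self, dst: ipaddress.IPv6Address) -> str:
        if dst == self.own:
            return "delivered"
        if dst not in self.link:
            return "forwarded"               # not for this link, no ND state
        if self.limit is not None and dst not in self.nd_cache \
                and len(self.nd_cache) >= self.limit:
            return "nd-cache-full"           # platform-dependent failure mode
        self.nd_cache.add(dst)
        self.solicitations += 1
        return "nd-solicit"


def border_acl(dst: ipaddress.IPv6Address,
               ptp_aggregate: Optional[ipaddress.IPv6Network]) -> bool:
    """Border filter from Simon's reply: drop anything arriving from outside
    whose destination lies in the aggregate all PtP links are numbered from."""
    return ptp_aggregate is not None and dst in ptp_aggregate


def external_sweep(router: PtPRouter, ptp_aggregate: Optional[str],
                   first: str, count: int) -> Tuple[int, int]:
    """One packet to each of `count` consecutive addresses from `first`, as the
    quoted message describes. Returns (ND entries created, dropped at border)."""
    agg = ipaddress.IPv6Network(ptp_aggregate) if ptp_aggregate else None
    base = int(ipaddress.IPv6Address(first))
    dropped = 0
    for i in range(count):
        dst = ipaddress.IPv6Address(base + i)
        if border_acl(dst, agg):
            dropped += 1
            continue
        router.receive(dst)
    return len(router.nd_cache), dropped
```

Sweeping 1000 addresses from the link's network address yields 999 entries on the /64, 3 on the /126 (the four addresses of the /126 minus the router's own), and 0 on the /64 once the /48 aggregate is filtered at the border.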