> > So I pretty strongly disagree about your statement. Repetitively
> > sweeping an IPv6 network to DoS/DDoS the ND protocol thereby flooding
> > the ND cache/LRUs could be extremely effective and if not paid
> > serious attention will cause serious issues.
> >
>
> Yes.... This is an issue for point-to-point links but using a longer
> prefix (/126 or similar) has been suggested as a mitigation for this
> sort of attack.
>
> I would assume that in the LAN scenario where you have a /64 for your
> internal network that you would have some sort of stateful firewall
> sitting in front of the network to stop any un-initiated sessions. This
> therefore stops any hammering of ND cache etc. The argument then is
> that the number of packets hitting your firewall / bandwidth starvation
> would be the alternative line of attack for a DoS/DDoS but that is a
> completely different issue.
>
So for /64 subnets used for point-to-points you disable ND, configure static neighbors and that's the end of it. No ND DDoS.
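The cache-exhaustion argument in this thread, as an added toy model that is not code from the thread or from any real IPv6 stack: a router interface's neighbor cache with LRU eviction of dynamic entries, run against an address sweep under three settings (dynamic ND on a /64, ND disabled with a static neighbor on a /64, and dynamic ND on a /126). Prefixes, the link-layer address and the cache capacity are constructed values (2001:db8::/32 and 00:00:5E:00:53:xx are documentation ranges).

```python
import ipaddress
from collections import OrderedDict


class NeighborCache:
    """Toy model of one interface's IPv6 neighbor cache (constructed; not real stack code)."""

    def __init__(self, prefix, capacity, nd_enabled=True):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.capacity = capacity          # max dynamic entries before LRU eviction
        self.nd_enabled = nd_enabled      # False models "disable ND, static neighbors only"
        self.entries = OrderedDict()      # addr -> (state, lladdr), least recently used first
        self.solicitations = 0            # Neighbor Solicitations the router had to send

    def add_static(self, addr, lladdr):
        self.entries[ipaddress.IPv6Address(addr)] = ("STATIC", lladdr)

    def learn(self, addr, lladdr):
        """Dynamic entry completed by a Neighbor Advertisement from a real neighbor."""
        self.entries[ipaddress.IPv6Address(addr)] = ("REACHABLE", lladdr)

    def forward(self, dst):
        """Handle one packet destined to dst; returns what the router did with it."""
        dst = ipaddress.IPv6Address(dst)
        if dst not in self.prefix:
            return "off-link"
        if dst in self.entries:
            self.entries.move_to_end(dst)           # refresh LRU position
            return "delivered"
        if not self.nd_enabled:
            return "dropped"                        # no resolution attempted, no state created
        dynamic = [a for a, (state, _) in self.entries.items() if state != "STATIC"]
        if len(dynamic) >= self.capacity:
            del self.entries[dynamic[0]]            # evict least recently used dynamic entry
        self.entries[dst] = ("INCOMPLETE", None)    # state created on behalf of the sender
        self.solicitations += 1
        return "soliciting"


def sweep(cache, count):
    """Send one packet to each of the first `count` addresses of the link prefix."""
    first = int(cache.prefix.network_address)
    for i in range(min(count, cache.prefix.num_addresses)):
        cache.forward(ipaddress.IPv6Address(first + i))
    return cache.solicitations


def legit_still_cached(cache, addr):
    state = cache.entries.get(ipaddress.IPv6Address(addr), (None, None))[0]
    return state in ("STATIC", "REACHABLE")
```

With ND enabled on the /64 the legitimate peer's entry is evicted partway through the sweep and must be re-resolved; with a static neighbor and ND disabled the sweep creates no state at all, and on a /126 the sweep cannot exceed four addresses.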