Occasionally the subject comes up: /64 (and SLAAC) is bad because it is
easy to DoS routers by getting them to perform too much ND.
At least in theory this seems to be a valid complaint. A router can (and
should) carefully allocate resources for ND to avoid having ND interfere with
other parts of the
Hi,
So what I was thinking of, what if a router that is under attack would
periodically multicast to the all-nodes multicast address a message saying
help I'm under attack. Upon receiving such a message all nodes send a
neighbor solicitation to the router. This populates the router's neighbor
In your letter dated Tue, 12 Jul 2011 11:22:06 +0200 you wrote:
I have thought about this too. I wouldn't even mind if this became
(configurable) default behaviour. One thing though: all nodes should
send neighbour solicitations for each IPv6 address they are listening
on.
I was thinking
On Tue, 2011-07-12 at 11:22 +0200, Sander Steffann wrote:
So what I was thinking of, what if a router that is under attack would
The router would need to know that it was under attack. That could be
quite a complicated heuristic. It seems to me that it is simpler to
treat ND slot exhaustion as
* Philip Homburg:
So what I was thinking of, what if a router that is under attack would
periodically multicast to the all-nodes multicast address a message
saying help I'm under attack. Upon receiving such a message all
nodes send a neighbor solicitation to the router. This populates the
I have no objections with moving it to Standards Track.
Regards,
Brian
On 7/11/11 6:12 PM, Brian E Carpenter wrote:
Does anyone object to switching this draft from BCP to Standards Track?
(See Pete Resnick's comments below.)
It is on this Thursday's IESG agenda.
Brian Carpenter
In your letter dated Tue, 12 Jul 2011 22:34:53 +1000 you wrote:
The router would need to know that it was under attack. That could be
quite a complicated heuristic. It seems to me that it is simpler to
treat ND slot exhaustion as the problem, and not worry too much about
the cause.
First, let me
In your letter dated Tue, 12 Jul 2011 12:40:12 + you wrote:
* Philip Homburg:
So what I was thinking of, what if a router that is under attack would
periodically multicast to the all-nodes multicast address a message
saying help I'm under attack. Upon receiving such a message all
nodes
In your letter dated Tue, 12 Jul 2011 13:22:32 + you wrote:
* Philip Homburg:
Two, a NS doesn't require the router to maintain any state. The router
just stores the IPv6 address and the MAC in the table and sends an NA.
Huh? If this isn't state, then what is it?
It is state, but it is not
* Philip Homburg:
First, let me make clear that I was thinking about remote attacks.
How would a remote attack work?
I think that's the most serious problem. If you have malicious hosts
directly attached you have bigger problems, and you have to use either
SeND or L2 filtering.
On its own,
we had a couple of suggestions.
http://www.ietf.org/id/draft-gashinsky-v6nd-enhance-00.txt
On Jul 12, 2011, at 1:48 AM, Philip Homburg wrote:
Occasionally the subject comes up: /64 (and SLAAC) is bad because it is
easy to DoS routers by getting them to perform too much ND.
At least in theory
In your letter dated Tue, 12 Jul 2011 13:31:23 + you wrote:
* Philip Homburg:
First, let me make clear that I was thinking about remote attacks.
How would a remote attack work?
You send a stream of packets directed to a particular /64 but you make sure
that each packet has a different
In your letter dated Tue, 12 Jul 2011 06:45:59 -0700 you wrote:
we had a couple of suggestions.
http://www.ietf.org/id/draft-gashinsky-v6nd-enhance-00.txt
Yes, but I prefer something triggered by a router than just requiring
hosts to do something occasionally on their own.
In your letter dated Tue, 12 Jul 2011 08:17:31 -0700 you wrote:
The problem in my opinion is not that the router isn't sending enough
messages. It's sending too many for its own purposes.
keeping existing known hosts in the cache and learning new ones in the
face of resource exhaustion is
You can find the current agenda at:
http://www.ietf.org/proceedings/81/agenda/6man.html
I think we were able to accommodate the requests we received.
Bob
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative
On Jul 12, 2011, at 10:04 AM, Philip Homburg wrote:
In your letter dated Tue, 12 Jul 2011 06:45:59 -0700 you wrote:
we had a couple of suggestions.
http://www.ietf.org/id/draft-gashinsky-v6nd-enhance-00.txt
Yes, but I prefer something triggered by a router then just requiring
host to do
In your letter dated Tue, 12 Jul 2011 12:09:03 -0400 you wrote:
You can't have two-party communication have only one part (the router)
perform all the actions.
So, in my proposal, the router sends out a request for help. And all of its
neighbors respond with a Neighbor Solicitation.
Is there a
On Jul 12, 2011, at 9:39 AM, Philip Homburg wrote:
In your letter dated Tue, 12 Jul 2011 12:09:03 -0400 you wrote:
You can't have two-party communication have only one part (the router)
perform all the actions.
So, in my proposal, the router sends out a request for help. And all of its
In your letter dated Tue, 12 Jul 2011 09:56:33 -0700 you wrote:
On Jul 12, 2011, at 9:39 AM, Philip Homburg wrote:
What does that mean? Each time I connect my laptop to a network, an
operator shows up from behind the bushes and configures the right parameters?
first off, beaconing is clearly
Keeping the scope on this part only...
On Jul 12, 2011, at 1:31 PM, Philip Homburg wrote:
You have 6000 hosts that wake up after a power failure and they just randomly
multicast to the all-routers address?
I think this is just an example, it's also IMHO a test that means you read the
draft
On 07/12/2011 01:48, Philip Homburg wrote:
So what I was thinking of, what if a router that is under attack would
periodically multicast to the all-nodes multicast address a message saying
help I'm under attack. Upon receiving such a message all nodes send a
neighbor solicitation to the
Hi Doug,
I like this idea, and would like to suggest that we name it the HHIBR
packet.
Doug (Help, help! I'm being repressed!)
Well, this is all about the violence inherent in the system! ;-)
Sander
On Jul 12, 2011, at 4:48 AM, Philip Homburg wrote:
Occasionally the subject comes up: /64 (and SLAAC) is bad because it is
easy to DoS routers by getting them to perform too much ND.
I suppose the same might be true of ARP. Has it been observed in the wild?
I suppose the same might be true of ARP. Has it been observed in the wild?
Suppose a simple attack of:
For each address A in subnet,
Compose packet with source=local and dest=A
Send packet to router
In a typical IPv4 subnet, the loop will run 255 times.
On Jul 12, 2011, at 1:39 PM, Fred Baker wrote:
On Jul 12, 2011, at 4:48 AM, Philip Homburg wrote:
Occasionally the subject comes up: /64 (and SLAAC) is bad because it is
easy to DoS routers by getting them to perform too much ND.
I suppose the same might be true of ARP. Has it been observed
In your letter dated Tue, 12 Jul 2011 20:52:11 + you wrote:
On the other hand, there are many ways for a local host to DOS a local
router. I am not sure that this specific one is particularly practical, or
worrisome.
I guess I should have been way more explicit that I was thinking about
IMHO I think this would be a vector for other attacks in ND.
You may solve a remote attack but you are opening the door to local
attacks, and big ones I think.
Regards,
.as
On 12 Jul 2011, at 04:48, Philip Homburg wrote:
So what I was thinking of, what if a router that is
Message: 9
Date: Tue, 12 Jul 2011 13:50:16 -0400
From: Jared Mauch <ja...@puck.nether.net>
To: Philip Homburg <pch-6...@u-1.phicoh.com>
Cc: ipv6@ietf.org
Subject: Re: /64 ND DoS
Message-ID: <c9769852-ffd4-415a-930d-f149dc30f...@puck.nether.net>
Content-Type: text/plain; charset=us-ascii
I think this
From: pch-b2b3a6...@u-1.phicoh.com [mailto:pch-b2b3a6...@u-1.phicoh.com] On
Behalf Of Philip Homburg
In your letter dated Tue, 12 Jul 2011 20:52:11 + you wrote:
On the other hand, there are many ways for a local host to DOS a local
router. I am not sure that this specific one is
On Tue, 12 Jul 2011, Fred Baker wrote:
I suppose the same might be true of ARP. Has it been observed in the wild?
Yes. At Interop they had this exact problem because they had huge subnets
(/16 or something, I don't know exactly, they had a /8 so they could
afford it), and they had to make