Re: Question about IPAM tools for v6

2014-01-31 Thread Alexandru Petrescu
On 31/01/2014 18:13, Fernando Gont wrote: Alex, On 01/31/2014 01:47 PM, Alexandru Petrescu wrote: It's as straightforward as this: whenever you're coding something, enforce limits. And set it to a sane default. And allow the admin to override it when necessary. I tend to agree, but I think

Re: Question about IPAM tools for v6

2014-01-31 Thread Alexandru Petrescu
Messages quoted for reference (if none, then end of message): On 31/01/2014 16:59, Fernando Gont wrote: On 01/31/2014 12:26 PM, Alexandru Petrescu wrote: And it's not just the NC. There are implementations that do not limit the number of addresses they configure, that do not limit the number

Re: Question about IPAM tools for v6

2014-01-31 Thread Alexandru Petrescu
On 31/01/2014 17:35, Fernando Gont wrote: On 01/31/2014 01:12 PM, Alexandru Petrescu wrote: This is not a problem of implementation, it is a problem of unspoken assumption that the subnet prefix is always 64. Do you know what they say assumptions? -- "It's the mother of all f* ups". It's

Re: Question about IPAM tools for v6

2014-01-31 Thread Alexandru Petrescu
Messages quoted for reference (if none, then end of message): On 31/01/2014 16:13, Fernando Gont wrote: On 01/31/2014 10:59 AM, Aurélien wrote: I personnally verified that this type of attack works with at least one major firewall vendor, provided you know/guess reasonably well the network b

Re: Question about IPAM tools for v6

2014-01-31 Thread Alexandru Petrescu
Messages quoted for reference (if none, then end of message): On 31/01/2014 14:07, Ole Troan wrote: Consensus around here is that we support DHCPv6 for non-/64 subnets (particularly in the context of Prefix Delegation), but the immediate next question is "Why would you need that?" /64 netmas

Question on DHCPv6 address assignment

2014-01-31 Thread Fernando Gont
Folks, I'm wondering about the following two aspects of different DHCPv6 implementations out there: 1) What's the pattern with which addresses are generated/assigned? Are they sequential (fc00::1, fc00::2, etc.)? Random? Something else? 2) What about their stability? Is there any intent/mechani
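The two properties Fernando asks about (assignment pattern and stability) are exactly what decides whether a DHCPv6 pool is cheap to scan. The script below is an added example, not part of the original post or of any DHCPv6 implementation: given a list of leased addresses and the pool prefix, it sorts the interface identifiers and classifies the pool as sequential, clustered or random, and reports the address span an attacker would have to probe to cover the observed leases. Both lease lists are constructed (fc00::/64 is used as an arbitrary ULA pool); the thresholds for "sequential" and "random" are assumptions chosen for illustration.

```python
"""Classify a DHCPv6 pool's assignment pattern from its leased addresses.

Added example; the lease lists below are constructed, not taken from any
server, and the classification thresholds are assumptions.
"""
import ipaddress
import random


def interface_ids(addresses, prefix):
    """Return the sorted IIDs (offset from the prefix) of the leased addresses."""
    net = ipaddress.IPv6Network(prefix)
    ids = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip not in net:
            raise ValueError(f"{a} is not inside {prefix}")
        ids.append(int(ip) - int(net.network_address))
    return sorted(ids)


def classify(addresses, prefix):
    """Sequential pools (fc00::1, ::2, ...) are scannable in a handful of probes;
    random 64-bit IIDs force an attacker to search the whole /64."""
    ids = interface_ids(addresses, prefix)
    if len(ids) < 2:
        return {"pattern": "unknown", "samples": len(ids)}
    gaps = [b - a for a, b in zip(ids, ids[1:])]
    unit_gap_fraction = sum(1 for g in gaps if g == 1) / len(gaps)
    probe_space = ids[-1] - ids[0] + 1          # addresses between lowest and highest lease
    iid_bits_used = max(ids).bit_length()       # how much of the 64-bit IID space is touched
    if unit_gap_fraction >= 0.8:                # assumed threshold
        pattern = "sequential"
    elif iid_bits_used >= 56:                   # assumed threshold: spread over nearly all 64 bits
        pattern = "random"
    else:
        pattern = "clustered"
    return {
        "pattern": pattern,
        "samples": len(ids),
        "unit_gap_fraction": unit_gap_fraction,
        "iid_bits_used": iid_bits_used,
        "probe_space": probe_space,
    }


# Constructed samples: a server handing out fc00::1, fc00::2, ... versus one
# drawing 64-bit random IIDs from the same /64.
POOL = "fc00::/64"
SEQUENTIAL_LEASES = [f"fc00::{i:x}" for i in range(1, 51)]
_rng = random.Random(7)
_net = ipaddress.IPv6Network(POOL)
RANDOM_LEASES = [str(_net[_rng.getrandbits(64)]) for _ in range(50)]

if __name__ == "__main__":
    print("sequential pool:", classify(SEQUENTIAL_LEASES, POOL))
    print("random pool:    ", classify(RANDOM_LEASES, POOL))
```

The "probe_space" figure is the practical takeaway: for the sequential pool it equals the number of leases handed out so far, so a scanner that guesses the pattern enumerates every client; for the random pool it is on the order of 2^64.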

RE: Question about IPAM tools for v6

2014-01-31 Thread Templin, Fred L
Hi Erik, > -----Original Message----- > From: Erik Kline [mailto:e...@google.com] > Sent: Friday, January 31, 2014 10:46 AM > To: Templin, Fred L > Cc: Nick Hilliard; Cricket Liu; ipv6-ops@lists.cluenet.de; > draft-carpenter-6man-wh...@tools.ietf.org; > Mark Boolootian > Subject: Re: Question abo

RE: Question about IPAM tools for v6

2014-01-31 Thread Templin, Fred L
> Not if you route a /64 to each host (the way 3GPP/LTE does for mobiles). :-) A /64 for each mobile is what I would expect. It is then up to the mobile to manage the /64 responsibly by either black-holing the portions of the /64 it is not using or by assigning the /64 to a link other than the se

RE: SI6 Networks' IPv6 Toolkit v1.5.2 released!

2014-01-31 Thread Templin, Fred L
Hi Fernando, I don't know if you are looking to add to your toolkit from outside sources, but Sascha Hlusiak has created a tool called 'isatapd' that sends RS messages to an ISATAP router and processes RA messages that come back: http://www.saschahlusiak.de/linux/isatap.htm Does this look like s

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 02:30 PM, Alexandru Petrescu wrote: > I tend to agree, but I think you talk about a different kind of limit. > This kind of limit to avoid memory overflow, thrashing, is not the > same > as to protect against security attacks. What's the difference between th

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
Alex, On 01/31/2014 01:47 PM, Alexandru Petrescu wrote: It's as straightforward as this: whenever you're coding something, enforce limits. And set it to a sane default. And allow the admin to override it when necessary. >>> >>> I tend to agree, but I think you talk about a different

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 01:02 PM, Alexandru Petrescu wrote: >>> Speaking of scalability - is there any link layer (e.g. Ethernet) that >>> supports 2^64 nodes in the same link? Any deployed such link? I >>> doubt so. >> Scan Google's IPv6 address space, and you'll find one. (scan6 of >>

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 01:12 PM, Alexandru Petrescu wrote: > >>> This is not a problem of implementation, it is a problem of unspoken >>> assumption that the subnet prefix is always 64. >> Do you know what they say assumptions? -- "It's the mother of all f* >> ups". >> >> It's as straightforward as this: w
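The guidance quoted back and forth in these replies (enforce a limit, ship a sane default, let the admin override it) is easy to state and easy to get subtly wrong. The model below is an added example, written for this page and not code from any IPv6 stack: a neighbor-cache-like table with a default cap, an optional admin override, and an eviction policy under which only unresolved (INCOMPLETE) entries are sacrificed to make room, so that a flood of packets to unused addresses in a /64 cannot push out real neighbors. The default of 1024 entries, the eviction policy and the 2001:db8::/64 prefix are assumptions; the simulated traffic is constructed.

```python
"""Bounded neighbor-cache table: enforce a limit, ship a sane default,
let the admin raise it.

Added illustration; not code from any IPv6 stack. The default limit,
the eviction policy and the traffic mix are assumptions.
"""
from collections import OrderedDict
import ipaddress
import random

DEFAULT_MAX_ENTRIES = 1024          # assumed sane default; real stacks pick their own
INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    def __init__(self, max_entries=DEFAULT_MAX_ENTRIES):
        # None means unbounded, which is the behaviour the thread warns about.
        if max_entries is not None and max_entries < 1:
            raise ValueError("max_entries must be >= 1, or None for unbounded")
        self.max_entries = max_entries
        self.entries = OrderedDict()    # address -> state, oldest first
        self.dropped = 0                # lookups refused because the table was full

    def lookup_or_create(self, addr, resolved=False):
        """Return True if addr now has an entry, False if it was refused."""
        if addr in self.entries:
            if resolved:
                self.entries[addr] = REACHABLE
            self.entries.move_to_end(addr)
            return True
        if self.max_entries is not None and len(self.entries) >= self.max_entries:
            # Assumed policy: only unresolved entries are evicted to make room, so
            # probes to never-seen addresses cannot displace resolved neighbors.
            if not self._evict_oldest_incomplete():
                self.dropped += 1
                return False
        self.entries[addr] = REACHABLE if resolved else INCOMPLETE
        return True

    def _evict_oldest_incomplete(self):
        for addr, state in self.entries.items():
            if state == INCOMPLETE:
                del self.entries[addr]
                return True
        return False


def simulate(max_entries, n_probes=5000, seed=1):
    """Ten resolved neighbors, then n_probes packets to unused addresses in a /64."""
    rng = random.Random(seed)
    net = ipaddress.IPv6Network("2001:db8::/64")    # documentation prefix, constructed
    cache = NeighborCache(max_entries)
    legit = [net[i] for i in range(1, 11)]
    for a in legit:
        cache.lookup_or_create(a, resolved=True)
    for _ in range(n_probes):
        # Random IID >= 2^16 so the probes never coincide with the ten real hosts.
        cache.lookup_or_create(net[rng.randrange(1 << 16, 1 << 64)])
    return {
        "size": len(cache.entries),
        "dropped": cache.dropped,
        "legit_survived": all(cache.entries.get(a) == REACHABLE for a in legit),
    }


if __name__ == "__main__":
    for limit in (None, DEFAULT_MAX_ENTRIES, 10):
        print("limit", limit, simulate(limit))
```

With no limit the table grows by one entry per probe, which is the memory-exhaustion case; with the default it plateaus at 1024 and the ten resolved neighbors are untouched; with an over-tight override of 10 every probe is refused but the real neighbors still survive, which is the failure mode an admin override should have.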

SI6 Networks' IPv6 Toolkit v1.5.2 released!

2014-01-31 Thread Fernando Gont
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, [I had forgotten to send a heads-up to this list -- hopefully some of you will find this useful] This is not meant to be a "big release", but it does fix some issues present in previous versions, and adds some new features (please find the cha

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 12:26 PM, Alexandru Petrescu wrote: >> >> And it's not just the NC. There are implementations that do not limit >> the number of addresses they configure, that do not limit the number of >> entries in the routing table, etc. > > There are some different needs with this limitation. >

graphic display of IPv6 table

2014-01-31 Thread Antonio Prado
hello, anyone aware of a tool like ASpath-tree for IPv6 table? thank you -- antonio

Re: Neighbor Cache Exhaustion, was Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 11:16 AM, Enno Rey wrote: > Hi Guillaume, > > willing to share your lab setup / results? We did some testing > ourselves in a Cisco-only setting and couldn't cause any problems. > [for details see here: > http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-a

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 09:33 AM, Mohacsi Janos wrote: > >> On 29/01/2014 22:19, Cricket Liu wrote: >>> Consensus around here is that we support DHCPv6 for non-/64 subnets >>> (particularly in the context of Prefix Delegation), but the immediate >>> next question is "Why would you need that?" >> >> /64 netm

Re: Question about IPAM tools for v6

2014-01-31 Thread Fernando Gont
On 01/31/2014 10:59 AM, Aurélien wrote: > > I personnally verified that this type of attack works with at least one > major firewall vendor, provided you know/guess reasonably well the > network behind it. (I'm not implying that this is a widespread attack type). > > I also found this paper: http

Neighbor Cache Exhaustion, was Re: Question about IPAM tools for v6

2014-01-31 Thread Enno Rey
Hi Guillaume, willing to share your lab setup / results? We did some testing ourselves in a Cisco-only setting and couldn't cause any problems. [for details see here: http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1/] After th

Re: Question about IPAM tools for v6

2014-01-31 Thread Aurélien
On Fri, Jan 31, 2014 at 2:07 PM, Ole Troan wrote: > >> Consensus around here is that we support DHCPv6 for non-/64 subnets > >> (particularly in the context of Prefix Delegation), but the immediate > >> next question is "Why would you need that?" > > > > /64 netmask opens up nd cache exhaustion a

Re: show ipv6 destination cache on BSD host

2014-01-31 Thread Ignatios Souvatzis
On Thu, Jan 30, 2014 at 09:20:18PM +0100, Matjaz Straus Istenic wrote: > On 30. jan. 2014, at 21:13, Nick Hilliard wrote: > > > ndp -an > Well, this is for local IPv6 ND cache only. I'm looking for a command to > display the _destination_ cache in order to check for changed Path MTU. Rui's > su

Re: Question about IPAM tools for v6

2014-01-31 Thread Ole Troan
>> Consensus around here is that we support DHCPv6 for non-/64 subnets >> (particularly in the context of Prefix Delegation), but the immediate >> next question is "Why would you need that?" > > /64 netmask opens up nd cache exhaustion as a DoS vector. FUD. cheers, Ole signature.asc Descriptio

Re: Question about IPAM tools for v6

2014-01-31 Thread Mohacsi Janos
On Fri, 31 Jan 2014, Nick Hilliard wrote: On 29/01/2014 22:19, Cricket Liu wrote: Consensus around here is that we support DHCPv6 for non-/64 subnets (particularly in the context of Prefix Delegation), but the immediate next question is "Why would you need that?" /64 netmask opens up nd ca

Re: Question about IPAM tools for v6

2014-01-31 Thread Nick Hilliard
On 29/01/2014 22:19, Cricket Liu wrote: > Consensus around here is that we support DHCPv6 for non-/64 subnets > (particularly in the context of Prefix Delegation), but the immediate > next question is "Why would you need that?" /64 netmask opens up nd cache exhaustion as a DoS vector. Nick
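Whether one calls the /64 neighbor-cache exhaustion vector real or FUD, the operational question is how you would notice it on a router or firewall. The script below is an added example, not part of this thread or of any vendor's tooling: it parses the line format of Linux iproute2 `ip -6 neigh show` (address, `dev`, optional `lladdr`, optional `router`, state) and raises an alarm per interface when a large number and a large share of entries are unresolved (INCOMPLETE or FAILED), which is the signature of a scan across unused addresses in a /64. The sample output is constructed, the interface names and prefixes are arbitrary, and the alarm thresholds are assumptions to be tuned for a given box.

```python
"""Flag neighbor-cache exhaustion from `ip -6 neigh show` output.

Added example; the sample output below is constructed, not captured from a
real host, and the alarm thresholds are assumptions.
"""
import re
from collections import defaultdict

# Line shape of iproute2 `ip -6 neigh show`:
#   <addr> dev <ifname> [lladdr <mac>] [router] <STATE>
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:.]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<lladdr>\S+))?(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$"
)
UNRESOLVED = {"INCOMPLETE", "FAILED"}   # entries created by traffic to hosts that never answered


def parse_neigh(text):
    """Return one dict per parseable line; unknown lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exhaustion_report(text, ratio_threshold=0.5, min_unresolved=16):
    """Per-interface counts plus an alarm when unresolved entries dominate.

    Both thresholds are assumptions: the absolute floor avoids alarming on a
    quiet link with two stale entries, the ratio catches the scan pattern.
    """
    per_dev = defaultdict(lambda: {"total": 0, "unresolved": 0})
    for e in parse_neigh(text):
        d = per_dev[e["dev"]]
        d["total"] += 1
        if e["state"] in UNRESOLVED:
            d["unresolved"] += 1
    for d in per_dev.values():
        d["ratio"] = d["unresolved"] / d["total"]
        d["alarm"] = d["unresolved"] >= min_unresolved and d["ratio"] >= ratio_threshold
    return dict(per_dev)


# Constructed sample: a healthy management interface (eth1) and an interface
# facing a /64 that is being swept (eth0).
_healthy = [
    "fe80::1 dev eth1 lladdr 00:00:5e:00:53:01 router REACHABLE",
    "2001:db8:2::10 dev eth1 lladdr 00:00:5e:00:53:10 STALE",
]
_attacked = [
    "fe80::1 dev eth0 lladdr 00:00:5e:00:53:02 router REACHABLE",
    "2001:db8:1::20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE",
] + [f"2001:db8:1::{i:x} dev eth0  INCOMPLETE" for i in range(0x1000, 0x1018)] \
  + [f"2001:db8:1::{i:x} dev eth0  FAILED" for i in range(0x2000, 0x2008)]
SAMPLE_OUTPUT = "\n".join(_healthy + _attacked) + "\n"

if __name__ == "__main__":
    for dev, report in sorted(exhaustion_report(SAMPLE_OUTPUT).items()):
        print(dev, report)
```

On a real system feed it `ip -6 neigh show` from a cron job or a collector; a sustained alarm on the interface that faces an Internet-reachable /64, while the resolved entries stay constant, is the pattern to look for.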

Re: Question about IPAM tools for v6

2014-01-31 Thread Cricket Liu
Hi Mark. On Jan 29, 2014, at 11:07 AM, Mark Boolootian wrote: >> Can anyone say whether existing IP Address Management tools that >> support IPv6 have built-in assumptions or dependencies on the >> /64 subnet prefix length, or whether they simply don't care about >> subnet size? > > We use Info