[AusNOG] Sunday afternoon light reading - "Mitigating IPv6 Router Neighbor Cache DoS Using Stateless Neighbor Discovery"

Mark ZZZ Smith markzzzsmith at yahoo.com.au
Sun Oct 7 12:11:40 EST 2012


IPv6's neighbor cache (equivalent to IPv4's ARP cache) is vulnerable to a denial of service attack, as a consequence of the large size of IPv6's subnets (/64s).

I really like the operational convenience of large and fixed-size subnets (fewer prefix length errors, no renumbering or secondary subnets to support more hosts on the link, etc.), so I'm suggesting the following method of mitigating the DoS for routers. I thought the Ausnog community might be interested to have a look.


----- Forwarded Message -----
> From: "internet-drafts at ietf.org" <internet-drafts at ietf.org>
> To: markzzzsmith at yahoo.com.au
> Cc: 
> Sent: Sunday, 7 October 2012 11:41 AM
> Subject: New Version Notification for draft-smith-6man-mitigate-nd-cache-dos-slnd-00.txt
> A new version of I-D, draft-smith-6man-mitigate-nd-cache-dos-slnd-00.txt
> has been successfully submitted by Mark Smith and posted to the
> IETF repository.
> Filename:     draft-smith-6man-mitigate-nd-cache-dos-slnd
> Revision:     00
> Title:        Mitigating IPv6 Router Neighbor Cache DoS Using Stateless Neighbor Discovery
> Creation date: 2012-10-07
> WG ID:        Individual Submission
> Number of pages: 9
> URL:          http://www.ietf.org/internet-drafts/draft-smith-6man-mitigate-nd-cache-dos-slnd-00.txt
> Status:       http://datatracker.ietf.org/doc/draft-smith-6man-mitigate-nd-cache-dos-slnd
> Htmlized:     http://tools.ietf.org/html/draft-smith-6man-mitigate-nd-cache-dos-slnd-00
> Abstract:
>    The IPv6 neighbor discovery cache is vulnerable to a Denial of
>    Service attack that purposely exhausts the state used during the
>    neighbor discovery address resolution process.  This can be very
>    disruptive when a router is successfully attacked.
>    This memo proposes a stateless form of neighbor discovery to be used
>    by routers to eliminate the opportunity for this DoS attack.  This
>    method of stateless neighbor discovery would be used for unknown or
>    untrusted packet sources, when the router's neighbor cache's state
>    capacity reaches a medium to high threshold of use.  Trusted packet
>    sources would continue to be provided with traditional stateful
>    neighbor discovery.
> The IETF Secretariat
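As an added illustration, not part of Mark's post or of the draft text, here is a small Python model of the policy the abstract describes: a router neighbor cache of bounded capacity that keeps RFC 4861 stateful resolution (an INCOMPLETE entry per solicited address) for trusted sources, but switches to stateless solicitation (send the NS, keep no entry, do not queue the packet) for unknown or untrusted sources once the cache passes a fill threshold. The 0.8 threshold, the "trusted source = own site prefix" rule, the capacity of 100 entries, all addresses (2001:db8:: documentation space) and the retransmission behaviour are constructed assumptions for the model, not values from the draft. The comparison shows the failure mode a plain router hits when a burst toward unused addresses fills the cache, and what is preserved under the threshold policy.

```python
import ipaddress
from collections import OrderedDict


class NeighborCache:
    """Router neighbor cache with an optional stateless-ND policy (constructed model)."""

    def __init__(self, capacity, threshold=None, trusted_sources=()):
        self.capacity = capacity
        # threshold: fill fraction above which untrusted sources get stateless ND;
        # None models a plain RFC 4861 router. Assumed knob, not taken from the draft.
        self.threshold = threshold
        self.trusted = [ipaddress.ip_network(p) for p in trusted_sources]
        self.entries = OrderedDict()  # on-link address -> RFC 4861 state
        self.stats = {"forwarded": 0, "queued": 0, "stateful_ns": 0,
                      "stateless_ns": 0, "dropped_full": 0}

    def is_trusted(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.trusted)

    def fill_ratio(self):
        return len(self.entries) / self.capacity

    def handle(self, src, dst):
        """A packet from src arrives for on-link dst; return the router's action."""
        if self.entries.get(dst) == "REACHABLE":
            self.stats["forwarded"] += 1
            return "forwarded"
        if dst in self.entries:  # INCOMPLETE: resolution already in progress
            self.stats["queued"] += 1
            return "queued"
        if (self.threshold is not None
                and self.fill_ratio() >= self.threshold
                and not self.is_trusted(src)):
            # Stateless ND: solicit dst but keep no INCOMPLETE entry and do not
            # queue the triggering packet (assumed reading of the abstract).
            self.stats["stateless_ns"] += 1
            return "stateless_ns"
        if len(self.entries) >= self.capacity:
            self.stats["dropped_full"] += 1  # the failure mode the draft targets
            return "dropped_full"
        self.entries[dst] = "INCOMPLETE"
        self.stats["stateful_ns"] += 1
        return "stateful_ns"

    def advertisement(self, addr):
        """NA from a real host: complete an INCOMPLETE entry, or create one
        for a stateless solicitation if there is room."""
        if addr in self.entries or len(self.entries) < self.capacity:
            self.entries[addr] = "REACHABLE"
            return True
        return False


def unused_burst(cache, src, prefix, count):
    """Constructed burst from src toward `count` never-answering addresses in prefix."""
    net = ipaddress.ip_network(prefix)
    tally = {}
    for i in range(count):
        dst = str(net.network_address + 0x10000 + i)
        action = cache.handle(src, dst)
        tally[action] = tally.get(action, 0) + 1
    return tally


def scenario(threshold):
    """Burst from an untrusted source, then legitimate traffic to hosts that exist."""
    cache = NeighborCache(capacity=100, threshold=threshold,
                          trusted_sources=["2001:db8:1::/48"])  # constructed "own site" prefix
    link = "2001:db8:1:5::/64"                                  # constructed attached /64
    out = {"burst": unused_burst(cache, "2001:db8:2::1", link, 150)}  # off-site source
    # Two legitimate flows to hosts that really exist: each host answers the NS
    # and the sender retransmits once (constructed behaviour).
    for label, src, host in (("trusted", "2001:db8:1:1::50", "2001:db8:1:5::10"),
                             ("untrusted", "2001:db8:2::7", "2001:db8:1:5::20")):
        first = cache.handle(src, host)
        if first.endswith("_ns"):
            cache.advertisement(host)
        out[label] = (first, cache.handle(src, host))
    out["entries"] = len(cache.entries)
    return out


if __name__ == "__main__":
    for t in (None, 0.8):
        print("threshold", t, scenario(t))
```

With no threshold the 150-address burst fills all 100 slots with INCOMPLETE entries, and both later legitimate flows are dropped for lack of cache room. With the 0.8 threshold the burst stops consuming state at 80 entries; the trusted source still gets a stateful entry, and the untrusted source toward a real host is solicited statelessly and gets an entry only once the host's advertisement proves it exists.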
