
Re: comments on draft-ietf-v6ops-v6inixp-01.txt

Hi,

On Wed, 29 Jul 2009 11:57:01 +0100
Nick Hilliard <nick@inex.ie> wrote:

> >> - I'm still wrangling with myself about the value of an ipv6 ND
> >> sponge. Is it better for an end-user DoS attacker to trash an ipv6
> >> lan by causing persistent icmp6 multicast flooding, or by filling
> >> up the ipv6 neighbor cache on all connected routers with ipv6
> >> address entries associated with the mac address of an ipv6 ND sponge?
> >> Has anyone actually measured this in practice? Is the reaction
> >> vendor specific? My worry is that attacks of this form will happen
> >> one day and right now we are not ready.

We've had a couple of students research this. The short summary is that
an ND sponge has less value than an ARP sponge. This is because, compared
to broadcast floods, flooded multicast frames not destined for the router
that receives them require little processing power. There are
differences per vendor though.
If you're interested, I can send you the full report.

Creating a DoS by filling up the cache on all routers with entries for
the sponge is a real risk. This can be mitigated by only sponging
addresses that are assigned to customers (or were in the past). Another
option is to implement the list of sponged addresses as a ring buffer,
where old entries are replaced by newer ones when the buffer is full.

> > so what you are proposing is that we should be able to limit the
> > number of IPv6 addresses for a given MAC address that is
> > advertised through ND to the switch in order to avoid the flooding
> > of unsolicited Neighbor advertisement messages that could
> > eventually fill someone's cache entries? Looks like a nice question
> > to the list.
> 
> It would be very nice to be able to limit this at the switch level.
> Dunno how you'd do it or anything, but there is a serious security
> concern here.

For ND, IPv6 unicast addresses are mapped to a multicast Ethernet
address. Depending on the addressing plan of the IXP, it might be
possible to use Layer-2 ACLs to only allow ND requests to multicast
group addresses that correspond to IPv6 addresses assigned to routers on
the platform.

Kind regards,
Martin
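The mapping Martin describes, worked through as an added example (not part of the original message or of the draft): a unicast IPv6 address maps to a solicited-node multicast group (RFC 4291), which maps to a 33:33:xx:xx:xx:xx Ethernet destination (RFC 2464), so the set of router addresses assigned on the peering LAN yields the set of destination MACs a Layer-2 ACL would need to permit for Neighbor Solicitations. The router addresses and frame destinations below are constructed sample values, and `nd_acl_allowlist`/`ns_permitted` are names chosen for this example.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291: ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of
    the unicast address. Several unicast addresses can share one group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def ipv6_multicast_to_mac(group: ipaddress.IPv6Address) -> str:
    """RFC 2464: Ethernet destination is 33:33 followed by the low 32 bits
    of the IPv6 multicast group address."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def nd_acl_allowlist(router_addrs) -> set:
    """Destination MACs that Neighbor Solicitations for the IXP's own
    router addresses will use; everything else can be filtered at L2."""
    return {ipv6_multicast_to_mac(solicited_node_multicast(a)) for a in router_addrs}


def ns_permitted(dst_mac: str, allowlist: set) -> bool:
    """Decision a Layer-2 ACL would make for a frame sent to a
    solicited-node group: permit only groups belonging to assigned addresses."""
    return dst_mac.lower() in allowlist


if __name__ == "__main__":
    # Constructed peering-LAN addressing plan (documentation prefix).
    routers = ["2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::a1b2:c3d4"]
    acl = nd_acl_allowlist(routers)
    print("permitted NS destinations:", sorted(acl))
    # Constructed frame destinations: one for an assigned address, one for an
    # address nobody on the platform holds (the case that would otherwise
    # fill neighbor caches or keep an ND sponge busy).
    for dst in ("33:33:ff:00:00:01", "33:33:ff:00:12:34"):
        print(dst, "permit" if ns_permitted(dst, acl) else "deny")
```

Because the group depends only on the low 24 bits, the ACL permits NS for any address sharing those bits with an assigned one; a sparse addressing plan keeps that overlap small.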