On Wed, Jul 3, 2019 at 5:14 PM Pascal Thubert (pthubert) <[email protected]> wrote:
> 6LoWPAN ND is immune to the remote DoS attacks on the ND cache, the ones
> coming from the outside of the subnet, i.e., from a place that is out of
> touch and virtually nowhere.
>
> This is because in an RFC 6775/8505-only network there is no reactive
> operation: a packet coming from the outside of the subnet for a node that
> is not registered to the router is just dropped, just like an AP does not
> copy a packet onto the wireless for a MAC that is not associated.

There are problems with registration-based models as well, though.

First, complexity. Recovering state in the presence of router crashes is complex. Also, depending on what guarantees the network needs to provide to hosts, a registration-based model will likely use more router memory in the common case where most hosts are well-behaved (because it cannot aggressively time out entries that, with classic ND, can simply be thrown away after a while).

Second, an explicit registration model where the router can refuse to create an address entry provides a supported path for operators to limit the number of IP addresses used by hosts, which has the negative consequences described in RFC 7934. In fact, such a model is explicitly NOT RECOMMENDED by RFC 7934 for general-purpose hosts. The relevant text is: "it is RECOMMENDED that the network give the host the ability to use new addresses without requiring explicit requests."
_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
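The two cache behaviours argued about above (reactive RFC 4861-style resolution that creates INCOMPLETE entries for packets arriving from outside the subnet, versus the RFC 6775/8505 registration model that simply drops packets for unregistered destinations) can be made concrete with a small model. The following is an added example, not code from the thread or from any router implementation; the entry budget, the prefix, the address sweep and the "garbage_collect" step are constructed assumptions chosen to show the trade-off both posters describe: the reactive cache can be filled from outside, the registration cache cannot, but registered entries are contractual and are not thrown away when memory is tight.

```python
"""Constructed model: reactive ND (RFC 4861) vs registration-based ND (RFC 6775/8505).

Added example for illustration only. It models just the router's cache-state
decision for a packet arriving from outside the subnet; capacity, prefix and
the attacker's address sweep are assumed values, not measurements.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class NeighborCache:
    """Router neighbor cache with a fixed entry budget (assumed capacity)."""
    capacity: int
    registration_based: bool
    entries: dict = field(default_factory=dict)   # address -> state
    dropped_unregistered: int = 0                 # packets dropped for unknown dst
    refused_resolution: int = 0                   # no room to start address resolution

    def register(self, addr: IPv6Address) -> bool:
        """Host-initiated registration (NS carrying an ARO). Only meaningful in
        the registration model; the router may refuse when it is out of room,
        which is exactly the RFC 7934 concern raised in the reply."""
        if not self.registration_based:
            return False
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[addr] = "REGISTERED"
        return True

    def on_packet_from_outside(self, dst: IPv6Address) -> str:
        """Decide what happens to a packet that arrives from outside the subnet."""
        if dst in self.entries:
            return "forward"
        if self.registration_based:
            # RFC 6775/8505: no reactive resolution, unknown dst is simply dropped
            # and no state is created, so the attacker cannot grow the cache.
            self.dropped_unregistered += 1
            return "drop"
        # Classic ND: create an INCOMPLETE entry, queue the packet, multicast NS.
        # Each off-subnet packet for an unused address costs a cache slot.
        if len(self.entries) >= self.capacity:
            self.refused_resolution += 1
            return "drop"
        self.entries[dst] = "INCOMPLETE"
        return "resolving"

    def garbage_collect(self) -> int:
        """Classic ND may throw away entries that never completed; registered
        entries are a promise to the host and stay. Returns entries removed."""
        stale = [a for a, s in self.entries.items() if s == "INCOMPLETE"]
        for a in stale:
            del self.entries[a]
        return len(stale)


def simulate(registration_based: bool, capacity: int = 64, attacker_sweep: int = 1000) -> dict:
    """Attacker outside the subnet sweeps unused addresses in the prefix, then a
    packet for a legitimate host arrives. Assumed: the legitimate host has no
    reactive entry yet (e.g. it timed out), but has registered where it can."""
    prefix = IPv6Network("2001:db8::/64")          # constructed documentation prefix
    legit = IPv6Address("2001:db8::1")             # constructed on-link host
    cache = NeighborCache(capacity=capacity, registration_based=registration_based)
    cache.register(legit)                          # no-op under classic ND
    for i in range(attacker_sweep):
        cache.on_packet_from_outside(prefix[0x10000 + i])   # unused addresses
    verdict = cache.on_packet_from_outside(legit)
    entries_during_attack = len(cache.entries)
    removed = cache.garbage_collect()
    return {
        "legit_verdict": verdict,
        "entries_during_attack": entries_during_attack,
        "refused_resolution": cache.refused_resolution,
        "dropped_unregistered": cache.dropped_unregistered,
        "entries_removed_by_gc": removed,
        "entries_after_gc": len(cache.entries),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("registration-based" if mode else "classic reactive ND", simulate(mode))
```

Under the classic model the sweep fills all 64 slots with INCOMPLETE entries and the legitimate host's packet is dropped because resolution cannot even start; under the registration model the router creates no state for the sweep and forwards to the registered host. The same run shows the reply's caveat: the reactive cache is emptied by `garbage_collect`, while the registered entry persists, and `register` returning `False` at capacity is the operator-controlled address limit that RFC 7934 warns against.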
