Pascal Thubert (pthubert) <[email protected]> wrote:
    > 6LoWPAN ND is immune to the remote DOS attacks on the ND cache, the
    > ones coming from the outside of the subnet, i.e., from a place that is
    > out of touch and virtually nowhere.

    > This is because in an RFC 6775/8505-only network, there is no reactive
    > operation, a packet coming from the outside of the subnet for a node
    > that is not registered to the router is just dropped. Just like an AP
    > does not copy a packet on the wireless for a MAC that is not
    > associated.

There are a few attacks on the ND cache that I can think of.
One of them that we see on the IETF network is the script kiddies who
sequentially scan IP addresses.  We have a lot of them, and so we flood the
wifi with ARP queries (v4) and NS (v6).  We have mitigations for this.

In the route-over 6tisch/RPL space, we don't (as you indicate) use NS from the
router; we know who is on our network, so we would just have no /128 routes
and just drop the packets.  Is this the attack that you are speaking of as a
remote DOS?

    > Your point below remains correct, since the attack you describe is from
    > a node that reaches the router at L2. Arguably, that attack is
    > physically much harder to perform than the DOS packet from outer
    > space.

When I mentioned attacks on the ND cache, I am referring to those that can
occur from within the 6tisch network from malicious pledge nodes.  We have to
limit the NCE usage by untrusted nodes so that we have space for as many
registered nodes as possible.
I think you are agreeing with me above.

I believe that the issue that Jen is describing would occur for unaware leaves
that were sleepy.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
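The contrast drawn in this thread, a reactive ND cache that a sequential address scan fills with INCOMPLETE entries and NS traffic versus an RFC 6775/8505 router that holds NCEs only for registered nodes, drops everything else without soliciting, and caps the NCEs an untrusted pledge may hold, as an added Python model; this is not code from the thread or from any RFC implementation, and the prefix, cache size, node names and quota are constructed.

```python
"""Registration-only (RFC 6775/8505) vs. reactive ND caches under an address
scan, plus an NCE quota for untrusted pledges; only on-prefix destinations are
modelled. Added example, not code from the thread or any RFC implementation."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

PREFIX = IPv6Network("2001:db8::/64")  # constructed documentation prefix
CACHE_SIZE = 8                          # constructed: tiny, so a scan visibly fills it

@dataclass
class ReactiveRouter:
    """Classic RFC 4861: an unknown on-link destination creates an INCOMPLETE
    entry and sends a multicast NS on the wireless, whoever the sender is."""
    cache: dict = field(default_factory=dict)
    ns_sent: int = 0

    def forward(self, dst: str) -> str:
        addr = IPv6Address(dst)
        if addr in self.cache:
            return "delivered"
        if len(self.cache) >= CACHE_SIZE:
            return "cache-full"  # legitimate neighbours now starve
        self.cache[addr] = "INCOMPLETE"
        self.ns_sent += 1
        return "ns-sent"

@dataclass
class RegistrationRouter:
    """RFC 8505: NCEs exist only for nodes that registered with NS(EARO);
    any other on-prefix destination is dropped and no NS is ever sent."""
    cache: dict = field(default_factory=dict)  # addr -> (owner, trusted)
    quota_untrusted: int = 2  # NCEs one not-yet-verified pledge may hold

    def register(self, addr: str, owner: str, trusted: bool) -> str:
        held = sum(1 for o, t in self.cache.values() if o == owner and not t)
        if not trusted and held >= self.quota_untrusted:
            return "rejected"  # quota keeps room for registered nodes
        if len(self.cache) >= CACHE_SIZE:
            return "cache-full"
        self.cache[IPv6Address(addr)] = (owner, trusted)
        return "registered"

    def forward(self, dst: str) -> str:
        return "delivered" if IPv6Address(dst) in self.cache else "dropped"

def scan(router, n: int) -> list:
    """Constructed: a sequential scan of ::1 .. ::n on the prefix, as seen
    by the router; the reactive one solicits, the registration one drops."""
    base = int(PREFIX.network_address)
    return [router.forward(str(IPv6Address(base + i))) for i in range(1, n + 1)]
```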


_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
