On Fri, Jan 31, 2014 at 2:07 PM, Ole Troan <[email protected]> wrote:
> >> Consensus around here is that we support DHCPv6 for non-/64 subnets
> >> (particularly in the context of Prefix Delegation), but the immediate
> >> next question is "Why would you need that?"
> >
> > /64 netmask opens up nd cache exhaustion as a DoS vector.
>
> FUD.

Hi Ole,

I personally verified that this type of attack works with at least one major firewall vendor, provided you know/guess reasonably well the network behind it. (I'm not implying that this is a widespread attack type).

I also found this paper:
http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

I'm looking for other information sources, do you know other papers dealing with this problem? Why do you think this is FUD?

Thanks,
--
Aurélien Guillaume
