On 01/28/10 04:53 AM, Mark Smith wrote:

Setting maximums for the incomplete neighbor cache entry was my
first thought. The drawback I'd be concerned about is that if that
limit is e.g. 1000, and an attacker fills it up, then subsequent
legitimate requests get dropped. I'm hoping we can come up with a
simple and smart way, using existing mechanisms as much as possible, to
discriminate between legitimate and illegitimate NSes, based on
something that the downstream hosts can provide, that doesn't
involve basically setting a lower point where a NS DoS can be triggered.

To do this you need to be able to tell the difference between a good and a bad (unresolvable) address. But you have no a priori knowledge to tell them apart.

Instead of a simple threshold the effect of having too many incomplete NCEs could be to effectively reduce the time until the incomplete NCEs time out. Thus instead of blocking the creation of new NCEs, discard the oldest incomplete NCE. That will favor the good ones as long as the load doesn't get so high that the lifetime of an incomplete NCE drops below the RTT of the LAN; in that case not even the good ones will see a NA before they are thrown away.

But one could also potentially create the NCE when a NA is received even if there is no longer an incomplete NCE around. I haven't looked into this in detail.

   Erik
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
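The two policies Erik contrasts above, a hard threshold on INCOMPLETE entries versus evicting the oldest INCOMPLETE entry when the table is full, as an added toy simulation. This is my illustration, not kernel or IETF code: the table size, the abstract address ids, the attack rate and the RTT are all constructed, and the normal INCOMPLETE timeout is left out so the eviction behaviour stands alone. The scenario is the one from the thread: a flood of NSes toward addresses nobody will answer, plus one legitimate resolution whose NA comes back one RTT later.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a router's INCOMPLETE neighbor cache. Addresses are
 * abstract integer ids; "seq" records the order in which NSes were sent. */
#define TABLE_SIZE 8
#define LEGIT_TARGET 42          /* the one address a real neighbor answers */

typedef struct {
    uint32_t target;             /* 0 = empty slot */
    uint32_t seq;                /* monotonic send order of the NS */
} nce_t;

typedef struct {
    nce_t slots[TABLE_SIZE];
    bool evict_oldest;           /* false: hard threshold, true: evict oldest */
    uint32_t rejected, evicted;
} cache_t;

static void cache_init(cache_t *c, bool evict_oldest) {
    memset(c, 0, sizeof *c);
    c->evict_oldest = evict_oldest;
}

/* Outbound traffic needs `target` resolved: create an INCOMPLETE entry.
 * Returns true if an entry is now pending, false if the request was refused. */
static bool nce_request(cache_t *c, uint32_t target, uint32_t seq) {
    int free_i = -1;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (c->slots[i].target == target) return true;   /* already pending */
        if (c->slots[i].target == 0 && free_i < 0) free_i = i;
    }
    if (free_i >= 0) { c->slots[free_i] = (nce_t){target, seq}; return true; }
    if (!c->evict_oldest) { c->rejected++; return false; }  /* threshold hit */
    int oldest = 0;              /* table is full, so every slot is occupied */
    for (int i = 1; i < TABLE_SIZE; i++)
        if (c->slots[i].seq < c->slots[oldest].seq) oldest = i;
    c->slots[oldest] = (nce_t){target, seq};
    c->evicted++;
    return true;
}

/* A Neighbor Advertisement for `target` arrives. Returns true if it matched a
 * pending INCOMPLETE entry (which would become REACHABLE), false if that entry
 * is already gone, the case Erik's last paragraph leaves open. */
static bool nce_advertise(cache_t *c, uint32_t target) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (c->slots[i].target == target) { c->slots[i].target = 0; return true; }
    return false;
}

typedef struct { bool admitted, resolved; uint32_t rejected, evicted; } result_t;

/* One scenario: `attack_rate` NSes per tick toward unanswerable targets, and a
 * single legitimate request whose NA returns after `rtt` ticks. */
static result_t simulate(bool evict_oldest, uint32_t attack_rate, uint32_t rtt) {
    cache_t c;
    cache_init(&c, evict_oldest);
    uint32_t seq = 1, bogus = 1000;          /* bogus ids are never answered */
    /* tick 0: the flood has been running, so the table already holds junk */
    for (uint32_t i = 0; i < attack_rate; i++) nce_request(&c, bogus++, seq++);
    /* tick 1: a legitimate packet triggers resolution of LEGIT_TARGET */
    result_t r = {0};
    r.admitted = nce_request(&c, LEGIT_TARGET, seq++);
    /* the flood continues for one RTT while the legitimate NS is in flight */
    for (uint32_t t = 0; t < rtt; t++)
        for (uint32_t i = 0; i < attack_rate; i++) nce_request(&c, bogus++, seq++);
    /* the real neighbor answers one RTT after being asked */
    r.resolved = nce_advertise(&c, LEGIT_TARGET);
    r.rejected = c.rejected;
    r.evicted = c.evicted;
    return r;
}

int main(void) {
    struct { const char *name; bool evict; uint32_t rate, rtt; } cases[] = {
        { "threshold, flood >= table size", false, 8, 1 },
        { "evict-oldest, lifetime > RTT",   true,  2, 3 },
        { "evict-oldest, lifetime < RTT",   true,  4, 3 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        result_t r = simulate(cases[i].evict, cases[i].rate, cases[i].rtt);
        printf("%-34s admitted=%d resolved=%d rejected=%u evicted=%u\n",
               cases[i].name, r.admitted, r.resolved, r.rejected, r.evicted);
    }
    return 0;
}
```

With a hard threshold the legitimate request is refused outright once the flood has filled the table. With oldest-first eviction it is admitted and, at the lower rate, still present when its NA arrives; at the higher rate the flood pushes it out before the RTT elapses, which is exactly the limit Erik describes: the effective INCOMPLETE lifetime becomes TABLE_SIZE divided by the arrival rate, and once that drops below the LAN RTT even good entries are gone before their NA comes back.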
