Greetings,
On the heels of work on draft-ietf-6man-impatient-nud-02 and RFC 6583 the
authors have decided to take a look at their proposal for gratuitous neighbor
advertisement. We believe that this approach has the potential to ameliorate
some problems experienced today in large broadcast domains where control plane
processors may spend a significant chunk of their CPU cycles managing NDP even
under normal circumstances. There is some real world experience of meltdowns
not caused by deliberate DoS that we ascribe to the current handling of NDP, so
we'd like to see some additional effort in this area.
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Neighbor Discovery Enhancement for DoS mitigation
Author(s) : Warren Kumari
Filename : draft-gashinsky-6man-v6nd-enhance-01.txt
Pages : 10
Date : 2012-09-20
Abstract:
In IPv4, subnets are generally small, made just large enough to cover
the actual number of machines on the subnet. In contrast, the
default IPv6 subnet size is a /64, a number so large it covers
trillions of addresses, the overwhelming number of which will be
unassigned. Consequently, simplistic implementations of Neighbor
Discovery can be vulnerable to denial of service attacks whereby they
attempt to perform address resolution for large numbers of unassigned
addresses. Such denial of service attacks can be launched intentionally (by
an attacker), or result from legitimate operational tools that scan
networks for inventory and other purposes. As a result of these
vulnerabilities, new devices may not be able to "join" a network, it
may be impossible to establish new IPv6 flows, and existing IPv6
transported flows may be interrupted.
This document describes a modification to the [RFC4861] neighbor
discovery protocol aimed at improving the resilience of the neighbor
discovery process. We call this process Gratuitous Neighbor
Discovery; it derives inspiration in part from the analogous IPv4
gratuitous ARP implementation.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-gashinsky-6man-v6nd-enhance
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-gashinsky-6man-v6nd-enhance-01
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-gashinsky-6man-v6nd-enhance-01
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
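The abstract above describes the failure mode operators should watch for: a sweep of a /64 (hostile or from an inventory scanner) leaves the router's neighbor cache full of entries stuck in INCOMPLETE or FAILED, and new legitimate resolutions get starved. The following Python check is an added example, not part of the draft or of this announcement. It parses a constructed `ip -6 neigh show` snapshot (the addresses and states are made up for illustration) and flags an interface whose cache is dominated by unresolved entries that sit in a contiguous run of interface identifiers, which is what an address sweep looks like. The thresholds (`min_unresolved`, `max_ratio`, `min_sequential`) are assumptions to tune per network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip -6 neigh show` output (not captured from a real host).
# eth0 has been swept across a small range of unassigned addresses; eth1 is healthy.
SAMPLE_NEIGH_TABLE = """\
2001:db8:0:1::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:0:1::2 dev eth0 lladdr 00:11:22:33:44:02 STALE
2001:db8:0:1::3 dev eth0 lladdr 00:11:22:33:44:03 DELAY
2001:db8:0:1::1a2b dev eth0  INCOMPLETE
2001:db8:0:1::1a2c dev eth0  INCOMPLETE
2001:db8:0:1::1a2d dev eth0  FAILED
2001:db8:0:1::1a2e dev eth0  INCOMPLETE
2001:db8:0:1::1a2f dev eth0  INCOMPLETE
2001:db8:0:1::1a30 dev eth0  FAILED
2001:db8:0:1::1a31 dev eth0  INCOMPLETE
fe80::211:22ff:fe33:4402 dev eth1 lladdr 00:11:22:33:44:02 REACHABLE
2001:db8:0:2::5 dev eth1 lladdr 00:11:22:33:44:05 STALE
2001:db8:0:2::77 dev eth1  INCOMPLETE
"""

# One neighbor-table line: address, device, optional link-layer address,
# optional "router" flag, then the NUD state.
LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<lladdr>\S+))?(?: router)?\s+(?P<state>[A-Z]+)$"
)

# States in which the kernel has an entry but no link-layer address for it.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh_table(text):
    """Parse `ip -6 neigh show` style lines into dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # e.g. lines with flags this simple regex does not model
        entries.append(m.groupdict())
    return entries


def unresolved_by_interface(entries):
    """Return {dev: (unresolved_count, total_count)} for each interface."""
    total = defaultdict(int)
    unresolved = defaultdict(int)
    for e in entries:
        total[e["dev"]] += 1
        if e["state"] in UNRESOLVED:
            unresolved[e["dev"]] += 1
    return {dev: (unresolved[dev], total[dev]) for dev in total}


def sequential_fraction(addrs):
    """Fraction of adjacent (sorted) address pairs that differ by exactly one.

    A scanner walking a range produces values near 1.0; organic traffic to
    a handful of unrelated missing hosts produces values near 0.0.
    """
    ints = sorted(int(ipaddress.IPv6Address(a)) for a in addrs)
    if len(ints) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return adjacent / (len(ints) - 1)


def suspect_interfaces(entries, min_unresolved=5, max_ratio=0.5, min_sequential=0.8):
    """Interfaces whose cache is mostly unresolved entries in a contiguous run.

    Thresholds are assumptions for illustration; tune them to the size of the
    segments being monitored.
    """
    by_dev = defaultdict(list)
    for e in entries:
        if e["state"] in UNRESOLVED:
            by_dev[e["dev"]].append(e["addr"])
    counts = unresolved_by_interface(entries)
    suspects = []
    for dev, (bad, total) in sorted(counts.items()):
        if bad < min_unresolved or bad / total <= max_ratio:
            continue
        if sequential_fraction(by_dev[dev]) >= min_sequential:
            suspects.append(dev)
    return suspects


if __name__ == "__main__":
    table = parse_neigh_table(SAMPLE_NEIGH_TABLE)
    for dev, (bad, total) in unresolved_by_interface(table).items():
        print(f"{dev}: {bad}/{total} unresolved")
    print("suspect:", suspect_interfaces(table))
```

Run it against a live host by piping `ip -6 neigh show` into `parse_neigh_table`. The ratio alone is noisy on small segments (one missing host on a three-entry interface is 33% unresolved), which is why the sequential-run check is required before an interface is reported; on a real control plane the same numbers would typically come from the vendor's neighbor-cache counters rather than a text dump.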
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------