
IPv6 Network Device Numbering BP

On 11/1/12 2:01 PM, Owen DeLong wrote:
> There are better ways to avoid neighbor exhaustion attacks unless you have attackers
> inside your network.
All of the migrations are compromises of one sort or another. We thought
this one was important enough to include in an informational status
RFC (6583).

Which approach is most appropriate (and whether it's necessary at all) 
will depend on the circumstances involved.
> If you have attackers inside your network, you probably have bigger problems than
> neighbor table attacks anyway, but that's a different issue.
> Even if you're going to do something silly like use /120s on interfaces, I highly
> recommend going ahead and reserving the enclosing /64 so that when you discover
> /120 wasn't the best idea, you can easily retrofit.
The problem isn't silly; I didn't find it all that funny when I first
induced it in the lab.
> Owen
> On Nov 1, 2012, at 12:58 , David Miller <dmiller at tiggee.com> wrote:
>> On 11/1/2012 1:59 PM, Valdis.Kletnieks at vt.edu wrote:
>>> On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
>>>> We use a /120 subnet for servers to prevent the NDP cache
>>>> exhaustion attack. We do maintain a mapping between IPv4 and IPv6
>>>> addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex
>>>> value of the last octet of the IPv4 address.
>>> ooh.. that's a clever approach I hadn't seen before.  Who should we
>>> credit for this one?
>> /120 works well until you get > 99 (if you want the decimal
>> representations of addresses to look the same)... or if your techs
>> understand hex.
>> <-> 2001:db8:vv:ww::7b
>> I have used /116 in the past.  This gives you 1-fff at the end.
>> <-> 2001:db8:vv:ww::123
>> Hopefully, this is future proof(ish) in that IPv6 only hosts (...when
>> that happens...) on the same subnet can use
>> 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with
>> IPv4/IPv6 hosts.
>> -DMM
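The two numbering schemes quoted above (Miquel's /120 "hex value of the last octet" and David's /116 "decimal digits reused as hex digits"), worked through as an added example that is not code from any of the posters. The prefix 2001:db8:11:22::/64 is a constructed stand-in for 2001:db8:vv:ww::/64. It also goes slightly beyond the thread by computing how many on-link addresses a given prefix length exposes to a neighbor-cache exhaustion attempt, which is the property the small prefixes are meant to bound, and by checking David's observation that the ::a00-::fff suffixes can never collide with a mapped IPv4 host.

```python
# Added example for the numbering schemes discussed in the thread; not code
# from any poster. The /64 below is constructed, standing in for
# 2001:db8:vv:ww::/64.
import ipaddress

SUBNET64 = ipaddress.IPv6Network("2001:db8:11:22::/64")  # constructed prefix


def last_octet(ipv4: str) -> int:
    """Return the final octet of a dotted-quad IPv4 address as an int."""
    return int(ipaddress.IPv4Address(ipv4)) & 0xFF


def hex_octet_address(ipv4: str, prefix=SUBNET64) -> ipaddress.IPv6Address:
    """/120 scheme: suffix is the hex value of the last octet (123 -> ::7b)."""
    return prefix.network_address + last_octet(ipv4)


def decimal_lookalike_address(ipv4: str, prefix=SUBNET64) -> ipaddress.IPv6Address:
    """/116 scheme: the decimal digits are written as hex digits (123 -> ::123),
    so the IPv6 address "looks the same" as the IPv4 one to a human."""
    return prefix.network_address + int(str(last_octet(ipv4)), 16)


def lookalike_fits(octet: int, prefixlen: int) -> bool:
    """Does the look-alike suffix for this octet fit in a prefix of this length?
    In a /120 only 0..99 fit: 0x99 = 153 < 256, but 0x100 = 256 does not."""
    return int(str(octet), 16) < 2 ** (128 - prefixlen)


def addresses_per_subnet(prefixlen: int) -> int:
    """Number of on-link addresses a remote sender could target, i.e. the upper
    bound on neighbor-cache entries an NDP exhaustion attempt can provoke on a
    router for that subnet (2**64 for a /64, 256 for a /120, 4096 for a /116)."""
    return 2 ** (128 - prefixlen)


def reserved_for_ipv6_only(addr: ipaddress.IPv6Address, prefix=SUBNET64) -> bool:
    """In the /116 scheme a decimal octet (0..255) can only yield suffixes
    ::0-::255, so ::a00-::fff are collision-free for IPv6-only hosts."""
    suffix = int(addr) - int(prefix.network_address)
    return 0xA00 <= suffix <= 0xFFF


if __name__ == "__main__":
    for v4 in ("192.0.2.7", "192.0.2.99", "192.0.2.123"):
        print(v4, "->", hex_octet_address(v4), "|", decimal_lookalike_address(v4))
    for plen in (64, 116, 120):
        print(f"/{plen}: {addresses_per_subnet(plen)} on-link addresses")
```

Running it shows 192.0.2.123 mapping to ::7b under the /120 scheme and to ::123 under the /116 scheme, and makes the trade-off concrete: a /64 leaves 2**64 addresses for a neighbor-cache flood to aim at, while a /116 or /120 caps the table at 4096 or 256 entries at the cost of the "reserve the enclosing /64" retrofit advice given earlier in the thread.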