[c-nsp] IPv6 nd table on the 6500

Saku Ytti saku at ytti.fi
Thu May 5 06:17:27 EDT 2011


On (2011-05-05 08:08 +0100), Phil Mayers wrote:

> I saw some IOS roadmap stuff for IPv6 ND DoS protection recently -
> 2-phase (1: global "prevent ND DoS", 2: per-interface "Prevent") so
> Cisco are at least aware of it.

It seems terribly complex to do right, since you'd indeed need, on the WAN side, a
policer for each LAN side subinterface, so each would get its own share of ND
punts. That can potentially be thousands of new policers.

But if hardware allows it, maybe two policers could go a long way: one policer
for resolved entries being refreshed and another for fresh entries. This way,
during an attack all old stuff would keep working, and new entries would come up
with delay. If you'd combine that with just a port based policer (not per
subinterface), then all LAN side initiated ND punts would work also; the only thing
that would be broken during an attack would be WAN side initiated ND punts for a fresh PC,
such as a syslog server which never speaks to the network and has a higher ND cache
timeout than the router.

Curiously, IOS is quite a bit more robust than JunOS, since IOS seems to refresh
entries (at least ARP) bidirectionally, so say when a linux PC every 60s tries to
re-ARP the cisco router, the cisco router would also then refresh its entry towards
the linux PC. JunOS appears not to do this, which makes it quite a bit more
vulnerable.


-- 
  ++ytti
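A toy model of the two-policer idea floated above, added here as an illustration and not code from the thread, from Cisco or from Juniper. It classifies each control-plane ND punt as either a refresh of an already resolved neighbour or a lookup for a never-seen address, and gives each class its own token bucket; the `shared=True` mode models the baseline of one policer for all punts. The addresses, rates and traffic pattern are constructed for the simulation.

```python
# Toy simulation of per-class ND punt policing (refresh vs. new entries).
# Constructed example, not IOS or JunOS code: addresses and rates are made up.
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Minimal token-bucket policer: `rate` tokens/s refill, `burst` depth."""
    rate: float
    burst: float

    def __post_init__(self):
        self.tokens = float(self.burst)  # start full
        self.last = 0.0                  # timestamp of last refill

    def allow(self, now):
        """Refill for elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class NdPuntPolicer:
    """Send each ND punt to the bucket for its class before it reaches the CPU."""

    def __init__(self, resolved, refresh_bucket, new_bucket, shared=False):
        self.resolved = set(resolved)            # neighbours already in the cache
        self.refresh_bucket = refresh_bucket
        # shared=True: a single policer for every punt (the baseline to compare)
        self.new_bucket = refresh_bucket if shared else new_bucket
        self.stats = {"refresh_ok": 0, "refresh_drop": 0, "new_ok": 0, "new_drop": 0}

    def punt(self, dst, now):
        cls = "refresh" if dst in self.resolved else "new"
        bucket = self.refresh_bucket if cls == "refresh" else self.new_bucket
        ok = bucket.allow(now)
        self.stats[f"{cls}_{'ok' if ok else 'drop'}"] += 1
        return ok


def run_simulation(shared):
    """One second of traffic: a stream of punts for unresolved addresses in the
    LAN prefix plus a steady trickle of refreshes for two known neighbours."""
    resolved = ["2001:db8:1::10", "2001:db8:1::20"]  # constructed cache contents
    policer = NdPuntPolicer(
        resolved,
        refresh_bucket=TokenBucket(rate=100, burst=10),
        new_bucket=TokenBucket(rate=50, burst=50),
        shared=shared,
    )
    for ms in range(1000):
        now = ms / 1000.0
        # one punt per millisecond for an address that has never been resolved
        policer.punt(f"2001:db8:1::f{ms:03x}", now)
        # every 10 ms one of the resolved neighbours needs its entry refreshed
        if ms % 10 == 0:
            policer.punt(resolved[(ms // 10) % 2], now)
    return policer.stats


if __name__ == "__main__":
    print("separate buckets:", run_simulation(shared=False))
    print("single bucket:   ", run_simulation(shared=True))
```

With separate buckets every refresh of an existing entry gets through while new lookups are rate limited; with one shared bucket the stream of new-address punts drains it and the refreshes for already-known neighbours are dropped alongside them, which is exactly the failure the per-class split is meant to avoid.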

