[c-nsp] IPv6 CoPP

Mack McBride mack.mcbride at viawest.com
Thu Jan 3 13:08:23 EST 2013


The 24-39 bits are generally not an issue if you are deploying in a rational manner for the 6500/7600 platform.
I.e. don't use addresses with those bits set.  Your carriers won't, so why should you?
All of the caveats for IPv4 apply to IPv6.

As for the attack vectors against a 6500/7600, the attacks are mostly neighbor discovery related.
Neighbor discovery attacks are bad on most platforms.
The solution we use is to limit the size of subnets switched by the box.
This breaks things that depend on auto-configuration, but we don't do auto-configuration for public customer space.  That is statically assigned.

If you have to use auto-configuration, then don't use the PFC3-based supervisors, or use DHCP.

LR Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Hilliard
Sent: Saturday, December 29, 2012 2:27 PM
To: amps at djlab.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPv6 CoPP

On 29/12/2012 14:15, Randy wrote:
> Any caveats in ipv6?  (The routers use sup7203bxl supervisors).

oh man, sup720 + ipv6.  what a world of pain.

You could start out here:

http://www.cesnet.cz/doc/techzpravy/2010/ipv6-copp/

Just be aware that some of their configurations don't actually work because (as ++ytti has previously noted on this mailing list) they haven't taken sup720 ipv6 acl address compression into account:

http://goo.gl/TTzkw

i.e. you can have either layer 4 port information in your acl and choose to lose bits 24-39 in the ipv6 address, or else you can have all ipv6 bits, but no ports specified.

Beware also:

- ipv6 multicast (pain++ on sup720)
- ipv6 fragments (not supported in sup720 acls)
- ipv6 urpf

All things considered, it's not really a good idea to run ipv6 on a production pfc3 based box (e.g. sup720 / rsp720).  It opens up too many DoS / performance vectors.

Nick

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
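The two points above (Nick's caveat that a sup720 ACL entry with layer-4 ports loses bits 24-39 of the address, and Mack's advice not to deploy addresses with those bits set) turn into a pre-deployment check. This is an added example, not code from either poster; it assumes bits are numbered from the most significant bit (bit 0 = MSB, as in prefix notation) and uses constructed documentation-space prefixes.

```python
import ipaddress
from itertools import combinations

# Bits the thread reports as lost in a compressed sup720/PFC3 IPv6 ACL entry.
# Assumption: bit 0 is the most significant bit of the 128-bit address.
LOST_BITS = range(24, 40)
FULL = (1 << 128) - 1


def lost_mask() -> int:
    """128-bit mask with a 1 in every position the compressed entry ignores."""
    mask = 0
    for bit in LOST_BITS:
        mask |= 1 << (127 - bit)
    return mask


def has_lost_bits_set(net: ipaddress.IPv6Network) -> bool:
    """True if the prefix relies on a non-zero value in bits 24-39."""
    return (int(net.network_address) & lost_mask()) != 0


def compressed_key(net: ipaddress.IPv6Network):
    """(address, mask) the entry effectively matches on once bits 24-39 are dropped."""
    keep = FULL & ~lost_mask()
    return int(net.network_address) & keep, int(net.netmask) & keep


def audit(prefixes):
    """Flag prefixes with lost bits set and pairs an ACL could no longer tell apart."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    flagged = [str(n) for n in nets if has_lost_bits_set(n)]
    collisions = [(str(a), str(b)) for a, b in combinations(nets, 2)
                  if compressed_key(a) == compressed_key(b)]
    return {"flagged": flagged, "collisions": collisions}


# Constructed sample: the first two differ only in bits 32-39, so a port-carrying
# ACL entry for one would also match the other; the last has bits 24-39 all zero.
SAMPLE = ["2001:db8:1234::/48", "2001:db8:ff34::/48",
          "2001:db8:1256::/48", "2001:0:34::/48"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```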


