NIST IPv6 document
On Wed, Jan 5, 2011 at 13:14, Jeff Wheeler <jsw at inconcepts.biz> wrote:
> On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco at gmail.com> wrote:
> > Many would argue that the version of IP is irrelevant, if you are permitting
> > external hosts the ability to scan your internal network in an unrestricted
> > fashion (no stateful filtering or rate limiting) you have already lost, you
>
> How do you propose to rate-limit this scanning traffic? More router
> knobs are needed. This also does not solve problems with malicious
> hosts on the LAN.
>
Off the top of my head, maybe just slow down the generation of new NS
attempts when under attack (without impacting the NUD-based NS).
>
> A stateful firewall on every router interface has been suggested
> already on this thread. It is unrealistic.
>
> > Even granting that, for the sake of argument - it seems like it would not be
> > hard for $vendor to have some sort of "emergency garbage collection"
> > routines within their NDP implementations ... ?
>
> How do you propose the router know what entries are "garbage" and
> which are needed? Eliminating active, "good" entries to allow for
> more churn would make the problem much worse, not better.
Again, off the top of my head, maybe - when under duress - age out the
incomplete ND table entries faster.
/TJ
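The two mitigations TJ sketches above (throttle new Neighbor Solicitation generation while under attack without touching NUD probes, and age out INCOMPLETE neighbor-cache entries faster while under duress) are easier to reason about as a small state model. The following is an added example written for this archive page, not code from the thread, from TJ, or from any router vendor. Every threshold, timer and address in it is a constructed assumption (the 2001:db8::/32 documentation prefix is used for the addresses); the point is to show that a duress mode can starve scan-driven INCOMPLETE churn while leaving a resolved neighbor's NUD traffic and cache entry intact.

```python
"""
Toy model of an IPv6 router's neighbor cache with two "under duress" behaviours:
slow down new Neighbor Solicitation (NS) generation for unresolved addresses once
the INCOMPLETE population is large, leave NUD re-probes of resolved neighbors
alone, and age INCOMPLETE entries out faster while under duress. Every threshold
and timer here is a constructed assumption for illustration, not an RFC or
vendor default.
"""
from dataclasses import dataclass, field

INCOMPLETE_TIMEOUT_NORMAL = 3.0   # seconds an unresolved entry may linger normally
INCOMPLETE_TIMEOUT_DURESS = 0.5   # shortened timeout while under duress
DURESS_THRESHOLD = 8              # INCOMPLETE entries that flip the cache into duress
NS_BUDGET_NORMAL = 100            # new-address NS allowed per tick normally
NS_BUDGET_DURESS = 2              # new-address NS allowed per tick under duress


@dataclass
class Entry:
    state: str       # "INCOMPLETE" (NS sent, no NA yet) or "REACHABLE"
    created: float   # cache time when the entry was allocated


@dataclass
class NeighborCache:
    now: float = 0.0
    entries: dict = field(default_factory=dict)
    ns_sent_this_tick: int = 0
    ns_sent_total: int = 0
    ns_rate_limited: int = 0
    nud_probes_sent: int = 0

    def incomplete_count(self) -> int:
        return sum(1 for e in self.entries.values() if e.state == "INCOMPLETE")

    def under_duress(self) -> bool:
        return self.incomplete_count() >= DURESS_THRESHOLD

    def resolve(self, addr: str) -> bool:
        """A packet arrived for an on-link address with no cache entry.
        Returns True if a new NS was generated, False if it was rate-limited
        (or the address already has an entry, which needs no new NS here)."""
        if addr in self.entries:
            return False
        budget = NS_BUDGET_DURESS if self.under_duress() else NS_BUDGET_NORMAL
        if self.ns_sent_this_tick >= budget:
            self.ns_rate_limited += 1   # no NS, and no cache slot burned
            return False
        self.ns_sent_this_tick += 1
        self.ns_sent_total += 1
        self.entries[addr] = Entry("INCOMPLETE", self.now)
        return True

    def neighbor_advertised(self, addr: str) -> None:
        """A Neighbor Advertisement arrived: the entry becomes REACHABLE."""
        e = self.entries.get(addr)
        if e is not None:
            e.state = "REACHABLE"

    def nud_probe(self, addr: str) -> bool:
        """NUD re-probe of an already-resolved neighbor. Deliberately exempt
        from the duress budget so real neighbors keep working during a scan."""
        e = self.entries.get(addr)
        if e is None or e.state != "REACHABLE":
            return False
        self.nud_probes_sent += 1
        return True

    def tick(self, dt: float = 1.0) -> int:
        """Advance time, reset the per-tick NS budget, and expire INCOMPLETE
        entries with the shorter timeout if under duress. Returns how many
        entries were aged out; REACHABLE entries are never touched here."""
        self.now += dt
        self.ns_sent_this_tick = 0
        timeout = INCOMPLETE_TIMEOUT_DURESS if self.under_duress() else INCOMPLETE_TIMEOUT_NORMAL
        expired = [a for a, e in self.entries.items()
                   if e.state == "INCOMPLETE" and self.now - e.created >= timeout]
        for a in expired:
            del self.entries[a]
        return len(expired)


def simulate_scan(n_scanned: int) -> dict:
    """Constructed scenario: one real host gets resolved, then one tick's worth
    of traffic toward n_scanned unused addresses in the same /64 arrives, NUD
    re-probes the real host, and time advances by one tick."""
    cache = NeighborCache()
    real_host = "2001:db8::1"                       # constructed, documentation prefix
    cache.resolve(real_host)
    cache.neighbor_advertised(real_host)
    for i in range(n_scanned):
        cache.resolve(f"2001:db8::dead:{i:x}")      # constructed unused addresses
    duress = cache.under_duress()
    nud_ok = cache.nud_probe(real_host)
    aged_out = cache.tick(1.0)
    return {
        "duress_triggered": duress,
        "ns_sent": cache.ns_sent_total,
        "ns_rate_limited": cache.ns_rate_limited,
        "nud_probe_allowed": nud_ok,
        "aged_out": aged_out,
        "entries_left": len(cache.entries),
        "real_host_kept": real_host in cache.entries,
    }


if __name__ == "__main__":
    print(simulate_scan(50))
```

With 50 scanned addresses the model sends NS for the first eight, then rate-limits the remaining 42 without allocating cache slots, still answers the NUD probe for the resolved host, and on the next tick ages out all eight INCOMPLETE entries while keeping the REACHABLE one; with only three scanned addresses it never enters duress and uses the normal timeout. The choice of what counts as "duress" (here simply the INCOMPLETE count) is the part a real implementation would have to get right, since a threshold set too low would throttle legitimate first-contact traffic on a busy LAN.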