tech-net archive

introducing a limit for the number of prefixes/routes from RA (IPv6)
Hi,

at present, there is no limit to the number of prefixes (and thus, routes)
that an IPv6 autohost will accept via router advertisements.

If an attacker floods the net with random RA announcements, at several
thousand (for my laptop: 5000 and a bit) the machine slows down to the point
of not even updating the time any longer. As soon as the flood stops, at least
in the case I tested, the machine fully recovered (apart from very unseemly
ifconfig output, and ifconfig taking noticeable time to complete).
Daemons may not be coping with the number of addresses gracefully, either.

Limiting just the number of routes processed already fixes the slowdown,
but not the issues network programs may run into.

In order to deal with this, I propose to set a limit on the number of
prefixes and routes an autohost will accept. I name routes separately
since RFC4191 provides a mechanism for sending routes in addition to
prefixes; we do not yet support this but may do so in the future.

A proposed patch is at http://www.netbsd.org/~spz/rtadv-limit.diff

Comments? Improvements?

regards,
        spz
-- 
spz%serpens.de@localhost (S.P.Zeidler)
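An added example, not spz's patch and not NetBSD code: a capped RA prefix table in C that refreshes or withdraws an already known prefix without consuming a slot, and refuses new prefixes once the limit is reached so that a flood of random RAs cannot grow the table (and the route count) without bound. The structure names, the hard-coded limit and the 2001:db8:: sample prefixes are illustrative assumptions.

```c
/* Added example (not the proposed patch): bounded table of on-link prefixes
 * learned from router advertisements.  RA_PREFIX_MAX is an assumed cap; a real
 * implementation would make it tunable (e.g. via sysctl). */
#include <stdint.h>
#include <string.h>

#define RA_PREFIX_MAX 16

struct ra_prefix {
    uint8_t  addr[16];        /* IPv6 prefix bits */
    uint8_t  plen;            /* prefix length */
    uint32_t valid_lifetime;  /* seconds; 0 means "withdraw now" (RFC 4861) */
};

struct ra_prefix_table {
    struct ra_prefix ent[RA_PREFIX_MAX];
    int count;
    unsigned long dropped;    /* prefixes refused because the cap was reached */
};

/* Returns 1 if the prefix was added or refreshed, 0 if it was withdrawn,
 * -1 if it was refused because the table is full. */
int ra_prefix_update(struct ra_prefix_table *t, const uint8_t addr[16],
                     uint8_t plen, uint32_t valid_lifetime)
{
    for (int i = 0; i < t->count; i++) {
        struct ra_prefix *p = &t->ent[i];
        if (p->plen == plen && memcmp(p->addr, addr, 16) == 0) {
            if (valid_lifetime == 0) {           /* router withdrew the prefix */
                t->ent[i] = t->ent[--t->count];  /* swap last entry in, free slot */
                return 0;
            }
            p->valid_lifetime = valid_lifetime;  /* known prefix: refresh, no new slot */
            return 1;
        }
    }
    if (valid_lifetime == 0)
        return 0;                                /* unknown prefix, nothing to remove */
    if (t->count >= RA_PREFIX_MAX) {
        t->dropped++;                            /* cap reached: refuse and count it */
        return -1;
    }
    memcpy(t->ent[t->count].addr, addr, 16);
    t->ent[t->count].plen = plen;
    t->ent[t->count].valid_lifetime = valid_lifetime;
    t->count++;
    return 1;
}

/* Simulate n distinct /64 prefixes under 2001:db8::/32 (constructed sample
 * data) arriving via RA; returns how many the cap refused. */
unsigned long ra_prefix_flood(struct ra_prefix_table *t, int n)
{
    uint8_t addr[16] = { 0x20, 0x01, 0x0d, 0xb8 };
    for (int i = 0; i < n; i++) {
        addr[6] = (uint8_t)(i >> 8);
        addr[7] = (uint8_t)i;
        ra_prefix_update(t, addr, 64, 2592000);
    }
    return t->dropped;
}
```

With the flood the message describes (5000 distinct prefixes), all but RA_PREFIX_MAX are refused, while re-advertisements and withdrawals of prefixes already in the table are still honoured.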
