tech-net archive
Re: introducing a limit for the number of prefixes/routes from RA (IPv6)
On Wed, May 11, 2011 at 06:33:29PM +0800, Dennis Ferguson wrote:
> While I only know enough to be dangerous, the problem is really unlikely
> to be routes (i.e. things installed in the routing table) per se. 5000
> was a relatively reasonable number of routes 20 years ago when machines
> running this code were way, way slower than they are now. I commonly test
> the kernel routing table with a 1 million prefix dump obtained from someone's
> core router.
As I see it the original problem (a host accepting any random prefixes from
spoofed RAs) is not only the slowdown; it's also that you end up with
an interface with a very large number of IPv6 addresses. This is not
only a performance issue, but also a connectivity DoS. A configurable
limit on this will restrict the effect of the DoS, and ease the job of
the human who will have to clean up the mess ...
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
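
A minimal model of the configurable limit argued for in the message above, as an added example that is not NetBSD's code or part of the original message. The names (`MAX_RA_PREFIXES`, `ra_prefix_input`, `simulate_flood`) and the table layout are hypothetical, and the advertised prefixes are constructed from the 2001:db8::/32 documentation range.

```c
#include <stdint.h>
#include <string.h>
#define MAX_RA_PREFIXES 4   /* hypothetical tunable standing in for the configurable limit */

struct ra_prefix {
    uint8_t  addr[16];       /* IPv6 prefix bytes */
    uint8_t  plen;           /* prefix length in bits */
    uint32_t valid_lifetime; /* seconds, as carried in the RA prefix option */
};

struct ifprefixes {
    struct ra_prefix tab[MAX_RA_PREFIXES];
    unsigned count;          /* prefixes currently accepted on this interface */
    unsigned dropped;        /* new prefixes refused because the table was full */
};

enum ra_result { RA_ADDED, RA_REFRESHED, RA_DROPPED };

/* Accept one advertised prefix; refuse new entries once the limit is reached. */
enum ra_result ra_prefix_input(struct ifprefixes *ifp, const uint8_t addr[16],
                               uint8_t plen, uint32_t lifetime)
{
    for (unsigned i = 0; i < ifp->count; i++) {
        struct ra_prefix *p = &ifp->tab[i];
        if (p->plen == plen && memcmp(p->addr, addr, 16) == 0) {
            p->valid_lifetime = lifetime;  /* already known: refresh, never grow */
            return RA_REFRESHED;
        }
    }
    if (ifp->count >= MAX_RA_PREFIXES) {
        ifp->dropped++;                    /* counter an administrator can watch */
        return RA_DROPPED;
    }
    struct ra_prefix *p = &ifp->tab[ifp->count++];
    memcpy(p->addr, addr, 16);
    p->plen = plen;
    p->valid_lifetime = lifetime;
    return RA_ADDED;
}

/* Constructed input: one base prefix, then n distinct prefixes derived from it. */
unsigned simulate_flood(struct ifprefixes *ifp, unsigned n)
{
    uint8_t a[16] = { 0x20, 0x01, 0x0d, 0xb8 };
    ra_prefix_input(ifp, a, 64, 86400);
    for (unsigned i = 1; i <= n; i++) {
        a[6] = (uint8_t)(i >> 8);
        a[7] = (uint8_t)i;
        ra_prefix_input(ifp, a, 64, 86400);
    }
    return ifp->count;       /* never exceeds MAX_RA_PREFIXES */
}
```

The cap bounds how many addresses the interface can accumulate but does not decide which prefixes are legitimate, so entries admitted before the limit was reached still need the manual cleanup the message mentions.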