[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: introducing a limit for the number of prefixes/routes from RA (IPv6)
In article <iqdgq4$hhs$1%serpens.de@localhost>, S.P.Zeidler
>at present, there is no limit to the number of prefixes (and thus, routes=
>that a IPv6 autohost will accept via router advertisements.
>If an attacker floods the net with random RA announcements, at several
>thousand (for my laptop: 5000 and a bit) the machine slows down to not
>even updating time any longer. As soon as the flood stops, at least in th=
>case I tested, the machine fully recovered (apart from very unseemly
>ifconfig output, and ifconfig taking noteable time to complete).
>Daemons may not be coping with the number of addresses gracefully, too.
>Limiting just the number of routes processed already fixes the slowdown,
>but not the issues network programs may run into.
>In order to deal with this, I propose to set a limit on the number of
>prefixes and routes an autohost will accept. I name routes separately
>since RFC4191 provides a mechanism for sending routes additionally to
>prefixes; we do not yet support this but may do so in the future.
>A proposed patch is at http://www.netbsd.org/~spz/rtadv-limit.diff
I would also add a sysctl to print the current numroutes.
Main Index |
Thread Index |