tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ndp

On 20/02/2013, at 1:52 PM, George Michaelson <> wrote:

> On Tue, 19 Feb 2013 09:23:44 -0300, Fernando Gont wrote:
>> even a remote address scanning attack might cause that as a side effect.
> I have accidentally participated in an apparent DoS like this, 

So, the slightly rhetorical question is, why do we have entries in the NDP 
cache for hosts that don't exist? 

I'm not 100% comfortable with cleanup threads and timers because they don't 
actually stop the data structure from becoming full, they just place a time 
limit on how long you can spend filling up the data structure. If incomplete or 
negative NDP entries were stored in a separate data structure from NDP cache, 
then a safer data structure could be used. An LRU cache or similar would result 
in entries being discarded when the cache is full rather than after a set time, 
but since this is only for incomplete or negative NDP entries, this is no great 
sin. An LRU cache would add a few cycles to the time taken for neighbour 
discovery, but that's no great sin either.

It should also be possible to borrow (very loosely) from the SYN cache & cookie 
hybrid to allow a fallback to some sort of stateless NDP. That would require 
more care and attention than I'm prepared to put into this email message though.


Home | Main Index | Thread Index | Old Index