tech-net archive


Re: introducing a limit for the number of prefixes/routes from RA (IPv6)



On Wed, May 11, 2011 at 06:33:29PM +0800, Dennis Ferguson wrote:
> While I only know enough to be dangerous, the problem is really unlikely
> to be routes (i.e. things installed in the routing table) per se.  5000
> was a relatively reasonable number of routes 20 years ago when machines
> running this code were way, way slower than they are now.  I commonly test
> the kernel routing table with a 1 million prefix dump obtained from someone's
> core router.

As I see it the original problem (a host accepting any random prefixes from
spoofed RAs) is not only the slowdown; it's also that you end up with
an interface with a very large number of IPv6 addresses. This is not
only a performance issue, but also a connectivity DoS. A configurable
limit on this will restrict the effect of the DoS, and ease the job of
the human who will have to clean up the mess ...

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
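As an added illustration of the limit Manuel proposes above (example code written for this archive page, not NetBSD's nd6 kernel code or rtadvd), the following Python models a host's SLAAC handling of Router Advertisements with a configurable cap on the number of autoconf prefixes installed per interface, and replays a spoofed-router flood against it with and without the cap. The RA packets are constructed inline (ICMPv6 type 134 with Prefix Information Options per RFC 4861); the checksum is left zero because the example works above the wire. The cap value of 16, the class and function names, and the 2001:db8::/32 prefixes are assumptions of this example, not a sysctl or default that NetBSD defines.

```python
import struct
import ipaddress

ICMPV6_RA = 134          # ICMPv6 Router Advertisement (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3      # Prefix Information Option (RFC 4861 section 4.6.2)
PIO_FLAG_A = 0x40        # autonomous address-configuration flag in the PIO


def build_ra(prefixes, valid=2592000, preferred=604800):
    """Construct an RA carrying one PIO (L and A flags set) per prefix string.
    Constructed test input: checksum field is zero, not computed."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer  (16 bytes)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type, length (in 8-octet units), prefix length, L|A flags,
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            0xC0, valid, preferred, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra_prefixes(pkt):
    """Walk the RA options and return (prefix, plen, autonomous, valid) tuples."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    found = []
    off = 16
    while off + 2 <= len(pkt):
        otype, olen8 = pkt[off], pkt[off + 1]
        if olen8 == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard packet
        olen = olen8 * 8
        if off + olen > len(pkt):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, flags, valid, _preferred = struct.unpack_from("!BBII", pkt, off + 2)
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            found.append((prefix, plen, bool(flags & PIO_FLAG_A), valid))
        off += olen                                  # unknown options are skipped
    return found


class SlaacInterface:
    """Per-interface autoconf state with a configurable prefix cap.
    The cap is the knob discussed in the thread; its name here is ours."""

    def __init__(self, max_prefixes=None):
        self.max_prefixes = max_prefixes   # None = unlimited, the uncapped behaviour
        self.prefixes = {}                 # (prefix, plen) -> valid lifetime
        self.rejected = 0                  # PIOs refused because of the cap

    def process_ra(self, pkt):
        accepted = 0
        for prefix, plen, autonomous, valid in parse_ra_prefixes(pkt):
            if not autonomous or plen != 64 or prefix.is_link_local:
                continue                   # not usable for SLAAC (RFC 4862 5.5.3)
            key = (prefix, plen)
            if key in self.prefixes:
                self.prefixes[key] = valid  # refresh of a known prefix: never capped
                accepted += 1
                continue
            if valid == 0:
                continue                   # a new prefix with zero lifetime is ignored
            if self.max_prefixes is not None and len(self.prefixes) >= self.max_prefixes:
                self.rejected += 1         # the cap bounds the damage and is countable
                continue
            self.prefixes[key] = valid
            accepted += 1
        return accepted

    def address_count(self):
        # one SLAAC address per prefix with a stable interface identifier;
        # temporary addresses (RFC 4941) would multiply this further
        return len(self.prefixes)


def simulate_flood(n_prefixes, max_prefixes, per_ra=32):
    """Spoofed-router flood of n_prefixes distinct /64s, 32 PIOs per RA
    (16 + 32 * 32 = 1040 bytes, under the 1280-byte IPv6 minimum MTU).
    Returns (addresses installed on the interface, PIOs refused by the cap)."""
    ifp = SlaacInterface(max_prefixes)
    prefixes = [f"2001:db8:{i >> 16:x}:{i & 0xffff:x}::/64" for i in range(n_prefixes)]
    for i in range(0, len(prefixes), per_ra):
        ifp.process_ra(build_ra(prefixes[i:i + per_ra]))
    return ifp.address_count(), ifp.rejected


if __name__ == "__main__":
    for cap in (None, 16):
        installed, dropped = simulate_flood(5000, cap)
        print(f"cap={cap}: {installed} addresses on the interface, {dropped} prefixes refused")
```

Without a cap the 5000 spoofed prefixes become 5000 addresses on one interface, which is the connectivity problem described above; with the cap only the first 16 are installed and the rest are counted rather than configured, so the operator has both a bounded mess and a number to go looking for the rogue router with. Refreshes of prefixes that are already installed bypass the cap, so a legitimate router's periodic RAs keep working while the flood is underway.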

