tech-net archive


Re: introducing a limit for the number of prefixes/routes from RA (IPv6)



In article <iqdgq4$hhs$1%serpens.de@localhost>, S.P.Zeidler 
<spz%serpens.de@localhost> wrote:
>Hi,
>
>at present, there is no limit to the number of prefixes (and thus, routes)
>that an IPv6 autohost will accept via router advertisements.
>
>If an attacker floods the net with random RA announcements, at several
>thousand (for my laptop: 5000 and a bit) the machine slows down to not
>even updating time any longer. As soon as the flood stops, at least in the
>case I tested, the machine fully recovered (apart from very unseemly
>ifconfig output, and ifconfig taking noticeable time to complete).
>Daemons may not be coping with the number of addresses gracefully, either.
>
>Limiting just the number of routes processed already fixes the slowdown,
>but not the issues network programs may run into.
>
>In order to deal with this, I propose to set a limit on the number of
>prefixes and routes an autohost will accept. I name routes separately
>since RFC4191 provides a mechanism for sending routes additionally to
>prefixes; we do not yet support this but may do so in the future.
>
>A proposed patch is at http://www.netbsd.org/~spz/rtadv-limit.diff

I would also add a sysctl to print the current numroutes.

christos
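The cap Zeidler proposes and the counter christos asks for, as an added example that is neither NetBSD's code nor the linked patch: a toy prefix table in C with a hard limit on accepted prefixes and a counter a sysctl could export. The cap value, every identifier, and the handling of re-advertisements (refresh, never counted twice) and zero valid lifetime (withdrawal, which frees a slot) are assumptions made for this illustration; the test prefixes are constructed from the 2001:db8::/32 documentation range.

```c
/* Added example, not NetBSD code or the patch from the thread: a toy RA
 * prefix table with a hard cap and a counter that a sysctl could expose.
 * The cap value and every identifier below are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTADV_MAX_PREFIXES 16   /* hypothetical cap, chosen for the example */

struct nd_prefix {
    bool     in_use;
    uint8_t  addr[16];   /* prefix with host bits zero */
    uint8_t  plen;       /* prefix length in bits */
    uint32_t vltime;     /* valid lifetime in seconds; 0 withdraws the prefix */
};

static struct nd_prefix prefix_tab[RTADV_MAX_PREFIXES];
static unsigned nd_numprefixes;      /* current count: the value a sysctl would print */
static unsigned nd_prefixes_dropped; /* new prefixes refused because the cap was hit */

static struct nd_prefix *find_prefix(const uint8_t addr[16], uint8_t plen)
{
    for (unsigned i = 0; i < RTADV_MAX_PREFIXES; i++)
        if (prefix_tab[i].in_use && prefix_tab[i].plen == plen &&
            memcmp(prefix_tab[i].addr, addr, 16) == 0)
            return &prefix_tab[i];
    return NULL;
}

/* Apply one Prefix Information option from an RA. Returns true when the
 * option was applied (added, refreshed or withdrawn) and false when a new
 * prefix was refused because the table is full. */
bool rtadv_prefix_update(const uint8_t addr[16], uint8_t plen, uint32_t vltime)
{
    struct nd_prefix *pr = find_prefix(addr, plen);

    if (pr != NULL) {
        if (vltime == 0) {          /* router withdrew the prefix: free the slot */
            pr->in_use = false;
            nd_numprefixes--;
        } else {
            pr->vltime = vltime;    /* re-advertisement refreshes, never counts twice */
        }
        return true;
    }
    if (vltime == 0)                /* withdrawal of a prefix we never held */
        return true;
    if (nd_numprefixes >= RTADV_MAX_PREFIXES) {
        nd_prefixes_dropped++;      /* the limit the thread proposes */
        return false;
    }
    for (unsigned i = 0; i < RTADV_MAX_PREFIXES; i++) {
        if (!prefix_tab[i].in_use) {
            prefix_tab[i].in_use = true;
            memcpy(prefix_tab[i].addr, addr, 16);
            prefix_tab[i].plen = plen;
            prefix_tab[i].vltime = vltime;
            nd_numprefixes++;
            return true;
        }
    }
    return false;                   /* not reached: count and table agree */
}

unsigned rtadv_numprefixes(void) { return nd_numprefixes; }
unsigned rtadv_prefixes_dropped(void) { return nd_prefixes_dropped; }
void rtadv_reset(void)
{
    memset(prefix_tab, 0, sizeof prefix_tab);
    nd_numprefixes = nd_prefixes_dropped = 0;
}

/* Constructed test prefix 2001:db8:<n>::/48 from the documentation range. */
void make_prefix(uint8_t out[16], uint16_t n)
{
    memset(out, 0, 16);
    out[0] = 0x20; out[1] = 0x01; out[2] = 0x0d; out[3] = 0xb8;
    out[4] = (uint8_t)(n >> 8); out[5] = (uint8_t)n;
}

int main(void)
{
    uint8_t p[16];
    unsigned accepted = 0;

    rtadv_reset();
    for (uint16_t n = 0; n < 20; n++) {   /* 20 distinct prefixes against a cap of 16 */
        make_prefix(p, n);
        if (rtadv_prefix_update(p, 48, 3600))
            accepted++;
    }
    make_prefix(p, 3);  rtadv_prefix_update(p, 48, 7200); /* refresh: count unchanged */
    make_prefix(p, 5);  rtadv_prefix_update(p, 48, 0);    /* withdraw: frees one slot */
    make_prefix(p, 19); rtadv_prefix_update(p, 48, 3600); /* now fits */
    printf("accepted=%u numprefixes=%u dropped=%u\n",
           accepted, rtadv_numprefixes(), rtadv_prefixes_dropped());
    return 0;
}
```

The two counters are the point: the number of prefixes currently held is what a read-only sysctl would report, and the number refused is what an operator would watch to tell a legitimately large network from a flood. Counting distinct prefixes rather than advertisements keeps normal periodic RAs from ever exhausting the table.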
