IPv6 Neighbor Discovery Problems
(and mitigations)

Joel Jaeggli
For BaJUG
October 2012
Background
   • IPv4 subnets typically span rather small address ranges. In IPv6, however, the default subnet size is a /64. As a result, implementations of the Neighbor Discovery Protocol, which replaces the functionality of IPv4 ARP, are typically vulnerable to deliberate or accidental denial of service due to the large address span.
   • Myself plus colleagues from Yahoo, Google and elsewhere saw this as enough of a problem to put pen to paper.
Background continued
   • Result:
      –  RFC 6583 Operational Neighbor Discovery Problems
   • Work in progress:
      –  draft-ietf-6man-impatient-nud-02
      –  draft-gashinsky-6man-v6nd-enhance-01
Nature of the problem
   • Simplistic implementations of Neighbor Discovery may fail to perform as desired when they perform address resolution of large numbers of unassigned addresses.
   • Failures can be triggered either:
      –  intentionally, by an attacker launching a denial-of-service (DoS) attack
      –  unintentionally, due to the use of legitimate operational tools that scan networks for inventory and other purposes.
      –  e.g. a couple of instances of the equivalent of nmap -sn -6 2001:DB8::/64 (nmap doesn't support masks on v6 addresses) starting at different offsets is enough to blow up the NDP process on plenty of existing routers.
What causes this?
   • The router's process of testing (RFC 4861) for the (non)existence of neighbors can induce a denial-of-service condition, where:
      –  the number of necessary Neighbor Discovery requests overwhelms the implementation's capacity to process them,
      –  exhausts available memory,
      –  and/or replaces existing in-use mappings with incomplete entries that will never be completed.
Continued
   • When a packet arrives at (or is generated by) a router for a destination on an attached link, the router needs to determine the correct link-layer address to use in the destination field of the Layer 2 encapsulation.
   • The router checks the Neighbor Cache for an existing Neighbor Cache Entry for the neighbor.
   • If none exists, the router invokes the address resolution portions of the IPv6 Neighbor Discovery protocol to determine the link-layer address of the neighbor.
What can be done about this?
   • Implementation and protocol changes are possible, and several implementations have been tweaked to good effect...
   • Some techniques that are suitable for hardening networks providing public-facing internet services are not in fact feasible elsewhere.
      –  e.g. subnets where SLAAC, privacy addresses and so forth are required are not good candidates for these mitigations.
Operational Mitigations.
   • Filter unused space.
      –  Keep the /64 subnet, but assign addresses using stateful DHCPv6 (or statically). Apply an ACL limiting access to only the address range in use.
      –  A /120, or even something as large as a /112, is a dramatic reduction in surface area.
      –  This means you're not using SLAAC or privacy addresses.
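To make the failure modes on slides 5 and 6 and the filtering mitigation on slide 8 concrete, the following is an added example; it is not code from the slides, from RFC 6583 or from any router vendor. It models a router's neighbor cache as a fixed-size table and replays a sweep of unassigned addresses against it, once with naive least-recently-used eviction and once with an assumed "hardened" policy (never evict a complete, in-use entry to make room for an incomplete one, optionally capping the number of incomplete entries); it then shows the same sweep hitting an ACL that only permits the in-use /120. The prefixes, host count, cache capacity and sweep size are all constructed for the demonstration.

```python
import ipaddress
from collections import OrderedDict

# Constructed scenario (not from the slides): a /64 whose hosts are all numbered
# inside one /120, as slide 8 suggests for statically/DHCPv6-addressed tiers.
SUBNET = ipaddress.IPv6Network("2001:db8::/64")
IN_USE = ipaddress.IPv6Network("2001:db8::/120")
HOSTS = [SUBNET.network_address + i for i in range(1, 201)]        # 200 real neighbors
# A sweep of 1000 addresses inside the /64 but outside the in-use /120, i.e. what
# an inventory scan of the whole /64 produces once it leaves the assigned range.
SWEEP = [SUBNET.network_address + 0x10000 + i for i in range(1000)]


class NeighborCache:
    """Toy neighbor cache with a fixed number of entries (a model, not vendor code).

    policy="naive":    evict the least recently used entry regardless of its state.
    policy="hardened": (assumed policy) never evict a REACHABLE entry to make room
                       for an INCOMPLETE one; optionally cap INCOMPLETE entries.
    """

    def __init__(self, capacity, policy="naive", max_incomplete=None):
        self.capacity = capacity
        self.policy = policy
        self.max_incomplete = max_incomplete
        self.entries = OrderedDict()      # address -> "REACHABLE" | "INCOMPLETE"
        self.evicted_reachable = 0        # in-use mappings lost to the sweep
        self.dropped_solicitations = 0    # resolutions the router refused to start

    def incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")

    def learn(self, addr):
        """A Neighbor Advertisement arrived: the mapping is complete and in use."""
        self.entries[addr] = "REACHABLE"
        self.entries.move_to_end(addr)

    def resolve(self, dst):
        """Called when a packet for an on-link destination needs a link-layer address."""
        if dst in self.entries:
            self.entries.move_to_end(dst)
            return self.entries[dst]
        if self.max_incomplete is not None and self.incomplete_count() >= self.max_incomplete:
            self.dropped_solicitations += 1
            return None
        if len(self.entries) >= self.capacity:
            self._evict()
            if len(self.entries) >= self.capacity:   # nothing evictable under the policy
                self.dropped_solicitations += 1
                return None
        self.entries[dst] = "INCOMPLETE"   # solicitation sent; for an unassigned
        return "INCOMPLETE"                # address this entry never completes

    def _evict(self):
        if self.policy == "naive":
            _, state = self.entries.popitem(last=False)
            if state == "REACHABLE":
                self.evicted_reachable += 1
            return
        for addr, state in self.entries.items():   # hardened: oldest INCOMPLETE only
            if state == "INCOMPLETE":
                del self.entries[addr]
                return


def run_scenario(policy="naive", filtered=False, max_incomplete=None, capacity=256):
    """Replay the sweep against a cache that already holds the 200 real neighbors."""
    cache = NeighborCache(capacity, policy, max_incomplete)
    for h in HOSTS:
        cache.learn(h)
    acl_dropped = 0
    for dst in SWEEP:
        if filtered and dst not in IN_USE:   # slide 8: ACL permits only the in-use range
            acl_dropped += 1
            continue
        cache.resolve(dst)
    return {
        "reachable": sum(1 for s in cache.entries.values() if s == "REACHABLE"),
        "incomplete": cache.incomplete_count(),
        "evicted_reachable": cache.evicted_reachable,
        "dropped_solicitations": cache.dropped_solicitations,
        "acl_dropped": acl_dropped,
    }


if __name__ == "__main__":
    print("addresses a scan can target: /64 =", SUBNET.num_addresses, " /120 =", IN_USE.num_addresses)
    for label, kw in [("naive, no ACL", {}),
                      ("hardened eviction", {"policy": "hardened"}),
                      ("hardened + cap 32", {"policy": "hardened", "max_incomplete": 32}),
                      ("naive + ACL on /120", {"filtered": True})]:
        print(f"{label:22s}", run_scenario(**kw))
```

Running it prints, for each configuration, how many in-use mappings survived, how many were evicted and how many solicitations the router refused to start. With the naive policy a sweep of only 1000 addresses evicts every one of the 200 real neighbors, which is the "replaces existing in-use mappings" failure from slide 5; the hardened eviction keeps them but still burns cache slots and solicitations on addresses that will never answer; the ACL keeps the cache from being touched at all, and a /120 exposes 256 addresses to a scan instead of 2^64.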
Continued.
   • Use genuinely smaller subnets.
      –  RFC 6164 says we can use /127 for point-to-point links.
      –  If SLAAC is not required, because devices are statically or programmatically configured, prefixes longer than a /64 can be used.
      –  Example: a load-balancer tier using a /120 sized subnet.
Routing mitigation
   • Limit which subnets appear in the FIB of upstream routers, such that only the more specific routes injected by the hosts using EBGP appear in the routing table.
      –  Example: a load balancer tier which injects /128 prefixes into the upstream router(s)' routing table.
      –  This is analogous to the IPv4 approach of using private address space to number the subnet in front of a public service.
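As an added illustration of slide 10 (not the slides' own material and not any vendor's implementation), the following toy forwarding table compares two ways an upstream router can reach a load-balancer tier. In the classic case the tier's /64 is a connected route, so every packet into that /64 makes the router resolve the destination itself. In the slide's arrangement the /64 is not configured on the interface at all: the link is numbered from a /127 (RFC 6164, slide 9) and each service address is a /128 host route learned over EBGP with the load balancer's link address as next hop, so traffic to unassigned addresses has no route and never triggers a solicitation. The prefixes, the single /127 link and the three service addresses are constructed assumptions.

```python
import ipaddress


def _addr(x):
    return x if isinstance(x, ipaddress.IPv6Address) else ipaddress.IPv6Address(x)


class Fib:
    """Toy longest-prefix-match forwarding table (a model, not a router's FIB)."""

    def __init__(self):
        self.routes = []   # (network, kind, via)

    def add(self, prefix, kind, via=None):
        # kind "connected": the destination itself must be resolved with ND on the link
        # kind "host":      recursive route, e.g. a /128 learned over EBGP; the next
        #                   hop `via` is what gets resolved, never the destination
        self.routes.append((ipaddress.IPv6Network(prefix), kind, _addr(via) if via else None))

    def lookup(self, dst):
        dst = _addr(dst)
        best = None
        for net, kind, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, kind, via)
        return best


def nd_target(fib, dst):
    """Return the on-link address the router would have to neighbor-resolve to
    forward `dst`, or None when the packet is dropped without any ND activity."""
    route = fib.lookup(dst)
    if route is None:
        return None                      # no route at all: dropped before ND
    net, kind, via = route
    if kind == "connected":
        return _addr(dst)                # classic case: resolve the destination
    nh_route = fib.lookup(via)           # one level of recursion onto the link
    if nh_route is None or nh_route[1] != "connected":
        return None
    return via


def distinct_nd_targets(fib, destinations):
    """How many different neighbor solicitations a set of packets would cause."""
    return len({t for t in (nd_target(fib, d) for d in destinations) if t is not None})


# Constructed topology (documentation prefixes): a load-balancer tier in 2001:db8:0:1::/64.
LB_PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")
SERVICE_ADDRS = ["2001:db8:0:1::10", "2001:db8:0:1::11", "2001:db8:0:1::12"]
# A sweep of 1000 unassigned addresses inside the tier's /64.
SWEEP = [LB_PREFIX.network_address + 0x10000 + i for i in range(1000)]

# Classic: the /64 is configured on the upstream router's interface.
CLASSIC = Fib()
CLASSIC.add("2001:db8:0:1::/64", "connected")

# Slide 10: the /64 is NOT on the interface. The link is numbered from a /127
# (RFC 6164) and the load balancer injects each service address as a /128 over
# EBGP with its own link address (assumed 2001:db8:ffff::1) as next hop.
HARDENED = Fib()
HARDENED.add("2001:db8:ffff::/127", "connected")
for a in SERVICE_ADDRS:
    HARDENED.add(a + "/128", "host", via="2001:db8:ffff::1")

if __name__ == "__main__":
    print("classic  FIB, sweep -> distinct solicitations:", distinct_nd_targets(CLASSIC, SWEEP))
    print("hardened FIB, sweep -> distinct solicitations:", distinct_nd_targets(HARDENED, SWEEP))
    print("hardened FIB, service traffic resolves only:", nd_target(HARDENED, SERVICE_ADDRS[0]))
```

The sweep causes 1000 distinct solicitations against the classic table and none against the hardened one, while all service traffic collapses onto a single, already-known next hop; the neighbor the router has to track is the BGP peer it is already talking to, which is exactly why this resembles numbering the front-end subnet from private space in IPv4.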
Router knobs.
   • The most dire condition when dealing with NDP-related resource starvation is losing track of existing peers.
   • If you have the knob available (and Junos does), you can allow the interval during which you'll continue to consider a node reachable once NUD kicks off to be longer than the default (which is 0).
   • This will help keep you from losing track of existing neighbors in degenerate circumstances.
   • http://www.juniper.net/techpubs/en_US/junos12.2/information-products/pathway-pages/config-guide-routing/config-guide-routing-neighbor-discovery.pdf
Limitations.
   • None of these mitigations is a general-purpose solution. /64 subnets are still required in many circumstances.
   • Hardening public-facing infrastructure was really our principal consideration for undertaking this work.
   • Longer term, implementors have a pretty good idea how to address the business-as-usual internal cases.
