IPv6 Neighbor Discovery Problems (and mitigations)

Joel Jaeggli
For BaJUG
October 2012
Background
• IPv4 subnets typically span rather small address ranges. In IPv6, however, the default subnet size is a /64. As a result, implementations of the Neighbor Discovery Protocol, which replaces the functionality of IPv4 ARP, are typically vulnerable to deliberate or accidental denial of service due to the large address span.
• Myself plus colleagues from Yahoo, Google and elsewhere saw this as enough of a problem to put pen to paper.
Background continued
• Result:
  – RFC 6583, Operational Neighbor Discovery Problems
• Work in progress:
  – draft-ietf-6man-impatient-nud-02
  – draft-gashinsky-6man-v6nd-enhance-01
Nature of the problem
• Simplistic implementations of Neighbor Discovery may fail to perform as desired when they perform address resolution for large numbers of unassigned addresses.
• Failures can be triggered either:
  – intentionally, by an attacker launching a denial-of-service (DoS) attack, or
  – unintentionally, through the use of legitimate operational tools that scan networks for inventory and other purposes.
  – e.g. a couple of instances of the equivalent of nmap -sn -6 2001:DB8::/64 (nmap doesn't support masks on v6 addresses), starting at different offsets, is enough to blow up the NDP process on plenty of existing routers.
What causes this?
• The router's process of testing (RFC 4861) for the (non)existence of neighbors can induce a denial-of-service condition, where:
  – the number of Neighbor Discovery requests needed overwhelms the implementation's capacity to process them,
  – the resulting cache entries exhaust available memory,
  – and/or existing in-use mappings are replaced with incomplete entries that will never be completed.
Continued
• When a packet arrives at (or is generated by) a router for a destination on an attached link, the router needs to determine the correct link-layer address to use in the destination field of the Layer 2 encapsulation.
• The router checks the Neighbor Cache for an existing Neighbor Cache Entry for the neighbor.
• If none exists, the router invokes the address resolution portions of the IPv6 Neighbor Discovery protocol to determine the link-layer address of the neighbor.
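The cache dynamics just described are easier to see in a small model. The following is an added example for this page, not the author's code and not any router's implementation: it keeps only the INCOMPLETE and REACHABLE states of RFC 4861, omits the retransmit and reachability timers, and uses a constructed /64, eight constructed neighbors and a constructed sweep of unassigned space. The "hardened" cache applies two rules in the spirit of RFC 6583's advice to prioritize work for existing neighbors over new address resolution (a separate budget for unresolved entries, and never evicting an in-use entry to make room for one); the capacity, budget and sweep size are arbitrary values chosen for the model.

```python
"""Neighbor Cache under an address-resolution flood (constructed model)."""
from collections import OrderedDict
import ipaddress

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"   # the only two RFC 4861 states modelled


class NaiveNeighborCache:
    """Fixed-size cache. Every miss creates an INCOMPLETE entry and sends one
    Neighbor Solicitation; when full, the oldest entry is evicted whatever its
    state. No timers are modelled (an assumption of this model)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> state, in insertion order
        self.solicits = 0              # Neighbor Solicitations sent
        self.dropped = 0               # packets refused without resolution

    def lookup_or_resolve(self, addr):
        if addr in self.entries:
            return self.entries[addr]
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # may evict an in-use REACHABLE entry
        self.entries[addr] = INCOMPLETE
        self.solicits += 1
        return INCOMPLETE

    def learn(self, addr):
        """Neighbor Advertisement received. RFC 4861 7.2.5: an advertisement for
        an address with no cache entry is silently discarded, so an entry that
        was evicted while INCOMPLETE can never be completed by the late reply."""
        if addr in self.entries:
            self.entries[addr] = REACHABLE


class HardenedNeighborCache(NaiveNeighborCache):
    """Same cache with two assumed rules: a separate small budget for INCOMPLETE
    entries, and REACHABLE entries are never evicted to make room for an
    unresolved one. Not copied from any router."""

    def __init__(self, capacity, incomplete_budget):
        super().__init__(capacity)
        self.incomplete_budget = incomplete_budget

    def lookup_or_resolve(self, addr):
        if addr in self.entries:
            return self.entries[addr]
        incomplete = [a for a, s in self.entries.items() if s == INCOMPLETE]
        if len(incomplete) >= self.incomplete_budget:
            self.dropped += 1      # budget spent: refuse, keep in-use mappings intact
            return None
        if len(self.entries) >= self.capacity:
            if not incomplete:
                self.dropped += 1  # cache is entirely in use: still never evict
                return None
            self.entries.pop(incomplete[0])   # reclaim the oldest unresolved entry
        self.entries[addr] = INCOMPLETE
        self.solicits += 1
        return INCOMPLETE


def addresses(prefix, count, offset):
    """Consecutive addresses of a subnet starting at an offset: the constructed
    equivalent of the nmap -sn -6 sweep mentioned above."""
    net = ipaddress.IPv6Network(prefix)
    return [net[offset + i] for i in range(count)]


def simulate(cache, neighbors, scan):
    for n in neighbors:               # real hosts resolve normally first
        cache.lookup_or_resolve(n)
        cache.learn(n)
    for target in scan:               # then the sweep of unassigned space
        cache.lookup_or_resolve(target)
    return {
        "survivors": sum(1 for n in neighbors if cache.entries.get(n) == REACHABLE),
        "solicits": cache.solicits,
        "dropped": cache.dropped,
    }


def demo(capacity=64, incomplete_budget=16, scan_size=5000):
    """Eight constructed neighbors at 2001:db8::1..8, then a 5000-address sweep
    starting 4096 addresses into the same /64 (all of it unassigned)."""
    neighbors = addresses("2001:db8::/64", 8, offset=1)
    scan = addresses("2001:db8::/64", scan_size, offset=4096)
    return {
        "naive": simulate(NaiveNeighborCache(capacity), neighbors, scan),
        "hardened": simulate(HardenedNeighborCache(capacity, incomplete_budget), neighbors, scan),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

In the naive cache the sweep sends one solicitation per target and pushes every real neighbor out of the cache, so the router loses track of hosts it was happily forwarding to a moment earlier. The hardened cache sends solicitations only until its unresolved-entry budget is spent, then refuses further resolutions while the eight real neighbors stay REACHABLE.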
What can be done about this?
• Implementation and protocol changes are possible, and several implementations have been tweaked to good effect...
• Some techniques are suitable for hardening networks that provide public-facing internet services but are not in fact feasible elsewhere.
  – e.g. subnets where SLAAC, privacy addresses and so forth are required are not good candidates for these mitigations.
Operational mitigations
• Filter unused space.
  – Keep a /64 subnet, but assign addresses using stateful DHCPv6 (or statically). Apply an ACL limiting access to only the address range in use.
  – A /120, or even something as large as a /112, is a dramatic reduction in surface area.
  – This means you're not using SLAAC or privacy addresses.
Continued
• Use genuinely smaller subnets.
  – RFC 6164 says we can use /127 for point-to-point links.
  – If SLAAC is not required, because devices are statically or programmatically configured, prefixes longer than a /64 can be used.
  – Example: a load-balancer tier using a /120-sized subnet.
Routing mitigation
• Limit which subnets appear in the FIB of upstream routers, such that only the more specific routes injected by the hosts using EBGP appear in the routing table.
  – Example: a load-balancer tier which injects /128 prefixes into the upstream router(s)' routing table.
  – This is analogous to the IPv4 approach of using private address space to number the subnet in front of a public service.
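To compare how the filter, smaller-subnet and routing mitigations above each shrink the resolution surface, here is one added example that serves all three; it is not the author's code and not a vendor configuration. It models a router's per-packet decision as a longest-prefix FIB lookup plus an optional destination filter, on a constructed /64 with a constructed /120 in use and eight constructed hosts. It assumes a destination matching no route is simply dropped (no covering route exists), and it ignores the neighbor cache, since a sweep of unassigned addresses misses the cache anyway.

```python
"""Address-resolution exposure of a sweep under three operational mitigations."""
from collections import Counter
import ipaddress

SUBNET = ipaddress.IPv6Network("2001:db8:0:1::/64")   # the link's /64 (constructed)
IN_USE = ipaddress.IPv6Network("2001:db8:0:1::/120")  # range actually assigned by DHCPv6/static
HOSTS = [IN_USE[i] for i in range(1, 9)]              # eight load balancers (constructed)


class Router:
    """Minimal model of a router's forwarding decision for a destination.
    routes: (network, kind) pairs, kind 'connected' (address resolution needed)
    or 'host' (a /128 injected by the host itself, next hop already known).
    acl: destination networks permitted inbound, or None for no filter.
    A destination matching no route is dropped; the model assumes no covering
    route exists, which is an assumption, not something the slides state."""

    def __init__(self, routes, acl=None):
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.acl = acl

    def forward(self, dst):
        if self.acl is not None and not any(dst in net for net in self.acl):
            return "drop"                      # filtered before any lookup
        for net, kind in self.routes:          # longest prefix first
            if dst in net:
                return "fwd" if kind == "host" else "nd"
        return "drop"

    def exposure(self, targets):
        """Counts of 'nd' (resolution triggered), 'fwd' and 'drop' for a sweep."""
        return Counter(self.forward(t) for t in targets)


def sweeps():
    """Two constructed sweeps: 4096 addresses deep inside the unassigned part of
    the /64, and the whole in-use /120 (256 addresses)."""
    wide = [SUBNET[65536 + i] for i in range(4096)]
    narrow = list(IN_USE)
    return wide, narrow


SCENARIOS = {
    "plain64":    Router([(SUBNET, "connected")]),                 # no mitigation
    "acl120":     Router([(SUBNET, "connected")], acl=[IN_USE]),   # filter unused space
    "subnet120":  Router([(IN_USE, "connected")]),                 # genuinely smaller subnet
    "hostroutes": Router([(ipaddress.IPv6Network(f"{h}/128"), "host") for h in HOSTS]),  # /128s via EBGP
}


def compare():
    wide, narrow = sweeps()
    return {name: {"wide": r.exposure(wide), "narrow": r.exposure(narrow)}
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:11s} wide={dict(result['wide'])} narrow={dict(result['narrow'])}")
```

The unfiltered /64 lets every one of the 4096 sweep packets reach address resolution. The ACL and the /120 subnet both bound the exposure to the 256 addresses of the in-use range, which is the "dramatic reduction in surface area" above. Host routes go one step further: packets for the eight real hosts are forwarded on already-known next hops and everything else is dropped in the FIB, so the sweep triggers no resolution at all.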
Router knobs
• The most dire condition when dealing with NDP-related resource starvation is losing track of existing peers.
• If you have the knob available (and Junos does), you can make the interval during which you'll continue to consider a node reachable once NUD kicks off longer than the default (which is 0).
• This will help, in degenerate circumstances, to avoid losing track of existing neighbors.
• http://www.juniper.net/techpubs/en_US/junos12.2/information-products/pathway-pages/config-guide-routing/config-guide-routing-neighbor-discovery.pdf
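What that knob buys you, as an added model for this page (not Junos behaviour and not the author's code). The semantics are assumed from the slide's wording: once Neighbor Unreachability Detection starts for an entry, the router keeps using the cached link-layer address for `grace` more seconds before giving up on the neighbor. The NDP process is assumed starved for the whole run, so probes are never confirmed; the 30-second ReachableTime, the one-packet-per-second stream and the 60-second storm are constructed values, and the DELAY and PROBE states of RFC 4861 are collapsed into that single grace interval.

```python
"""Keeping an existing neighbor during NDP starvation (constructed model)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    lladdr: str                     # cached link-layer address of the neighbor
    stale_at: float                 # when ReachableTime expires: REACHABLE -> STALE
    nud_started: Optional[float] = None
    usable_until: float = float("inf")
    alive: bool = True


class StarvedRouter:
    """A router whose NDP process is overwhelmed: NUD probes for an existing
    neighbor never get a usable reply. `grace` is the knob: how many seconds the
    entry keeps being treated as reachable after NUD kicks off (0 = the default
    the slide describes)."""

    def __init__(self, grace: float):
        self.grace = grace
        self.forwarded = 0
        self.lost = 0

    def send(self, entry: Entry, now: float) -> bool:
        """One packet for the neighbor at time `now`. True if it leaves on the
        cached link-layer address, False if the entry is gone and the packet
        waits on an address resolution that will not complete."""
        if not entry.alive:
            self.lost += 1
            return False
        if entry.nud_started is None and now >= entry.stale_at:
            entry.nud_started = now              # STALE entry plus traffic: NUD starts
            entry.usable_until = now + self.grace
        if entry.nud_started is not None and now >= entry.usable_until:
            entry.alive = False                  # probes never confirmed it; router gives up
            self.lost += 1
            return False
        self.forwarded += 1                      # still using the cached link-layer address
        return True


def run(grace: float, storm_seconds: int = 60, reachable_time: float = 30.0) -> dict:
    """Constructed timeline: one packet per second for storm_seconds, the entry
    going STALE at reachable_time, the NDP process starved throughout."""
    entry = Entry(lladdr="00:11:22:33:44:55", stale_at=reachable_time)  # constructed neighbor
    router = StarvedRouter(grace)
    for t in range(storm_seconds):
        router.send(entry, float(t))
    return {"forwarded": router.forwarded, "lost": router.lost, "neighbor_kept": entry.alive}


if __name__ == "__main__":
    for g in (0, 10, 60):
        print(f"grace={g:2d}s -> {run(g)}")
```

With a grace of 0 the entry is discarded the moment it goes STALE and traffic arrives, and every later packet to that neighbor is lost until the storm ends; with a grace that outlasts the storm, the router keeps forwarding on the cached link-layer address and still knows the neighbor when things calm down. The cost is that a neighbor which really has gone away is retained for that long too, which is why this is a knob rather than a default.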
Limitations
• None of these mitigations is a general-purpose solution. /64 subnets are still required in many circumstances.
• Hardening public-facing infrastructure was really our principal consideration for undertaking this work.
• Longer term, implementors have a pretty good idea how to address the business-as-usual internal cases.
