Jeff Doyle



The Fear And Loathing Of /64s On Point-To-Point Links

In the other corner is RFC 6164, “Using 127-Bit IPv6 Prefixes on Inter-Router Links.” This document starts off saying pretty much what I said above about the concerns of RFC 3627: That Subnet-Router Anycast addresses shouldn’t be a problem on point-to-point links. Then it gets to a more valid concern: Ping-pong attacks.

A ping-pong attack exploits implementations that follow the now-obsolete RFC 2463 specification of ICMPv6. That RFC says that if an IPv6 interface receives a packet whose destination belongs to the subnet to which the interface is attached, but is not an address of that interface, the packet is forwarded back onto the subnet. So an attacker can flood packets to unused addresses on a link, and the packets will bounce back and forth (ping-pong) between the two routers, using up bandwidth and router resources.

One way to guard against such an attack, and the position of RFC 6164, is to ensure that there are no unused addresses on the point-to-point link: use a /127, so there are only two addresses. But there is a better way to guard against the ping-pong vulnerability, and that is to use routers that support the modern version of ICMPv6. RFC 4443 corrects the error in the earlier specification, requiring an interface to drop a packet addressed to an address on the subnet rather than forward the packet back onto the subnet.
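The two mitigations can be compared with a small model, added here as an illustration and not taken from the article or either RFC. It follows one packet on a two-router point-to-point link and counts how many times it crosses the link under the RFC 2463 behaviour described above, under RFC 4443, and with a /127. The function names, the 2001:db8::/32 documentation addresses and the starting hop limit of 64 are assumptions.

```python
import ipaddress

def simulate(prefix, addr_a, addr_b, dst, hop_limit=64, rfc4443=False):
    """Follow one packet that reaches router A from off-link, addressed to
    `dst` inside the point-to-point `prefix` shared by routers A and B.
    Returns (times the packet crossed the link, final outcome)."""
    net = ipaddress.ip_network(prefix)
    routers = [ipaddress.ip_address(addr_a), ipaddress.ip_address(addr_b)]
    dst = ipaddress.ip_address(dst)
    if dst not in net:
        raise ValueError("dst must be inside the link prefix")
    holder, crossings, came_from_link = 0, 0, False  # holder 0 = A, 1 = B
    while True:
        if dst == routers[holder]:
            return crossings, "delivered"
        if came_from_link and rfc4443:
            # Behaviour the article attributes to RFC 4443: drop the packet
            # instead of sending it back onto the link it arrived on.
            return crossings, "dropped"
        hop_limit -= 1                      # each forwarding router decrements
        if hop_limit <= 0:
            return crossings, "hop-limit-exceeded"
        holder ^= 1                         # packet crosses to the other router
        crossings += 1
        came_from_link = True

def unused_addresses(prefix, used):
    """Addresses in the prefix that no router owns: the targets available
    for ping-pong and for Incomplete neighbor-cache entries."""
    net = ipaddress.ip_network(prefix)
    return net.num_addresses - len({ipaddress.ip_address(a) for a in used})

if __name__ == "__main__":
    # Constructed sample links using documentation address space.
    a64, b64 = "2001:db8:0:1::1", "2001:db8:0:1::2"
    a127, b127 = "2001:db8:0:2::", "2001:db8:0:2::1"
    unused = "2001:db8:0:1::dead"
    print("/64, RFC 2463 :", simulate("2001:db8:0:1::/64", a64, b64, unused))
    print("/64, RFC 4443 :", simulate("2001:db8:0:1::/64", a64, b64, unused,
                                      rfc4443=True))
    print("/127, RFC 2463:", simulate("2001:db8:0:2::/127", a127, b127, b127))
    print("unused in /64 :", unused_addresses("2001:db8:0:1::/64", [a64, b64]))
    print("unused in /127:", unused_addresses("2001:db8:0:2::/127", [a127, b127]))
```

In this model a single packet to an unused /64 address crosses the link 63 times on legacy routers and once on RFC 4443 routers, while a /127 leaves no unused address to aim at.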

RFC 4443 has been around since March of 2006. There is no reason for a vendor to continue to support a version of ICMPv6 that has been obsolete for five years. And it is, in my opinion, absurd for a vendor to advocate using a /127 subnet on point-to-point links, in violation of all other IPv6 recommendations, simply to avoid updating their ICMPv6 code. Rather than bend your IPv6 address design to accommodate a vendor inadequacy, pressure your vendor to modernize.

There is another potential vulnerability cited in RFC 6164: If a point-to-point link supports Neighbor Discovery Protocol (NDP), a packet to an unused IPv6 address on the subnet will cause an Incomplete entry in the routers’ neighbor cache and cause a Neighbor Solicitation message to be sent on the link. A flood of packets to many unused addresses might fill up a neighbor cache and congest the link with NS messages, constituting a DoS action. RFC 6164 recommends preventing such an attack by, again, using /127 prefixes.

