Network Computing is part of the Informa Tech Division of Informa PLC


The Fear And Loathing Of /64s On Point-To-Point Links: Page 3 of 5

  • In the other corner is RFC 6164, “Using 127-Bit IPv6 Prefixes on Inter-Router Links.” This document starts off saying pretty much what I said above about the concerns of RFC 3627: That Subnet-Router Anycast addresses shouldn’t be a problem on point-to-point links. Then it gets to a more valid concern: Ping-pong attacks.

    A ping-pong attack exploits implementations which follow the now obsolete RFC 2463 specification of ICMPv6. That RFC says that if an IPv6 interface receives a packet addressed to the subnet to which the interface is attached, but not to an address of that interface, it forwards the packet back onto the subnet. So an attacker can flood a bunch of packets to unused addresses on a link and the packets will bounce back and forth (ping-pong) between the two routers, using up bandwidth and router resources.

    One way to guard against such an attack, and the position of RFC 6164, is to ensure that there are no unused addresses on the point-to-point link – use a /127, so there are only two addresses. But there is a better way to guard against the ping-pong vulnerability, and that is to use routers that support the modern version of ICMPv6. RFC 4443 corrects the error in the earlier specification, requiring an interface to drop a packet addressed to an unowned address on the subnet rather than forward the packet back onto the subnet.

    RFC 4443 has been around since March of 2006. There is no reason for a vendor to continue to support a version of ICMPv6 that has been obsolete for five years. And it is, in my opinion, absurd for a vendor to advocate using a /127 subnet on point-to-point links, in violation of all other IPv6 recommendations, simply to avoid updating their ICMPv6 code. Rather than bend your IPv6 address design to accommodate a vendor inadequacy, pressure your vendor to modernize.

    There is another potential vulnerability cited in RFC 6164: If a point-to-point link supports Neighbor Discovery Protocol (NDP), a packet to an unused IPv6 address on the subnet will cause an Incomplete entry in the routers’ neighbor cache and cause a Neighbor Solicitation message to be sent on the link. A flood of packets to many unused addresses might fill up a neighbor cache, and congest the link with NS messages, constituting a DoS. RFC 6164 recommends preventing such an attack by, again, using /127 prefixes.
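    To make the two RFC 6164 concerns above (ping-pong forwarding and neighbor-cache filling) concrete, here is a small Python model of a two-router point-to-point link. It is an added example, not code from the article or from RFC 6164, and it is deliberately simplified: it assumes the 2001:db8:: documentation prefix, a hop limit of 64 on the entering packet, one Neighbor Solicitation per new cache entry (retransmissions ignored), and a constructed flood of 1000 destinations. It shows why a /64 with RFC 2463-era forwarding turns every flooded packet into dozens of link transmissions, why RFC 4443 behaviour stops that at the first router, and why a /127 removes the unused on-link addresses that both floods depend on.

```python
"""Model of RFC 6164's two concerns on a two-router point-to-point link.

Added example; a simplified model, not real router or RFC code.
"""
import ipaddress
from dataclasses import dataclass, field

HOP_LIMIT = 64  # assumed hop limit of a packet entering the link


@dataclass
class Router:
    name: str
    addr: ipaddress.IPv6Address
    link: ipaddress.IPv6Network
    rfc4443: bool = True  # True: drop on-link packets to addresses nobody owns
    neighbor_cache: dict = field(default_factory=dict)  # dst -> NDP state


def unused_addresses(link: ipaddress.IPv6Network) -> int:
    """Addresses on the link that belong to neither router."""
    return link.num_addresses - 2


def ping_pong(routers, dst: ipaddress.IPv6Address, hop_limit: int = HOP_LIMIT) -> int:
    """Link transmissions caused by one packet to dst that enters at routers[0]."""
    rx, tx = routers[0], routers[1]
    sent = 0
    while hop_limit > 0:
        if dst == rx.addr:
            return sent  # delivered to the router that owns the address
        if dst not in rx.link:
            return sent  # off-link: routed elsewhere, never bounced here
        if rx.rfc4443:
            return sent  # RFC 4443: on-link but unowned, so the packet is dropped
        # RFC 2463-era behaviour: put the packet back on the link toward the peer
        sent += 1
        hop_limit -= 1
        rx, tx = tx, rx
    return sent  # hop limit exhausted


def nd_flood(router: Router, dsts) -> int:
    """INCOMPLETE neighbor-cache entries (one NS each) created by packets to dsts."""
    ns_sent = 0
    for d in dsts:
        if d in router.link and d != router.addr and d not in router.neighbor_cache:
            router.neighbor_cache[d] = "INCOMPLETE"
            ns_sent += 1
    return ns_sent


def run_scenario(prefixlen: int, rfc4443: bool) -> dict:
    """Build a two-router link on a constructed 2001:db8:: prefix and apply both floods."""
    link = ipaddress.IPv6Network(f"2001:db8::/{prefixlen}")
    base = int(link.network_address)
    # On a /64 skip ::0 (the Subnet-Router anycast address); a /127 has only ::0 and ::1.
    a_addr, b_addr = (link[1], link[2]) if prefixlen < 127 else (link[0], link[1])
    a = Router("A", a_addr, link, rfc4443)
    b = Router("B", b_addr, link, rfc4443)
    # Constructed flood: 1000 destinations just above the router addresses.
    flood = [ipaddress.IPv6Address(base + i) for i in range(3, 1003)]
    return {
        "unused": unused_addresses(link),
        "bounces": ping_pong((a, b), flood[0]),
        "incomplete_entries": nd_flood(a, flood),
    }


if __name__ == "__main__":
    for plen in (64, 127):
        for modern in (False, True):
            print(f"/{plen} rfc4443={modern}: {run_scenario(plen, modern)}")
```

    Running it shows the trade-off the article describes: on the /64 the old forwarding rule yields 64 transmissions per flooded packet and 1000 Incomplete cache entries, RFC 4443 cuts the bounces to zero but leaves the cache entries, and the /127 yields zero of both because no on-link address is unowned.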