database logo graphic

RFC 6583

"Operational Neighbor Discovery Problems", March 2012

Canonical URL:
http://www.rfc-editor.org/rfc/rfc6583.txt
This document is also available in this non-normative format: PDF.
Status:
INFORMATIONAL
Authors:
I. Gashinsky
J. Jaeggli
W. Kumari
Stream:
IETF
Source:
v6ops (ops)

Cite this RFC: TXT  |  XML

Other actions: Find Errata (if any)  |  Submit Errata  |  Find IPR Disclosures from the IETF


Abstract

In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service (DoS), whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial-of-service attacks can be launched intentionally (by an attacker) or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted. This document describes the potential for DoS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can, in some cases, be used to protect against or at least alleviate the impact of such attacks. [STANDARDS-TRACK]


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.


Go to the RFC Editor Homepage.