IPv6 Neighbor Discovery Problems (and mitigations)

Joel Jaeggli
For BaJUG
October 2012

Background
   IPv4 subnets typically span rather small address ranges. In IPv6, however, the default subnet size is a /64. As a result, implementations of the Neighbor Discovery Protocol, which replaces the functionality of IPv4 ARP, are typically vulnerable to deliberate or accidental denial of service due to the large address span.
   Myself plus colleagues from Yahoo, Google and elsewhere saw this as enough of a problem to put pen to paper.

Background continued
   Result:
      –   RFC 6583 Operational Neighbor Discovery Problems
   Work in progress
      –   draft-ietf-6man-impatient-nud-02
      –   draft-gashinsky-6man-v6nd-enhance-01

Nature of the problem
   Simplistic implementations of Neighbor Discovery may fail to perform as desired when they perform address resolution of large numbers of unassigned addresses.
   Failures can be triggered either:
      –   intentionally, by an attacker launching a denial-of-service (DoS) attack
      –   unintentionally, due to the use of legitimate operational tools that scan networks for inventory and other purposes.
      –   e.g. a couple of instances of the equivalent of nmap -sn -6 2001:DB8::/64 (nmap doesn't support masks on v6 addresses) starting at different offsets is enough to blow up the NDP process on plenty of existing routers.

What causes this?
   The router's process of testing (RFC 4861) for the (non)existence of neighbors can induce a denial-of-service condition, where:
      –   The number of necessary Neighbor Discovery requests overwhelms the implementation's capacity to process them.
      –   Exhausts available memory.
      –   And/or replaces existing in-use mappings with incomplete entries that will never be completed.

Continued
   When a packet arrives at (or is generated by) a router for a destination on an attached link, the router needs to determine the correct link-layer address to use in the destination field of the Layer 2 encapsulation.
   The router checks the Neighbor Cache for an existing Neighbor Cache Entry for the neighbor.
   If none exists, the router invokes the address resolution portions of the IPv6 Neighbor Discovery protocol to determine the link-layer address of the neighbor.

What can be done about this?
   Implementation and protocol changes are possible, and several implementations have been tweaked to good effect...
   Some techniques are suitable for hardening networks that provide public-facing internet services but are not in fact feasible elsewhere.
      –   e.g. subnets where SLAAC, privacy addresses and so forth are required are not good candidates for these mitigations.

Operational Mitigations.
   Filter unused space.
      –   Have a /64 subnet, but assign addresses using stateful DHCPv6 (or statically). Apply an ACL limiting access to only the address range in use.
      –   A /120, or even something as large as a /112, is a dramatic reduction in surface area.
      –   This means you're not using SLAAC or privacy addresses.

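The cache-starvation failure described under "What causes this?" and the filter-unused-space mitigation on this slide, as an added Python model that is not part of the original slides: a toy router with a bounded neighbor cache receives packets for unassigned addresses in its /64, first with no filter (in-use REACHABLE entries get replaced by INCOMPLETE ones that never complete) and then with an ACL restricted to the assigned /120. The prefixes, the cache size, the oldest-first eviction and the optional protect_in_use policy (an implementation-side tweak, preferring to evict INCOMPLETE entries) are assumptions of this model, not values or behaviour from the slides.

```python
import ipaddress
from collections import OrderedDict

# Constructed example values: a public-facing /64 in documentation space in
# which only the first /120 is actually assigned (static or stateful DHCPv6).
SUBNET = ipaddress.IPv6Network("2001:db8:0:1::/64")
IN_USE = ipaddress.IPv6Network("2001:db8:0:1::/120")
CACHE_LIMIT = 8  # toy neighbor-cache size; real routers hold far more entries

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class Router:
    """Toy model of a router's RFC 4861 address-resolution path.

    The neighbor cache is a bounded table keyed by IPv6 address. A packet for
    an uncached on-link destination creates an INCOMPLETE entry and sends a
    Neighbor Solicitation; for an unassigned address that entry never completes.
    """

    def __init__(self, in_use_range=None, protect_in_use=False, limit=CACHE_LIMIT):
        self.cache = OrderedDict()            # addr -> state, oldest entry first
        self.in_use_range = in_use_range      # ACL on the assigned range; None = no filter
        self.protect_in_use = protect_in_use  # assumed tweak: evict INCOMPLETE first
        self.limit = limit
        self.solicitations = 0
        self.dropped = 0

    def learn(self, addr):
        """A real neighbor answered (or was pre-seeded): record it as REACHABLE."""
        self.cache[ipaddress.IPv6Address(addr)] = REACHABLE

    def _evict(self):
        # Simplistic behaviour: the oldest entry goes, even if it is an in-use
        # REACHABLE mapping. With protect_in_use, an INCOMPLETE entry goes first.
        victim = None
        if self.protect_in_use:
            victim = next((a for a, s in self.cache.items() if s == INCOMPLETE), None)
        if victim is None:
            victim = next(iter(self.cache))
        del self.cache[victim]

    def forward(self, dst):
        """Handle a packet for an on-link destination; return the cache state used."""
        dst = ipaddress.IPv6Address(dst)
        # Operational mitigation: an ACL drops traffic for addresses outside the
        # range actually in use before it can trigger address resolution.
        if self.in_use_range is not None and dst not in self.in_use_range:
            self.dropped += 1
            return None
        state = self.cache.get(dst)
        if state is not None:
            return state
        # Cache miss: resolution is invoked and an INCOMPLETE entry created.
        if len(self.cache) >= self.limit:
            self._evict()
        self.cache[dst] = INCOMPLETE
        self.solicitations += 1
        return INCOMPLETE

    def reachable_neighbors(self):
        return sorted(str(a) for a, s in self.cache.items() if s == REACHABLE)


def simulate(filtered, protect_in_use=False, n_unassigned=20):
    """Seed three real neighbors, then send packets to unassigned addresses.

    Returns (reachable neighbors left in the cache, solicitations sent, drops).
    """
    r = Router(IN_USE if filtered else None, protect_in_use)
    for i in (1, 2, 3):                 # constructed in-use hosts ::1, ::2, ::3
        r.learn(SUBNET[i])
    for i in range(n_unassigned):       # addresses far outside the in-use /120
        r.forward(SUBNET[2**63 + i])
    return r.reachable_neighbors(), r.solicitations, r.dropped


if __name__ == "__main__":
    for filtered, protect in ((False, False), (False, True), (True, False)):
        left, ns, dropped = simulate(filtered, protect)
        print(f"filter={filtered} protect_in_use={protect}: "
              f"reachable left={len(left)} solicitations={ns} dropped={dropped}")
```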
Continued.
   Use genuinely smaller subnets.
      –   RFC 6164 says we can use /127 for point-to-point links.
      –   If SLAAC is not required, because devices are statically or programmatically configured, prefixes longer than a /64 can be used.
      –   Example: a load-balancer tier using a /120-sized subnet.

Routing mitigation
   Limit which subnets appear in the FIB of upstream routers such that only the more specific routes injected by the hosts using EBGP appear in the routing table.
      –   Example: a load-balancer tier which injects /128 prefixes into the upstream router(s) routing table.
      –   This is analogous to the IPv4 approach of using private address space to number the subnet in front of a public service.

Router knobs.
   The most dire condition when dealing with NDP-related resource starvation is losing track of existing peers.
   If you have the knob available (and Junos does), you can allow the interval during which you'll continue to consider a node reachable once NUD kicks off to be longer than the default (which is 0).
   This will help, in degenerate circumstances, to avoid losing track of existing neighbors.
   http://www.juniper.net/techpubs/en_US/junos12.2/information-products/pathway-pages/config-guide-routing/config-guide-routing-neighbor-discovery.pdf

Limitations.
   None of these mitigations is a general-purpose solution. /64 subnets are still required in many circumstances.
   Hardening public-facing infrastructure was really our principal consideration for undertaking this work.
   Longer term, implementors have a pretty good idea how to address the business-as-usual internal cases.