{"draft":"draft-ietf-v6ops-v6nd-problems-04","doc_id":"RFC6583","title":"Operational Neighbor Discovery Problems","authors":["I. Gashinsky","J. Jaeggli","W. Kumari"],"format":["ASCII","HTML"],"page_count":"12","pub_status":"INFORMATIONAL","status":"INFORMATIONAL","source":"IPv6 Operations","abstract":"In IPv4, subnets are generally small, made just large enough to cover\r\nthe actual number of machines on the subnet.  In contrast, the\r\ndefault IPv6 subnet size is a \/64, a number so large it covers\r\ntrillions of addresses, the overwhelming number of which will be\r\nunassigned.  Consequently, simplistic implementations of Neighbor\r\nDiscovery (ND) can be vulnerable to deliberate or accidental denial\r\nof service (DoS), whereby they attempt to perform address resolution\r\nfor large numbers of unassigned addresses.  Such denial-of-service\r\nattacks can be launched intentionally (by an attacker) or result from\r\nlegitimate operational tools or accident conditions.  As a result of\r\nthese vulnerabilities, new devices may not be able to \"join\" a\r\nnetwork, it may be impossible to establish new IPv6 flows, and\r\nexisting IPv6 transported flows may be interrupted.\r\n\r\nThis document describes the potential for DoS in detail and suggests\r\npossible implementation improvements as well as operational\r\nmitigation techniques that can, in some cases, be used to protect\r\nagainst or at least alleviate the impact of such attacks.  \r\n[STANDARDS-TRACK]","pub_date":"March 2012","keywords":[],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC6583","errata_url":null}