Hacker News new | past | comments | ask | show | jobs | submit login

You say that but in a few years we'll probably be fighting neighbour discovery DoS attacks. /64 prefixes seem to be the worst thought out idea of IPv6.



IIRC (and I may not RC), ND traffic is supposed to be constrained to a local link.

If this is true, then it would be totally safe to drop ND traffic that didn't originate on your network, and drop ND traffic that occurs on networks that you manage that have manually configured addresses.

So, how would you DoS anything other than your upstream router [0], or the nodes on your own LAN?

[0] Even this DoS seems trivially preventable by dropping ND requests that happen too frequently. If you assume that there is one router on each end of a link, then the rate of ND messages would have to be very low in the ordinary course of operation, no?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: