> IPv6) I can scan your v6 /64 subnet, and your router will have to send
> out NDP NS for every host I scan. If it requires "incomplete" entries
> in its table, I will use them all up, and NDP learning will be broken.
> Typically, this breaks not just on that interface, but on the entire
> router. This is much worse than the v4/ARP situation.

I'm guessing you're referring to this paragraph of RFC 4861:

"
When a node has a unicast packet to send to a neighbor, but does not know the neighbor's link-layer address, it performs address resolution. For multicast-capable interfaces, this entails creating a Neighbor Cache entry in the INCOMPLETE state and transmitting a Neighbor Solicitation message targeted at the neighbor. The solicitation is sent to the solicited-node multicast address corresponding to the target address.
"
<http://tools.ietf.org/html/rfc4861#section-7.2.2>

It's worth noting that nothing in this paragraph is normative (there's no RFC 2119 language), so implementations are free to ignore it. I haven't read the NIST document, but it wouldn't conflict with the RFC if they recommended ignoring this paragraph and just relying on the ND cache they already have when a packet arrives.

--Richard
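
A toy model of the behaviour discussed in this thread, added here as an illustration and not part of either poster's message: it compares a router that creates an INCOMPLETE entry on every cache miss with one that relies only on entries it already holds. The shared 512-entry budget, the interface names, the addresses and the `KNOWN` state are assumptions; no packets are sent.

```python
from dataclasses import dataclass, field

INCOMPLETE = "INCOMPLETE"
KNOWN = "KNOWN"  # assumption: stands for any state with a link-layer address

@dataclass
class NeighborCache:
    max_incomplete: int            # assumed budget shared by all interfaces
    create_on_miss: bool = True    # behaviour of the quoted RFC 4861 paragraph
    entries: dict = field(default_factory=dict)  # (ifname, addr) -> state

    def incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == INCOMPLETE)

    def learn(self, ifname, addr):
        """Entry created from the neighbor's own ND traffic (it spoke first)."""
        self.entries[(ifname, addr)] = KNOWN

    def forward(self, ifname, dst):
        """What the router does with a packet for on-link destination dst."""
        state = self.entries.get((ifname, dst))
        if state == KNOWN:
            return "forwarded"
        if state == INCOMPLETE:
            return "queued"              # resolution already pending
        if not self.create_on_miss:
            return "dropped"             # rely only on the existing cache
        if self.incomplete_count() >= self.max_incomplete:
            return "resolution-failed"   # no room for another INCOMPLETE entry
        self.entries[(ifname, dst)] = INCOMPLETE
        return "solicited"               # an NS would go out here

def run(create_on_miss):
    cache = NeighborCache(max_incomplete=512, create_on_miss=create_on_miss)
    cache.learn("eth1", "2001:db8:0:2::10")       # constructed: host already known
    for i in range(1, 1001):                      # constructed: unused addresses in one /64
        cache.forward("eth0", f"2001:db8:0:1::{i:x}")
    new_host = "2001:db8:0:2::20"                 # constructed: real but unresolved host
    before = cache.forward("eth1", new_host)
    known = cache.forward("eth1", "2001:db8:0:2::10")
    pending = cache.incomplete_count()
    cache.learn("eth1", new_host)                 # the host announces itself
    after = cache.forward("eth1", new_host)
    return before, known, pending, after

if __name__ == "__main__":
    print("create on miss:     ", run(True))
    print("existing cache only:", run(False))
```

In both modes already-known neighbors keep working; the difference is whether traffic to unused addresses on one interface can consume the budget that a new host on another interface needs, at the cost that the second mode forwards to a host only after that host has been learned.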