Jeff Wheeler (jsw) writes:
> are badly needed. The largest current routing devices have room for
> about 100,000 ARP/NDP entries, which can be used up in a fraction of a
> second with a gigabit of malicious traffic flow. What happens after
> that is the problem, and we need to tell our vendors what knobs we
> want so we can "choose our own failure mode" and limit damage to one
> interface/LAN.

Well there are *some* knobs:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1369018

Not very smart, as it just controls how fast you run out of entries.

I haven't read all entries in this thread yet, but I wonder if
http://tools.ietf.org/html/draft-jiang-v6ops-nc-protection-01
has been mentioned?

Seems also that this topic has been brought up here a year ago
give or take a couple of weeks:

http://www.mail-archive.com/nanog@nanog.org/msg18841.html

Cheers,
Phil