On Wed, Jan 5, 2011 at 13:14, Jeff Wheeler <j...@inconcepts.biz> wrote:
> On Wed, Jan 5, 2011 at 1:02 PM, TJ <trej...@gmail.com> wrote:
> > Many would argue that the version of IP is irrelevant, if you are permitting
> > external hosts the ability to scan your internal network in an unrestricted
> > fashion (no stateful filtering or rate limiting) you have already lost, you
>
> How do you propose to rate-limit this scanning traffic? More router
> knobs are needed. This also does not solve problems with malicious
> hosts on the LAN.

Off the top of my head, maybe just slow down the generation of new NS attempts when under attack (without impacting the NUD-based NS).

> A stateful firewall on every router interface has been suggested
> already on this thread. It is unrealistic.
>
> > Even granting that, for the sake of argument - it seems like it would not be
> > hard for $vendor to have some sort of "emergency garbage collection"
> > routines within their NDP implementations ... ?
>
> How do you propose the router know what entries are "garbage" and
> which are needed? Eliminating active, "good" entries to allow for
> more churn would make the problem much worse, not better.

Again, off the top of my head, maybe - when under duress - age out the incomplete ND table entries faster.

/TJ
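The two mitigations TJ sketches in this message (throttle the generation of new NS when under attack, and age out INCOMPLETE neighbor-cache entries faster under duress while leaving NUD-verified REACHABLE entries alone), modelled as an added toy example that is not from this thread or from any vendor's NDP implementation. The table size, thresholds, timers and addresses are assumed values chosen for the demo.

```python
from collections import namedtuple
from dataclasses import dataclass, field

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"
Entry = namedtuple("Entry", "state created")   # one neighbor cache entry

@dataclass
class NeighborCache:
    # All thresholds and timers below are assumptions chosen for the demo.
    capacity: int = 8            # entries the table can hold
    duress_threshold: int = 4    # INCOMPLETE entries that mean "under duress"
    normal_ttl: float = 30.0     # INCOMPLETE lifetime when calm (seconds)
    duress_ttl: float = 1.0      # shortened INCOMPLETE lifetime under duress
    duress_ns_per_sec: int = 2   # new NS allowed per second under duress
    entries: dict = field(default_factory=dict)
    ns_window: tuple = (-1, 0)   # (second, NS sent during that second)

    def under_duress(self) -> bool:
        return sum(e.state == INCOMPLETE for e in self.entries.values()) >= self.duress_threshold

    def expire(self, now: float) -> int:
        """Age out INCOMPLETE entries (faster under duress); REACHABLE entries
        are left to NUD. Returns how many entries were dropped."""
        ttl = self.duress_ttl if self.under_duress() else self.normal_ttl
        stale = [a for a, e in self.entries.items()
                 if e.state == INCOMPLETE and now - e.created >= ttl]
        for a in stale:
            del self.entries[a]
        return len(stale)

    def lookup(self, addr: str, now: float) -> str:
        """Forwarding-plane lookup for an on-link destination. Returns the
        router's action: forward, queued (resolving), ns_sent or dropped."""
        self.expire(now)
        e = self.entries.get(addr)
        if e is not None:
            return "forward" if e.state == REACHABLE else "queued"
        sec, sent = self.ns_window
        if int(now) != sec:
            sec, sent = int(now), 0
        if self.under_duress() and sent >= self.duress_ns_per_sec:
            return "dropped"         # throttle generation of new NS
        if len(self.entries) >= self.capacity:
            return "dropped"         # table full: the exhaustion case itself
        self.entries[addr] = Entry(INCOMPLETE, now)
        self.ns_window = (sec, sent + 1)
        return "ns_sent"

    def learned(self, addr: str, now: float) -> None:
        # Neighbor Advertisement received: the entry becomes REACHABLE.
        self.entries[addr] = Entry(REACHABLE, now)
```

A legitimate host that resolved before the scan keeps forwarding throughout, because only INCOMPLETE entries are aged aggressively and only new NS generation is throttled.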