DOI: https://doi.org/10.17487/RFC6583
Discuss this RFC: Send questions or comments to the mailing list v6ops@ietf.org
In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service (DoS), whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial-of-service attacks can be launched intentionally (by an attacker) or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted.
This document describes the potential for DoS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can, in some cases, be used to protect against or at least alleviate the impact of such attacks. [STANDARDS-TRACK]
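As an added illustration (not part of the RFC or of this page), the following Python model shows the condition the abstract describes: address resolution for unassigned addresses fills a router's neighbor cache so that newly arriving hosts cannot be resolved. The cache capacity, packet rates, host identifiers and the "evict the oldest INCOMPLETE entry" policy are assumptions chosen for the example; the 3-second timeout follows the RFC 4861 defaults of three solicitations sent one second apart.

```python
from collections import OrderedDict

RESOLVE_TIMEOUT = 3  # seconds: 3 solicitations, 1 s apart (RFC 4861 defaults)

def simulate(capacity, sweep_pps, seconds, assigned, evict_incomplete):
    """Model one router neighbor cache while a /64 is being swept.

    Returns (resolved, failed): assigned hosts that obtained a cache entry,
    and assigned hosts refused because the table was full.
    Assumption: an assigned host answers its solicitation immediately.
    """
    cache = OrderedDict()      # addr -> (state, expiry); oldest entry first
    resolved, failed = [], []
    next_unassigned = 1 << 32  # constructed interface IDs that nobody owns
    for now in range(seconds):
        # Drop INCOMPLETE entries whose solicitations were never answered.
        for addr in [a for a, (s, exp) in cache.items()
                     if s == "INCOMPLETE" and exp <= now]:
            del cache[addr]
        arrivals = list(range(next_unassigned, next_unassigned + sweep_pps))
        next_unassigned += sweep_pps
        if now < len(assigned):  # one real host per second starts talking
            arrivals.append(assigned[now])
        for addr in arrivals:
            if addr in cache:
                continue
            if len(cache) >= capacity:
                victim = next((a for a, (s, _) in cache.items()
                               if s == "INCOMPLETE"), None)
                if not evict_incomplete or victim is None:
                    if addr in assigned:
                        failed.append(addr)  # a new device cannot "join"
                    continue
                del cache[victim]  # REACHABLE entries are never evicted
            if addr in assigned:
                cache[addr] = ("REACHABLE", None)
                resolved.append(addr)
            else:
                cache[addr] = ("INCOMPLETE", now + RESOLVE_TIMEOUT)
    return resolved, failed

if __name__ == "__main__":
    hosts = [1, 2, 3, 4, 5]  # constructed sample hosts
    print("refuse when full:", simulate(512, 1000, 5, hosts, False))
    print("evict INCOMPLETE:", simulate(512, 1000, 5, hosts, True))
```

In this model the simplistic cache fails every real host once the number of pending resolutions (rate times timeout) exceeds the table size, while the variant that reclaims unanswered entries keeps admitting them.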
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 8729.