Re: [v6ops] [EXTERNAL] Improving ND security

"Bjoern A. Zeeb" <> Fri, 31 July 2020 19:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E86D3A044E; Fri, 31 Jul 2020 12:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DrfQSMI0oIKQ; Fri, 31 Jul 2020 12:03:55 -0700 (PDT)
Received: from ( [IPv6:2a01:4f8:13b:39f::9f:25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 60A783A0476; Fri, 31 Jul 2020 12:03:10 -0700 (PDT)
Received: from ( [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EFC7D8D4A161; Fri, 31 Jul 2020 19:03:08 +0000 (UTC)
Received: from ( [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D9E4E707B7; Fri, 31 Jul 2020 19:03:08 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
Received: from ([IPv6:fde9:577b:c1a9:31::2013:587]) by ( [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id S6f1v5dinMGa; Fri, 31 Jul 2020 19:03:06 +0000 (UTC)
Received: from [] (unknown [IPv6:fde9:577b:c1a9:4902:582a:9aa7:5038:eec3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 4E0E0E707AD; Fri, 31 Jul 2020 19:03:06 +0000 (UTC)
From: "Bjoern A. Zeeb" <>
To: "v6ops list" <>
Cc: 6man <>
Date: Fri, 31 Jul 2020 19:03:05 +0000
X-Mailer: MailMate (2.0BETAr6146)
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [v6ops] [EXTERNAL] Improving ND security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 31 Jul 2020 19:03:58 -0000

On 31 Jul 2020, at 16:58, Fernando Gont wrote:

>> Is there agreement that this is a serious problem in any case?
> It is a problem... which seems to be more cost-effective solved with 
> smaller prefixes for P2P links and/or better management of the 
> neighbor cache (e.g. be more aggressive flushing/policing NC entries 
> in the incomplete state).

I agree that there are quite a few intelligent things which can be done 
on neighbour tables under attack to a certain level. People had this 
discussions [felt] like a decade ago as well and they should be in the 

> SEND seems to me like a nice idea, but overly complex for the problem 
> it's trying to address.

It is these unbacked statements which people will use to reason against 
“complex” is not a cause unless it is backed by proper arguments.
“trust distribution” is a thing, which doesn’t really work in a 
coffee shop around the corner.

I do agree that SeND does not solve all the problems either but having 
had it running since Ana Kukec (some might remember her from IETF) did 
this in 2009/2010 for FreeBSD [1] we’ve been shipping a mixed 
kernel/user space solution based on the DoCoMo NTT works which alos run 
on Linux and others.  People later produced WinSeND for Windows [2] and 
their paper read a lot like Ana’s.

I have no idea how the support for major OSes and router vendors is a 
decade later, but I’d be curious if someone would do a proper survey 
and post the results.  I think that would be super helpful (not as an 
RFC, but as a “state snapshot”);  could be a blog post or a cloud 
based spreadsheet somewhere.


  (I hope the link is good, I cannot currently reach their site)