IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

Hello everybody,

It is commonly agreed that /64 is maximal length for LANs because if
we use longer prefix we introduce conflict with stateless address
autoconfiguration (SLAAC) based on EUI-64 spec. But SLAAC is not used
in DOCSIS networks. So there seems to be no objections to use smaller
networks per cable interfaces of CMTS. I was not able to find any
recommendations anywhere including Cable Labs specs for using
prefixes not greater then /64 in DOCSIS networks. Some tech from ISP
assumed that DHCPv6 server may generate interface ID part of IPv6
address similarly to EUI-64 so MAC address of the device can easily be
obtained from its IPv6 address, but this does not seem like convincing
argument. What do you think?

Dmitry Cherkasov

It's a good practice to reserve a 64-bit prefix for each network.
That's a good general rule. For point to point or link networks you
can use something as small as a 126-bit prefix (we do).

When it comes to implementation, though, it's not as simple as a yes
or no answer.

The actual use of 64-bit prefixes is not something I would currently
recommend for large-scale deployments due to the denial of service
attack vector it opens up (neighbor table exhaustion).

Not using 64-bit prefixes tosses SLAAC out the window; but for many
networks SLAAC may not be desirable anyway due to the lack of control
it presents.

Once vendors come out with routers that are able to protect against
neighbor table exhaustion, moving to a 64-bit prefix (which you
hopefully reserved) will allow you to be more flexible in what
addressing methods are used.

You can probably do it, but, what do you gain by doing so?

Owen

Technically, absent buggy {firm,soft}ware, you can use a /127. There's no
actual benefit to doing anything longer than a /64 unless you have
buggy *ware (ping pong attacks only work against buggy *ware),
and there can be some advantages to choosing addresses other than
::1 and ::2 in some cases. If you're letting outside packets target your
point-to-point links, you have bigger problems than neighbor table
attacks. If not, then the neighbor table attack is a bit of a red-herring.

Owen

The context is DOCSIS, i.e., primarily residential cable modem users, and
the cable company ISPs do not want to spend time on customer care and
hand-holding. How are most v6 machines configured by default? That is,
what did Microsoft do for Windows Vista and Windows 7? If they're set for
stateless autoconfig, I strongly suspect that most ISPs will want to stick
with that and hand out /64s to each network. (That's apart from the larger
question of why they should want to do anything else...)

    --Steve Bellovin, https://www.cs.columbia.edu/~smb

Dmitry,

You could consider the use of prefixes longer than the /64 on CMTS
interfaces, however, it is not clear to me why this would be done.
Further, most DHCPv6 implementations do not require that the generated
IPv6 address be eui-64 based. A randomized algorithm could also be used.
Another consideration is what happens after IPv6 is used for addressing
cable modems. What happens when you want to address CPE or CPE routers?
You are right back to /64 or shorter depending on the type of device being
provisioned.

FWIW - we have found that there are distinct benefits to using IPv6 beyond
the amount of addresses that are available. The use of /64 is tightly
coupled with these benefits.

Can you elaborate as to why one would want to or need to use prefixes
longer than /64?

John

It's a good practice to reserve a 64-bit prefix for each network.
That's a good general rule. For point to point or link networks you
can use something as small as a 126-bit prefix (we do).

[jjmb] for point to point I agree with this point. If a /64 is reserved
one has greater flexibility as far as what is configured on the interfaces.

When it comes to implementation, though, it's not as simple as a yes
or no answer.

The actual use of 64-bit prefixes is not something I would currently
recommend for large-scale deployments due to the denial of service
attack vector it opens up (neighbor table exhaustion).

[jjmb] not sure I agree, this depends on where the prefix is being
installed in the network.

I mentioned this in an earlier reply. CM vs CPE vs CPE router are all
different use cases. From a CPE or CPE router point of view SLAAC will
likely not be used to provisioned devices, stateful DHCPv6 is required.
As such Vista/7 machines that are directly connected to cable modems will
receive an IPv6 address and configuration options via stateful DHCPv6.
The same now applies to OSX Lion.

I do agree that many host implementations have been built around /64
assumptions and departures from the same at this time will seemingly
introduce more problems that benefits.

John

Basically, if the address used by a host is allocated using RFC 3971/4861/4941, the host assumes a /64 from the router and concocts a 64 bit EID as specified. If the address used by the host is allocated using DHCP/DHCPv6, it is the 128 bit number assigned by the DHCP server. I see no reason you couldn't use a /127 prefix if the link was point to point.

As you note, there is significant deployment of ND, and insignificant deployment of DHCPv6. However, any network that is in control of all of its hosts should be able to specify the use of DHCPv6.

Basically, if the address used by a host is allocated using RFC
3971/4861/4941, the host assumes a /64 from the router and concocts a 64
bit EID as specified. If the address used by the host is allocated using
DHCP/DHCPv6, it is the 128 bit number assigned by the DHCP server. I see
no reason you couldn't use a /127 prefix if the link was point to point.

[jjmb] How would this address be assigned? Statically? Practically, I do
not see how this would be useful. I do agree it is possible.

As you note, there is significant deployment of ND, and insignificant
deployment of DHCPv6. However, any network that is in control of all of
its hosts should be able to specify the use of DHCPv6.

[jjmb] I do not agree about the insignificance of DHCPv6 deployment, ND
support is certainly greater. Having control over hosts ie an enterprise
environment, creates the opportunity to mandate DHCPv6, it does not always
it should be required. Again this depends on the deployment scenario.

Owen and I have discussed this in great detail off-list. Nearly every
time this topic comes up, he posts in public that neighbor table
exhaustion is a non-issue. I thought I'd mention that his plan for
handling neighbor table attacks against his networks is whack-a-mole.
That's right, wait for customer services to break, then have NOC guys
attempt to clear tables, filter traffic, or disable services; and
repeat that if the attacker is determined or going after his network
rather than one of his downstream customers.

I hate to drag a frank, private discussion like that into the public
list; but every time Owen says this is a non-issue, you should keep in
mind that his own plan is totally unacceptable for any production
service. Only one of the following things can be true: either 1) Owen
thinks it is okay for services to break repeatedly and require
operator intervention to fix them if subjected to a trivial attack; or
2) he is lieing. Take that as you will.

Technically, absent buggy {firm,soft}ware, you can use a /127. There's no
actual benefit to doing anything longer than a /64 unless you have
buggy *ware (ping pong attacks only work against buggy *ware),
and there can be some advantages to choosing addresses other than
::1 and ::2 in some cases. If you're letting outside packets target your
point-to-point links, you have bigger problems than neighbor table
attacks. If not, then the neighbor table attack is a bit of a red-herring.

Owen and I have discussed this in great detail off-list. Nearly every
time this topic comes up, he posts in public that neighbor table
exhaustion is a non-issue. I thought I'd mention that his plan for
handling neighbor table attacks against his networks is whack-a-mole.
That's right, wait for customer services to break, then have NOC guys
attempt to clear tables, filter traffic, or disable services; and
repeat that if the attacker is determined or going after his network
rather than one of his downstream customers.

That's _NOT_ a fair characterization of what I said above, nor is it
a fair characterization of my approach to dealing with neighbor table
attacks.

What I said above is that if you allow random traffic aimed at your
point to point links, you're doing something dumb.

If you don't allow random traffic, you don't have a neighbor table
exhaustion attack reaching your point to point interfaces. It's that
simple.

That's what I said above.

As to my actual plan for dealing with it, what I said was that if we
ever see a neighbor table attack start causing problems with services,
we'd address it at that time. Likely we would address it more globally
and not through a whack-a-mole process.

I did not give details of all of our mitigation strategies, nor can I.

What I can say is that we do have several /64s that could be attacked
such that we'd notice the attack. Most likely the attack wouldn't break
anything that is a production service before we could mitigate it.

In more than a decade of running production IPv6 networks, we have
yet to see a neighbor table attack. Further, when you consider that
most attacks have a purpose, neighbor table attacks are both more
difficult and less effective than other attack vectors that are readily
available. As such, I think they are less attractive to would-be attackers.

I hate to drag a frank, private discussion like that into the public
list; but every time Owen says this is a non-issue, you should keep in
mind that his own plan is totally unacceptable for any production
service. Only one of the following things can be true: either 1) Owen
thinks it is okay for services to break repeatedly and require
operator intervention to fix them if subjected to a trivial attack; or
2) he is lieing. Take that as you will.

No, there is a third possibility.

I don't mind you taking a frank private discussion public (though
it's not very courteous), but, I do object to you misquoting me
and misconstruing the nature and substance of what I said.

I do not think it is OK for services to break repeatedly. I do think that
the probability of an attacker finding ND attacks useful combined with
the effort required to carry one out against a well-defended target
make them far less likely than you characterize them to be. As such,
I'm willing to limit the mitigation efforts to the steps we've already
taken until they prove inadequate. IF they prove inadequate (whether
that proof comes in the form of a service breakage or not), then we
will address mitigation more broadly.

However, investing infinite resources in preventing an unlikely
and not particularly effective attack strikes me as a poor use of
resources.

Yes, ND attacks are possible if you leave your /64 wide open to
external traffic. However, if you're using your /64 to provide services,
chances are it's pretty easy to cluster your server in a much smaller
range of addresses. A simple ACL that only permits packets to
that range (or even twice or 4 times that range) will effectively
block any meaningful ND attack.

For example, let's say you use 2001:db8:fe37:57::1000:0
to 2001:db8:fe37:57:1000:01ff as the IPv6 range for a
set of servers.

Let's say there are 200 servers in that range.

That's 200/512 good ND records for servers and 312 slots
where you can put additional servers. That gives you a total
attack surface of 312 incomplete ND records.

This was part of my frank private discussion with Jeff, but,
he seems to have forgotten it.

In my mind, if your ACL only permits those 512 addresses
to be reached from the outside (potentially attacking)
world, then, your router isn't likely to fall over from those
312 incomplete ND entries. Maybe Jeff tries to run
production services on something smaller than a
LInksys WRT54G. I don't know. I certainly don't.

Anything larger should be able to handle a few hundred
incomplete NDs that don't belong without incident.

If you have networks that you don't protect with ACLs, then,
you're asking for other troubles regardless of the protocol
anyway.

Owen

It's worked for us since 1997. We've had bigger problems with IPv4 worms that
decided to probe in multicast address space for their next target, causing CPU
exhaustion on routers as they try to set up zillions of multicast groups.

Sure, it's a consideration. But how many sites are *actually* getting hit
with this, compared to all the *other* DDOS stuff that's going on? I'm willing
to bet a large pizza with everything but anchovies that out in the *real*
world, 50-75 times as many (if not more) sites are getting hit with IPv4
DDoS attacks that they weren't prepared for than are seeing this one
particular neighbor table exhaustion attack.

Any of the guys with actual DDoS numbers want to weigh in?

Agreed. While I don't have any good numbers that I can publicly offer up,
it also intuitively makes sense that there's a greater proportion of IPv4
DDOS and resource exhaustion attacks vs IPv6 ones.
Especially on the "distributed" part; there's a heck of lot more v4-only
hosts to be 0wned and botnet'ed than dual-stacked ones.

That said, I think the risk of putting a /64 on a point-to-point link is
much greater than compared to a (incredibly wasteful) v4 /24 on a
point-to-point. Instead of ~254 IPs one can destinate traffic towards (to
cause a ARP neighbor discovery process), there's now ~18446744073709551614
addresses one can cause a router to start sending ICMPv6 messages for.

For links that will only ever be point-to-point, there's no good reason
(that I know of) to not use a /127. For peering LANs or places that have a
handful of routers, /112's are cute, but I would think the risk is then
comparable to a /64 (which has the added benefit of SLAAC).

I imagine the mitigation strategies are similar for both cases though: just
rate-limit how often your router will attempt neighbor discovery. Are there
other methods?

Cheers,
jof

* Dmitry Cherkasov:

It is commonly agreed that /64 is maximal length for LANs because if
we use longer prefix we introduce conflict with stateless address
autoconfiguration (SLAAC) based on EUI-64 spec. But SLAAC is not used
in DOCSIS networks. So there seems to be no objections to use smaller
networks per cable interfaces of CMTS.

As far as I understan the IPv6 address architecture, if the network
prefix is longer than /64, you're not running Unicast IPv6.

It's worked for us since 1997. We've had bigger problems with IPv4 worms

That's not a reason to deny that the problem exists. It's even
fixable. I'd prefer that vendors fixed it *before* there were massive
botnet armies with IPv6 connectivity, but in case they don't, I do not
deploy /64.

Agreed. While I don't have any good numbers that I can publicly offer up, it
also intuitively makes sense that there's a greater proportion of IPv4 DDOS
and resource exhaustion attacks vs IPv6 ones.

Of course. There are comparably few hosts with IPv6 connectivity.
Bad guys aren't that familiar with IPv6 yet. Even if they are, their
armies of compromised desktops probably can't launch an effective IPv6
attack yet. Lack of sources, no way to get nasty IPv6 packets to the
target, or the target has different infrastructure for IPv4 and IPv6
anyway, and taking out the IPv6 one only isn't that beneficial (Happy
Eyeballs features and such.)

Further, the victim can just turn off IPv6 when they start getting
attacked in this way. And that is exactly what sites will end up
doing, turning off IPv6 because vendors aren't addressing issues like
these. That doesn't help anyone.

I imagine the mitigation strategies are similar for both cases though: just
rate-limit how often your router will attempt neighbor discovery. Are there
other methods?

Simply rate-limiting the data-plane events that trigger ND resolution
is not good enough. One very popular platform that is offered with
cards in horizontal or vertical orientation uses the same policer for
ARP and NDP. That means when you do eventually start getting ND
attacks, it will break your IPv4 services also.

If you want to learn more about this, I have some slides:

Owen,

Currently I research on IPv6 provisioning systems and I need to decide
whether the ability to use longer then /64 prefixes should be
supported in them or not. If we restrict user to using /64 per network
we need to have convincing reasons for this. Best practice and common
sense stand for using /64 but this may be not sufficient for some
people.

Dmitry Cherkasov

John,

I am determining technical requirements to IPv6 provisioning system
for DOCSIS networks and I am deciding if it is worth to restrict user
to use not less then /64 networks on cable interface. It is obvious
that no true economy of IP addresses can be achieved with increasing
prefix length above 64 bits.

As for using EUI-64, unlike random or sequential generation it
provides predictable results that may be desired, e.g. for tracking
some device migration between different networks.

Dmitry Cherkasov

Steven,

SLAAC is prohibited for using in DOCSIS networks, router
advertisements that allow SLAAC must be ignored by end-devices,
therefore DHCPv6 is the only way of configuring (if not talking about
statical assignment). I have seen at least Windows7 handling this
properly in its default configuration: it starts DHCPv6 negotiation
instead of auto-configuration.

Dmitry Cherkasov

* Dmitry Cherkasov

I am determining technical requirements to IPv6 provisioning system
for DOCSIS networks and I am deciding if it is worth to restrict user
to use not less then /64 networks on cable interface. It is obvious
that no true economy of IP addresses can be achieved with increasing
prefix length above 64 bits.

I am not familiar with DOCSIS networks, but I thought I'd note that in
order to comply with the RIPE policies, you must assign at least a /64
or shorter to each end user: