lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 04 Jan 2012 18:02:47 +0100
From:	Eric Dumazet <>
To:	Brent Cook <>
Subject: Re: Possible DoS with 6RD border relay

Le mercredi 04 janvier 2012 à 10:48 -0600, Brent Cook a écrit :
> Hi All,
>   I have been doing some testing of Linux serving as a 6RD border relay. It 
> seems that if a client sends 6RD-encapsulated packets and varies the lower 64-
> bits of the 6RD address over the range of the neighbor table size (the bits 
> below the delegated prefix), it causes the neighbor table to quickly overflow. 
> However, viewing the neighbor table never shows more than a handful of 
> entries. When the neighbor table overflows, packet routing on my test system 
> slows from 1Gbps to a couple of Mbps at most.
> [28765.764079] net_ratelimit: 32003 callbacks suppressed
> [28765.764084] ipv6: Neighbour table overflow.
> [28765.764171] ipv6: Neighbour table overflow.
> root@...get1:~# ip neigh
> fe80::1a:c5ff:fe02:2 dev test2  router FAILED
> 2001:1234::3 dev test2 lladdr 02:1a:c5:02:00:02 REACHABLE
> dev mgmt0 lladdr 04:7d:7b:06:8d:2d REACHABLE
> dev test0 lladdr 02:1a:c5:01:00:00 REACHABLE
> If I send packets much more slowly, the system works as expected. If the 6RD 
> client sends from a constant address rather than varying the lower bits, it 
> also works fine. I tested the two neighbor table checks in sit.c and 
> The network topology looks something like this:
> 6RD client -> Router -> Linux (6RD BR) -> IPv6 host
> The 6RD client is at
> The Linux BR is at, the IPv4 router is at and the IPv6 
> host is directly attached on a second physical interface at address 
> 2001:1234::3
> A configuration script for configuring the BR follows:
> #!/bin/bash
> PREFIX1="2001:0db8"                  # 6rd ipv6 prefix
> intf1=test0
> intf2=test2
> modprobe sit
> ## Setup the tunnel, it will create an interface named '6rd'
> ip addr add dev $intf1
> ip link set $intf1 up
> sudo ip route add via
> ip addr add 2001:1234::1/64 dev $intf2
> ip link set $intf2 up
> ip tunnel add 6rd mode sit local dev $intf1 ttl 64
> ip tunnel 6rd dev 6rd 6rd-prefix ${PREFIX1}::/32
> ip addr add ${PREFIX1}::1/32 dev 6rd
> ip link set 6rd up
> sysctl -w net.ipv6.conf.all.forwarding=1

What kernel version do you use ?

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists