Neighbor Discovery Cache Protection Overview
Routing Engines can be susceptible to certain denial-of-service (DoS) attacks in IPv6 deployment scenarios. IPv6 subnets in general tend to be very large—for example, a /64 subnet might have a high number of unassigned addresses. The control plane of the Routing Engine performs the address resolution for unknown addresses. An attacker can quickly overwhelm the control plane of the Routing Engine by generating resolution requests for this unassigned address space, resulting in a cache overflow. The attack relies on both the number of requests generated and the rate at which requests are queued up. Such scenarios can tie up router resources and prevent the Routing Engine from answering valid neighbor solicitations and maintaining existing neighbor cache entries, effectively resulting in a DoS attack for legitimate users.
The strategies for mitigating such DoS attacks are as follows:
Filter unused address space.
Minimize the size of subnets.
Configure discard routes for subnets.
Enforce limits on the size of the neighbor discovery cache and on the rate at which entries are resolved.
Neighbor discovery cache impact can be minimized by restricting the number of IPv6 neighbors and new unresolved next-hop addresses that can be added to the cache. You can set limits per interface by using the nd6-max-cache and the nd6-new-hold-limit configuration statements or system-wide by using the nd-system-cache-limit configuration statement.
For small-sized platforms such as ACX, EX22XX, EX3200, EX33XX, and SRX, the default is 20,000.
For medium-sized platforms such as EX4200, EX45XX, EX4300, EX62XX, QFX, and MX, the default is 75,000.
For the rest of the platforms, the default is 100,000.
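The following is an added example, not part of this documentation page, showing how the three configuration statements above are applied together with a discard route for an unused range of the subnet. The interface name, prefixes, and limit values are assumed for illustration:

```junos
# Subnet-facing interface (name and prefix are assumed for this example)
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
# Per-interface cap on the total number of IPv6 neighbor cache entries
set interfaces ge-0/0/1 unit 0 family inet6 nd6-max-cache 10000
# Per-interface cap on new, still-unresolved next-hop entries held in the cache
set interfaces ge-0/0/1 unit 0 family inet6 nd6-new-hold-limit 1000
# System-wide cap on neighbor cache entries across all interfaces
set system nd-system-cache-limit 50000
# Assumed here: hosts are only assigned addresses in 2001:db8:1::/96, so an
# unused, more-specific range of the /64 gets a discard route; longest-prefix
# match makes it win over the directly connected /64, so resolution requests
# for that range are dropped before they can consume neighbor cache entries
set routing-options rib inet6.0 static route 2001:db8:1:0:1::/80 discard
```

After committing, `show ipv6 neighbors` lists the current cache entries so the effect of the limits on the interface can be observed.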