nanog mailing list archives
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Tue, 29 Nov 2011 00:15:02 -0500
On Mon, Nov 28, 2011 at 4:51 PM, Owen DeLong <owen () delong com> wrote:
> Technically, absent buggy {firm,soft}ware, you can use a /127. There's no actual benefit to doing anything longer than a /64 unless you have buggy *ware (ping pong attacks only work against buggy *ware), and there can be some advantages to choosing addresses other than ::1 and ::2 in some cases. If you're letting outside packets target your point-to-point links, you have bigger problems than neighbor table attacks. If not, then the neighbor table attack is a bit of a red-herring.
Owen and I have discussed this in great detail off-list. Nearly every time this topic comes up, he posts in public that neighbor table exhaustion is a non-issue. I thought I'd mention that his plan for handling neighbor table attacks against his networks is whack-a-mole. That's right, wait for customer services to break, then have NOC guys attempt to clear tables, filter traffic, or disable services; and repeat that if the attacker is determined or going after his network rather than one of his downstream customers.

I hate to drag a frank, private discussion like that into the public list; but every time Owen says this is a non-issue, you should keep in mind that his own plan is totally unacceptable for any production service.

Only one of the following things can be true: either 1) Owen thinks it is okay for services to break repeatedly and require operator intervention to fix them if subjected to a trivial attack; or 2) he is lying. Take that as you will.

--
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator / Innovative Network Concepts