nanog mailing list archives

Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

From: Jimmy Hess <mysidia () gmail com>
Date: Wed, 30 Nov 2011 10:13:56 -0600

On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <rps () maine edu> wrote:

Saying you can mitigate neighbor table exhaustion with a "simple ACL"
is misleading (and you're not the only one who has tried to make that
claim).


It's true, though, you can.
But you can also mitigate neighbor table exhaustion by using a long prefix /126;
you create an upper bound on the number of neighbor table entries that
are possible,
and that bound is less than your device's memory capacity for neighbor
table entries.

This is a more reliable mitigation than an ACL;  it is also simpler
and less likely for an
operator to mistake to render the mitigation useless, or cause other issues.

From a pure security POV,  it's easy to reject ACL mitigation in favor

of inherent
designed-in  mitigation / non-vulnerability.

From a network design POV, there may still be reasons to prefer the ACL method.

They better be good reasons, such as a requirement for SLAAC on a large LAN.

--
-JH

Current thread:

Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?, (continued)
- - - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Fred Baker (Nov 28)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Brzozowski, John (Nov 28)
    - RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? McCall, Gabriel (Nov 29)
    - RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Nathan Eisenberg (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Joel jaeggli (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jimmy Hess (Nov 29)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jimmy Hess (Nov 30)
    - RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jamie Bowden (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Mark Blackman (Nov 30)
    - RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Nathan Eisenberg (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Bill Stewart (Nov 30)
    - Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Mark Blackman (Nov 30)

(Thread continues...)