nanog mailing list archives
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
From: Jimmy Hess <mysidia () gmail com>
Date: Wed, 30 Nov 2011 13:41:49 -0600
On Wed, Nov 30, 2011 at 10:39 AM, Jeff Wheeler <jsw () inconcepts biz> wrote:
On Wed, Nov 30, 2011 at 9:48 AM, Ray Soucy <rps () maine edu> wrote: Owen has suggested "stateful firewall" as a solution to me in the past. There is not currently any firewall with the necessary features to do this. We sometimes knee-jerk and think "stateful firewall has gobs of memory and can spend more CPU time on each packet, so it is a more likely solution." In this case that does not matter. You can't have 2^64 bits of memory.
In principle, a firewall doesn't need 2^64 bits of memory. You can have a single tree node that tells you "OK, all the interface IDs in the range 0x0000000000000000 through 0x000000000007ffff on Interface/network X are in state X; there comes a point where you can discard stale data long before it gets close to 2^64 bits. That's all well and good that in theory you could construct a stateful firewall to protect some /126 inter-router links, but seriously.. Why should you? Stateful firewalls are not free; neither is making a stateful firewall that can do that. What's the overwhelming benefit of forcing in a /126 on your P-t-P inter-router links if it has risks and complicates matters so much? -- -JH
Current thread:
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?, (continued)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Mark Blackman (Nov 30)
- RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Nathan Eisenberg (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Bill Stewart (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Mark Blackman (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Valdis . Kletnieks (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Leo Bicknell (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jimmy Hess (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jimmy Hess (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Leo Bicknell (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Dmitry Cherkasov (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Brzozowski, John (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Leo Bicknell (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 28)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Valdis . Kletnieks (Nov 28)