nanog mailing list archives

Re: IPv6 Addressing Help


From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 14 Aug 2009 20:35:38 +0200

TJ wrote:
[..]
> A great counter-point to this is that if you do use /64s (or for that matter
> - anything shorter than the currently-not-recommended /127s, AFAIK), you
> should apply ACLs to them to prevent ping-pong.

One should be doing uRPF at minimum on all links anyway. BCP84 ;)

If the user (or whatever you call the place where you send packets to)
has a default route back and is not properly routing, those packets can
come back quite quickly.

E.g., route a /48 to the user. The user only uses the first /64,
doesn't care about the rest, and doesn't route them to lo0 to avoid the
default matching; the packets will nicely ping-pong back to you.

Easy solution: source address check, then the source will not be
matching and you can drop the packet, or ICMP !A them so that the user
might once figure out what goes on.

Of course, if the user is sending packets with their source and their
destination you will need another kind of filter, but they will only
hurt themselves with it.

Greets,
 Jeroen
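
A small simulation of the ping-pong loop and the source address check described in the message above, added here as an illustration and not part of the original post. The prefixes (documentation space 2001:db8::/32), interface names and function names are all assumptions made for the example.

```python
import ipaddress as ip

# Constructed topology using documentation prefixes (not from the original post).
ISP_ROUTES = [  # (prefix, outgoing interface) on the provider router
    (ip.ip_network("2001:db8:1::/48"), "cust0"),   # the /48 routed to the user
    (ip.ip_network("::/0"), "upstream0"),
]
CPE_ROUTES = [  # user router: only the first /64 in use, default back to provider
    (ip.ip_network("2001:db8:1::/64"), "lan0"),
    (ip.ip_network("::/0"), "wan0"),           # no discard route for the rest
]

def lookup(routes, addr):
    """Longest-prefix match; returns the outgoing interface."""
    addr = ip.ip_address(addr)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)[1]

def urpf_strict_ok(routes, src, in_iface):
    """Strict uRPF (BCP 84): the best route back to src must use in_iface."""
    return lookup(routes, src) == in_iface

def forward(src, dst, in_iface="upstream0", urpf=False, hop_limit=64):
    """Trace a packet arriving at the provider router on in_iface.
    Returns (outcome, number of times it crossed the provider<->user link)."""
    at, crossings = "isp", 0
    while hop_limit > 0:
        if at == "isp":
            # Source address check on the customer-facing interface only.
            if urpf and in_iface == "cust0" and not urpf_strict_ok(ISP_ROUTES, src, in_iface):
                return "dropped by uRPF", crossings
            if lookup(ISP_ROUTES, dst) != "cust0":
                return "forwarded upstream", crossings
            at, in_iface = "cpe", "wan0"
        else:
            if lookup(CPE_ROUTES, dst) != "wan0":
                return "delivered on user LAN", crossings
            at, in_iface = "isp", "cust0"      # default route sends it back
        crossings += 1
        hop_limit -= 1
    return "hop limit exceeded", crossings

if __name__ == "__main__":
    outside, unused = "2001:db8:ffff::1", "2001:db8:1:5::1"
    print(forward(outside, unused))                          # loops until hop limit
    print(forward(outside, unused, urpf=True))               # dropped on first return
    print(forward("2001:db8:1::10", unused, "cust0", True))  # user's own source: check passes
```

The last call shows the case from the final paragraph: when the source is inside the user's own /48, the source check passes and a different filter is needed.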
