Re: Using /126 for IPv6 router links

[Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>]

On Mon, 25 Jan 2010 22:34:46 -0500
Christopher Morrow <morrowc.lists () gmail com> wrote:

> On Mon, Jan 25, 2010 at 7:33 PM, Owen DeLong <owen () delong com> wrote:
> > On Jan 25, 2010, at 8:14 AM, Mathias Seiler wrote:
> >
> > > Ok let's summarize:
> > >
> > > /64:
> > > +     Sticks to the way IPv6 was designed (64 bits host part)
> > > +     Probability of renumbering very low
> > > +     simpler for ACLs and the like
> > > +     rDNS on a bit boundary
> > >
> > > <>    You can give your peers funny names, like 2001:db8::dead:beef ;)
> > >
> > > -     Prone to attacks (scans, router CPU load)
> > Unless of course you just block nonexistent addresses in the /64 at each end.
>
> uhm, how sensible is this? "Use s^64 address, block all but the first
> 2" I'm confused by the goal of using a /64 on a ptp link that never
> will have more than 2 addresses on it?
>
> I get that 'years ago' understanding what a /30 or a /31 is was 'hard'
> for people but seriously, this is 2010...

And therefore life should be getting easier, not harder. If there is no
need for variable length node addresses, why make life harder by using
them? This discussion isn't about what's hard or not to understand,
it's about whether variable length node addresses are necessary or not.
In IPv6 they're not.

Why can't IPv6 node addressing be as easy to understand and work with
as Ethernet addresses? They were designed in the early 1980s*. 28 years
or so years later, it's time for layer 3 addressing to catch up.



* "48-bit Absolute Internet and Ethernet Host Numbers"
http://ethernethistory.typepad.com/papers/HostNumbers.pdf
(well worth a read - did you know that Ethernet addresses were supposed
to be per host, not per interface?)

> > > -     "Waste" of addresses
> > > -     Peer address needs to be known, impossible to guess with 2^64 addresses
> > Most of us use ::1 for the assigning side and ::2 for the non-assigning side of
> > the connection.  On multipoints, such as exchanges, the popular alternative is
> > to use either the BCD of the ASN or the hex of the ASN for your first connection
> > and something like ::1:AS:N for subsequent connections.
>
> multipoint exchanges are out of scope of the discission, or so I had
> counted earlier.
>
> > > /126
> > > +     Only 4 addresses possible (memorable, not so error-prone at configuration-time and while debugging)
> > > +     Not prone to scan-like attacks
> >
> > Equally prone to scan like attacks, but, no ACL required to reduce vulnerability.
>
> how so? How do you reduce this without an acl or some sort somewhere
> that needs to be maintained?
> (I think I'm asking for some config snippets with explanations,
> perhaps it's documented somewhere already even? :) )
>
> -Chris
>
> > > -     Not on a bit boundary, so more complicated for ACLs and …
> > > -     … rDNS
> > > -     Perhaps need to renumber into /64 some time.
> > > -     No 64 bits for hosts
> > >
> > >
> > > /127
> > > Like /126 but there's an RFC not recommending it and an RFC (draft) which revises that non-recommendation.
> > >
> > >
> > >
> > > On 25 Jan 2010, at 10:14, Matthew Petach wrote:
> > >
> > > > On Sat, Jan 23, 2010 at 4:52 AM, Mathias Seiler
> > > > <mathias.seiler () mironet ch> wrote:
> > > > > Hi
> > > > > In reference to the discussion about /31 for router links, I d'like to know what is your experience with IPv6 in 
> > > > > this regard.
> > > > >
> > > > > I use a /126 if possible but have also configured one /64 just for the link between two routers. This works 
> > > > > great but when I think that I'm wasting 2^64 - 2 addresses here it feels plain wrong.
> > > > >
> > > > > So what do you think? Good? Bad? Ugly? /127 ? ;)
> > > > >
> > > > > Cheers
> > > > >
> > > > > Mathias Seiler
> > > > > MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
> > > > > T +41 61 201 30 90, F +41 61 201 30 99
> > > > > mathias.seiler () mironet ch
> > > > > www.mironet.ch
> > > >
> > > > As I mentioned in my lightning talk at the last NANOG, we reserved a
> > > > /64 for each
> > > > PtP link,
> > > > but configured it as the first /126 out of the /64.  That
> > > > gives us the most
> > > > flexibility for expanding to the full /64 later if necessary, but
> > > > prevents us from being
> > > > victim of the classic v6 neighbor discovery attack that you're prone
> > > > to if you configure
> > > > the entire /64 on the link.
> > >
> > > I think I will go this way. Since we've got the usual /32 assignment I have plenty of /64 to "waste".
> > > If I continue assigning a /48 to every customer I can set apart a /64 for each PtP link and still have room to 
> > > grow for a very long time (I'm not taking into account the assignment of IPv6 addresses to high amounts of M&Ms so 
> > > far ;) )
> > >
> > > This way the configuration and addressing plan is simple and understandable to anyone.
> > >
> > > > All someone out on the 'net needs to do
> > > > is scan up through
> > > > your address space on the link as quickly as possible, sending single packets at
> > > > all the non-existent addresses on the link, and watch as your router CPU starts
> > > > to churn keeping track of all the neighbor discovery messages, state table
> > > > updates, and incomplete age-outs.
> > >
> > > Well I could filter that in hardware with an interface ACL but a /126 seems much easier to maintain.
> > >
> > > > With the link configured as a /126, there's
> > > > a very small limit to the number of neighbor discovery messages, and the amount
> > > > of state table that needs to be maintained and updated for each PtP link.
> > > >
> > > > It seemed like a reasonable approach for us--but there's more than one way to
> > > > skin this particular cat.
> > > >
> > > > Hope this helps!
> > >
> > > Yes it does. Thanks!
> > >
> > >
> > > Mathias Seiler
> > >
> > > MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
> > > T +41 61 201 30 90, F +41 61 201 30 99
> > >
> > > mathias.seiler () mironet ch
> > > www.mironet.ch