nanog mailing list archives
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Wed, 30 Nov 2011 11:39:52 -0500
On Wed, Nov 30, 2011 at 9:48 AM, Ray Soucy <rps () maine edu> wrote:
> 1. Using a stateful firewall (not an ACL) outside the router responsible for the 64-bit prefix. This doesn't scale, and is not a design many would find acceptable (it has almost all the problems of an ISP running NAT)

Owen has suggested "stateful firewall" as a solution to me in the past. There is not currently any firewall with the necessary features to do this. We sometimes knee-jerk and think "stateful firewall has gobs of memory and can spend more CPU time on each packet, so it is a more likely solution." In this case that does not matter. You can't have 2^64 bits of memory.

You could make a firewall with the needed features (or a layer-3 switch), but it would have to be the layer-3 gateway of the subnets you are protecting (not an upstream device) and it would need knowledge of all addresses in use on the subnet, which must fit within its ND table limits. Only DHCP snooping can do this and customers are not exactly keen on receiving DHCP-assigned addresses in mixed datacenter environments, even if the addresses are static ones. Once you do that, you need to limit the number of addresses that can be leased to each customer to far less than a /64 anyway. All you gain by having all that complexity is the appearance of bigger subnets, when in reality, they are non-functional except for the limited number of addresses which are actively leased out.

Again the arguments for /64 are not promising. It is much less complicated to simply deploy a longer subnet.

On Wed, Nov 30, 2011 at 11:13 AM, Jimmy Hess <mysidia () gmail com> wrote:
> On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <rps () maine edu> wrote:
>> Saying you can mitigate neighbor table exhaustion with a "simple ACL" is misleading (and you're not the only one who has tried to make that claim).
> It's true, though, you can. From a network design POV, there may still be reasons to prefer the ACL method. They better be good reasons, such as a requirement for SLAAC on a large LAN.

No, Jimmy, you can't do that with SLAAC. I do not think you understand the problem.

--
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator / Innovative Network Concepts
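A simplified model of the gateway design discussed in the message above, added here as an illustration and not part of the original post: a layer-3 gateway with a fixed-size ND table that either resolves any destination in the /64 or only destinations present in its DHCP snooping bindings. The table size, per-customer lease cap, LRU eviction policy and the 2001:db8 documentation prefix are assumptions chosen for the example.

```python
import ipaddress
from collections import OrderedDict

PREFIX = ipaddress.ip_network("2001:db8:0:1::/64")  # constructed documentation prefix
ND_TABLE_LIMIT = 1024         # assumed hardware ND table size
MAX_LEASES_PER_CUSTOMER = 8   # assumed per-customer lease cap

class Gateway:
    """Layer-3 gateway for PREFIX with a bounded, LRU-evicted neighbor table."""
    def __init__(self, snooping):
        self.snooping = snooping
        self.leases = {}               # address -> customer (snooped DHCP bindings)
        self.nd_table = OrderedDict()  # address -> neighbor state, oldest first
        self.evicted_valid = 0         # entries of real hosts pushed out

    def lease(self, customer, addr):
        held = sum(1 for c in self.leases.values() if c == customer)
        if held >= MAX_LEASES_PER_CUSTOMER or len(self.leases) >= ND_TABLE_LIMIT:
            return False               # bindings must always fit in the ND table
        self.leases[addr] = customer
        return True

    def forward(self, dst):
        """Handle a packet for dst; True if a neighbor entry is held or created."""
        if dst in self.nd_table:
            self.nd_table.move_to_end(dst)
            return True
        if self.snooping and dst not in self.leases:
            return False               # unknown address: drop, no solicitation
        if len(self.nd_table) >= ND_TABLE_LIMIT:
            old, _ = self.nd_table.popitem(last=False)
            if old in self.leases:
                self.evicted_valid += 1
        self.nd_table[dst] = "REACHABLE" if dst in self.leases else "INCOMPLETE"
        return True

def run(snooping, sweep=5000):
    """Return (ND table size, real hosts still resolved, real hosts evicted)."""
    gw = Gateway(snooping)
    hosts = [PREFIX[0x100 + i] for i in range(16)]   # 2 customers x 8 leases
    for i, h in enumerate(hosts):
        gw.lease(f"cust{i // 8}", h)
        gw.forward(h)
    for i in range(sweep):             # traffic to addresses nobody uses
        gw.forward(PREFIX[0x10000 + i])
    reachable = sum(h in gw.nd_table for h in hosts)
    return len(gw.nd_table), reachable, gw.evicted_valid
```

In this model `run(False)` fills the table to its limit and evicts every real host, while `run(True)` keeps the table at the 16 leased entries, which is also the whole usable size of the /64.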