nanog mailing list archives
Re: IPv6 Network Device Numbering BP
From: "Miquel van Smoorenburg" <mikevs () xs4all net>
Date: Fri, 2 Nov 2012 00:41:28 +0100
In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1 () delong com> you write:
> There are better ways to avoid neighbor exhaustion attacks unless you have attackers inside your network.

You mean filtering. I haven't tried it recently, but a while ago I put an output filter on a Juniper router that allowed just the lower /120 out of a /64 on an interface. What happened was that neighbor discovery happened /before/ filtering. I should probably test that against recent JunOS releases, but that was a firm reason to go with a /120 instead of a filter. Besides, configuring a /120 is way less work than a filter per interface (yes we do have per-interface filters but they're kind of generic).

> Even if you're going to do something silly like use /120s on interfaces, I highly recommend going ahead and reserving the enclosing /64 so that when you discover /120 wasn't the best idea, you can easily retrofit.

Sure, we do that, as soon as router vendors solve the NDP CE attack problem we'll go back to /64s.

Mike.
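The numbering scheme discussed in this message (a /120 per interface, with the enclosing /64 held in reserve) can be checked mechanically. The following is an added example, not part of the original post: `audit_plan`, the interface names and the 2001:db8::/32 documentation addresses are all constructed for illustration.

```python
import ipaddress

def audit_plan(plan):
    """Audit a dict of interface name -> configured IPv6 prefix.

    For each interface, report the /64 that should be reserved for it, the
    number of on-link addresses (each one is a destination for which the
    router may have to start neighbor resolution), and any findings.
    """
    owner_of_64 = {}   # enclosing /64 -> first interface that claimed it
    results = {}
    for name, text in plan.items():
        net = ipaddress.IPv6Network(text)   # raises ValueError if host bits are set
        findings = []
        block = None
        if net.prefixlen < 64:
            findings.append("prefix is shorter than /64")
        else:
            # supernet() returns the network itself when it is already a /64
            block = net.supernet(new_prefix=64)
            if net.prefixlen == 64:
                findings.append("full /64 on-link: 2**64 possible neighbor entries")
            if block in owner_of_64:
                findings.append(
                    f"shares enclosing {block} with {owner_of_64[block]}; "
                    "cannot be widened to /64 later")
            else:
                owner_of_64[block] = name
        results[name] = {
            "reserved_64": str(block) if block else None,
            "nd_targets": net.num_addresses,
            "findings": findings,
        }
    return results

# Constructed sample plan (documentation prefix, hypothetical interface names).
SAMPLE_PLAN = {
    "ge-0/0/0": "2001:db8:0:1::/120",      # lower /120 of its own /64
    "ge-0/0/1": "2001:db8:0:1::100/120",   # second /120 carved from the same /64
    "ge-0/0/2": "2001:db8:0:2::/64",       # plain /64
}

if __name__ == "__main__":
    for ifname, info in audit_plan(SAMPLE_PLAN).items():
        print(ifname, info)
```
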