Re: IPv6 Default Allocation - What size allocation are you giving out

[Baldur Norddahl <baldur.norddahl () gmail com>]

I am sorry if I stepped on something sore. I am not dismissing any
arguments, and I am genuinely interested in any advantages and
disadvantages to the approach. There is more than one way to design a
network and all I am saying is this far it is working great for me. The two
disadvantages put forward so far have not been of any consequences in my
network.

But I am concerned that you say that I am still vulnerable to NDP attacks.
Could you elaborate on that please?

About loopback not being an unique identifier, please remember that none of
the IP addresses on a host is that. An IP address belongs to the host, not
the interface. Creating addresses on interfaces is just an alias for
creating the same address as loopback and adding a net route on the
interface. Don't believe me? Try it out!

"I can’t help that your equipment is ill-behaved at best."

That is not ill-behaved. It is the correct behavior. Try unplugging the
netcable from your computer - you will NOT lose the IP-address unless you
have a DHCP daemon that takes it away.

Regards,

Baldur






On 9 October 2014 22:38, Owen DeLong <owen () delong com> wrote:

> On Oct 9, 2014, at 1:25 PM, Baldur Norddahl <baldur.norddahl () gmail com>
> wrote:
>
> > On 9 October 2014 22:01, Owen DeLong <owen () delong com> wrote:
> >
> > > > Why do people assign addresses to point-to-point links at all? You can
> > > just
> > > > use a host /128 route to the loopback address of the peer. Saves you
> the
> > > > hassle of coming up with new addresses for every link. Same trick works
> > > for
> > > > IPv4 too.
> > > >
> > > > Regards,
> > > >
> > > > Baldur
> > >
> > > <SARCASM>
> > >
> > > And it makes your trace-routes across parallel links oh so easy to
> > > identify which of them is at fault for the packet loss, too.
> > >
> > > </SARCASM>
> >
> > There are a ton of other technologies with the same problem. Do you never
> > use link aggregation? My "parallel links" are all link aggregations, so I
> > would not have a way to identify links by traceroute anyway.
>
> Your design problems don’t have to be mine.
>
> Just because you have created that problem through another mechanism
> doesn’t pose a reason anyone else should accept the same problem in a
> different circumstance.
>
> > There are a number of good technical reasons to want distinct addresses
> on
> > > point to point links.
> >
> > I am sure there are. Tell me about them.
>
> I gave you one. You decided to dismiss it on the basis of “it wouldn’t
> help me anyway because I use this other thing that is broken that way
> regardless.”
>
> Some others (not a conclusive list by any means):
>         Having public addresses in trace-routes, ideally with good reverse
> DNS is actually useful.
>         Clarity is almost always an advantage over obscurity when one is
> troubleshooting something.
>         Being able to ping the link address is useful for troubleshooting.
>         Being able to source packets from a particular link address can be
> useful for troubleshooting.
>
> > I am not disputing that there are many reasons to sometimes use link
> > addresses. My question is why do you do it by default?
>
>
> > So far we have heard two arguments:
> >
> > 1) You can ping the link address. I assume his equipment will down the
> > address if the link is down. My equipment does not do this, I can ping it
> > as long it is administrative up no matter link status. So this test is
> > useless to me. I am monitoring links by SNMP anyway.
>
> I can’t help that your equipment is ill-behaved at best. Perhaps you
> should consider alternatives.
> I certainly don’t think that designing everyone else’s network to the
> level of brokenness in your particular environment is particularly valid.
>
> > 2) Parallel links. I don't have many of those, and the ones I have are
> link
> > aggregations. MPLS interferes with this too.
> >
> > On the other hand not using link addresses has some advantages:
> >
> > 1) You don't need to assign and document them.
>
> Sure you do, it’s just harder. You’re now using essentially an “unnumbered
> interface” which needs to be documented as such so that people know that
> when a given loopback shows up, it’s not a unique identifier, but ambiguous
> across several interfaces.
>
> > 2) It is easy to think about: Router A talks to Router B on link AB.
> Every
> > router has only one address so you don't need to remember which address
> to
> > use.
>
> I don’t have to remember which address to use normally. This is not an
> advantage.
> I can always use the loopback address to talk to a router if my
> environment is correctly
> functioning. If it is not, removing the ambiguity of unnumbered link
> addresses is more
> helpful than being able to use one address for each router while unable to
> know how
> traffic is actually flowing as a result.
>
> > 3) You avoid having a lot of addresses configured on your router.
>
> I don’t see this as an advantage. For a number of reasons (some of which I
> have expressed above) it is, in fact, a disadvantage.
>
> > 4) You are immune to all the NDP attacks.
>
> No you aren’t. You just change the nature of those attacks.
>
> > 5) You are immune to the monthly NANOG debate about using /127 vs /126 vs
> > /124 vs /64. The correct answer is clearly use /128 :-).
>
> Except that it’s clearly an incorrect answer, IMHO.
>
> Owen