[116712] in North American Network Operators' Group


Re: IPv6 Addressing Help

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Fri Aug 14 14:36:42 2009

Date: Fri, 14 Aug 2009 20:35:38 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: TJ <trejrco@gmail.com>
In-Reply-To: <00c801ca1d01$838e8a10$8aab9e30$@com>
Cc: 'NANOG list' <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

TJ wrote:
[..]
> A great counter-point to this is that if you do use /64s (or for that matter
> - anything shorter than the currently-not-recommended /127s, AFAIK), you
> should apply ACLs to them to prevent ping-pong.

One should be doing uRPF at minimum on all links anyway. BCP84 ;)

If the user (or whatever you call the place where you send packets to)
has a default route back and is not properly routing, those packets can
come back quite quickly.

E.g., route a /48 to the user. If the user only uses the first /64,
doesn't care about the rest and doesn't route it to lo0 to keep the
default from matching, the packets will nicely ping-pong back to you.

Easy solution: source address check, then the source will not be
matching and you can drop the packet, or ICMP !A them so that the user
might once figure out what goes on.

Of course, if the user is sending packets with their source and their
destination you will need another kind of filter, but they will only
hurt themselves with it.

Greets,
 Jeroen
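
Added example (not part of Jeroen's message or the list archive): a small Python simulation of the ping-pong described above, the lo0/discard route on the customer side, and the strict uRPF source check on the provider side. The addresses (2001:db8::/32 documentation space), both routing tables and all function names are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed topology on the 2001:db8::/32 documentation prefix.
DELEGATED = ip.ip_network("2001:db8:1::/48")  # routed by the ISP to the customer
IN_USE = ip.ip_network("2001:db8:1::/64")     # the only /64 the customer uses
DEFAULT = ip.ip_network("::/0")

ISP = [(DEFAULT, "upstream"), (DELEGATED, "customer")]
CPE_LEAKY = [(DEFAULT, "isp"), (IN_USE, "lan")]
# Customer-side fix from the message: route the rest of the /48 to lo0 (discard).
CPE_FIXED = CPE_LEAKY + [(DELEGATED, "discard")]

def lookup(table, addr):
    """Longest-prefix match: next hop of the most specific matching route."""
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict_ok(src, arrived_from):
    """Strict uRPF at the ISP: the route back to src must use the arrival link."""
    return lookup(ISP, src) == arrived_from

def forward(src, dst, cpe, urpf=False, entered_from="upstream", hop_limit=64):
    """Trace one packet arriving at the ISP router; return (outcome, link crossings)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    at, arrived_from, crossings = "isp", entered_from, 0
    while hop_limit > 0:
        if at == "isp" and urpf and not urpf_strict_ok(src, arrived_from):
            return "dropped by uRPF", crossings
        nxt = lookup(ISP if at == "isp" else cpe, dst)
        if nxt in ("lan", "discard", "upstream"):
            return nxt, crossings
        at, arrived_from = nxt, at
        crossings += 1
        hop_limit -= 1
    return "hop limit exceeded", crossings

if __name__ == "__main__":
    outside, unused = "2001:db8:ffff::1", "2001:db8:1:5::1"
    print(forward(outside, unused, CPE_LEAKY))             # loops on the link
    print(forward(outside, unused, CPE_LEAKY, urpf=True))  # dropped on first return
    print(forward(outside, unused, CPE_FIXED))             # discarded at the customer
    # Customer's own source and destination: uRPF passes, so the loop remains.
    print(forward("2001:db8:1::10", unused, CPE_LEAKY, urpf=True, entered_from="customer"))
```

The last call is the case from the final paragraph of the message: the source belongs to the customer, so the source check passes and a different filter is needed.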



