[121707] in North American Network Operators' Group
Re: Using /126 for IPv6 router links
daemon@ATHENA.MIT.EDU (Mathias Seiler)
Mon Jan 25 11:14:53 2010
From: Mathias Seiler <mathias.seiler@mironet.ch>
In-Reply-To: <63ac96a51001250114r7a61e3a4pc4be3ad7165a1c41@mail.gmail.com>
Date: Mon, 25 Jan 2010 17:14:06 +0100
To: Matthew Petach <mpetach@netflight.com>
Cc: nanog@nanog.org
Ok let's summarize:
/64:
+ Sticks to the way IPv6 was designed (64 bits host part)
+ Probability of renumbering very low
+ simpler for ACLs and the like
+ rDNS on a bit boundary
<> You can give your peers funny names, like 2001:db8::dead:beef ;)
- Prone to attacks (scans, router CPU load)
- "Waste" of addresses
- Peer address needs to be known, impossible to guess with 2^64 addresses
/126
+ Only 4 addresses possible (memorable, not so error-prone at configuration-time and while debugging)
+ Not prone to scan-like attacks
- Not on a bit boundary, so more complicated for ACLs and …
- … rDNS
- Perhaps need to renumber into /64 some time.
- No 64 bits for hosts
/127
Like /126 but there's an RFC not recommending it and an RFC (draft) which revises that non-recommendation.
On 25 Jan 2010, at 10:14, Matthew Petach wrote:
> On Sat, Jan 23, 2010 at 4:52 AM, Mathias Seiler
> <mathias.seiler@mironet.ch> wrote:
>> Hi
>> In reference to the discussion about /31 for router links, I'd like to know what is your experience with IPv6 in this regard.
>>
>> I use a /126 if possible but have also configured one /64 just for the link between two routers. This works great but when I think that I'm wasting 2^64 - 2 addresses here it feels plain wrong.
>>
>> So what do you think? Good? Bad? Ugly? /127 ? ;)
>>
>> Cheers
>>
>> Mathias Seiler
>> MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
>> T +41 61 201 30 90, F +41 61 201 30 99
>> mathias.seiler@mironet.ch
>> www.mironet.ch
>
> As I mentioned in my lightning talk at the last NANOG, we reserved a /64 for each
> PtP link, but configured it as the first /126 out of the /64. That gives us the most
> flexibility for expanding to the full /64 later if necessary, but prevents us from being
> victim of the classic v6 neighbor discovery attack that you're prone to if you configure
> the entire /64 on the link.
I think I will go this way. Since we've got the usual /32 assignment I have plenty of /64 to "waste".
If I continue assigning a /48 to every customer I can set apart a /64 for each PtP link and still have room to grow for a very long time (I'm not taking into account the assignment of IPv6 addresses to high amounts of M&Ms so far ;) )
This way the configuration and addressing plan is simple and understandable to anyone.
> All someone out on the 'net needs to do is scan up through
> your address space on the link as quickly as possible, sending single packets at
> all the non-existent addresses on the link, and watch as your router CPU starts
> to churn keeping track of all the neighbor discovery messages, state table
> updates, and incomplete age-outs.
Well I could filter that in hardware with an interface ACL but a /126 seems much easier to maintain.
> With the link configured as a /126, there's
> a very small limit to the number of neighbor discovery messages, and the amount
> of state table that needs to be maintained and updated for each PtP link.
>
> It seemed like a reasonable approach for us--but there's more than one way to
> skin this particular cat.
>
> Hope this helps!
>
Yes it does. Thanks!
Mathias Seiler
MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
T +41 61 201 30 90, F +41 61 201 30 99
mathias.seiler@mironet.ch
www.mironet.ch
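
The addressing plan discussed in this thread (reserve a /64 per PtP link, configure only its first /126), sketched as an added example that is not part of the original message. The parent prefix (from the 2001:db8::/32 documentation range), the link names, the function names and the choice of ::1/::2 for the two ends are assumptions.

```python
import ipaddress

def ptp_plan(parent, link_names):
    """Reserve one /64 per link from `parent`; configure only its first /126."""
    plan = {}
    subnets = ipaddress.IPv6Network(parent).subnets(new_prefix=64)
    for name, reserved in zip(link_names, subnets):
        configured = next(reserved.subnets(new_prefix=126))
        # The first 16 nibbles of the /64 give a reverse zone on a nibble boundary.
        nibbles = reserved.network_address.exploded.replace(":", "")[:16]
        plan[name] = {
            "reserved": reserved,
            "configured": configured,
            # Assumption: the two ends use ::1 and ::2; the thread does not say.
            "a_end": configured[1],
            "b_end": configured[2],
            "rdns_zone": ".".join(reversed(nibbles)) + ".ip6.arpa",
            # Upper bound on addresses the router may try to resolve on-link.
            "nd_targets_configured": configured.num_addresses,
            "nd_targets_if_full_64": reserved.num_addresses,
        }
    return plan

def classify(entry, dst):
    """Say how a destination address relates to one link's plan entry."""
    dst = ipaddress.IPv6Address(dst)
    if dst in entry["configured"]:
        return "on-link"                    # may trigger neighbor discovery
    if dst in entry["reserved"]:
        return "reserved-not-configured"    # kept free for growth to the /64
    return "outside"

if __name__ == "__main__":
    # Constructed sample input: one infrastructure /48 and two link names.
    links = ["core1-core2", "core1-edge1"]
    for name, e in ptp_plan("2001:db8:ffff::/48", links).items():
        print(name, e["configured"], e["a_end"], e["b_end"], e["rdns_zone"])
        print("  ND targets:", e["nd_targets_configured"],
              "instead of", e["nd_targets_if_full_64"])
```
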