[121782] in North American Network Operators' Group


RE: Using /126 for IPv6 router links

daemon@ATHENA.MIT.EDU (Pekka Savola)
Wed Jan 27 00:47:57 2010

Date: Wed, 27 Jan 2010 07:47:35 +0200 (EET)
From: Pekka Savola <pekkas@netcore.fi>
To: Igor Gashinsky <igor@gashinsky.net>
In-Reply-To: <Pine.LNX.4.64.1001261929290.8427@moonbase.nullrouteit.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 26 Jan 2010, Igor Gashinsky wrote:
> Matt meant "reserve/assign a /64 for each PtP link, but only configure the
> first */127* of the link", as that's the only way to fully mitigate the
> scanning-type attacks (with a /126, there is still the possibility of
> ping-pong on a p-t-p interface) w/o using extensive ACLs..
>
> Anyways, that's what worked for us, and, as always, YMMV...

That's still relying on the fact that your vendor won't implement the
subnet-router anycast address and turn it on by default.  That would 
mess up the first address of the link.  But I suppose those would be 
pretty big ifs.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
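
Added example, not part of the original message: a small Python check of the two numbering plans discussed in this thread, showing which addresses in the configured prefix are left unowned (the ones that can ping-pong across the link) and whether a router's unicast address lands on the RFC 4291 subnet-router anycast address. The prefix 2001:db8:0:1::/64 and the router offsets are constructed sample values.

```python
import ipaddress

def audit_ptp_link(reserved, configured_len, router_offsets):
    """Audit a point-to-point numbering plan.

    reserved        -- the block reserved for the link, e.g. a /64
    configured_len  -- prefix length actually configured (126 or 127)
    router_offsets  -- offsets of the two routers' unicast addresses
                       inside the configured prefix (assumed plan)
    """
    block = ipaddress.IPv6Network(reserved)
    # "Configure only the first /127 (or /126) of the /64."
    link = next(block.subnets(new_prefix=configured_len))
    # RFC 4291: subnet-router anycast = prefix with all host bits zero.
    anycast = link.network_address
    routers = [link.network_address + off for off in router_offsets]
    for r in routers:
        if r not in link:
            raise ValueError(f"{r} is outside {link}")
    # Addresses on-link that neither end owns as unicast. Traffic to
    # these is what can bounce between the two routers until the hop
    # limit expires. Only enumerated for small prefixes.
    unowned = []
    if link.num_addresses <= 16:
        unowned = [str(a) for a in link if a not in routers]
    return {
        "link": str(link),
        "routers": [str(r) for r in routers],
        "unowned": unowned,
        "unowned_count": link.num_addresses - len(set(routers)),
        # True when a router's unicast address is also the anycast
        # address, i.e. the "first address of the link" caveat above.
        "anycast_collision": anycast in routers,
    }

if __name__ == "__main__":
    RESERVED = "2001:db8:0:1::/64"  # constructed documentation prefix
    for plen, offsets in ((127, (0, 1)), (126, (1, 2))):
        r = audit_ptp_link(RESERVED, plen, offsets)
        print(f"/{plen}: routers={r['routers']} unowned={r['unowned']} "
              f"anycast_collision={r['anycast_collision']}")
```

The /127 plan leaves no unowned address but puts one router on the all-zeros address; the /126 plan avoids that address but leaves ::3 (and ::0, if anycast is not implemented) unowned.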

