[121785] in North American Network Operators' Group
Re: Using /126 for IPv6 router links
daemon@ATHENA.MIT.EDU (Mark Smith)
Wed Jan 27 02:33:38 2010
Date: Wed, 27 Jan 2010 18:02:51 +1030
From: Mark Smith <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
To: Pekka Savola <pekkas@netcore.fi>
In-Reply-To: <alpine.LRH.2.00.1001270746200.8080@netcore.fi>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, 27 Jan 2010 07:47:35 +0200 (EET)
Pekka Savola <pekkas@netcore.fi> wrote:
> On Tue, 26 Jan 2010, Igor Gashinsky wrote:
> > Matt meant "reserve/assign a /64 for each PtP link, but only configure the
> > first */127* of the link", as that's the only way to fully mitigate the
> > scanning-type attacks (with a /126, there is still the possibility of
> > ping-pong on a p-t-p interface) w/o using extensive ACLs..
> >
> > Anyways, that's what worked for us, and, as always, YMMV...
>
> That's still relying on the fact that your vendor won't implement
> subnet-router anycast address and turn it on by default. That would
> mess up the first address of the link. But I suppose those would be
> pretty big ifs.
>
A minor data point to this, Linux looks to be implementing the
subnet-router anycast address when IPv6 forwarding is enabled, as it's
specifying Solicited-Node multicast address membership for the
all zeros node address in its MLD announcements when an interface
comes up.
> --
> Pekka Savola "You each name yourselves king, yet the
> Netcore Oy kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
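As an added illustration (not code from anyone in this thread), the following Python computes the subnet-router anycast address of the /64 reserved for a link and the Solicited-Node group a router would join for it, then reports, for a given /127 or /126 configuration, whether an endpoint collides with that anycast address and which addresses in the configured block belong to neither end (the ones a ping-pong loop could target). The prefix 2001:db8:0:1::/64 and the endpoint choices are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class LinkReport:
    anycast: ipaddress.IPv6Address        # subnet-router anycast of the reserved /64
    anycast_group: ipaddress.IPv6Address  # Solicited-Node group joined for that address
    anycast_collision: bool               # True if an endpoint equals the anycast address
    spare: list                           # configured addresses that are not an endpoint


def subnet_router_anycast(prefix):
    # RFC 4291 2.6.1: the link prefix with an all-zero interface identifier.
    return ipaddress.IPv6Network(prefix, strict=False).network_address


def solicited_node_multicast(addr):
    # RFC 4291 2.7.1: ff02::1:ffXX:XXXX built from the low 24 bits of the address.
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def link_report(reserved, configured, end_a, end_b):
    # reserved: the /64 set aside for the link; configured: the prefix actually
    # configured on it; end_a/end_b: the two router addresses on the link.
    cfg = ipaddress.IPv6Network(configured, strict=False)
    a, b = ipaddress.IPv6Address(end_a), ipaddress.IPv6Address(end_b)
    anycast = subnet_router_anycast(reserved)
    spare = [x for x in cfg if x not in (a, b)]  # neither end: unanswered traffic sinks
    return LinkReport(anycast, solicited_node_multicast(anycast), anycast in (a, b), spare)


if __name__ == "__main__":
    # Constructed sample link: /64 reserved, first /127 vs a conventional /126.
    for cfg, ends in (("2001:db8:0:1::/127", ("2001:db8:0:1::", "2001:db8:0:1::1")),
                      ("2001:db8:0:1::/126", ("2001:db8:0:1::1", "2001:db8:0:1::2"))):
        r = link_report("2001:db8:0:1::/64", cfg, *ends)
        print(cfg, "anycast", r.anycast, "group", r.anycast_group,
              "collision", r.anycast_collision, "spare", [str(x) for x in r.spare])
```

The /127 leaves no spare address but its first address is the subnet-router anycast address; the /126 avoids that collision but leaves two addresses that neither router owns.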