[121787] in North American Network Operators' Group
RE: Using /126 for IPv6 router links
daemon@ATHENA.MIT.EDU (Igor Gashinsky)
Wed Jan 27 04:22:49 2010
Date: Wed, 27 Jan 2010 04:12:49 -0500 (EST)
From: Igor Gashinsky <igor@gashinsky.net>
To: Pekka Savola <pekkas@netcore.fi>
In-Reply-To: <alpine.LRH.2.00.1001270746200.8080@netcore.fi>
Cc: nanog@nanog.org
On Wed, 27 Jan 2010, Pekka Savola wrote:
:: On Tue, 26 Jan 2010, Igor Gashinsky wrote:
:: > Matt meant "reserve/assign a /64 for each PtP link, but only configure the
:: > first */127* of the link", as that's the only way to fully mitigate the
:: > scanning-type attacks (with a /126, there is still the possibility of
:: > ping-pong on a p-t-p interface) w/o using extensive ACLs..
:: >
:: > Anyways, that's what worked for us, and, as always, YMMV...
::
:: That's still relying on the fact that your vendor won't implement
:: subnet-router anycast address and turn it on by default. That would mess up
:: the first address of the link. But I suppose those would be pretty big ifs.
Or, relying on the fact that (most) vendors are smart enough not to
enable subnet-router anycast on any interface configured as a /127 (and
those that are not, well, why are you buying their gear?)..
If a worst-case situation arises, and you have to peer with a device that
doesn't properly support /127's, you can always fall back to using /126's
or even /64's on those few links (this is why we reserved a /64 for every
link from the beginning)..
-igor
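To make the trade-off in this thread concrete, here is an added Python audit (not from the thread or any vendor) that, for a point-to-point link prefix and the addresses configured on its two ends, reports how many addresses nobody owns (the ones ping-pong and scan traffic can target) and whether the subnet-router anycast address (the all-zero interface ID, i.e. the first address of the prefix) coincides with a configured endpoint. The prefixes used are constructed documentation-range values.

```python
import ipaddress


def ptp_link_audit(prefix: str, configured: list[str]) -> dict:
    """Audit one IPv6 point-to-point link.

    prefix     -- the link prefix, e.g. "2001:db8:0:1::/127" (constructed example)
    configured -- the addresses actually configured on the two endpoints

    Returns a dict with:
      unassigned_count      number of addresses inside the prefix that no endpoint owns
      unassigned            those addresses, listed only when the prefix is small
      subnet_router_anycast the first address of the prefix (RFC 4291 anycast)
      anycast_collides      True when that anycast address is also a configured endpoint
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    endpoints = {ipaddress.IPv6Address(a) for a in configured}
    for addr in endpoints:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")

    # Subnet-router anycast is the prefix with an all-zero interface ID,
    # which on a /127 is necessarily one of the two usable addresses.
    anycast = net.network_address

    # Every address in the prefix that is not configured on an endpoint is
    # one a scanner can probe; with a /126 that leaves two, with a /64 about 2^64.
    unassigned_count = net.num_addresses - len(endpoints)
    unassigned = []
    if net.num_addresses <= 16:  # only enumerate small links (/124 and longer)
        unassigned = [str(a) for a in net if a not in endpoints]

    return {
        "prefix": str(net),
        "unassigned_count": unassigned_count,
        "unassigned": unassigned,
        "subnet_router_anycast": str(anycast),
        "anycast_collides": anycast in endpoints,
    }


if __name__ == "__main__":
    for pfx, ends in [
        ("2001:db8:0:1::/127", ["2001:db8:0:1::", "2001:db8:0:1::1"]),
        ("2001:db8:0:1::/126", ["2001:db8:0:1::1", "2001:db8:0:1::2"]),
        ("2001:db8:0:1::/64", ["2001:db8:0:1::1", "2001:db8:0:1::2"]),
    ]:
        print(ptp_link_audit(pfx, ends))
```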