[135441] in North American Network Operators' Group
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Jan 25 12:45:39 2011
Date: Tue, 25 Jan 2011 11:44:49 -0600
From: Jack Bates <jbates@brightok.net>
To: Patrick Sumby <patrick.sumby@sohonet.co.uk>
In-Reply-To: <4D3F0144.70107@sohonet.co.uk>
Cc: nanog@nanog.org
On 1/25/2011 10:58 AM, Patrick Sumby wrote:
> I would assume that in the LAN scenario where you have a /64 for your
> internal network that you would have some sort of stateful firewall
> sitting in front of the network to stop any un-initiated sessions. This
> therefore stops any hammering of ND cache etc. The argument then is that
> the number of packets hitting your firewall / bandwidth starvation would
> be the alternative line of attack for a DoS/DDoS but that is a
> completely different issue.

There are many IPv4 networks that don't implement firewall rules for
subnets which contain servers. DDoS mitigation is handled differently.
It would not be unexpected for these networks to do the same with IPv6.

Jack