[135458] in North American Network Operators' Group

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (Randy Carpenter)
Tue Jan 25 16:47:15 2011

Date: Tue, 25 Jan 2011 16:43:32 -0500 (EST)
From: Randy Carpenter <rcarpen@network1.net>
To: Ricky Beam <jfbeam@gmail.com>
In-Reply-To: <op.vpvvg9hvtfhldh@rbeam.xactional.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

----- Original Message -----
> On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong <owen@delong.com> wrote:
> > Seriously? Repetitively sweeping a /64? Let's do the math...
> ...
> 
> We've had this discussion before...
> 
> If the site is using SLAAC, then that 64bit target is effectively 48bits.
> And I can make a reasonable guess at 24 of those bits. (esp. if I've seen
> the address of even one of the machines.)

I wouldn't say you could assume that because one machine is from a particular manufacturer, they are all the same. I would say you could certainly limit a scan to a set list of well-known 24-bit IDs (say ~100 or so?); that would still take a couple days at least to scan.

Could there not be something implemented in the firewall to prevent an incoming scan causing an issue with ND? If you block all incoming by default, why would the router try to do an ND on an address that is not allowed?

-Randy
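
Added example (not part of the original message): the address arithmetic behind the quoted SLAAC point, written for auditing your own hosts. Modified EUI-64 fixes 16 bits of the interface ID at ff:fe, so the OUI is readable from the address and each OUI leaves 2^24 candidates. The MAC, the 2001:db8::/64 documentation prefix and the 10,000 probes/s rate are constructed assumptions.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure on this /64 from its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def oui_from_address(addr: str):
    """Return the OUI ('aa:bb:cc') if the address looks EUI-64 derived, else None.

    Heuristic: a random or manual interface ID can contain ff:fe by chance.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    return (bytes([iid[0] ^ 0x02]) + iid[1:3]).hex(":")

def sweep_days(oui_count: int, probes_per_second: float) -> float:
    """Days needed to probe every EUI-64 address for oui_count OUIs in one /64."""
    return oui_count * 2**24 / probes_per_second / 86400

if __name__ == "__main__":
    # Constructed sample values; the probe rate is an assumption.
    addr = slaac_address("2001:db8::/64", "00:11:22:33:44:55")
    print(addr, "leaks OUI", oui_from_address(str(addr)))
    print("manual address leaks:", oui_from_address("2001:db8::1"))
    print(f"100 OUIs at 10,000 probes/s: {sweep_days(100, 10_000):.2f} days")
```

Hosts for which `oui_from_address` returns `None` (privacy, random or manually assigned interface IDs) do not fall inside the reduced 2^24-per-OUI space.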

