[138595] in North American Network Operators' Group
Re: Internet Edge Router replacement - IPv6 route
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Mar 11 02:04:43 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <C0779DA1-E9D8-4850-B1C7-555AB7210943@arbor.net>
Date: Thu, 10 Mar 2011 23:02:58 -0800
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 10, 2011, at 8:00 PM, Dobbins, Roland wrote:
>
> On Mar 11, 2011, at 10:51 AM, George Bonser wrote:
>
>> If you are a content provider, it doesn't make any difference if they take down the links between your routers or if they take down the link that your content farm is on.
>
>
> Of course, it does - you may have many content farms/instances, and taking down point-to-point links can DoS your entire set of farms/instances, whereas an attack against a given endpoint access network doesn't necessarily mean that your other properties/networks/services are being attacked, as well.
>

How is an attack against all your content farms in any way MORE difficult than an attack against enough point-to-point links to take everything out?

If you've designed things properly, it takes more PtoP links to DoS the complete set than it does end point networks.

> Limiting this vector to endpoint access networks also makes mitigation mechanisms far more practicable.
>

It's actually pretty easy to eliminate it 100% from the PtoP links even if they are /64s by simply not allowing traffic to the PtoP addresses other than from selected sources (NOC/Admin Network, required peers, etc.). If you want to be truly anal about it, you can also block packets to non-existent addresses on the PtoP links.

> There is no good reason to use /64s on point-to-point links. It is wasteful (please, no more about the supposed infinitude of IPv6 addresses; some of us reject this as being shortsighted and insufficiently visionary concerning eventual one-time-uses of IPv6 addresses at nanoscale) and turns your routers into sinkholes. It is a Very Bad Idea.
>

This isn't a one-time-use of IPv6 addresses, and the one-time-uses of IPv6 addresses are what should be considered unscalable and absurdly wasteful.

There's a lot to be said for the principle of least surprise, and uniform /64s actually help with that quite a bit.

Frankly, unless you have parallel links, there isn't a definite need to even number PtoP links for IPv6.

Everything you need to do with an interface-specific address on a PtoP link can be done with link local.
Owen
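The infrastructure filter Owen describes above (accept traffic to point-to-point addresses only from selected sources, and optionally drop anything aimed at addresses inside a PtoP /64 that are not actually configured) can be written down as an ordered access list. The following is an added example, not part of the thread and not any vendor's configuration: it models the policy in Python, compiles it into vendor-neutral ordered ACL entries, and checks that the two agree. The prefixes (2001:db8:ffff::/48 for the PtoP links, 2001:db8:0:100::/56 for the NOC, a single external peer) are constructed sample values.

```python
"""Model of the point-to-point infrastructure filter discussed in the thread.

Policy: a packet whose destination is an address on one of our PtoP /64s is
accepted only from selected sources (NOC/admin network, required peers).
Optionally, a packet whose destination falls inside a PtoP /64 but is not one
of the addresses actually configured on either end is dropped outright, so the
rest of the /64 never becomes a sinkhole.  Everything else is ordinary transit.
"""
from ipaddress import ip_address, ip_network

# Constructed example topology (not from the thread): two PtoP /64s and the
# two addresses actually configured on the routers at either end of each.
PTP_LINKS = {
    ip_network("2001:db8:ffff:1::/64"): {ip_address("2001:db8:ffff:1::1"),
                                         ip_address("2001:db8:ffff:1::2")},
    ip_network("2001:db8:ffff:2::/64"): {ip_address("2001:db8:ffff:2::1"),
                                         ip_address("2001:db8:ffff:2::2")},
}

# Constructed: the only sources that may talk to PtoP addresses at all.
ALLOWED_SOURCES = [
    ip_network("2001:db8:0:100::/56"),      # NOC / admin network
    ip_network("2001:db8:ffff::/48"),       # our own PtoP range (router-to-router sessions)
    ip_network("2001:db8:dead:beef::/64"),  # a required external peer
]


def classify(src: str, dst: str, drop_unassigned: bool = True) -> str:
    """Return the policy verdict for one packet.

    Verdicts: 'forward-transit' (not aimed at infrastructure at all),
    'permit-infrastructure', 'deny-infrastructure' (wrong source) and
    'deny-unassigned' (destination inside a PtoP /64 but not configured).
    """
    s, d = ip_address(src), ip_address(dst)
    for link, assigned in PTP_LINKS.items():
        if d in link:
            if drop_unassigned and d not in assigned:
                return "deny-unassigned"
            if any(s in allowed for allowed in ALLOWED_SOURCES):
                return "permit-infrastructure"
            return "deny-infrastructure"
    return "forward-transit"


def compile_acl():
    """Compile the policy into ordered (action, src_net, dst_net) entries.

    Order matters: host-specific permits first, then a blanket deny covering
    each whole PtoP /64 (this is the 'non-existent addresses' rule), then the
    permit-any-any that lets transit traffic through.
    """
    rules = []
    for link, assigned in PTP_LINKS.items():
        for host in sorted(assigned):
            host_net = ip_network(f"{host}/128")
            for src in ALLOWED_SOURCES:
                rules.append(("permit", src, host_net))
    for link in PTP_LINKS:
        rules.append(("deny", ip_network("::/0"), link))
    rules.append(("permit", ip_network("::/0"), ip_network("::/0")))
    return rules


def evaluate_acl(rules, src: str, dst: str) -> str:
    """First-match evaluation of compiled rules, with an implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def acl_agrees_with_policy(samples) -> bool:
    """Check that the compiled ACL reaches the same permit/deny decision as classify()."""
    rules = compile_acl()
    for src, dst in samples:
        expected = "deny" if classify(src, dst).startswith("deny") else "permit"
        if evaluate_acl(rules, src, dst) != expected:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: NOC to a router address, a stranger to a router
    # address, a stranger to an unused address in the /64, and plain transit.
    for src, dst in [("2001:db8:0:100::10", "2001:db8:ffff:1::1"),
                     ("2001:db8:1234::5", "2001:db8:ffff:1::1"),
                     ("2001:db8:1234::5", "2001:db8:ffff:1::abcd"),
                     ("2001:db8:1234::5", "2001:db8:cafe::1")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

The deny on the whole /64 sits after the host permits, so the routers' configured addresses remain reachable from the NOC and peers while the remaining 2^64 - 2 addresses on each link are discarded before they can exercise neighbor discovery on the router. Dropping `drop_unassigned` (or the blanket deny) gives the lighter variant Owen mentions first, where only the source restriction applies.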