[140332] in North American Network Operators' Group


Re: Yahoo and IPv6

daemon@ATHENA.MIT.EDU (Jeff Wheeler)
Tue May 10 00:57:13 2011

In-Reply-To: <BANLkTimBs6BNCG7L8iqWnhDOe2CMQW=rgg@mail.gmail.com>
Date: Tue, 10 May 2011 00:57:04 -0400
From: Jeff Wheeler <jsw@inconcepts.biz>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, May 9, 2011 at 10:04 PM, Joel Maslak <jmaslak@antelope.net> wrote:
> On Mon, May 9, 2011 at 3:57 PM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
>> I do take issue with your suggestion that /64 LANs are in any way
>> smart in the datacenter. They are not. I have some slides on this
>> topic: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> There are ways of mitigating this (the easiest is to use ACLs or firewalls
> to limit traffic into a subnet from untrusted sources so that only
> legitimate traffic is allowed).

Your suggestion has two main disadvantages:
1) it doesn't work on some platforms, because input ACL won't stop ND
learn/solicit -- obviously this is bad
2) it requires you to configure a potentially large input ACL on every
single interface on the box, and adjust that ACL whenever you
provision more IPv6 addresses for end-hosts -- kinda like not having a
control-plane filter, only worse

-- 
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
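Jeff's objection to /64 LANs is that traffic aimed at unused addresses leaves the router soliciting neighbors it will never resolve, and an input ACL does not always prevent that. One way to watch for this condition on a Linux router or host, as an added example that is not part of this thread: parse `ip -6 neigh show` output and flag interfaces whose neighbor cache is dominated by unresolved entries. The sample output, the 50% unresolved threshold and the gc_thresh3 values below are constructed for illustration.

```python
from collections import defaultdict

# NUD states printed by `ip -6 neigh show` (Linux). INCOMPLETE/FAILED rows are
# solicitations that never resolved; a cache full of them on one interface is
# what NDP exhaustion of an on-link /64 looks like from the box's point of view.
NUD_STATES = {"PERMANENT", "NOARP", "REACHABLE", "STALE", "DELAY", "PROBE",
              "FAILED", "INCOMPLETE", "NONE"}

def parse_neigh(output):
    """Parse `ip -6 neigh show` text into (address, interface, state) tuples.
    Rows without a recognised NUD state (e.g. 'proxy' rows) are skipped."""
    entries = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or "dev" not in tokens:
            continue
        state = tokens[-1]
        if state in NUD_STATES:
            entries.append((tokens[0], tokens[tokens.index("dev") + 1], state))
    return entries

def cache_pressure(entries, unresolved_ratio=0.5):
    """Per-interface counts; 'alert' is set when the unresolved share of the
    interface's cache exceeds unresolved_ratio (constructed threshold)."""
    per_dev = defaultdict(lambda: {"total": 0, "unresolved": 0})
    for _addr, dev, state in entries:
        per_dev[dev]["total"] += 1
        if state in ("INCOMPLETE", "FAILED"):
            per_dev[dev]["unresolved"] += 1
    report = {}
    for dev, c in per_dev.items():
        ratio = c["unresolved"] / c["total"]
        report[dev] = {**c, "ratio": round(ratio, 2), "alert": ratio > unresolved_ratio}
    return report

def near_capacity(entries, gc_thresh3):
    """True when the whole table is within 10% of the Linux hard cap
    (sysctl net.ipv6.neigh.default.gc_thresh3); beyond it new entries fail."""
    return len(entries) >= 0.9 * gc_thresh3

# Constructed sample output (not captured from a real router): eth1 is mostly
# unresolved entries for scattered addresses inside one /64.
SAMPLE = """\
2001:db8:1::1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
fe80::5054:ff:feaa:bb01 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
2001:db8:2::10 dev eth1 lladdr 52:54:00:aa:bb:10 REACHABLE
2001:db8:2::9f3a dev eth1  INCOMPLETE
2001:db8:2::c0de dev eth1  INCOMPLETE
2001:db8:2::77 dev eth1  FAILED
2001:db8:2::1234 dev eth1  INCOMPLETE
2001:db8:3::1 dev eth2 proxy
"""

if __name__ == "__main__":
    entries = parse_neigh(SAMPLE)
    for dev, stats in cache_pressure(entries).items():
        print(dev, stats)
    print("near gc_thresh3:", near_capacity(entries, gc_thresh3=1024))
```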

