[140609] in North American Network Operators' Group


Re: Yahoo and IPv6

daemon@ATHENA.MIT.EDU (Robert Drake)
Sat May 14 23:02:34 2011

Date: Sat, 14 May 2011 23:01:46 -0400
From: Robert Drake <rdrake@direcpath.com>
To: <nanog@nanog.org>
In-Reply-To: <BANLkTinOHFpVjnO37MUGyOTe1ARSPV=Wbg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 5/10/2011 12:57 AM, Jeff Wheeler wrote:
> Your suggestion has two main disadvantages:
> 1) it doesn't work on some platforms, because input ACL won't stop ND
> learn/solicit -- obviously this is bad
> 2) it requires you to configure a potentially large input ACL on every
> single interface on the box, and adjust that ACL whenever you
> provision more IPv6 addresses for end-hosts -- kinda like not having a
> control-plane filter, only worse
>

Might need to rewrite some portion of ND to do this, but can't a cookie 
be encoded in the ND packet and no state kept?  That should reduce the 
problem to one of a packet flood which everyone already deals with now.

Sorry if this has been suggested/shot down before.  The ND problems keep 
being mentioned and I never see this proposed and it seems like an 
obvious solution.

Robert
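
The stateless-cookie idea raised in the message above, as an added sketch that is not part of the original post or of any real ND implementation: the router derives an HMAC cookie for each solicitation and creates a neighbor entry only when a reply echoes it. The cookie option echoed by the replying host is hypothetical (standard ND has no such field), and the `Router` class, function names and 4-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE_LEN = 8      # bytes carried in the hypothetical cookie option (assumed)
EPOCH_SECONDS = 4   # cookie lifetime granularity (assumed)

def _mac(secret, ifindex, target, epoch):
    # Bind the cookie to the interface, the solicited address and a time window.
    msg = struct.pack("!Iq", ifindex, epoch) + ipaddress.IPv6Address(target).packed
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

def make_cookie(secret, ifindex, target, now):
    return _mac(secret, ifindex, target, int(now) // EPOCH_SECONDS)

def verify_cookie(secret, ifindex, target, cookie, now):
    epoch = int(now) // EPOCH_SECONDS
    # Accept the current and previous window so a reply near a boundary still passes.
    return any(hmac.compare_digest(_mac(secret, ifindex, target, e), cookie)
               for e in (epoch, epoch - 1))

class Router:
    def __init__(self, secret):
        self.secret = secret
        self.neighbors = {}   # confirmed entries only; no INCOMPLETE entries

    def solicit(self, ifindex, target, now):
        # Packet arrived for an unresolved address: emit a solicitation, store nothing.
        return {"target": target, "cookie": make_cookie(self.secret, ifindex, target, now)}

    def on_advertisement(self, ifindex, target, lladdr, cookie, now):
        # State is created only when the reply echoes a cookie this router issued.
        if not verify_cookie(self.secret, ifindex, target, cookie, now):
            return False
        self.neighbors[(ifindex, target)] = lladdr
        return True

if __name__ == "__main__":
    r = Router(b"constructed-demo-secret")
    # Constructed input: a sweep across 10,000 unused addresses in 2001:db8::/64.
    for i in range(10000):
        r.solicit(1, f"2001:db8::{i:x}", now=1000)
    print("entries after sweep:", len(r.neighbors))
    ns = r.solicit(1, "2001:db8::10", now=1000)
    print("real host reply accepted:",
          r.on_advertisement(1, "2001:db8::10", "00:00:5e:00:53:01", ns["cookie"], now=1001))
```

In this sketch the packet that triggered resolution is not queued, and every packet to an unresolved address still costs one HMAC and one solicitation, so the remaining exposure is the packet flood the message refers to.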


