[146945] in North American Network Operators' Group
Re: IPv6 prefixes longer than /64: are they possible in DOCSIS
daemon@ATHENA.MIT.EDU (Jeff Wheeler)
Tue Nov 29 00:16:38 2011
In-Reply-To: <03168C8F-5F29-4596-B835-3104B1B17530@delong.com>
Date: Tue, 29 Nov 2011 00:15:02 -0500
From: Jeff Wheeler <jsw@inconcepts.biz>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Nov 28, 2011 at 4:51 PM, Owen DeLong <owen@delong.com> wrote:
> Technically, absent buggy {firm,soft}ware, you can use a /127. There's no
> actual benefit to doing anything longer than a /64 unless you have
> buggy *ware (ping pong attacks only work against buggy *ware),
> and there can be some advantages to choosing addresses other than
> ::1 and ::2 in some cases. If you're letting outside packets target your
> point-to-point links, you have bigger problems than neighbor table
> attacks. If not, then the neighbor table attack is a bit of a red-herring=
.
Owen and I have discussed this in great detail off-list. Nearly every
time this topic comes up, he posts in public that neighbor table
exhaustion is a non-issue. I thought I'd mention that his plan for
handling neighbor table attacks against his networks is whack-a-mole.
That's right, wait for customer services to break, then have NOC guys
attempt to clear tables, filter traffic, or disable services; and
repeat that if the attacker is determined or going after his network
rather than one of his downstream customers.
I hate to drag a frank, private discussion like that into the public
list; but every time Owen says this is a non-issue, you should keep in
mind that his own plan is totally unacceptable for any production
service. Only one of the following things can be true: either 1) Owen
thinks it is okay for services to break repeatedly and require
operator intervention to fix them if subjected to a trivial attack; or
2) he is lying. Take that as you will.
-- 
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
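The quoted paragraph names two mitigations for neighbor-table exhaustion on point-to-point links: use a /127 instead of a /64, or filter outside packets so they cannot target the link prefix at all. The following Python audit is an added example, not code from this thread or from either poster's network; the interface list is constructed, the "filtered" flag is a hypothetical stand-in for whatever ingress ACL protects a link, and the threshold of /127 is an assumption taken from the quoted text. It reports, for each unfiltered link wider than the threshold, how many addresses a remote sender could aim at, which is the upper bound on neighbor-cache entries that link can be forced to create.

```python
import ipaddress

# Constructed sample inventory (not from the post): interface name, the IPv6
# prefix configured on the link, and whether an ingress filter stops outside
# traffic destined to that prefix (hypothetical flag).
SAMPLE_LINKS = [
    {"name": "xe-0/0/0", "prefix": "2001:db8:0:1::/64", "filtered": False},
    {"name": "xe-0/0/1", "prefix": "2001:db8:0:2::/127", "filtered": False},
    {"name": "xe-0/0/2", "prefix": "2001:db8:0:3::/64", "filtered": True},
    {"name": "xe-0/0/3", "prefix": "2001:db8:0:4::/112", "filtered": False},
]


def neighbor_cache_exposure(prefix):
    """Number of addresses inside the link prefix.

    Every one of them is a potential destination for which the router would
    have to resolve a neighbor, so this is the worst-case number of cache
    entries an unfiltered link can be made to hold.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.num_addresses


def audit_links(links, max_unfiltered_prefixlen=127):
    """Return (name, prefixlen, exposure) for links that are neither filtered
    nor narrowed to at least max_unfiltered_prefixlen (a /127 by default)."""
    findings = []
    for link in links:
        net = ipaddress.IPv6Network(link["prefix"], strict=False)
        if link["filtered"]:
            # Outside packets cannot reach the link prefix, so only on-link
            # hosts could populate the neighbor cache; nothing to report.
            continue
        if net.prefixlen < max_unfiltered_prefixlen:
            findings.append((link["name"], net.prefixlen,
                             neighbor_cache_exposure(link["prefix"])))
    return findings


if __name__ == "__main__":
    for name, plen, exposure in audit_links(SAMPLE_LINKS):
        print(f"{name}: /{plen} unfiltered, up to {exposure} targetable addresses")
```

Running it against the sample flags the unfiltered /64 and /112 links and leaves the /127 and the filtered /64 alone; in practice the inventory would come from the router configs and the filter flag from the ACL applied to each interface.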