[146973] in North American Network Operators' Group


Re: IPv6 prefixes longer then /64: are they possible in DOCSIS

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Nov 29 12:26:07 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAP5kh1AwmHe2GRAvtP=cxQN5beDb1AjCGWmF+=Gqd1LNSySt-w@mail.gmail.com>
Date: Tue, 29 Nov 2011 09:21:13 -0800
To: Dmitry Cherkasov <doctorchd@gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Nov 29, 2011, at 4:58 AM, Dmitry Cherkasov wrote:

> Thanks to everybody participating in the discussion.
> I try to summarize.
>
> 1) There is no obvious benefit of using longer prefixes than /64
> in DOCSIS networks yet there are no definite objections to use them
> except that it violates best practices and may lead to some problems
> in the future
>
> 2) DHCPv6 server can use any algorithm to generate interface ID part
> of the address, and EUI-64 may be just one of them that can be useful
> for keeping correspondence between MAC and IPv6 addresses. Yet if we
> use EUI-64 we definitely need to use /64 prefix
>
> 3) Using /64 networks poses a potential security threat related to
> neighbor tables overflow. This is a wide IPv6 problem and not related to
> DOCSIS only
>
99% of which can be easily mitigated by ACLs, especially in the context
you are describing.

> There were also notes about address usage on link networks. Though
> this was out of the scope of original question it is agreed that using
> /64 is not reasonable here. BTW, RFC6164 (Using 127-Bit IPv6 Prefixes
> on Inter-Router Links) can be mentioned here.
>

I don't agree that using /64 on link networks is not reasonable. It's
perfectly fine and there is no policy against it. There are risks (buggy
router code having ping pong attack exposure, ND table overflow attacks
if not protected by ACL), but, otherwise, there's nothing wrong with it.

Owen

>
> Dmitry Cherkasov
>
> 2011/11/29 Dmitry Cherkasov <doctorchd@gmail.com>:
>> Tore,
>>
>> To comply with this policy we delegate at least /64 to end-users
>> gateways. But this policy does not cover the network between WAN
>> interfaces of CPE and ISP access gateway.
>>
>> Dmitry Cherkasov
>>
>> 2011/11/29 Tore Anderson <tore.anderson@redpill-linpro.com>:
>>> * Dmitry Cherkasov
>>>
>>>> I am determining technical requirements to IPv6 provisioning system
>>>> for DOCSIS networks and I am deciding if it is worth to restrict user
>>>> to use not less than /64 networks on cable interface. It is obvious
>>>> that no true economy of IP addresses can be achieved with increasing
>>>> prefix length above 64 bits.
>>>
>>> I am not familiar with DOCSIS networks, but I thought I'd note that in
>>> order to comply with the RIPE policies, you must assign at least a /64
>>> or shorter to each end user:
>>>
>>> http://www.ripe.net/ripe/docs/ripe-523#assignment_size
>>>
>>> --
>>> Tore Anderson
>>> Redpill Linpro AS - http://www.redpill-linpro.com
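
Point 2 of the summary quoted above (EUI-64 interface IDs need a /64, while a DHCPv6 server may use any other algorithm), as an added example that is not part of the original thread. The function names, the hash-based fallback, the documentation prefix 2001:db8::/32 and the MAC address are assumptions constructed for illustration.

```python
import hashlib
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Parse a 48-bit MAC written with ':' or '-' separators."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A): flip the
    universal/local bit and insert ff:fe between the two MAC halves."""
    m = _mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The 64-bit interface ID only fits when exactly 64 host bits remain."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64, got /{net.prefixlen}")
    return net.network_address + eui64_interface_id(mac)


def hashed_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Hypothetical allocator for any prefix length: derive the host bits
    from a hash of the MAC. Offset 0 (subnet-router anycast) is skipped.
    With few host bits collisions are likely, so a real DHCPv6 server
    would still check its lease table before handing the address out."""
    net = ipaddress.IPv6Network(prefix)
    host_bits = 128 - net.prefixlen
    if host_bits < 2:
        raise ValueError("prefix leaves too few host bits")
    digest = hashlib.sha256(_mac_bytes(mac)).digest()
    offset = 1 + int.from_bytes(digest, "big") % ((1 << host_bits) - 1)
    return net.network_address + offset
```
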


