[146982] in North American Network Operators' Group
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS
Tue Nov 29 23:30:43 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CALFTrnNZp77u5Scdx8GXE_V3RaAYfseydkLH=gZ_tXXSHgCWEA@mail.gmail.com>
Date: Tue, 29 Nov 2011 20:28:32 -0800
To: Ray Soucy <rps@maine.edu>
Cc: NANOG <nanog@nanog.org>
On Nov 29, 2011, at 9:46 AM, Ray Soucy wrote:
> Could you provide an example of such an ACL that can prevent neighbor
> table exhaustion while maintaining a usable 64-bit prefix? I am
> intrigued.
>
For a point-to-point link... Sure...
Router A: 2001:db8:0:0:1::
Router B: 2001:db8:0:0:2::
permit ipv6 any 2001:db8:0:0:3:: 0000:0000:0000:0000:0003:0000:0000:0000
Or, if you prefer:
Router A: 2001:db8::1
Router B: 2001:db8::2
permit ipv6 any 2001:db8::3 0000:0000:0000:0000:0000:0000:0000:0003
Owen
> On Tue, Nov 29, 2011 at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
>>
>> On Nov 29, 2011, at 4:58 AM, Dmitry Cherkasov wrote:
>>
>>> Thanks to everybody participating in the discussion.
>>> I try to summarize.
>>>
>>> 1) There is no obvious benefit of using prefixes longer than /64
>>> in DOCSIS networks, yet there are no definite objections to using them
>>> except that it violates best practices and may lead to some problems
>>> in the future
>>>
>>> 2) DHCPv6 server can use any algorithm to generate interface ID part
>>> of the address, and EUI-64 may be just one of them that can be useful
>>> for keeping correspondence between MAC and IPv6 addresses. Yet if we
>>> use EUI-64 we definitely need to use /64 prefix
>>>
>>> 3) Using /64 networks poses a potential security threat related to
>>> neighbor table overflow. This is a wide IPv6 problem and not related to
>>> DOCSIS only
>>>
>> 99% of which can be easily mitigated by ACLs, especially in the context
>> you are describing.
>>
>>> There were also notes about address usage on link networks. Though
>>> this was out of the scope of original question it is agreed that using
>>> /64 is not reasonable here. BTW, RFC6164 (Using 127-Bit IPv6 Prefixes
>>> on Inter-Router Links) can be mentioned here.
>>>
>>
>> I don't agree that using /64 on link networks is not reasonable. It's perfectly
>> fine and there is no policy against it. There are risks (buggy router code
>> having ping pong attack exposure, ND table overflow attacks if not
>> protected by ACL), but, otherwise, there's nothing wrong with it.
>>
>> Owen
>>
>>>
>>> Dmitry Cherkasov
>>>
>>> 2011/11/29 Dmitry Cherkasov <doctorchd@gmail.com>:
>>>> Tore,
>>>>
>>>> To comply with this policy we delegate at least /64 to end-users
>>>> gateways. But this policy does not cover the network between WAN
>>>> interfaces of CPE and ISP access gateway.
>>>>
>>>> Dmitry Cherkasov
>>>>
>>>> 2011/11/29 Tore Anderson <tore.anderson@redpill-linpro.com>:
>>>>> * Dmitry Cherkasov
>>>>>
>>>>>> I am determining technical requirements for an IPv6 provisioning system
>>>>>> for DOCSIS networks and I am deciding if it is worth restricting users
>>>>>> to use not less than /64 networks on cable interface. It is obvious
>>>>>> that no true economy of IP addresses can be achieved with increasing
>>>>>> prefix length above 64 bits.
>>>>>
>>>>> I am not familiar with DOCSIS networks, but I thought I'd note that in
>>>>> order to comply with the RIPE policies, you must assign at least a /64
>>>>> or shorter to each end user:
>>>>>
>>>>> http://www.ripe.net/ripe/docs/ripe-523#assignment_size
>>>>>
>>>>> --
>>>>> Tore Anderson
>>>>> Redpill Linpro AS - http://www.redpill-linpro.com
>>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
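The wildcard-mask ACL Owen gives above works because it permits only a handful of destinations inside the /64, so the router never has to run Neighbor Discovery for the remaining 2^64 - 4 addresses and its neighbor table cannot be filled by traffic aimed at them. The Python script below is an added illustration, not part of the mail thread; it assumes Cisco-style wildcard semantics (a 1 bit in the mask means "don't care", a 0 bit must match) and uses the thread's 2001:db8::/64 documentation addresses plus a few constructed destinations to show which packets the entry still lets through.

```python
"""Evaluate how far an IPv6 wildcard-mask ACL narrows the destinations a
router must resolve on a /64 point-to-point link (added example)."""
import ipaddress
from itertools import product


def _to_int(text):
    return int(ipaddress.IPv6Address(text))


def wildcard_match(dst, acl_addr, wildcard):
    """Cisco-style wildcard compare: only the bits that are 0 in the
    wildcard have to agree between the packet and the ACL address."""
    w = _to_int(wildcard)
    return (_to_int(dst) & ~w) == (_to_int(acl_addr) & ~w)


def permitted_addresses(acl_addr, wildcard):
    """Enumerate every destination a single entry matches.

    Only practical when few wildcard bits are set, which is exactly the
    situation the mail describes (two bits -> four addresses)."""
    base = _to_int(acl_addr)
    w = _to_int(wildcard)
    free_bits = [i for i in range(128) if (w >> i) & 1]
    fixed = base & ~w
    found = []
    for combo in product((0, 1), repeat=len(free_bits)):
        value = fixed
        for bit, on in zip(free_bits, combo):
            if on:
                value |= 1 << bit
        found.append(str(ipaddress.IPv6Address(value)))
    return sorted(found, key=_to_int)


def acl_permits(entries, dst):
    """First-match evaluation of (action, acl_addr, wildcard) entries with
    the usual implicit deny at the end."""
    for action, acl_addr, wildcard in entries:
        if wildcard_match(dst, acl_addr, wildcard):
            return action == "permit"
    return False


def resolvable_destinations(entries, link_prefix, candidates):
    """Destinations inside link_prefix that the ACL still lets through: the
    only addresses the router will ever need a neighbor cache entry for."""
    net = ipaddress.IPv6Network(link_prefix)
    return [d for d in candidates
            if ipaddress.IPv6Address(d) in net and acl_permits(entries, d)]


# Owen's second variant: Router A = 2001:db8::1, Router B = 2001:db8::2.
LINK_ACL = [("permit", "2001:db8::3", "::3")]

# Constructed destinations (not from the thread): the two router addresses,
# two unused addresses inside the link /64, and one outside it.
CONSTRUCTED_DESTINATIONS = [
    "2001:db8::1",
    "2001:db8::2",
    "2001:db8::4",
    "2001:db8::dead:beef",
    "2001:db8:0:0:ffff::1",
    "2001:db8:1::1",
]


def summary(entries=LINK_ACL, link_prefix="2001:db8::/64",
            candidates=CONSTRUCTED_DESTINATIONS):
    """How many of the candidate packets would reach the link (and so
    trigger Neighbor Discovery) versus being dropped by the ACL."""
    reach = resolvable_destinations(entries, link_prefix, candidates)
    return {"permitted": len(reach), "dropped": len(candidates) - len(reach)}


if __name__ == "__main__":
    # Note that ::0 (the subnet-router anycast address) is also covered
    # by the entry; an operator may want a deny for it ahead of the permit.
    print("entry covers:", permitted_addresses("2001:db8::3", "::3"))
    print("link traffic still resolved:",
          resolvable_destinations(LINK_ACL, "2001:db8::/64",
                                  CONSTRUCTED_DESTINATIONS))
    print(summary())
```

Running it shows the entry covers exactly 2001:db8:: through 2001:db8::3, so of the constructed destinations only the two router addresses ever reach the neighbor-resolution stage; the same enumeration works for Owen's first variant with the wildcard 0000:0000:0000:0000:0003:0000:0000:0000.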