[147017] in North American Network Operators' Group
Re: IPv6 prefixes longer than /64: are they possible in DOCSIS
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Wed Nov 30 14:42:41 2011
In-Reply-To: <CAPWAtbJVXyg4xx77tvO5UASyLMhL8-OUkwA3dYawqDPx=0pO-Q@mail.gmail.com>
Date: Wed, 30 Nov 2011 13:41:49 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Jeff Wheeler <jsw@inconcepts.biz>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Nov 30, 2011 at 10:39 AM, Jeff Wheeler <jsw@inconcepts.biz> wrote:
> On Wed, Nov 30, 2011 at 9:48 AM, Ray Soucy <rps@maine.edu> wrote:
> Owen has suggested "stateful firewall" as a solution to me in the
> past. There is not currently any firewall with the necessary features
> to do this. We sometimes knee-jerk and think "stateful firewall has
> gobs of memory and can spend more CPU time on each packet, so it is a
> more likely solution." In this case that does not matter. You can't
> have 2^64 bits of memory.
In principle, a firewall doesn't need 2^64 bits of memory.
You can have a single tree node that tells you "OK, all the
interface IDs in the range 0x0000000000000000 through 0x000000000007ffff
on Interface/network X are in state X"; there comes a point where
you can discard stale data long before it gets close to 2^64 bits.
It's all well and good that in theory you could construct a stateful
firewall to protect some /126 inter-router links, but seriously...
Why should you?
Stateful firewalls are not free; neither is making a stateful
firewall that can do that.
What's the overwhelming benefit of forcing in a /126 on your P-t-P
inter-router links if it has risks and complicates matters so much?
--
-JH
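The aggregated-state idea in the reply above (one tree node covering a whole range of interface IDs, with stale entries discarded) can be made concrete with a small simulation. The following is an added example written for this page, not code from Jimmy Hess or from any firewall vendor; the block size (a /112-style chunk of 2^16 interface IDs), the bounded table with oldest-entry eviction, the 30-second TTL, and the 2001:db8:: addresses are all assumptions chosen to illustrate the point. It shows that a sequential sweep of 65536 addresses on one /64 collapses into a single state node, and that a sweep of random addresses across the /64 never grows the table past its configured cap.

```python
import ipaddress
import random


class RangeStateTable:
    """Track per-neighbor state for a /64 by aligned block of interface IDs,
    not by individual 128-bit address, so memory stays bounded.

    Assumed design (not any vendor's): each node keys on (prefix, iid >> block_bits),
    entries expire after `ttl` seconds, and the table never exceeds `max_entries`
    because the least-recently-seen node is evicted when it is full.
    """

    def __init__(self, block_bits=16, max_entries=256, ttl=30.0):
        self.block_bits = block_bits      # low IID bits folded into one node
        self.max_entries = max_entries    # hard cap on state nodes
        self.ttl = ttl                    # seconds before a node is stale
        self.table = {}                   # (prefix, block) -> (state, last_seen)

    def _key(self, addr):
        n = int(ipaddress.IPv6Address(addr))
        prefix = n >> 64
        iid = n & 0xFFFF_FFFF_FFFF_FFFF
        return (prefix, iid >> self.block_bits)

    def expire(self, now):
        """Discard stale nodes; return how many were removed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.ttl]
        for k in stale:
            del self.table[k]
        return len(stale)

    def observe(self, addr, state, now):
        """Record `state` for the block containing `addr` at time `now`."""
        self.expire(now)
        key = self._key(addr)
        if key not in self.table and len(self.table) >= self.max_entries:
            # Table full: evict the least-recently-seen node before inserting.
            oldest = min(self.table, key=lambda k: self.table[k][1])
            del self.table[oldest]
        self.table[key] = (state, now)
        return key

    def lookup(self, addr, now):
        """Return the recorded state for addr's block, or None if absent/stale."""
        entry = self.table.get(self._key(addr))
        if entry is None or now - entry[1] > self.ttl:
            return None
        return entry[0]

    def size(self):
        return len(self.table)


def sequential_sweep(prefix="2001:db8:0:1::", count=65536):
    """Constructed scenario: 65536 consecutive addresses on one /64.
    Returns (node count, state seen for the last address of the block)."""
    t = RangeStateTable(block_bits=16, max_entries=256)
    base = int(ipaddress.IPv6Address(prefix))
    for i in range(count):
        t.observe(str(ipaddress.IPv6Address(base + i)), "INCOMPLETE", now=i / 1000)
    return t.size(), t.lookup("2001:db8:0:1::ffff", now=66.0)


def random_sweep(prefix="2001:db8:0:1::", count=5000, seed=1):
    """Constructed scenario: 5000 random interface IDs across the /64,
    arriving 100 per second. Returns the final node count."""
    t = RangeStateTable(block_bits=16, max_entries=256)
    base = int(ipaddress.IPv6Address(prefix))
    rng = random.Random(seed)
    for i in range(count):
        iid = rng.getrandbits(64)
        t.observe(str(ipaddress.IPv6Address(base + iid)), "INCOMPLETE", now=i / 100)
    return t.size()


def expiry_demo():
    """One neighbor observed at t=0; visible at t=10, gone at t=31."""
    t = RangeStateTable(block_bits=16, max_entries=256, ttl=30.0)
    t.observe("2001:db8::1", "REACHABLE", now=0.0)
    before = t.lookup("2001:db8::1", now=10.0)
    after = t.lookup("2001:db8::1", now=31.0)
    removed = t.expire(now=31.0)
    return before, after, removed, t.size()


if __name__ == "__main__":
    print("sequential sweep -> nodes, state:", sequential_sweep())
    print("random sweep     -> nodes:", random_sweep())
    print("expiry demo      ->", expiry_demo())
```

The two sweeps are the cases a defender cares about: a linear scan of a /64 is absorbed by one node, and a randomized scan is capped by `max_entries` plus eviction, so the table's footprint is a configuration choice rather than a function of 2^64. Whether that cap is acceptable for a given link (how much collateral state a legitimate neighbor shares with a scanner in the same block) is the trade-off the reply is pointing at.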