[157650] in North American Network Operators' Group
Re: IPv6 Network Device Numbering BP
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Nov 1 17:06:31 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <5092D477.5020901@tiggee.com>
Date: Thu, 1 Nov 2012 14:01:43 -0700
To: David Miller <dmiller@tiggee.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
There are better ways to avoid neighbor exhaustion attacks unless you
have attackers inside your network.

If you have attackers inside your network, you probably have bigger
problems than neighbor table attacks anyway, but that's a different
issue.

Even if you're going to do something silly like use /120s on
interfaces, I highly recommend going ahead and reserving the enclosing
/64 so that when you discover /120 wasn't the best idea, you can easily
retrofit.

Owen
On Nov 1, 2012, at 12:58 , David Miller <dmiller@tiggee.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/1/2012 1:59 PM, Valdis.Kletnieks@vt.edu wrote:
>> On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
>>
>>> We use a /120 subnet for servers to prevent the NDP cache
>>> exhaustion attack. We do maintain a mapping between IPv4 and IPv6
>>> addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex
>>> value of the last octet of the IPv4 address.
>>
>> ooh.. that's a clever approach I hadn't seen before. Who should we
>> credit for this one?
>>
>
> /120 works well until you get > 99 (if you want the decimal
> representations of addresses to look the same)... or if your techs
> understand hex.
>
> 10.0.0.123 <-> 2001:db8:vv:ww::7b
>
> I have used /116 in the past. This gives you 1-fff at the end.
>
> 10.0.0.123 <-> 2001:db8:vv:ww::123
>
> Hopefully, this is future proof(ish) in that IPv6 only hosts (...when
> that happens...) on the same subnet can use
> 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with
> IPv4/IPv6 hosts.
>
> - -DMM
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> -----END PGP SIGNATURE-----
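
The two numbering schemes discussed in this thread, worked through as an added example that is not part of any poster's message: the /120 hex-octet mapping and the /116 decimal-lookalike mapping, both carved from a reserved enclosing /64. The prefix 2001:db8:0:1::/64 is a constructed stand-in for the thread's 2001:db8:vv:ww, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample /64; the thread writes it as 2001:db8:vv:ww::/64.
ENCLOSING_64 = ipaddress.IPv6Network("2001:db8:0:1::/64")

# Suffixes the thread sets aside for IPv6-only hosts: [a-f][0-f][0-f].
V6_ONLY_SUFFIXES = range(0xA00, 0x1000)


def hex_octet_suffix(ipv4):
    """/120 scheme: the suffix is the numeric value of the last IPv4 octet."""
    return int(ipaddress.IPv4Address(ipv4)) & 0xFF


def decimal_lookalike_suffix(ipv4):
    """/116 scheme: the octet's decimal digits are reread as hex digits."""
    return int(str(hex_octet_suffix(ipv4)), 16)


def map_host(ipv4, scheme):
    """Return (IPv6 address, interface subnet) for 'hex' or 'decimal'."""
    if scheme == "hex":
        suffix, plen = hex_octet_suffix(ipv4), 120
    elif scheme == "decimal":
        suffix, plen = decimal_lookalike_suffix(ipv4), 116
    else:
        raise ValueError("scheme must be 'hex' or 'decimal'")
    # The interface subnet is the first /120 or /116 of the reserved /64,
    # so widening the prefix later does not renumber any host.
    subnet = ipaddress.IPv6Network((ENCLOSING_64.network_address, plen))
    addr = subnet.network_address + suffix
    if addr not in subnet:
        raise ValueError(f"{addr} falls outside {subnet}")
    return addr, subnet


def dual_stack_suffixes():
    """Every suffix the /116 scheme can assign to an IPv4-mapped host."""
    return {int(str(octet), 16) for octet in range(256)}


if __name__ == "__main__":
    for scheme in ("hex", "decimal"):
        addr, subnet = map_host("10.0.0.123", scheme)
        # num_addresses bounds how many neighbor entries the subnet can hold.
        print(f"{scheme:8} {addr}  in {subnet}  ({subnet.num_addresses} addresses)")
    print("v6-only range collision-free:",
          dual_stack_suffixes().isdisjoint(V6_ONLY_SUFFIXES))
```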