[157652] in North American Network Operators' Group


Re: IPv6 Network Device Numbering BP

daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Thu Nov 1 19:42:51 2012

Date: Fri, 2 Nov 2012 00:41:28 +0100
From: "Miquel van Smoorenburg" <mikevs@xs4all.net>
To: nanog@nanog.org
In-Reply-To: <963E27C7-A0C5-44AC-86AF-33E6286C9BC1@delong.com>
Cc: 
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1@delong.com> you write:
>There are better ways to avoid neighbor exhaustion attacks unless you
>have attackers
>inside your network.

You mean filtering. I haven't tried it recently, but a while ago
I put an output filter on a Juniper router that allowed just
the lower /120 out of a /64 on an interface. What happened was that
neighbor discovery happened /before/ filtering. I should probably
test that against recent JunOS releases, but that was a firm
reason to go with a /120 instead of a filter. Besides, configuring
a /120 is way less work than a filter per interface (yes we
do have per-interface filters but they're kind of generic).

>Even if you're going to do something silly like use /120s on interfaces,
>I highly
>recommend going ahead and reserving the enclosing /64 so that when you discover
>/120 wasn't the best idea, you can easily retrofit.

Sure, we do that; as soon as router vendors solve the NDP CE attack
problem we'll go back to /64s.

Mike.
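The two approaches Mike compares, as an added toy model written for this archive page (not code from the post, from Juniper, or from any router vendor): neighbor discovery is modelled as running before the output filter, exactly as he observed, and the 2001:db8 prefixes are assumed documentation values.

```python
"""Toy router model: a neighbor-cache entry is created for any destination
inside the interface's on-link prefix *before* the output filter runs, so an
output filter that permits only the lower /120 of a /64 does not stop cache
growth, whereas configuring the interface as a /120 does."""
import ipaddress


class ToyRouter:
    def __init__(self, onlink_prefix, output_filter=None):
        self.onlink = ipaddress.IPv6Network(onlink_prefix)
        self.output_filter = (ipaddress.IPv6Network(output_filter)
                              if output_filter else None)
        self.neighbor_cache = set()   # INCOMPLETE entries created by ND
        self.dropped = 0

    def forward(self, dst):
        dst = ipaddress.IPv6Address(dst)
        if dst not in self.onlink:
            # Not on this link: routing-table lookup, no ND on this interface.
            return "not-onlink"
        # On-link destination: ND is triggered first (the observed JunOS
        # order), consuming a neighbor-cache slot...
        self.neighbor_cache.add(dst)
        # ...and only then does the output filter get to drop the packet.
        if self.output_filter and dst not in self.output_filter:
            self.dropped += 1
            return "filtered"
        return "sent"


def enclosing_64(prefix):
    """The /64 to reserve around a /120 so a later retrofit is painless."""
    return ipaddress.IPv6Network(prefix).supernet(new_prefix=64)


def simulate(router, prefix, count):
    """Send `count` constructed packets spread evenly across `prefix` and
    return the resulting neighbor-cache size."""
    net = ipaddress.IPv6Network(prefix)
    step = net.num_addresses // count
    for i in range(count):
        router.forward(net[i * step])
    return len(router.neighbor_cache)


if __name__ == "__main__":
    filtered = ToyRouter("2001:db8::/64", output_filter="2001:db8::/120")
    print("filtered /64 cache:", simulate(filtered, "2001:db8::/64", 64))  # 64
    small = ToyRouter("2001:db8::/120")
    print("plain /120 cache:  ", simulate(small, "2001:db8::/64", 64))     # 1
```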
