[175136] in North American Network Operators' Group


Re: IPv6 Default Allocation - What size allocation are you giving out

daemon@ATHENA.MIT.EDU (William Herrin)
Thu Oct 9 14:21:31 2014

X-Original-To: nanog@nanog.org
X-Really-To: <nanog@nanog.org>
In-Reply-To: <CA+uSw_VySgc4FG6kjQDhRKZvmFkhhpx=2B2efu2f9jYLiFDxEA@mail.gmail.com>
From: William Herrin <bill@herrin.us>
Date: Thu, 9 Oct 2014 14:06:48 -0400
To: Richard Hicks <richard.hicks@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Thu, Oct 9, 2014 at 1:55 PM, Richard Hicks <richard.hicks@gmail.com> wrote:
> On Thu, Oct 9, 2014 at 10:40 AM, William Herrin <bill@herrin.us> wrote:
>> "Regardless of the number of hosts on an individual LAN or WAN
>> segment, every multi-access network (non-point-to-point) requires at
>> least one /64 prefix."
>>
>> But using /64s on WAN links invites needless problems with neighbor
>> discovery when an attacker decides to send one ping each to half a
>> million addresses all of which happen to land on that WAN link.
>
> The BCOP specifically addresses this in 4b:
> " b. Point-to-point links should be allocated a /64 and configured with a
> /126 or /127"

It says, effectively, that a WAN link involving 3 or 4 routers (a
common redundancy design) should use a /64. I think that's nuts. It
creates a needlessly wide attack surface. Use a /124 for that.

And if our subnets should be on nibble boundaries, /126 and /127 on
ptp links aren't so wise either. Use a /124 for that too.

-Bill



-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?
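An added example, not part of the post above and not from the BCOP being discussed: a small audit script that applies the two checks the reply argues for to an inventory of link prefixes. It flags lengths that are not on a nibble boundary (/126, /127) and prefixes wide enough that a neighbor-discovery sweep of the link becomes cheap for an attacker, and it proposes the /124 that contains the link's first address. The link names, the sample prefixes and the /120 exposure threshold are constructed assumptions for the demonstration.

```python
"""Audit IPv6 infrastructure link prefixes for two concerns: a wide prefix
(e.g. /64) lets an attacker sweep enormous address space on the link and
load the router's neighbor cache, and non-nibble-aligned lengths (/126,
/127) break the nibble-boundary convention.

Example code written for this page; it is not from the post or the BCOP.
"""
import ipaddress

# Constructed sample inventory: hypothetical link names and documentation
# prefixes (2001:db8::/32), not a real network.
LINKS = [
    ("core1-core2",  "2001:db8:0:1::/64"),   # /64 on a router-to-router link
    ("core1-edge1",  "2001:db8:0:2::/127"),  # ptp, not on a nibble boundary
    ("core1-edge2",  "2001:db8:0:3::/126"),  # ptp, not on a nibble boundary
    ("dc-wan-ring",  "2001:db8:0:4::/124"),  # nibble-aligned, 16 addresses
]

# Assumption for this example: anything wider than a /120 (more than 256
# addresses on one link) is treated as exposed to a cheap ND sweep.
SWEEP_EXPOSURE_LEN = 120


def audit_link(name, prefix, sweep_exposure_len=SWEEP_EXPOSURE_LEN):
    """Return a dict describing one link and the findings against it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    findings = []
    if plen % 4 != 0:
        # /126 and /127 fail this; /124 and /64 pass.
        findings.append("not-nibble-aligned")
    if plen < sweep_exposure_len:
        # 2**(128-plen) addresses reachable via this link's prefix.
        findings.append("nd-sweep-exposed")
    return {
        "name": name,
        "prefix": str(net),
        "prefixlen": plen,
        "addresses": net.num_addresses,
        "findings": findings,
    }


def audit_links(links, **kwargs):
    """Audit every (name, prefix) pair in an inventory."""
    return [audit_link(name, prefix, **kwargs) for name, prefix in links]


def recommended_prefix(prefix, target_len=124):
    """Return the nibble-aligned /124 that contains the link's first address,
    i.e. the renumbering target the post argues for."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Network((net.network_address, target_len),
                                     strict=False))


if __name__ == "__main__":
    for result in audit_links(LINKS):
        status = ", ".join(result["findings"]) or "ok"
        print(f"{result['name']:<12} {result['prefix']:<22} "
              f"addresses={result['addresses']:<22} {status}")
        if result["findings"]:
            print(f"{'':<12} suggest {recommended_prefix(result['prefix'])}")
```

Running it against the constructed inventory reports the /64 link as sweep-exposed (2^64 addresses behind one interface), the /127 and /126 links as not nibble-aligned, and the /124 as clean; the suggestion line shows the /124 a link would be renumbered into. Adjust the exposure threshold to whatever your platform's neighbor-cache limits justify.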
