[175152] in North American Network Operators' Group


Re: IPv6 Default Allocation - What size allocation are you giving out

daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Thu Oct 9 16:53:58 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <526C69C1-C1FF-4071-AA61-C6A5C08A3D3E@delong.com>
Date: Thu, 9 Oct 2014 22:53:50 +0200
From: Baldur Norddahl <baldur.norddahl@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I am sorry if I stepped on something sore. I am not dismissing any
arguments, and I am genuinely interested in any advantages and
disadvantages to the approach. There is more than one way to design a
network and all I am saying is this far it is working great for me. The two
disadvantages put forward so far have not been of any consequences in my
network.

But I am concerned that you say that I am still vulnerable to NDP attacks.
Could you elaborate on that please?

About loopback not being an unique identifier, please remember that none of
the IP addresses on a host is that. An IP address belongs to the host, not
the interface. Creating addresses on interfaces is just an alias for
creating the same address as loopback and adding a net route on the
interface. Don't believe me? Try it out!

"I can't help that your equipment is ill-behaved at best."

That is not ill-behaved. It is the correct behavior. Try unplugging the
netcable from your computer - you will NOT lose the IP-address unless you
have a DHCP daemon that takes it away.

Regards,

Baldur
On 9 October 2014 22:38, Owen DeLong <owen@delong.com> wrote:

>
> On Oct 9, 2014, at 1:25 PM, Baldur Norddahl <baldur.norddahl@gmail.com>
> wrote:
>
> > On 9 October 2014 22:01, Owen DeLong <owen@delong.com> wrote:
> >
> >>> Why do people assign addresses to point-to-point links at all? You can
> >> just
> >>> use a host /128 route to the loopback address of the peer. Saves you
> the
> >>> hassle of coming up with new addresses for every link. Same trick works
> >> for
> >>> IPv4 too.
> >>>
> >>> Regards,
> >>>
> >>> Baldur
> >>
> >> <SARCASM>
> >>
> >> And it makes your trace-routes across parallel links oh so easy to
> >> identify which of them is at fault for the packet loss, too.
> >>
> >> </SARCASM>
> >>
> >
> > There are a ton of other technologies with the same problem. Do you never
> > use link aggregation? My "parallel links" are all link aggregations, so I
> > would not have a way to identify links by traceroute anyway.
>
> Your design problems don't have to be mine.
>
> Just because you have created that problem through another mechanism
> doesn't pose a reason anyone else should accept the same problem in a
> different circumstance.
>
> > There are a number of good technical reasons to want distinct addresses
> on
> >> point to point links.
> >>
> >
> > I am sure there are. Tell me about them.
>
> I gave you one. You decided to dismiss it on the basis of "it wouldn't
> help me anyway because I use this other thing that is broken that way
> regardless."
>
> Some others (not a conclusive list by any means):
>         Having public addresses in trace-routes, ideally with good reverse
> DNS is actually useful.
>         Clarity is almost always an advantage over obscurity when one is
> troubleshooting something.
>         Being able to ping the link address is useful for troubleshooting.
>         Being able to source packets from a particular link address can be
> useful for troubleshooting.
>
> > I am not disputing that there are many reasons to sometimes use link
> > addresses. My question is why do you do it by default?
>
>
> >
> > So far we have heard two arguments:
> >
> > 1) You can ping the link address. I assume his equipment will down the
> > address if the link is down. My equipment does not do this, I can ping it
> > as long it is administrative up no matter link status. So this test is
> > useless to me. I am monitoring links by SNMP anyway.
>
> I can't help that your equipment is ill-behaved at best. Perhaps you
> should consider alternatives.
> I certainly don't think that designing everyone else's network to the
> level of brokenness in your particular environment is particularly valid.
>
> >
> > 2) Parallel links. I don't have many of those, and the ones I have are
> link
> > aggregations. MPLS interferes with this too.
> >
> > On the other hand not using link addresses has some advantages:
> >
> > 1) You don't need to assign and document them.
>
> Sure you do, it's just harder. You're now using essentially an "unnumbered
> interface" which needs to be documented as such so that people know that
> when a given loopback shows up, it's not a unique identifier, but ambiguous
> across several interfaces.
>
> > 2) It is easy to think about: Router A talks to Router B on link AB.
> Every
> > router has only one address so you don't need to remember which address
> to
> > use.
>
> I don't have to remember which address to use normally. This is not an
> advantage.
> I can always use the loopback address to talk to a router if my
> environment is correctly
> functioning. If it is not, removing the ambiguity of unnumbered link
> addresses is more
> helpful than being able to use one address for each router while unable to
> know how
> traffic is actually flowing as a result.
>
> > 3) You avoid having a lot of addresses configured on your router.
>
> I don't see this as an advantage. For a number of reasons (some of which I
> have expressed above) it is, in fact, a disadvantage.
>
> > 4) You are immune to all the NDP attacks.
>
> No you aren't. You just change the nature of those attacks.
>
> > 5) You are immune to the monthly NANOG debate about using /127 vs /126 vs
> > /124 vs /64. The correct answer is clearly use /128 :-).
>
> Except that it's clearly an incorrect answer, IMHO.
>
> Owen
>
>

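The loopback-plus-/128-host-route design argued over in this thread, built as an added example (not code from either poster) with two Linux network namespaces; it assumes Linux with iproute2 and root, and the 2001:db8:: and fe80:: addresses are constructed values. After the link is taken down it shows that the router's loopback address still answers a ping, so link health has to be read from the interface state (what SNMP ifOperStatus reports) rather than inferred from the address being reachable.

```shell
#!/bin/sh
# Routers A and B as Linux network namespaces joined by a veth pair that
# carries no global address. Each router's single global address sits on
# lo; the peer is reached through a /128 host route whose next hop is the
# link-local address on the far end of the link. 2001:db8::/32 and the
# fe80:: next hops are constructed values for this example.
set -e
LO_A=2001:db8::a; LO_B=2001:db8::b

# Pure helper (needs no root): the two commands that give a router its
# loopback address and its host route to the peer.
# args: own-loopback peer-loopback link-ifname peer-link-local
host_route_cmds() {
    printf 'ip -6 addr add %s/128 dev lo\n' "$1"
    printf 'ip -6 route add %s/128 via %s dev %s\n' "$2" "$4" "$3"
}

# Run the generated commands inside namespace $1 (remaining args as above).
apply_in_ns() {
    ns=$1; shift
    host_route_cmds "$@" | while read -r cmd; do ip netns exec "$ns" $cmd; done
}

demo() {
    ip netns add rA; ip netns add rB
    ip link add vA type veth peer name vB
    ip link set vA netns rA; ip link set vB netns rB
    ip -n rA link set lo up; ip -n rB link set lo up
    ip -n rA link set vA up;  ip -n rB link set vB up
    # fixed link-local addresses so the next hops are predictable
    ip -n rA addr add fe80::a/64 dev vA; ip -n rB addr add fe80::b/64 dev vB
    sleep 2   # let DAD finish on the new link-local addresses
    apply_in_ns rA "$LO_A" "$LO_B" vA fe80::b
    apply_in_ns rB "$LO_B" "$LO_A" vB fe80::a
    ip netns exec rA ping -6 -c1 -W1 "$LO_B" >/dev/null \
        && echo "A reaches B's loopback over the unnumbered link"
    ip -n rA link set vA down
    # The address lives on lo, so it answers whether or not the link is up:
    # pinging it proves nothing about the link. Read the interface state.
    ip netns exec rA ping -6 -c1 -W1 "$LO_A" >/dev/null \
        && echo "vA is down, yet $LO_A still answers locally"
    ip -n rA -o link show vA | grep -o 'state [A-Z]*'
    ip netns del rA; ip netns del rB
}

# Needs root and iproute2; run as: sudo sh thisfile.sh run
case "${1:-}" in run) demo ;; esac
```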