[195736] in North American Network Operators' Group

Re: IPv6 Loopback/Point-to-Point address allocation

daemon@ATHENA.MIT.EDU (Enno Rey)
Sun Sep 10 10:22:40 2017

X-Original-To: nanog@nanog.org
Date: Sun, 10 Sep 2017 15:03:00 +0200
From: Enno Rey <erey@ernw.de>
To: nanog@nanog.org
In-Reply-To: <20170910100859.GD1196@Vurt.local>
Errors-To: nanog-bounces@nanog.org

Hi,

On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote:
> Hi,
> 
> On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > > Baldur Norddahl wrote:
> > > > Loopback interfaces should be configured as /128. How you allocate these does
> > > > not matter.
> > > 
> > > ..so long as there are interface ACLs on your network edge which block
> > > direct IP access to these IP addresses.
> > 
> > or, maybe even more efficient, assign all loopbacks from a dedicated
> > netblock which you null-route on the edge/your border devices.
> 
> Null-routing may not be sufficient, if the edge/border router has a
> route to that /128; the (forwardable) /128 entry will win over the
> blackholed /64 FIB entry since it is more-specific.

Just thought about it a bit.
As mentioned (in another post), I was thinking of a specific use case/setting, but wouldn't a static null-route (of a blackholed /64) win over a /128 learned from a RP anyway (given the better AD)?
Am I missing something here?

Thanks

Enno

> Applying an ingress
> interface ACL to each and every external facing interface will probably
> work best in the most common deployment scenarios.
> 
> For router-to-router linknets I recommend to configure a linknet that is
> as small as possible and is supported by all sides: /127, /126, /120,
> etc. Some vendors have put in effort to mitigate the problems related to
> Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
> the matter is that on small subnets like a /127, /126 or /120 such
> attacks simply are non-existent. 
> 
> Kind regards,
> 
> Job

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Matthias Luft, Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
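
Added example, not part of the original message or thread: a small model of the route selection under discussion, with a static null-routed /64 for the loopback block, /128 loopbacks learned from an IGP, and an optional ingress ACL on the external interface. It assumes the usual router behaviour in which administrative distance is compared only between routes to the same prefix and forwarding then uses longest-prefix match; the prefixes (documentation range), AD values (Cisco-style defaults) and function names are constructed for illustration.

```python
import ipaddress

# Constructed RIB entries: (prefix, administrative distance, source, action).
# Prefixes are from 2001:db8::/32; AD values are assumed Cisco-style defaults.
RIB = [
    ("2001:db8:0:ff::/64", 1, "static", "discard"),     # null route for the loopback block
    ("2001:db8:0:ff::1/128", 110, "ospf", "forward"),   # loopback learned from the IGP
    ("2001:db8:0:ff::2/128", 110, "ospf", "forward"),   # same /128 known from two sources:
    ("2001:db8:0:ff::2/128", 1, "static", "discard"),   # here AD does decide
    ("::/0", 20, "bgp", "forward"),                     # default route
]

def build_fib(rib):
    """Per prefix, install only the route with the lowest administrative distance."""
    fib = {}
    for prefix, ad, source, action in rib:
        net = ipaddress.ip_network(prefix)
        if net not in fib or ad < fib[net][0]:
            fib[net] = (ad, source, action)
    return fib

def lookup(fib, dst):
    """Longest-prefix match over installed routes; AD plays no part at this stage."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in fib if addr in net), key=lambda net: net.prefixlen)
    return best, fib[best][2]

def edge_ingress(fib, dst, protected=None):
    """Model an ingress ACL on the external interface, checked before the lookup."""
    if protected and ipaddress.ip_address(dst) in ipaddress.ip_network(protected):
        return "acl-drop"
    return lookup(fib, dst)[1]

FIB = build_fib(RIB)

if __name__ == "__main__":
    for dst in ("2001:db8:0:ff::1", "2001:db8:0:ff::2", "2001:db8:0:ff::3"):
        net, action = lookup(FIB, dst)
        print(f"{dst:20} matches {str(net):24} -> {action}")
    print("with ACL:", edge_ingress(FIB, "2001:db8:0:ff::1", "2001:db8:0:ff::/64"))
```
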
