[195740] in North American Network Operators' Group


Re: IPv6 Loopback/Point-to-Point address allocation

daemon@ATHENA.MIT.EDU (Job Snijders)
Mon Sep 11 03:17:41 2017

X-Original-To: nanog@nanog.org
Date: Sun, 10 Sep 2017 12:08:59 +0200
From: Job Snijders <job@ntt.net>
To: nanog@nanog.org
In-Reply-To: <20170910095320.GC88553@ernw.de>
Errors-To: nanog-bounces@nanog.org

Hi,

On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > Baldur Norddahl wrote:
> > > Loopback interfaces should be configured as /128. How you allocate these does
> > > not matter.
> > 
> > ..so long as there are interface ACLs on your network edge which block
> > direct IP access to these IP addresses.
> 
> or, maybe even more efficient, assign all loopbacks from a dedicated
> netblock which you null-route on the edge/your border devices.

Null-routing may not be sufficient, if the edge/border router has a
route to that /128; the (forwardable) /128 entry will win over the
blackholed /64 FIB entry since it is more-specific. Applying an ingress
interface ACL to each and every external facing interface will probably
work best in the most common deployment scenarios.

For router-to-router linknets I recommend configuring a linknet that is
as small as possible and is supported by all sides: /127, /126, /120,
etc. Some vendors have put in effort to mitigate the problems related to
Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
the matter is that on small subnets like a /127, /126 or /120 such
attacks simply are non-existent.

Kind regards,

Job
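
The longest-prefix-match point made above, as an added example that is not part of the original message or any vendor's code: a toy FIB in which a null-routed loopback /64 loses to the more-specific /128 entries learned from the IGP, while an ingress ACL on the external interface drops the packet before the FIB is consulted. The loopback block and FIB contents are constructed, hypothetical values from documentation space.

```python
import ipaddress

# Constructed sample block (RFC 3849 documentation space, not a real network).
LOOPBACK_BLOCK = ipaddress.ip_network("2001:db8:ffff::/64")

# Hypothetical FIB of a border router: the null-route covering the loopback
# block, two /128 loopbacks learned via the IGP, and a default route.
FIB = [
    (ipaddress.ip_network("2001:db8:ffff::/64"), "blackhole"),
    (ipaddress.ip_network("2001:db8:ffff::1/128"), "forward"),
    (ipaddress.ip_network("2001:db8:ffff::2/128"), "forward"),
    (ipaddress.ip_network("::/0"), "forward"),
]


def fib_lookup(dst: str) -> str:
    """Longest-prefix match: the most specific entry wins, whether it is a
    blackhole or a forwarding entry. A /128 therefore beats the /64 null-route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, action)
    return best[1]


def ingress_acl(dst: str, interface_external: bool) -> str:
    """Ingress ACL applied on every external-facing interface: deny anything
    destined to the loopback block; internal interfaces are left untouched."""
    addr = ipaddress.ip_address(dst)
    if interface_external and addr in LOOPBACK_BLOCK:
        return "deny"
    return "permit"


def handle_packet(dst: str, interface_external: bool, acl_enabled: bool) -> str:
    """Fate of a packet: the ACL runs before the FIB, so with the ACL enabled a
    packet to a loopback /128 from outside never reaches the forwarding lookup."""
    if acl_enabled and ingress_acl(dst, interface_external) == "deny":
        return "dropped-by-acl"
    action = fib_lookup(dst)
    return "blackholed" if action == "blackhole" else "forwarded"
```

An address inside the /64 without a /128 entry is blackholed as intended, but a real loopback is forwarded unless the ACL is in place.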
