[75342] in North American Network Operators' Group
Re: Important IPv6 Policy Issue -- Your Input Requested
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Nov 11 15:35:43 2004
To: Leo Bicknell <bicknell@ufp.org>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 11 Nov 2004 15:01:36 EST."
<20041111200136.GA72482@ussenterprise.ufp.org>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 11 Nov 2004 15:34:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 11 Nov 2004 15:01:36 EST, Leo Bicknell said:
> Having to double the size of every ACL in your network (once for
> the local address, once for the "public" address) does not seem
> simpler. It also seems dangerous, since almost all devices have a
> limit to ACL size. As if larger addresses weren't already enough
> penalty on those boxes now we have to list each machine twice.
Actually, probably not - in the majority of cases, you can put in *one*
ACL that drops (for example) all outbound packets for anything in the /32
and avoid having to list each machine twice.
Yes, it's still double - but it's two subnet entries, not two copies of
all 2,048 addresses in the subnet....
(Hint - you'd *have* to do it that way - you *can't* enumerate all the
possible addresses in an IPv6 /64 unless your router has terabytes of
memory...)
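The prefix-versus-per-host point in the reply above, as an added example that is not part of the original message: a first-match egress ACL with one entry per prefix, compared against the entry counts for per-host listing. The two prefixes, the first-match semantics and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed prefixes (assumptions, not from the thread): a unique-local
# range for the "local" addresses, a documentation range for the "public" ones.
LOCAL_PREFIX = ipaddress.ip_network("fd00:1234::/32")
PUBLIC_PREFIX = ipaddress.ip_network("2001:db8::/32")

# Egress ACL, first match wins: one entry per prefix, not one per host.
EGRESS_ACL = [
    ("deny", LOCAL_PREFIX),     # local-source packets never leave the site
    ("permit", PUBLIC_PREFIX),  # public-source packets may leave
]


def evaluate(acl, src, default="deny"):
    """Return the action of the first entry whose prefix contains src."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in prefix:
            return action
    return default  # nothing matched: fall through to the implicit default


def per_host_entries(hosts, addresses_per_host=2):
    """ACL size if every host is listed once per address it holds."""
    return hosts * addresses_per_host


def enumerated_entries(prefix):
    """ACL size if every possible address in a prefix were listed."""
    return ipaddress.ip_network(prefix).num_addresses


if __name__ == "__main__":
    # Constructed sample sources: same host, local and public address.
    for src in ("fd00:1234:0:1::10", "2001:db8:0:1::10", "2001:db9::1"):
        print(f"{src:22} -> {evaluate(EGRESS_ACL, src)}")
    print("prefix entries:         ", len(EGRESS_ACL))
    print("per-host, 2,048 hosts:  ", per_host_entries(2048))
    print("every address in a /64: ", enumerated_entries("2001:db8:0:1::/64"))
```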