On Thu, 21 Jun 2012 20:00:17 -0500, Daniel Ouellet <dan...@presscom.net>
wrote:
You could read RFC 5375 for example, or a few more like 4291, 3587,
and others like it.
Interesting. RFC 6547 moves "Use of /127 Prefix Length Between Routers
Considered Harmful" (RFC 3627) to Historic status to reflect the updated
guidance contained in "Using 127-Bit IPv6 Prefixes on Inter-Router Links"
(RFC 6164).
RFC 6164 details the use of /127s as being OK now.
Now /127s would of course be equal to using /31s in IPv4, which I find
interesting but dangerous (compatibility is sketchy outside Cisco from
what I've seen, and what happens if your emergency replacement hardware
isn't identical and can't do /31s?).
There was a lengthy discussion about this on the nanog mailing list
http://seclists.org/nanog/2010/Jan/969
I find this to be a great point:
On Mon, Jan 25, 2010 at 7:33 PM, Owen DeLong <owen () delong com> wrote:
On Jan 25, 2010, at 8:14 AM, Mathias Seiler wrote:
Ok let's summarize:
/64:
+ Sticks to the way IPv6 was designed (64 bits host part)
+ Probability of renumbering very low
+ simpler for ACLs and the like
+ rDNS on a bit boundary
<> You can give your peers funny names, like 2001:db8::dead:beef ;)
- Prone to attacks (scans, router CPU load)
Unless of course you just block nonexistent addresses in the /64 at
each end.
uhm, how sensible is this? "Use 2^64 addresses, block all but the first
2." I'm confused by the goal of using a /64 on a ptp link that never
will have more than 2 addresses on it?
This attack is described as:
All someone out on the 'net needs to do is scan up through your address
space on the link as quickly as possible, sending single packets at all
the non-existent addresses on the link, and watch as your router CPU
starts to churn keeping track of all the neighbor discovery messages,
state table updates, and incomplete age-outs.
With the link configured as a /126, there's a very small limit to the
number of neighbor discovery messages, and the amount of state table
that needs to be maintained and updated for each PtP link.
Yeah, I think we'll stick with our /126s.
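To make the neighbor-discovery argument above concrete, here is an added illustration (not code from this thread or from any router vendor): a toy neighbor cache with a hypothetical size limit and INCOMPLETE-entry lifetime, hit by a scanner that walks the non-existent addresses of a point-to-point link. The link prefixes, router addresses and cache parameters are constructed for the example.

```python
import ipaddress

# Constructed sample links (not from the thread): two point-to-point links,
# each with two router addresses configured, one numbered as a /64 and one
# as a /126.
LINK_64 = ipaddress.IPv6Network("2001:db8:0:1::/64")
ROUTERS_64 = {ipaddress.IPv6Address("2001:db8:0:1::1"),
              ipaddress.IPv6Address("2001:db8:0:1::2")}
LINK_126 = ipaddress.IPv6Network("2001:db8:0:2::/126")
ROUTERS_126 = {ipaddress.IPv6Address("2001:db8:0:2::1"),
               ipaddress.IPv6Address("2001:db8:0:2::2")}


def unused_onlink_addresses(net, configured):
    """Addresses on the link that belong to no configured neighbor. A packet
    arriving from off-link for any of them makes the router start neighbor
    discovery for an address that will never answer."""
    return net.num_addresses - len(configured)


class NeighborCache:
    """Toy model of a router's neighbor cache (hypothetical parameters).

    Resolving a neighbor that does not exist leaves an INCOMPLETE entry
    behind until it ages out; the cache holds at most `max_entries`.
    """

    def __init__(self, max_entries, incomplete_lifetime):
        self.max_entries = max_entries
        self.incomplete_lifetime = incomplete_lifetime
        self.entries = {}   # address -> tick at which the entry ages out
        self.refused = 0    # resolutions dropped because the cache was full
        self.peak = 0       # largest number of simultaneous entries seen

    def _age_out(self, now):
        self.entries = {a: exp for a, exp in self.entries.items() if exp > now}

    def resolve(self, addr, now):
        """Return True if an entry exists or could be created for `addr`."""
        self._age_out(now)
        if addr in self.entries:
            return True
        if len(self.entries) >= self.max_entries:
            self.refused += 1
            return False
        self.entries[addr] = now + self.incomplete_lifetime
        self.peak = max(self.peak, len(self.entries))
        return True


def scan_link(net, configured, cache, max_packets):
    """Simulate a remote scanner sending one packet per tick to successive
    on-link addresses, skipping the ones that really exist. It stops when it
    runs out of non-existent addresses (a /126) or after `max_packets`
    (a /64 has 2**64 - 2 of them, so the scanner never runs out)."""
    sent = 0
    for i in range(net.num_addresses):  # lazy; never walks all 2**64 steps
        if sent >= max_packets:
            break
        addr = net[i]
        if addr in configured:
            continue
        cache.resolve(addr, now=sent)
        sent += 1
    return cache


if __name__ == "__main__":
    for name, net, routers in (("/64", LINK_64, ROUTERS_64),
                               ("/126", LINK_126, ROUTERS_126)):
        cache = scan_link(net, routers, NeighborCache(1000, 3000), 5000)
        print(f"{name}: {unused_onlink_addresses(net, routers)} scannable "
              f"addresses, peak cache {cache.peak}, refused {cache.refused}")
```

On the /126 the scanner runs out of targets after two packets, so the cache never holds more than two INCOMPLETE entries; that is the "very small limit" quoted above (a /127 with both ends configured leaves none). On the /64 the same scanner fills the cache and keeps it full until entries age out, which is the state-table churn the quoted post warns about. The model ignores rate limiting and per-interface ND caps that real routers may have, so treat the numbers as illustrative only.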