On Mon, May 9, 2011 at 10:04 PM, Joel Maslak <jmas...@antelope.net> wrote:
> On Mon, May 9, 2011 at 3:57 PM, Jeff Wheeler <j...@inconcepts.biz> wrote:
>> I do take issue with your suggestion that /64 LANs are in any way
>> smart in the datacenter. They are not. I have some slides on this
>> topic: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> There are ways of mitigating this (the easiest is to use ACLs or firewalls
> to limit traffic into a subnet from untrusted sources so that only
> legitimate traffic is allowed).

Your suggestion has two main disadvantages:

1) it doesn't work on some platforms, because input ACL won't stop ND
learn/solicit -- obviously this is bad

2) it requires you to configure a potentially large input ACL on every
single interface on the box, and adjust that ACL whenever you provision
more IPv6 addresses for end-hosts -- kinda like not having a control-plane
filter, only worse

--
Jeff S Wheeler <j...@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
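The following is an added model, not code from either poster, of the neighbor-cache exhaustion the thread argues about and of the destination-address ACL mitigation. It models a router whose neighbor cache pins an INCOMPLETE entry for every unresolved on-link destination it solicits, then runs a constructed sweep across random addresses in a /64 followed by traffic to the provisioned hosts, under three conditions: no ACL, an input ACL that permits only provisioned addresses, and a platform where ND resolution runs before the ACL is consulted (the behaviour Jeff's first point describes). The prefix `2001:db8:0:1::/64`, the eight provisioned hosts, the cache capacity of 64 and the 500-address sweep are all assumptions chosen for the example; real cache sizes, ACL placement and ND behaviour are platform-specific.

```python
"""Added model (not from the thread) of IPv6 neighbor-cache exhaustion on a
/64 LAN and of the per-destination input ACL mitigation, including the case
where the platform allocates the cache entry before the ACL is consulted."""
import ipaddress
import random
from collections import OrderedDict

# Constructed example prefix and provisioned hosts (documentation range).
ON_LINK = ipaddress.IPv6Network("2001:db8:0:1::/64")
PROVISIONED = {ON_LINK.network_address + i for i in range(1, 9)}   # ::1 .. ::8


class NeighborCache:
    """Minimal model: the first packet toward an unresolved on-link address
    allocates an INCOMPLETE entry while the router sends a solicit; a full
    cache admits no new entries, so unknown destinations are dropped."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()      # address -> "INCOMPLETE" | "REACHABLE"

    def forward(self, dst, live_hosts):
        """Return 'delivered', 'cache-full' or 'unreachable'."""
        if self.entries.get(dst) == "REACHABLE":
            return "delivered"
        if dst not in self.entries:
            if len(self.entries) >= self.capacity:
                return "cache-full"
            self.entries[dst] = "INCOMPLETE"   # solicit goes out, entry pinned
        if dst in live_hosts:
            self.entries[dst] = "REACHABLE"    # neighbor advertisement came back
            return "delivered"
        return "unreachable"                   # stays INCOMPLETE until timeout


def simulate(packets, live_hosts, capacity, acl_allow=None, acl_after_nd=False):
    """Forward a stream of destination addresses through the router model.

    acl_allow:    set of destinations permitted by the input ACL (None = no ACL).
    acl_after_nd: assumed platform where ND resolution runs before the ACL, so
                  the ACL drops the packet but the cache entry is already used.
    Returns (stats dict, number of cache entries in use).
    """
    cache = NeighborCache(capacity)
    stats = {"delivered": 0, "cache-full": 0, "unreachable": 0, "acl-drop": 0}
    for dst in packets:
        allowed = acl_allow is None or dst in acl_allow
        if not allowed and not acl_after_nd:
            stats["acl-drop"] += 1            # ACL in front of ND: no entry used
            continue
        result = cache.forward(dst, live_hosts)
        if not allowed:                       # ACL behind ND: entry already spent
            stats["acl-drop"] += 1
        else:
            stats[result] += 1
    return stats, len(cache.entries)


def scan_then_legit(n_scan=500, seed=7):
    """Constructed traffic: a sweep of random addresses inside the /64,
    followed by one packet to each provisioned host."""
    rng = random.Random(seed)
    base = int(ON_LINK.network_address)
    scan = [ipaddress.IPv6Address(base + rng.getrandbits(64)) for _ in range(n_scan)]
    return scan + sorted(PROVISIONED)


def compare(capacity=64):
    """Run the three cases discussed in the thread and return their outcomes."""
    packets = scan_then_legit()
    return {
        "no_acl": simulate(packets, PROVISIONED, capacity),
        "acl": simulate(packets, PROVISIONED, capacity, acl_allow=PROVISIONED),
        "acl_after_nd": simulate(packets, PROVISIONED, capacity,
                                 acl_allow=PROVISIONED, acl_after_nd=True),
        # One ACL entry per provisioned address, to be updated on every
        # provisioning change (the second disadvantage raised above).
        "acl_entries_needed": len(PROVISIONED),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18}: {value}")
```

With no ACL the sweep pins the whole cache and every later packet to a real host is dropped as cache-full; the allowlist ACL keeps the cache at the eight provisioned entries, but only when the platform evaluates the ACL before resolving the neighbor, and its size tracks the number of provisioned addresses on every interface it is applied to.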