On Nov 29, 2011, at 9:46 AM, Ray Soucy wrote:

> Could you provide an example of such an ACL that can prevent neighbor
> table exhaustion while maintaining a usable 64-bit prefix? I am
> intrigued.
>
For a point-to-point link... Sure...

Router A: 2001:db8:0:0:1::
Router B: 2001:db8:0:0:2::

permit ipv6 any 2001:db8:0:0:3:: 0000:0000:0000:0000:0003:0000:0000:0000

Or, if you prefer:

Router A: 2001:db8::1
Router B: 2001:db8::2

permit ipv6 any 2001:db8::3 0000:0000:0000:0000:0000:0000:0000:0003

Owen

> On Tue, Nov 29, 2011 at 12:21 PM, Owen DeLong <o...@delong.com> wrote:
>>
>> On Nov 29, 2011, at 4:58 AM, Dmitry Cherkasov wrote:
>>
>>> Thanks to everybody participating in the discussion.
>>> I try to summarize.
>>>
>>> 1) There is no obvious benefit of using longer prefixes than /64
>>> in DOCSIS networks, yet there are no definite objections to using them
>>> except that it violates best practices and may lead to some problems
>>> in the future.
>>>
>>> 2) A DHCPv6 server can use any algorithm to generate the interface ID part
>>> of the address, and EUI-64 may be just one of them that can be useful
>>> for keeping correspondence between MAC and IPv6 addresses. Yet if we
>>> use EUI-64 we definitely need to use a /64 prefix.
>>>
>>> 3) Using /64 networks poses a potential security threat related to
>>> neighbor table overflow. This is a wide IPv6 problem and not related to
>>> DOCSIS only.
>>>
>> 99% of which can be easily mitigated by ACLs, especially in the context
>> you are describing.
>>
>>> There were also notes about address usage on link networks. Though
>>> this was out of the scope of the original question, it is agreed that using
>>> /64 is not reasonable here. BTW, RFC6164 (Using 127-Bit IPv6 Prefixes
>>> on Inter-Router Links) can be mentioned here.
>>>
>>
>> I don't agree that using /64 on link networks is not reasonable. It's
>> perfectly fine and there is no policy against it. There are risks (buggy
>> router code having ping-pong attack exposure, ND table overflow attacks if
>> not protected by ACL), but, otherwise, there's nothing wrong with it.
>>
>> Owen
>>
>>>
>>> Dmitry Cherkasov
>>>
>>>
>>> 2011/11/29 Dmitry Cherkasov <doctor...@gmail.com>:
>>>> Tore,
>>>>
>>>> To comply with this policy we delegate at least a /64 to end-user
>>>> gateways. But this policy does not cover the network between the WAN
>>>> interfaces of the CPE and the ISP access gateway.
>>>>
>>>> Dmitry Cherkasov
>>>>
>>>>
>>>> 2011/11/29 Tore Anderson <tore.ander...@redpill-linpro.com>:
>>>>> * Dmitry Cherkasov
>>>>>
>>>>>> I am determining technical requirements for an IPv6 provisioning system
>>>>>> for DOCSIS networks and I am deciding if it is worth restricting users
>>>>>> to use not less than /64 networks on the cable interface. It is obvious
>>>>>> that no true economy of IP addresses can be achieved by increasing the
>>>>>> prefix length above 64 bits.
>>>>>
>>>>> I am not familiar with DOCSIS networks, but I thought I'd note that in
>>>>> order to comply with the RIPE policies, you must assign at least a /64
>>>>> or shorter to each end user:
>>>>>
>>>>> http://www.ripe.net/ripe/docs/ripe-523#assignment_size
>>>>>
>>>>> --
>>>>> Tore Anderson
>>>>> Redpill Linpro AS - http://www.redpill-linpro.com
>>
>>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
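To make the wildcard arithmetic in Owen's ACL concrete, here is an added example (not from the thread or any vendor) that evaluates a Cisco-style IPv6 wildcard mask in Python and enumerates the destinations each ACE admits, which is why the neighbor cache on the /64 can only ever be asked to learn a handful of entries. The router addresses and masks are the ones from the thread; the `2001:db8::dead:beef` address is a constructed example of an arbitrary address inside the /64.

```python
import ipaddress

FULL = (1 << 128) - 1  # all 128 bits set


def _int(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))


def wildcard_match(dst: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard: a 1 bit in the mask means 'don't care'.
    The ACE matches when every 'care' bit of dst equals the base address."""
    care = ~_int(wildcard) & FULL
    return (_int(dst) & care) == (_int(base) & care)


def permitted_count(wildcard: str) -> int:
    """Number of distinct destinations one ACE admits: 2^(don't-care bits)."""
    return 1 << bin(_int(wildcard)).count("1")


def permitted_destinations(base: str, wildcard: str) -> list[str]:
    """Enumerate every destination the ACE admits (only for narrow wildcards)."""
    w = _int(wildcard)
    bits = [i for i in range(128) if (w >> i) & 1]
    if len(bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    fixed = _int(base) & ~w & FULL      # the bits the ACE pins down
    out = []
    for combo in range(1 << len(bits)):  # every setting of the free bits
        v = fixed
        for j, bit in enumerate(bits):
            if (combo >> j) & 1:
                v |= 1 << bit
        out.append(v)
    return [str(ipaddress.IPv6Address(v)) for v in sorted(out)]


if __name__ == "__main__":
    # Owen's second form: routers at ::1 and ::2, ACE on ::3 with wildcard ::3
    base, wc = "2001:db8::3", "0000:0000:0000:0000:0000:0000:0000:0003"
    for router in ("2001:db8::1", "2001:db8::2"):
        print(router, "permitted:", wildcard_match(router, base, wc))
    # Constructed: an arbitrary address elsewhere in the same /64 is dropped,
    # so it never triggers neighbor resolution on the egress interface.
    print("2001:db8::dead:beef permitted:", wildcard_match("2001:db8::dead:beef", base, wc))
    print("ACE admits", permitted_count(wc), "of", 2 ** 64, "addresses in the /64")
    # Owen's first form, with the wildcard in the fifth hextet
    print(permitted_destinations("2001:db8:0:0:3::", "0000:0000:0000:0000:0003:0000:0000:0000"))
```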