In article <xs4all.963e27c7-a0c5-44ac-86af-33e6286c9...@delong.com> you write:

>There are better ways to avoid neighbor exhaustion attacks unless you
>have attackers
>inside your network.

You mean filtering. I haven't tried it recently, but a while ago I put an output filter on a Juniper router that allowed just the lower /120 out of a /64 on an interface. What happened was that neighbor discovery happened /before/ filtering. I should probably test that against recent JunOS releases, but that was a firm reason to go with a /120 instead of a filter. Besides, configuring a /120 is way less work than a filter per interface (yes, we do have per-interface filters, but they're kind of generic).

>Even if you're going to do something silly like use /120s on interfaces,
>I highly
>recommend going ahead and reserving the enclosing /64 so that when you discover
>/120 wasn't the best idea, you can easily retrofit.

Sure, we do that; as soon as router vendors solve the NDP CE attack problem we'll go back to /64s.

Mike.
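As an added illustration (not part of Mike's post or the thread), the following Python model shows why the size of the on-link prefix is what bounds neighbor-cache exhaustion. The cache model (fixed capacity, oldest entry evicted regardless of state, no rate limiting) is an assumption chosen to make the failure mode visible, not a description of JunOS or any other vendor's implementation; the addresses are constructed from the 2001:db8::/32 documentation prefix and no packets are sent.

```python
import ipaddress
import random
from collections import OrderedDict


class NeighborCache:
    """Toy model of a router's IPv6 neighbor cache (an assumption for this
    example, not any vendor's implementation).

    Entries are either REACHABLE (a real host that answered neighbor
    solicitation) or INCOMPLETE (solicitation sent, no answer yet).  The
    cache has a fixed capacity and, when full, evicts its oldest entry
    regardless of state.  That eviction is what lets a remote sweep of
    never-answering addresses push real neighbors out of the table.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> state, oldest first
        self.lost_neighbors = 0        # REACHABLE entries evicted so far

    def learn(self, addr):
        """A real host answered: record it as REACHABLE."""
        self._insert(addr, "REACHABLE")

    def forward_to(self, addr):
        """A packet arrives for an on-link destination.

        A known address is simply refreshed.  An unknown one forces the
        router to create an INCOMPLETE entry and send a solicitation,
        which is the work a remote sweep multiplies.
        """
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return
        self._insert(addr, "INCOMPLETE")

    def _insert(self, addr, state):
        if len(self.entries) >= self.capacity:
            _, old_state = self.entries.popitem(last=False)
            if old_state == "REACHABLE":
                self.lost_neighbors += 1
        self.entries[addr] = state

    def count(self, state):
        return sum(1 for s in self.entries.values() if s == state)


def simulate_sweep(prefix, capacity, hosts, probes, seed=0):
    """Populate `hosts` real neighbors at the bottom of `prefix`, then
    deliver `probes` packets to random addresses inside the prefix.

    Returns a summary dict so the /64 and /120 cases can be compared.
    The address stream is constructed with a seeded RNG; nothing is sent.
    """
    net = ipaddress.IPv6Network(prefix)
    rng = random.Random(seed)
    cache = NeighborCache(capacity)

    # Real neighbors occupy prefix::1 .. prefix::hosts (constructed sample).
    for i in range(1, hosts + 1):
        cache.learn(net[i])

    # From the router's point of view every address in the configured
    # prefix is a valid on-link destination, so the sweep space is the
    # whole prefix: 2**64 addresses for a /64, 256 for a /120.
    for _ in range(probes):
        cache.forward_to(net[rng.randrange(net.num_addresses)])

    return {
        "prefix": str(net),
        "onlink_addresses": net.num_addresses,
        "cache_size": len(cache.entries),
        "incomplete": cache.count("INCOMPLETE"),
        "lost_neighbors": cache.lost_neighbors,
    }


if __name__ == "__main__":
    for p in ("2001:db8::/64", "2001:db8::/120"):
        print(simulate_sweep(p, capacity=1024, hosts=10, probes=10_000))
```

With a 1024-entry cache, ten real hosts and ten thousand probes, the /64 run ends with every real neighbor evicted and the whole cache holding INCOMPLETE entries, while the /120 run can never create more than 256 entries in total, so the cache is never full and no neighbor is lost, however long the sweep runs. The model deliberately has no filter stage, which matches the observation above that a filter applied after neighbor discovery has already fired does not reduce this exposure; monitoring the INCOMPLETE count on a router is the corresponding operational check.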