Using /126 for IPv6 router links

Igor Gashinsky igor at gashinsky.net
Thu Jan 28 15:19:54 CST 2010


On Wed, 27 Jan 2010, Dale W. Carder wrote:

:: 
:: On Jan 27, 2010, at 3:19 PM, Igor Gashinsky wrote:
:: 
:: > you face 2 major issues with not using /127 for
:: > PtP-type circuits:
:: >
:: > 1) ping-ponging of packets on Sonet/SDH links
:: >
:: >  Let's say you put 2001:db8::0/64 and 2001:db8::1/64 on a PtP
:: >  interface, and somebody comes along and ping floods 2001:db8::2,
:: >  those packets will bounce back and forth between the 2 sides of
:: >  the link till TTL expires (since there is no address resolution
:: >  mechanism in PtP, so it just forwards packets not destined for
:: >  "him" on).
:: 
:: Following this, IPv4 /30 would have the same problem vs /31?

As has been said before, IPv4 has a concept of broadcast, and "no ip 
directed broadcast" (or simmilar) to prevent it -- IPv6 does not.

:: > 2) ping sweep of death
:: >
:: >  Take the same assumption for addressing as above, and now ping
:: >  sweep 2001:db8::/64... if the link is ethernet, well, hope you
:: >  didn't have any important arp entries that the router actually
:: >  needed to learn.
:: 
:: Wouldn't this affect *all* /64's configured on a router, not
:: just point to point links?  Time for glean rate limiting.

While I don't disagree on smarter ARP gleaning, rate limiting by itself is 
not an answer (rate limiting means that legit requests get limited too), 
so a better approach is to prioritize arp/NDP refresh for anything already 
in cache, as opposed to new requests, which we've suggested to our 
vendors. 

Also, for a "core" network, you don't really need /64's in most places, 
and, if you do need them, their numbers are quite small compared to the 
number of PtP links.. (how many lan/host segments do you have connected to 
core routers, as compared to number of PtP links, and then, how many of 
those show up in a traceroute?)

:: If you were really concerned, you could hard code static NDP
:: entries, as I think someone else pointed out.

Or, you can use /127's -- to me, that's operationally easier (especially 
if you have to replace hardware in the future) :)

Like I said before, using /127's is our suggestion of what has worked best 
for us in both architectural and operational roles, and since my network 
isn't the same as yours, YMMV, just sharing our experience..

Thanks,
-igor




More information about the NANOG mailing list